1. THE TROJAN HORSE OF BYOD
No individuals were harmed during the creation of the Proof of Concept EVIL
application. The content of this presentation is purely for research and
educative purposes.
2. STEPHANIE VANROELEN, SECURITY RESEARCHER
I am an IT security researcher currently focussing on Web Application Security, Mobile Application Security and IoT/ICS Security. I currently work for Nynox (Cronos Security).
I co-organize BruCON and CyberSKool, keeping in touch with IT Security colleagues and remaining aware of the latest developments within the industry.
In my free time I pretend to be GODZILLA :)
@nephastieke
3. THE TROJAN HORSE OF BYOD
This talk will show how a malicious app can take advantage of a rooted phone. This is interesting in the current BYOD climate that reigns in corporations. Besides discussing the technical vulnerabilities that are being exploited, we will also go into a number of solutions that companies can use to minimise the associated risk.
4. AGENDA
I. EVIL APP: We will first explore the difficulties we encountered in creating a malicious app.
II. KNOWLEDGE IS POWER: Next, we will take a closer look at the access a malicious app has to data on a rooted device.
III. DEFENCE IS THE BEST OFFENCE: Finally we will look at how companies can mitigate these issues on both a technical and managerial level.
6. SCENARIO: DEVICE XX
My EVIL app is currently installed on Android device XX. Malware can be hiding in a knock-off app (Pokemon, CandyCrush, …) or in an app of our own creation, for example a motivational quotes app with malicious features.
For our further narrative this phone will belong to a C-level manager of Company X.
8. PERCENTAGE OF ROOTED PHONES ACROSS THE WORLD
ON AVERAGE AROUND 12% OF PHONES ARE ROOTED (ACCORDING TO KASPERSKY)
Businesses will have to weigh the risk of sensitive company data leaked vs. mobile application availability for users or clients.
WE FOUND NO VENDORS THAT SHIP THEIR PHONES ROOTED BY DEFAULT
https://www.kaspersky.com/blog/android-root-faq/17135/
11. CORPORATE ANDROID DEVICES THAT ALLOW THIRD-PARTY INSTALLATIONS
Wandera research shows that more than 20% of corporate Android devices allow third-party installations, so a significant number of devices are vulnerable to this threat.
14. ROOT CHECK: POSSIBLE SOLUTIONS
1. Use existing root-checking libraries such as RootBeer (Scottyab), rootChecker (CMDann), RootTools (Stericson), …
2. Write your own code that checks:
- whether an su binary exists (check multiple file locations)
- whether a SuperUser app is installed
- whether the su command can be run
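The three hand-written checks listed above, as an added Android example written for this page (it is not code from the talk or from any of the libraries named). The su paths and superuser package names are assumptions drawn from commonly published root-check lists; extend them for your own device fleet.

```java
import android.content.Context;
import android.content.pm.PackageManager;

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

/** Best-effort root detection covering the three checks from the slide. */
public final class RootCheck {

    // Common locations of the su binary (assumed list, not exhaustive).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/system/bin/failsafe/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su",
        "/su/bin/su"
    };

    // Package names of common superuser / root-manager apps (assumed list).
    private static final String[] SU_PACKAGES = {
        "eu.chainfire.supersu", "com.noshufou.android.su",
        "com.koushikdutta.superuser", "com.thirdparty.superuser",
        "com.topjohnwu.magisk"
    };

    private RootCheck() {}

    /** Check 1: does an su binary exist at any of the known locations? */
    public static boolean suBinaryExists() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    /** Check 2: is a superuser management app installed? */
    public static boolean superUserAppInstalled(Context context) {
        PackageManager pm = context.getPackageManager();
        for (String pkg : SU_PACKAGES) {
            try {
                pm.getPackageInfo(pkg, 0);
                return true; // no exception means the package is present
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed, try the next candidate
            }
        }
        return false;
    }

    /**
     * Check 3: can su be found on the PATH? Runs "which su" instead of su
     * itself, so the check never pops a root-grant prompt to the user.
     * If "which" is missing on the build, exec throws and we report false.
     */
    public static boolean suCommandAvailable() {
        Process process = null;
        try {
            process = Runtime.getRuntime().exec(new String[] {"which", "su"});
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(process.getInputStream()))) {
                return reader.readLine() != null;
            }
        } catch (IOException e) {
            return false;
        } finally {
            if (process != null) {
                process.destroy();
            }
        }
    }

    /** Names of the checks that fired; an empty list means no indicator was found. */
    public static List<String> indicators(Context context) {
        List<String> hits = new ArrayList<>();
        if (suBinaryExists()) hits.add("su binary present");
        if (superUserAppInstalled(context)) hits.add("superuser app installed");
        if (suCommandAvailable()) hits.add("su on PATH");
        return hits;
    }

    public static boolean isRooted(Context context) {
        return !indicators(context).isEmpty();
    }
}
```

Run `RootCheck.indicators(context)` at start-up and again in `onResume()`, and refuse to load or cache sensitive data while the list is non-empty. Returning the list rather than a single boolean lets you log which indicator fired, which helps when a device model produces a false positive. Treat the result as a signal, not a guarantee: these are userland checks that root-hiding tools are designed to defeat, so pair them with server-side risk signals and, where available, platform attestation.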
15. FILE TRANSFER SETUP
1. Set up a Debian server with SSH and SCP access, but only with key files, not passwords.
2. The app has a list of “interesting” directories and a function that executes the SCP command on the phone as root while throttling the file transfer.
3. Files are stored on the server in folders per device. Each device folder name was the device’s UDID.
16. EASY PEASY: EXPECTED MORE DIFFICULTIES
✦ Originally I thought that I would have to read out more data in the app itself to gain access. I expected more databases and files to be encrypted.
✦ However, after looking at transferred files, I realised that this is not necessary as most files are stored in cleartext.
17. IMPROVEMENTS? IMPROVEMENTS FOR THE EVIL APP
1. Use a Command & Control set-up with dashboard to remotely control devices.
2. Add redundancy checks for different types of Android devices.
3. Target specific apps and abuse their vulnerabilities to gain more sensitive information. (Commonly used apps such as: Facebook, Instagram, LinkedIn, etc.)
4. Add a virus component so other devices within the same network can be infected with the malware.
18. REDDROP STEALS DATA (27 FEBRUARY 2018)
Malware steals data such as photos, contacts list, company data, IMEI and IMSI number, SIM card information, nearby WiFi networks and live recordings of the device’s surroundings. Malware research team Wandera blogged and revealed this latest malware.
53 APPS INFECTED: third-party apps infected with this malware. The apps include calculators, image editors, language teaching, space exploration, etc.
4000 COMPROMISED DOMAINS: more than 4000 domains are compromised and spread the infected apps.
https://www.wandera.com/blog/reddrop-malware/
20. TYPE OF DATA FOUND IN MOBILE DEVICE XX
6 WIFI
287 URLS
765 TEXT MESSAGES
1 SOUND RECORDINGS
2 SCREENSHOTS
38 REMINDERS
3 PICTURES
0 NOTES
236 MUSIC
446 MAILS
23 LOCATIONS
125 EVENTS
6 DOWNLOADS
541 CONTACTS
144 APPLICATIONS
21. RISK FOR COMPANY XX
A compromised device is like having an internal threat: any information that can be accessed from a mobile device within Company X is up for grabs. This can be customer data, financial data, strategy, employee data, technical data, etc.
Personal information leakage will have GDPR implications as of May 2018.
Reputation damage.
22. 6 WIFI (ACCESS TO NETWORK)
6 WIFI networks with passwords on device XX, including company WIFI.
541 CONTACTS (ACCESS TO PI - GDPR)
541 phone contacts on device XX with full contact info, such as e-mail, phone numbers, companies, etc.
2 SCREENSHOTS (ACCESS TO CONFIDENTIAL DATA)
2 screenshots on device XX, leaking company information.
24. 287 URLS (DATA LEAKAGE)
287 URLS in browser history on device XX, including cookies, saved passwords and login data. This leaks internal company URLS, giving attackers focus.
125 EVENTS (ACCESS TO PI - GDPR + CONFIDENTIAL DATA)
125 calendar events on device XX with full event info, leaking personal appointments and vacation time as well as company meetings.
1 SOUND RECORDING (ACCESS TO CONFIDENTIAL DATA)
1 sound recording on device XX, leaking confidential meeting notes.
25. 765 MESSAGES (DATA LEAKAGE)
765 messages, leaking personal info for social engineering attacks such as tone of voice, as well as passwords sent by message.
6 DOWNLOADS (ACCESS TO CONFIDENTIAL DATA)
6 downloads on device XX. These downloads include confidential PDF reports, XLS, quarterly financial overviews, etc.
3 PICTURES (ACCESS TO CONFIDENTIAL DATA)
3 pictures, revealing company location layout, colleague faces as well as passwords on post-its.
26. 446 MAILS (TARGET ATTACK DATA)
446 mails on device XX revealing confidential company data, tone of voice, signatures, etc.
144 APPLICATIONS (ACCESS TO CONFIDENTIAL DATA)
144 applications on device XX. This is relevant if the attacker is targeting specific apps or wants to know what type of apps or software is being used within the company.
23 LOCATIONS (ACCESS TO PI - GDPR + CONFIDENTIAL DATA)
23 locations on device XX. This reveals both work and home locations, as well as possibly data centres or disaster recovery centres.
27. 0 NOTES (DATA LEAKAGE & ACCESS TO CONFIDENTIAL DATA)
Device XX does not have a note app installed and thus no notes were leaked. We noticed that the Microsoft Word app was installed but no application-specific attacks were executed during this PoC.
38 REMINDERS (ACCESS TO CONFIDENTIAL DATA)
38 reminders on device XX. Reminders are usually tasks you have to complete or remind you of meetings that are important. This can reveal all kinds of sensitive information or provide an attacker with a conversation topic needed to gather data.
236 MUSIC (ATTACKER PROFIT)
236 music files on device XX. While this may not be relevant for a regular company, it can be relevant for production studios, etc.
33. CONCLUSION: TROJAN HORSE OF BYOD
Allowing employees with rooted devices into your organisation presents certain risks. If we take into account that the Android platform statistically gets the most malware attacks in the world of any OS, we can only recommend that companies try to mitigate this risk as much as possible.
On the other hand, allowing your mobile application to be installed on a rooted device also introduces a big risk. These are devices over which your company cannot exercise control, so any flaw in your application can provide an attacker with the open door they need to gather sensitive data.