Can I Play with Madness?!?

1,024 views

Published on

The world of crime has migrated to the mobile world. Adware, spyware, RATs, APTs and other malware apps try to make their way through mobile operating systems. This session shows how the vast number of apps in Google Play can be investigated massively and continuously, cross-referencing the data with OSINT sources in real time, to obtain monitoring dashboards that help keep the threats, the development groups and the kinds of apps that appear in the markets under control at every moment. The session shows how the Tacyt (PATH5) platform works, the profiling of apps & developers, and its integration with OSINT data sources through Sinfonier topologies, in order to build dashboards with valuable information. Topologies will be created in real time and information feeds will be released for use in other projects.

Published in: Technology

  1. Chema Alonso (@chemaalonso)
  2. Problem: Cybercrime in Android
     http://blog.elevenpaths.com/2014/02/el-negocio-de-las-fakeapps-y-el-malware.html
  3. Problem: Cybercrime in Google Play
     http://blog.elevenpaths.com/2013/10/fake-whatsapp-adware-in-google-play.html
  4. Intelligence & Security
  5. OSINT (Open Source Intelligence)
     • OSINT is the art and science of creating ethical, evidence-based decision support using only open sources and methods, legal and ethical in every respect.
       – Big data to store & process
       – Analytic toolkits to detect patterns and anomalies
     • Beyond that, OSINT is all about humans: analysts who can think, and deciders who can listen.
     Robert David Steele on OSINT, 2014
  6. OSINT
     • Useful
     • Not less powerful than other *INTs*
     • Not more powerful than other *INTs*
     • Sometimes not that easy to build up
     • Not always free
     • Not always easy
  7. Tacyt (Codename Path 5)
     • Goal: Build an OSINT platform
       – Android markets
         • Google Play included
     • Process all data related to apps & markets
       – Build up a Big Data repository
       – Build a real-time processing tool for analysts
       – Create connections to other security tools
  8. PlayDrone
     http://www.elladodelmal.com/2014/06/playdrone-tokens-de-autenticacion-en.html
  9. Tacyt (Codename Path 5)
     • Real-time integration of apps
     • Real-time processing of filters
     • Interactive console
     • Cross-market analysis
     • Cross-time results (dead apps)
     • API
  10. Tacyt Demo 1: Fake Apps + Fake Devs
     http://www.elladodelmal.com/2013/11/cuidado-con-los-fake-av-y-los-rogue-av.html
     http://www.elladodelmal.com/2015/01/instalar-un-antivirus-en-android-puede.html
     http://www.elladodelmal.com/2014/12/en-apps-de-android-en-google-play-te.html
  11. Shuabang Botnet
  12. Shuabang Botnet
  13. Tacyt Demo 2: Shuabang Botnet
     http://blog.elevenpaths.com/2014/11/shuabang-botnet-blackhat-app-store_25.html
  15. 15. Reputation Report
  16. 16. Reputation Report
  17. 17. Tacyt (Codename Path 5) • Apply some intelligence to the way attackers work on Google Play. Anomalies & Singularities. • Do not concentrate on DETECTING, but on CORRELATING data. Detecting is difficult, but once you know your enemy and with the right amount of information and data, correlating is easy. • We try to find singularities • Avoid code. Code is a wall you go against again and again. Attackers know how to avoid being detected.
  18. 18. Tacyt (Codename Path 5) • We need to know our enemies and what makes them singular. • Android apps are APK, which are just Java files, which are just ZIP files signed with a selfsigned certificate. We have identified and dissected most of the technical characteristics. • Android apps are hosted in Google Play, with a developer, comments, descriptions, images, versions, categories… • There is plenty of information. Almost 50 “checkpoints”.
  19. 19. Mutant Apps
  20. 20. Tacyt Demo 3: Profiling Attack - Clicker http://blog.elevenpaths.com/2015/02/detectados-un-cut-rope-y-talking-tom.html
  21. 21. Examples: Research and clusterization • We can correlate data and cluster apps: – From an app, we can include the person or company who made it and correlate it with other developers in which account they hide. – We can detect anomalies: developers uploading 50 apps in a row? Developers sharing exactly the same files in their APK? Developers sharing images? APKs with just a second of developing time?...
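As an added example (not Tacyt's or Eleven Paths' code), two of the correlations slide 21 lists, built on the slide 18 observation that an APK is a signed ZIP: constructed in-memory APK-like ZIPs are hashed member by member to find files (including the META-INF/CERT.RSA signature block) that several developer accounts share, and upload timestamps are scanned for bursts. All developer names, member contents and timestamps are constructed sample data.

```python
# Added example (not Tacyt's code): correlate constructed APK-like ZIPs the way
# slides 18 and 21 describe: files shared across developers and upload bursts.
import hashlib, io, zipfile
from collections import defaultdict
from datetime import datetime, timedelta

def build_apk(entries):
    """Constructed stand-in for an APK: a ZIP whose member names mimic APK layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def file_hashes(apk_bytes):
    """SHA-256 of every ZIP member; META-INF/CERT.RSA holds the signing certificate."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}

def shared_files(apps):
    """Hashes seen under two or more distinct developers -> {hash: {developers}}."""
    owners = defaultdict(set)
    for app in apps:
        for h in file_hashes(app["apk"]).values():
            owners[h].add(app["developer"])
    return {h: devs for h, devs in owners.items() if len(devs) > 1}

def burst_uploaders(apps, window=timedelta(hours=1), min_apps=3):
    """Developers with >= min_apps uploads inside one window ('50 apps in a row')."""
    by_dev = defaultdict(list)
    for app in apps:
        by_dev[app["developer"]].append(app["uploaded"])
    flagged = set()
    for dev, ts in by_dev.items():
        ts.sort()
        if any(ts[i + min_apps - 1] - ts[i] <= window for i in range(len(ts) - min_apps + 1)):
            flagged.add(dev)
    return flagged

# Constructed sample: devA and devB share a native lib and the same CERT.RSA under
# different accounts; devB also pushes three apps inside half an hour.
T0, LIB, CERT = datetime(2015, 1, 1, 10, 0), b"constructed lib", b"constructed cert"
def app(dev, minutes, files):
    return {"developer": dev, "uploaded": T0 + timedelta(minutes=minutes), "apk": build_apk(files)}
APPS = [app("devA", 0, {"classes.dex": b"dexA", "lib/x.so": LIB, "META-INF/CERT.RSA": CERT}),
        app("devB", 10, {"classes.dex": b"dexB", "lib/x.so": LIB, "META-INF/CERT.RSA": CERT}),
        app("devB", 20, {"classes.dex": b"dexB2", "META-INF/CERT.RSA": CERT}),
        app("devB", 30, {"classes.dex": b"dexB3", "META-INF/CERT.RSA": CERT}),
        app("devC", 1440, {"classes.dex": b"dexC", "META-INF/CERT.RSA": b"other cert"})]
```

On the sample, `shared_files(APPS)` returns exactly the shared library and the shared CERT.RSA, both owned by devA and devB, and `burst_uploaders(APPS)` flags only devB.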
  22. Tacyt Demo 4: AppGeyser + JSDialers
     http://blog.elevenpaths.com/2014/12/5500-apps-potentially-vulnerable-to-man.html
     http://www.elladodelmal.com/2014/12/navegadores-de-android-que-no-debes.html
     http://blog.elevenpaths.com/2015/02/jsdialers-apps-que-llaman-numeros.html
  23. Tacyt (Codename Path 5)
     • Allows to correlate data and detect
       – Anomalies
       – Singularities
     • Helps to search quickly in a Big Data repository of apps
     • Helps to avoid code in detecting cybercrime
     • Provides an API to act as an OSINT source and integrate with other tools.
  24. “Apache Storm is a free and open source distributed realtime computation system. Storm makes it easy to reliably process unbounded streams of data, doing for realtime processing what Hadoop did for batch processing. Storm is simple, can be used with any programming language, and is a lot of fun to use!”
     Sinfonier
  25. Sinfonier
  26. Sinfonier
     [Diagram: a Sinfonier topology wired from SPOUT, BOLT and DRAIN modules]
  27. Sinfonier: how it works
     Drag & Drop Interface + Automatic Deploy API (Nightly version) + Storm Cluster = Sinfonier
  28. Sinfonier interface: Canvas, User Tools, Context Info
  29. Sinfonier Demo 5: Hunting Singularities: SingularPaths + SingularDomains
     http://www.elladodelmal.com/2014/12/investigar-cibercrimen-en-android-con.html
     http://www.sinfonier-project.net
  30. Tacyt + Sinfonier
  31. Conclusions
     • Cybercrime in apps is huge
     • Research in Google Play is not easy
     • Tacyt (Path 5) allows to
       – Discover and investigate anomalies & singularities
       – Cross-market
       – Cross-time
     • Sinfonier helps to
       – Integrate other sources
       – Automate intelligence generation
     • Yes, you can play with madness (and it is fun)
  32. Credits
     • Sinfonier and Tacyt (Path 5) have been created by Eleven Paths and Telefónica. In order to provide all the demos in this talk, more than 30 people have been working hard to have everything up & running in time for RootedCON 2015.
     • I personally thank all of them for the effort they put in day by day, doing their jobs as they do. I am proud to be working with them.