Android Malware Adventures: Analyzing Samples and Breaking into C&C

Presented at DeepSec 2019 „Internet of Facts and Fears“

Android malware is evolving every day and is everywhere, even in the Google Play Store. Malware developers have found ways to bypass Google's Bouncer as well as antivirus solutions, and many alternative techniques to operate the way Windows malware does. Using benign-looking applications as droppers is just one of them. This talk is about Android malware on the Google Play Store targeting Turkey, such as Red Alert, Exobot and Anubis. The talk will cover:

1. Techniques to analyze samples: Unencrypted samples are often used to harvest personal information for sale and carry no obfuscation. Encrypted samples, however, are used for sophisticated tasks like stealing banking information. They decrypt themselves by fetching the key from a Twitter account owned by the malware developer and operate by communicating with the C&C. Most banking samples also use techniques like screen injection and dependency injection, the latter being common among legitimate Android application developers.
2. Bypassing anti-* techniques: To analyze the samples dynamically, the anti-* techniques (anti-emulation, anti-debugging and similar checks) usually have to be defeated first. We will introduce some (known) Frida scripts for defeating the anti-* checks commonly found in malware.
3. Extracting IoCs: Extracting the Twitter accounts and C&C addresses from encrypted samples is often critical for threat intelligence. Extracting IoCs while the assets are still active has been crucial for our research, since we also aim to take over the C&Cs. We will introduce (known) automation techniques to extract the Twitter account, the decryption key and the C&C address.
4. Extracting stolen information from C&Cs: To extract information from a C&C, one has to act swiftly. The speed of the extraction process is critical because the actors change C&Cs often. We will give a detailed walkthrough of how we approach C&Cs as a target and extract the information.

The samples and information presented in the talk are the product of our research on many bankbots - such as Anubis, Red Alert and Exobot - as well as samples from other Turkish malware developers. All IoCs in this talk have been shared with the relevant third parties and are now inactive.

Presenters:

  • Mert Can Coşkuner - STM AS & Trendyol
    Mert Can Coşkuner is a Security Engineer at Trendyol. He maintains a penetration testing and malware analysis blog at medium.com/@mcoskuner.
  • Kürşat Oğuzhan Akıncı - STM AS & Trendyol
    Kürşat Oğuzhan Akıncı is a Cyber Security Engineer at Trendyol. He is also a team leader of Blackbox Cyber Security, Turkey's first cyber security volunteer group, and a coordinator and mentor of Turkcell CyberCamp and Turkish Airlines CyberTakeOff.