How to Do it Wrong: Smartphone Antivirus and Security Applications Under Fire

Presented at DEF CON 24 (2016), Aug. 7, 2016, 10 a.m. (60 minutes)

-Today’s evil often comes in the form of ransomware, keyloggers, or spyware, against which AntiVirus applications are usually an end user’s only means of protection. But current security apps not only scan for malware, they also aid end users by detecting malicious URLs, scams or phishing attacks. Generally, security apps appear so self-evidently useful that institutions such as online-banking providers even require users to install anti-virus programs. In this talk, however, we show that the installation of security applications, at least in the context of smartphones, can sometimes open the phone to a number of attack vectors, making the system more instead of less vulnerable to attacks. In a recent research we conducted on Android security apps from renowned vendors such as Kaspersky, McAfee, Androhelm, Eset, Malwarebytes or Avira. When conducting a study of the apps’ security features (Antivirus and Privacy Protection, Device Protection, Secure Web Browsing, etc.) it came as a shock to us that every inspected application contained critical vulnerabilities, and that in the end no single of the promoted security features proved to be sufficiently secure. In a simple case, we would have been able to harm the app vendor’s business model by upgrading a trial version into a premium one at no charge. In other instances, attackers would be able to harm the end user by completely disabling the malware-scanning engine remotely. Or how about accessing confidential data by exploiting broken SSL communication, broken self-developed "advanced" crypto implementations or through SQL-injections? Yes, we can. On top, we were able to bypass the secure browsing protection and abuse it for code execution. The most alarming findings, however, were security applications that we were able to actually turn into a remote access trojan (RAT) or into ransomware. In light of all those findings, one must seriously question whether the advice to install a security app onto one’s smartphone is a wise one. In this talk, we will not only explain our findings in detail but also propose possible security fixes.

Presenters:

• Siegfried Rasthofer - Fraunhofer SIT & TU Darmstadt
  Siegfried Rasthofer is a fourth year PhD student at the TU Darmstadt (Germany) and Fraunhofer SIT and his main research focus is on applied software security on Android applications. He developed different tools that combine static and dynamic code analysis for security purposes. He likes to break Android applications and found various AOSP exploits. Most of his research is published at top tier academic conferences and very recently he started publishing at industry conferences like BlackHat, VirusBulletin or AVAR.
• Stephan Huber - Fraunhofer SIT
  Stephan Huber is a security researcher at the testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He found different vulnerabilities in well-known Android applications and the AOSP. In his spare time he enjoys teaching students in Android hacking.

Links:

• https://defcon.org/html/defcon-24/dc-24-speakers.html#Huber

Similar Presentations:

• VB2015 / Last-minute paper: From Asia with love? Smartphones with pre-installed malware
• VB2016 / (In-) Security of Smartphone AntiVirus and Security Apps
• Black Hat Asia 2021 Virtual / A Mirage of Safety: Bug Finding and Exploit Techniques of Top Android Vendor's Privacy Protection Apps