Last-minute paper: We know what you did this summer: Android banking trojan exposing its sins in the cloud

Presented at VB2015, Oct. 1, 2015, 9 a.m. (30 minutes)

Backend-as-a-Service (BaaS) solutions are a very convenient way for developers to connect their apps to cloud storage. There are different BaaS solutions on the market, offered by various vendors such as *Amazon*, *Google* and *Facebook*. All of them provide simple APIs for common tasks such as managing database records or files. Adding a few library classes and writing three or four lines of code is sufficient to integrate cloud storage into an app. While such solutions are usually built for well-intentioned developers, we have very recently spotted two *Android* malware families that make use of BaaS solutions as well, *Facebook*'s in this case. Using *Facebook*'s BaaS solution, the malware stores stolen data, receives commands to be executed remotely on the infected device and performs SMS banking fraud. However, the malware authors are apparently unaware of how to set up a BaaS solution securely, which made it easy for us to obtain access to all the data they store. This gave interesting insights into their C&C communication protocol and into all the sensitive data they stole, including requests for the current balance of credit cards associated with the device, and attempts to perform payments and fraudulent transfers of funds via SMS messages during June and July 2015. To extract the necessary data from malicious applications automatically, we developed an automatic exploit generator that extracts credentials from the app, even if they are obfuscated, and provides access to the respective BaaS backend.
