Beware! Zombies are Coming

Presented at VB2016, Oct. 5, 2016, noon (30 minutes)

It is common for a third-party mobile SDK to maintain a communication and control (C&C) channel between the app installed with the SDK and its remote master server. For example, most mobile ad SDKs and analytics SDKs allows the SDK company's master server to collect device/user/app information, deliver content to the device, and even control certain behaviours of the app remotely. Should the master server or the C&C channel fall into the hands of attackers, it would bring great security risks to all apps installed with the SDK (e.g. the BadNews attack in 2013). Benign apps may even turn malicious under the control of a compromised C&C channel. Unfortunately, since the launch of the *Google Android* OS in 2008, a great number of mobile SDK companies have failed, leaving their SDK and C&C channels unmaintained, though the domain names of many SDK companies are now available to register at a cheap price. We call those unmaintained SDKs, the 'zombie SDKs'. If an attacker takes over the C&C channel of a zombie SDK, he will have control of all APK files with this SDK. Furthermore, the attacker can intentionally send existing APK files with the compromised zombie SDK to targeted victims. Since the zombie SDKs and the APK files are usually legitimate and have been published for a long time, they will easily pass an anti-virus whitelist check. In this presentation, we will present our study of zombie SDKs: First, we will present a survey of observed zombie SDKs, detailing the status of their master servers/domains, the capabilities gained once installed, and the security impact if an attacker takes over the domain. We will show that these ignored zombie SDKs have great potential for attackers and pose great security risks to the users. Then, we will demonstrate two approaches that an attacker can use to launch attacks within a zombie SDK. One approach is through taking control of the domain and building a malicious master server to control the C&C channel. In this way, the attacker inherits all the capabilities of the zombie SDK's previous owner. Another approach targets at the zombie SDK with dynamic loaded web content (e.g. PhoneGap apps). By serving a crafted web page with malicious JavaScript code, an attacker could take advantage of the bridge between WebView and the mobile app to invoke any registered Java functions, with the same permissions as the APK file.


  • Cong Zheng - Palo Alto Networks
    Cong Zheng Cong Zheng is a mobile security researcher at Palo Alto Networks. His research mainly focuses on Android malware analysis and detection, program analysis, and system security. He has developed several Android security systems/tools including the SmartDroid, ARTDroid and APKInspector.
  • Tongbo Luo - Palo Alto Networks
    Tongbo Luo Tongbo Luo is a security reseacher at Palo Alto Networks. His current research interests include cybersecurity, mobile security and security data analysis. He obtained his M.S. and Ph.D. in computer science from Syracuse University in 2014.
  • Zhi Xu - Palo Alto Networks
    Zhi Xu Zhi Xu is a researcher in the Security Research Group of Palo Alto Networks. He works on mobile security, mobile malware analysis, automatic app analysis, etc. Prior to joining the company, he received a Ph.D. degree in computer science from Pennsylvania State University in 2012.


Similar Presentations: