A joint project with McAfee (Intel Security) revealed very interesting insights into current Android malware, in particular into its Command and Control communications. We will be presenting our results at the VirusBulletin 2015 conference. We are also planning to publish a blog post with more concrete information, but if you are at the VirusBulletin conference, feel free to join our talk on Thursday 1 October 09:00 – 09:30.
Title: We know what you did this summer: Android banking trojan exposing its sins in the cloud
Backend-as-a-Service (BaaS) solutions are a very convenient way for developers to connect their apps to cloud storage. There are different BaaS solutions on the market, offered by various vendors such as Amazon, Google and Facebook. All of them provide simple APIs for common tasks such as managing database records or files. Adding a few library classes and writing three or four lines of code is sufficient to integrate cloud storage into an app.
While such solutions are usually created for well-intentioned developers, we have very recently spotted two Android malware families that make use of a BaaS solution as well, Facebook’s in this case. Using Facebook’s BaaS solution, the malware stores stolen data, delivers commands that are executed remotely on the infected device, and performs SMS banking fraud.
However, the malware authors are apparently unaware of how to set up a BaaS solution securely, which made it easy for us to obtain access to all the data they store. This gave interesting insights into their C&C communication protocol and into all the sensitive data they stole, including requests for the current balance of credit cards associated with the device and attempts to perform payments and fraudulent transfers of funds via SMS messages during June and July 2015. To extract the necessary data from malicious applications, we developed an automatic exploit generator that extracts credentials from the app, even if they are obfuscated, and provides access to the respective BaaS backend.