Earlier this year, we reported on the Korean threat we identified in collaboration with McAfee Mobile Research. We have now released a technical report describing in detail the Android/BadAccents malware. Furthermore, we also describe a new tapjacking attack (also reported earlier this year) the malware exploited.
The technical report also describes the fix we submitted to the Android Security Team in January this year. Until now (approximately 4 month later), the official AOSP still doesn’t include the fix, meaning likely all Android versions are still vulnerable. Unfortunately, there is no real protection-mechanism for the user against this attack. A general recommendation from our side is the installation of apps from the official app stores and the usage of anti-virus applications (many AV vendors already detect this malware family).
On 17th of march, we organized our first Android Hacking event. Our participants (a mix of students, security researchers, PhD-students and Post-Docs) had to solve various Android-based challenges on different levels of complexity. Each challenge involved reverse-engineering a specific application without access to the app’s source code – similar to what malware analysts need to accomplish in their daily jobs. Inside these apps, passwords needed to be found, key checking algorithms needed to be understood, and hidden functionality had to be discovered. To accomplish this task, the participants were using different analysis techniques including debugging, decompilation, and fuzzing.
The event was not only great fun for both the participants and the organizers, but also allowed us to provide free CodeInspect licenses for the day, to be used and tested on the challenges. We were very satisfied with the feedback we got on the tool – we’re making rapid progress towards a stable product. Stay tuned for commercial CodeInspect offerings. In the meantime, our free beta program is still running.
At almost midnight, the winners of the challenges were finally found: Andreas Wittmann, Max Weller and Daniel Magin scored best. Congratulations from the Android team @ SSE.
In Java 8, Oracle added support for Lambda expressions to the Java programming language and the Java Virtual Machine (JVM). Though Android apps are also written in Java, this however doesn’t automatically make them available to app developers. In fact, it takes some time until Android catches up with newer Java developments.
The build chain for Android is (at least at the moment) built on top of the Java build chain: The normal Java compiler takes Java source files and creates Java class files. These files then serve as inputs to Android’s “dx” tool which finally emits the Dalvik bytecode that can be run on an Android device or emulator. In version 19 of the Android build tools, support for Java 1.7 class files was added – with the usual delay (Java 1.7 came out in July 2011, Android build tools v19 came out in April 2012). Up to now, that was the end of the line. But now, Java 1.8 support might be around the corner.
Our talk about our new Android bytecode analysis framework CodeInspect got accepted at the CARO (Computer Antivirus Research Organization) workshop 2015.
There will be also a demo-table reserved for CodeInspect where we will do some live reverse-engineering.
We are looking forward to an interesting workshop with a lot of interesting discussions.
With the help of our new CodeInspect tool, we – together with the McAfee Research Lab – have identified a new threat campaign currently underway in South Korea;
attempting to exploit the huge media frenzy surrounding the release of the movie ‘The Interview’. Continue reading
We are very happy to announce a new tool in our toolchain: CodeInspect – A Jimple-based Reverse-Engineering framework for Android and Java applications.
Developing an Android application in an IDE is very convenient since features like code completion, “Open Declaration“, renaming variables, searching files etc. help the developer a lot. Especially code-debugging is a very important feature in IDEs. Usually, all those features are available for the source code and not for the bytecode, since they support the developer not a reverse-engineer. Well, but all those features would be be also very helpful for reverse-engineering Android or Java applications. This is the reason why we came up with a new reverse-engineering framework that works on the intermediate representation Jimple and supports all the features above and a lot more. In the following we give a detailed description about CodeInspect and its features. Continue reading
On 7th November, we are presenting our “Denial-of-App Attack” at the SPSM 2014 workshop in Scottsdale, Arizona (USA).
Stephan, Steven and Me have been added to the list of Android Security Acknowledgements:
Thanks Android Security Team!
Max Kolhagen (bachelor student) and Siegfried Rasthofer demonstrate how a malicious application with no permission can be used to read incoming messages from WhatsApps, Hangouts, etc. and even “encrypted” messages sent through Threema, TextSecure or Chadder with ease.
We are happy to announce IccTA, a new tool for tracking data flows between Android components and even between Android applications. IccTA is a joined work together with Li Li, Alexandre Bartel, Jacques Klein, Yves Le Traon from the University of Luxembourg, Damien Octeau and Patrick McDaniel from the Pennsylvania State University, Steven Arzt, Siegfried Rasthofer and Eric Bodden from EC SPRIDE. IccTA is a tool performing static taint analysis for one or multiple Android applications. It leverages Epicc to connect Android components and FlowDroid to model the life-cycles of components and perform the taint analysis.
The taint analysis is performed intra- and inter-components, which improves the precision of the analysis. IccTA outperforms all other available tools (FlowDroid and AppScan) by reaching a precision of 95.0% and a recall of 82.6% on DroidBench.
When analyzing multiple applications, IccTA first merges them into one then performs the analysis.
Almost exactly the same moment, there came up an additional tool call DidFail from the Carnegie Mellon University, which is a similar approach to IccTA.
IccTA and DidFail both rely on Epicc and FlowDroid to find data leaks between components of Android applications. They can both detect intra- and inter-component leaks within a single application or between multiple applications. Even though they leverage the same tools to compute links between components and perform data-flow analysis, the implementations differ in term of precision.
In the following we would like to do a rough comparison of both tools: