
Android Malware Adventures

BSides Athens 2020 · Published 2020-06
About this talk
Explores techniques for analyzing Android malware found on Google Play Store, with focus on samples targeting Turkey. Covers malware analysis methods, defeating anti-analysis protections using Frida, extracting indicators of compromise from encrypted samples, and dismantling command-and-control infrastructure through rapid data extraction.
Abstract: Android malware is evolving every day and it is everywhere, even in the Google Play Store. Malware developers have found ways to bypass Google's Bouncer as well as antivirus solutions, and many alternative techniques to operate the way Windows malware does. Using a benign-looking application as a dropper is just one of them. This talk is about Android malware on the Google Play Store that targets Turkey. The talk covers:

1. Techniques to analyze samples: Unencrypted samples are often used to harvest personal information for sale and have no obfuscation. Encrypted samples, however, are used for more sophisticated tasks such as stealing banking information. They decrypt themselves by fetching the key from a Twitter account owned by the malware developer and operate by communicating with the C&C. Most banking samples also use techniques such as screen injection and dependency injection, the latter mostly used by legitimate Android application developers.
2. Bypassing anti-* techniques: To analyze a sample dynamically, its anti-* techniques often need to be defeated. We will introduce some (known) Frida scripts that defeat the common anti-* checks malware uses.
3. Extracting IoCs: Extracting the Twitter account as well as the C&C from encrypted samples is often critical for performing threat intelligence over samples. Extracting IoCs while the assets are still active was crucial for our research, since we also aim to take over C&Cs. We will introduce a (known) automation technique to extract the Twitter account, decryption key and C&C address.
4. Extracting stolen information from C&Cs: To extract information from a C&C, one has to act swiftly; the speed of the extraction process is critical because the actors change C&Cs often. We will give a detailed walkthrough of how we approach C&Cs as a target and extract the information.

The samples and information in the talk are the product of our research over many BankBot samples as well as samples from other Turkish malware developer actors.

Bio: Mert Can Coşkuner is a Security Engineer at Trendyol. He maintains a penetration testing and malware analysis blog at medium.com/@mcoskuner. In his free time Mert Can performs mobile malware research and threat intelligence.

Bio: Kürşat Oğuzhan Akıncı is a Cyber Security Engineer at Trendyol. He is also a team leader of Blackbox Cyber Security, which is Turkey's first cyber security volunteer group, and a coordinator and mentor of Turkcell CyberCamp and Turkish Airlines CyberTakeOff. In his free time Kürşat performs bug bounty research and helps Mert Can break into C2s.

Security BSides Athens 2020. Security BSides is a community-driven framework for building events by and for information security community members. These events are already happening in major cities all over the world. We are responsible for organizing an independent Security BSides-approved event for Athens, Greece. More: https://www.bsidesath.gr. Follow on Twitter: @BSidesAth