
Okay, so you've probably had a lot of time to read the screen. This will be an introduction to Android stalkerware, and my name is Jess. Contrary to my... it's Jess, not Jessica. So yeah, just a quick "Who am I?": I'm a fourth year at a university in Dundee, on their ethical hacking program up there, if you've not heard of that, and I'm gonna be the 2019-2020 president of our society as well. I'm quite into Android malware analysis. I basically didn't like the Android platform and people kept asking me why, so now suddenly Android has become my thing, so to speak, and I don't quite know how that's happened, but we're
gonna go with it. So just a quick disclaimer here: the apps that I'm gonna talk about and some of the sites have been obfuscated. I don't want to advertise any of these products, as some of them are live, and during the analysis I did find some security vulnerabilities in there which could endanger the privacy of the victims, and as you can imagine this is quite a touchy subject. So just a quick overview of what we're going to be talking about: we're going to start with a wee background to the subject and then go on to a little "what is", and then some functionality, some legality and some countermeasures. So some people might be asking, why is this specifically
Android and not iOS based? Android makes up over 85% of the mobile market, so I targeted this analysis towards Android. So this is just a few tools that I used. We've got MARA up there, which is the mobile analysis and reverse engineering framework, so it puts together a lot of commonly used tools into one easily accessible kind of bundle. It's on GitHub, it's open source, it's got some APK deobfuscation in there, some APK analysis, security analysis, and you can also do some analysis of the manifest file as well. We've got Trueseeing. Trueseeing's a vulnerability scanner for Android applications and it puts all the findings into a HTML document, so
really easy to use. Again, DroidBox is a dynamic analysis tool as well, and we've got VirusTotal up there and some Hybrid Analysis as well. So what is stalkerware? So, the long and short is stalkerware is consumer-based spyware, and it offers accessible, more often than not low-cost solutions to monitor loved ones. It targets the kind of darkest areas of human nature and makes some profit off of that, and it usually comes under kind of three categories, so usually it'll be branded towards spouses, children and employees. So we've just got some example branding up on the board there. So as you can see, you've got your parental control for your children, your
employee monitoring and your catching your cheating spouse. So, functionality. These applications, they tend to consist of two applications: the attacker and the victim. So the attacker requires physical access to the phone and they install an application, and on installation that application is then hidden as they call a system service, so it doesn't appear anywhere, it's basically invisible to the naked eye. And they operate through using highly, highly invasive permissions, and they compromise session integrity using privilege escalation. And of the applications that I've analyzed, I've found that they very much lack any secure transmission of data, so we're lacking TLS on that front as well. So the installation, as you can see there,
and this is a screenshot, as you can see, again I've obfuscated it because I don't want to reveal what application it's from, but you have got the lack of the SSL certificates; also you're lacking your TLS connection. But there, that appears to be the function that's linking the victim's device to their attacker's tracking application. So as you can imagine, over there you've got some secure data that you don't want to be leaked. So for one, you don't want to be using these applications anyway, but to be using them and then to be forfeiting that data, and to be just having it submit in plaintext, kind of
again increases the risk of using them. So this is just a few of the permissions that I found to be probably the most highly, highly invasive. Some of the applications that were analyzed, they had over forty permissions; they were taking between 40 and 50 permissions, that's not uncommon. So you can see the scale of a problem that we're dealing with. You have applications that are able to record your audio, you have applications that can access your camera, you have applications that can see both your exact and your rough GPS location. If that gets into the wrong hands, this data, you can see that the war on terror on
time massive problem here. So following on from this, we've got the legality of these applications. These are in the open, these are easy to download online, they're very accessible, again they're low cost, and during 2018 Ross Cairns was convicted of stalking charges in regard to his use of these stalking apps on his partner's devices, and he was convicted of stalking charges. So these apps are being used in real-life trials. And of the applications that were used, they all contain disclaimers basically saying that when using these applications you're using them at your own... well, you're using them in regard to the legislation in your geographical area. So as you can see, the legality that I've
looked at is obviously the United Kingdom. So we've got Protection from Harassment, and there you've got, you can interfere with any person's property, and by installing these applications you're taking someone's physical device, you're unlocking it, whether it's got a PIN code or not, you're gaining access to that, and you've then interfered with that property. Further, by installing the application you've also got your Computer Misuse Act, and you've got unauthorized access, which would be your first claim, and your second claim would be your unauthorized access to commit a further crime. So, some countermeasures. We must do better surrounding this subject. There has been lots done to raise awareness, and some of you might have seen keynes talk earlier, he
touched on this as well, but we must do better. I'm sure we're surrounded by security professionals here, but it's very common for us to share our PIN codes or passwords with a partner. That's maybe, for us, that's not normal, but for other people that has seemed to be very normal. So we must encourage people and tell them that there's no point in having a PIN code on your phone if you're gonna tell it to 20 people. There's no... despite the fact that's your partner, you've got to keep that to yourself, and that's the best that you can do. But we've got other solutions as well, because obviously that's not a one-size-fits-all, and
Google announced this year that as part of their Q operating system they've got plans to introduce a new security feature under their settings, so a user can go in and they can see which application has specific permissions, and they'll be flagged if they're seen to be invasive, and you can automatically just go into that and download it, well, unload it, as opposed to sitting there and going through your applications or trying to find a hidden service that's on your phone; you're gonna be a bit stuck. And so that's definitely Google in the right mind, and they're going about that. And we've also got antivirus companies, and Kaspersky
have recently started blacklisting your stalkerware, and they display an unmistakable privacy alert if they deem something to be invasive. And again, this isn't a one-size-fits-all. During analysis we found that certificates were being reused, so these companies, they're releasing an application, it might get pulled down by an antivirus company, it might get flagged up, and they just release another one. They'll reuse their certificates, and you can see it's the same companies that are doing it over and over and over again. It's a problem, but in flagging it we've just got to make sure that, as security professionals as well, we're raising this; if we see this, we bring it up and we challenge it, right?
But yeah, this was, I know it was quite a quick whistle-stop tour, but has anyone got any questions?

Yeah, you need a separate user set up so that your kid or your wife could use the device under a separate profile, and then it can go straight into kid mode, and then when you're watching Ben and Holly then it's all in a secure version of the... rather than having it on a separate one for your, using it for InfoSec purposes or whatever.

Yeah, yeah.

Tell me that's the best way to solve, or one of a better way to solve the problem, than sharing the PIN code or sharing the pattern on the screen.

Yeah, yeah, totally,
we need to make sure that people are aware of the different options that you have to protect your children, to protect your loved ones, to make sure that you can shelter them, because like you said, lots of companies have got children modes and they've got options available that make sure that this is there. But what this problem is, is people who are installing applications on their children's devices too, it is not necessarily but it is to find them, but I think these companies are very aware of the branding that they use. They target parents and they hit them right in the heart, and they say, "I want you to install this because
this is the only thing that's going to protect your child." And you're right, we do have other options out there, but right now people are looking towards this, and it's a problem because you're then looking at very secure data, such as your children, your loved ones, people who could be potentially in abusive relationships; that information could get leaked. So although you do have those children options and specific applications, we're looking at a whole-device kind of setting, and we're looking at these applications that brand themselves to parents as a one-shoe-fits-all solution.

Thank you first of all for doing this talk, it's really important and it's brilliantly fit, so well done.
The question I had was, you mentioned sort of whistleblowing and calling things out, and kind of how would you, apart from that, which is obviously a major part of that, you know, make one we're kind of part of organizations that creating products like this or enabling it, how else could we as a security sector, do you think, improve on this? Because, you know, I work within schools as well, so, you know, the amount of our pact and things I see, so it's a real issue like you say. So how could we do this and advise people more? Got any ideas on that?

I think it's a societal problem. We need to take
on that burden, I think, mostly. I think it comes down to education, but again it's down to your providers, it's down to your operating systems; they need to be flagging, and we need to be ensuring that these applications, they're put into VirusTotal, they're put into blacklists, and that people are aware of them and people are aware that they are a problem. Because quite often people will install this, and whether it's a parent, whether it's a partner, although they might be misguided, sometimes the intentions are there, but they just don't realize the threat that is posed. And so I don't know how much that answers your question, but I think it's a difficult
answer to give, because I think it starts with the basics of education and then just see where we go from there.

One last question.

Thanks for your presentation, it's excellent. You purposefully obfuscated the names and product names, which I understand, but do you have a feel for how many different apps are out there that perform this kind of a function?

I have personally looked in depth into probably about 15 to 20, but I know that's just to start with. The problem, they're everywhere; if you go out to find them, you'll find them. So I've got 15 to 20 that I've looked in depth into, but that problem is not just stopping there; we've got probably in the region of a
few fold plus that. But again, in this country we are quite lucky, because a lot of these applications, they might be available in different countries, they're available worldwide, and they brand themselves differently accordingly. And so yeah, again, it's not probably the answer that you wanted, but put it this way, it's a problem that's on a large scale.

Thank you.

You're welcome. Thank you, everyone.