
Hi everyone, how are you doing? Nice to see all of you. Seriously, BSides Prague, first edition, amazing, amazing work. Thank you so much Martin Cooper, organization team, everybody, thank you so much, and thank you all for joining me today. All right, let's see if the clicker works. Does it work? It doesn't work. No, it works. Here's my afro, so it works. Hi, my name is Abdullah Joseph. I've been working in security for a bit. Currently I work consulting in tech to enhance their application and cryptography practices. I'm actually going to put a timer so I don't go over time. Nice. All right, so let's do it. So today I have a talk to describe a few things
related to the mobile ad industry. I've been working in it for about 10 years now, something like this. I worked as a developer, so forward engineer, and I've worked as a security researcher, and I worked as a team lead hiring other people in it. I jumped about four companies through it, so I've seen a few publishers, advertisers, advertisement networks, attribution partners, all terms that we're going to introduce today and see how it goes. But there's a quick disclaimer in here, and this is a disclaimer I do in most every talk. I like security research, I like the stuff that I'm doing, I'm very blessed that I was able to reach the position where I
can talk to beautiful people like you and publish wonderful work. But there's a disclaimer: as an offensive person, as a person who is doing offensive security research, I don't want to kick anybody in the balls. There will be some slides in here where I'm talking about some bad practices for some people, and this video will be live, so disclaimer: this is not about me kicking anybody in the balls. This is not about me trying to tell anybody that they're doing a bad job or something like that; that's weak and childish. The responsibility that I'm trying to take here is to educate and have fun in the process, and ideally try to improve the status quo, push
the envelope a little bit further, pay it forward, and not try to make things worse for everybody. The worst outcome for me in this presentation would be that someone actually gets fired or somebody gets really annoyed or gets yelled at. That's not something that I would like to do. So let's talk about some goals for today. I don't think anybody in here is so familiar with the mobile ad space. Is there some, like, does the volume go up a little bit too much while I'm talking, or is it good? Okay, I'll stop. So I have a couple of goals today. I want to introduce you a little bit to the mobile ad space, and I would
like to show you some really weird exhibits that I found through my career. We're going to go through a couple of pieces of history of some published security work that people have taken very seriously and have changed and evolved, and some stuff that I've researched. I do work in the industry, I work in the private sector, I work currently for one employer but I do consult for others, so I'm not going to name any names in this presentation; that's not something that you're going to get out of me. But we're going to see some of their attacks, we're going to see some code snippets, and hopefully we'll all enjoy some
really weird stuff in the offensive scene. So let's talk about some players. We have four, mostly the ones that we actually care about; the others are a little bit secondary. So we have publishers and advertisers. A publisher is a person who creates the mobile apps. It's a person like Snapchat, Facebook, Instagram, Google to an extent, but we're talking about mobile apps. So in here we have those publishers who have those beautiful interstitial video ads or an ad bar or something, what you would call an ad inventory. Those are apps that have ad space; you actually can advertise through them. And we have the advertisers, who is, we're going to give an example
in a minute, but they're basically companies that are trying to advertise their brands. They hope that they can get on the publishers' ad space, ad inventory. So for example if I created a game, I would want everybody on TikTok to know that I have a cool game. I want TikTok to display the ad every single minute, and in that case I am the advertiser, and TikTok is the publisher. Now let's talk about how to make life easier. This is an advertisement network. If I as an app developer go specifically to TikTok, to Facebook, to Instagram (and those are just big names; those are actually the self-attributing networks, a term we're not going to discuss
too deeply), it's hard to go to every single app and try to say, oh please advertise my product, it's really cool. A much easier way would be for you to go to an advertisement network, who are brokers, and they will connect the two dots and they do everything together in a very high-speed market with a six-second number, which is the magic number. That magic number means that when the user clicks on something and then installs it, everything needs to be attributed across every partner. They have this technology, it's really interesting, and there's a lot of advertisement networks for everything you want, from golf ads to porn to games to shoes to whatever it is that you want.
And the advertisement network would actually require the publisher to integrate what's called a network SDK. A network SDK is a library, it's a dependency. In mobile space you actually have the statistic from Google in 2021 that 80% of an app is not written by the developer, it's written by other people, which is really fun. You're trusting 80% of random other people's work to be in an app that's supposed to be consumed by your customer, which is a very interesting thing. We live in a world where nobody wants to rewrite how to do video encoding every time; you just integrate a library. But that comes at a cost, and in our case we have to
integrate network SDKs to make money as publishers. Now let's talk about our fourth and last player, which is the attribution partner. The attribution partner is: okay, you made a game, you have a really cool game, you want to know if the advertisement network is cheating you, giving you Rolex traffic, really good installs, beautiful, beautiful users who will engage with your game, with your product, and they will be faithful users, or they are bots, a curl request that mimics being an install or a click or an impression, because all of those are just HTTP requests, by the way. The attribution partner gives you a beautiful graph where you can see the total revenue, the spend, active users,
everything. You can track everything as an advertiser. You will have faith in this. Most of them, actually all of them from the last time I checked, have some sort of a fraud prevention suite, which means that you can actually integrate it to make sure that the traffic you're getting is real users. There's a big exclamation mark about this real user thing, which we're going to talk about in a bit, but that's what's advertised on the tin can, and that's our four players. Now let's intro my beautiful AI-generated anime picture of a game I call Bunny Fufu. I just gave an intro about you being an advertiser. You are a game
developer, you're an amazing game developer, you actually just created this beautiful game. You used some AI images, you used some AI text, you told ChatGPT please write me the beautiful game in Unity and it gave you this, and you are now the advertiser. You go to an advertisement network and you tell them, I want everybody in the world to play Bunny Fufu. I want 100 million installs by end of today on Google Play, on Amazon store, on Apple, on everything. I want a 100 million installs, make it happen. The advertisement network will tell you, [ __ ] yeah, let's do it, me and you, bro, let's do it, you pay 10K and you can do it. And
then the advertisement network will talk to their publishers. They will use the ad, they will use the real estate code that they have, the network SDK, and they will push your advertisements, whether it is a video, whether it's an ad bar saying Bunny Fufu, to all their publishers. Everybody should install Bunny Fufu. How do you track this as the developer of Bunny Fufu? You integrate an attribution partner, who have beautiful (can I go back?) they will give you slides like this, they will give you a dashboard like this where you can see all the metrics and everything, and you're happy. You're seeing so much money coming from your game, your hard
work. This is amazing. Now let's talk about the bad stuff. Advertiser, you pay the ad network. The ad network takes a cut. You also pay the attribution partner. The attribution partner will show you what the results that they get are, and the advertisement network will pay the publisher. Everybody depends on your money. Now do they really care about you? Do they really, really care about you? Now what's stopping the advertisement network from making a million requests, curl requests, that's it? Why do they need real users? Actually let's take a step further: what's stopping them from making a million requests and sending an event that says they just reached level 10 in your game?
What's stopping them from doing that? And they just got money. They don't need to convert any real users, they don't need to convince them to do it. Let's talk about how this industry works and a few things that I've seen. So let's talk about some previous research. In 2020 there's a company called Snyk; at BSides Dublin in 2021, I believe, Mr Carol FM, if I'm saying his name correctly, amazing security researcher at a company called Snyk, and they discovered a network SDK that is doing extremely weird, convoluted stuff in the users' apps. It's a network SDK, that means that it's a bunch of code installed in the app and it's capable of doing things in the app space,
and it's supposed to be capable of showing the advertisement to the users, but it's doing a little bit more than that. Now I'm not going to spend too much time on this because Carol already gave a fantastic talk, please check it out, BSides Dublin, and they already made a lot of blog articles about it, but I'm just going to use a couple of slides just to illustrate how this thing happened and what happened after 2020, what happened after this big deal, because this is a big deal. We got TechCrunch here, we got ZDNet, we got some Forbes talking about it, Dark Reading, it's a lot of stuff. So how this thing
works: I redacted the pictures, naturally. It's kind of stupid because, like, the names are online, but still I redacted them because 2020 was a long time ago. So the idea behind the capability, the dark malicious capability that this network SDK had, was that they were able to intercept. It wasn't on iOS primarily but Android; they also had a few other weird stuff in it. It was both an Android and an iOS SDK. The iOS SDK specifically had the ability to intercept any URL that is opened from that app. Any time you make any HTTP request, HTTP, HTTPS request coming from that app, they're able to intercept it. Why is that important? What benefit do they get from
that? Well, if there are multiple networks installed in that app, which is a regular practice for anybody trying to make money (you're not going to install one network; you want a network that's focused on golf, a network that's focused on gaming, and you want everybody to display ads in your game because you want more money as a publisher; why would you restrict yourself to only a network that deals with, I don't know, shoes or sneakers? You can integrate more), they were able to intercept any URL going out of the app and send it to their servers. In the advertisement world this basically allowed them to intercept clicks. Any time you click on an
advertisement, they know about it. Why is this an important thing? Because they know about it, they send it to their servers, and they send it to the attribution partner, the dashboard adjudicator that tells you that this network is giving you Rolex money and this network is giving you [ __ ] traffic. They send information to them telling them all those installs came from us, all those clicks came from us, and as I mentioned with the six-second rule, if you are faster than your opponent you will win. They made a lot of money out of this, and this was hidden, this was in the SDK. How did they do it? It was something interesting actually; it was mostly this
block of code, which is really interesting. Obviously it was an obfuscated sample. They used O-LLVM; if anybody here knows, Mr Duncan made a talk about LLVM for reverse engineers, but O-LLVM is a pretty old obfuscator, I think it's 11 years now. It wasn't an incredibly hard obfuscated sample, but they used some obfuscation, which is usually a red flag. Why would a network SDK displaying JavaScript and HTML need to use obfuscation? So that's usually a very big red flag. Now they used a technique called method swizzling. We're not going to get into it for too long, but the idea behind it is that in Objective-C, any time that you're trying to call a
function you do it through a messaging pattern. That's how Objective-C works, and this messaging pattern means you send a message, a string saying please run this function, and you use a function called objc_msgSend. They basically intercepted this base64 string, which translates to UIApplication openURL, and rewrote their own implementation for it. This is allowed in Objective-C space, by the way; it's called metaprogramming. Ruby has it too. I [ __ ] hate Ruby, but they have it. So they were allowed to do something like this, which was interesting because Objective-C allows this. This is just part of how Objective-C works. Swift to an extent allows it, if I'm not mistaken,
but I haven't looked too deeply into it, but I believe they still do something. But it really doesn't matter because there is a much more powerful technique we're going to see in a couple of slides. And they didn't get away with it. They got blocked from a couple of places and got put back, because money, you know; they're a huge network and stuff like that. You can read all about what happened, but you know, that's four years ago, who remembers? Let's talk about some interesting stuff, what happened after 2020, which was really fun. Notoriously, other network SDKs got inspired to do something even more cunning and hawkish than these guys, and we're going to check it out right
now. So let's check exhibit A: remote code execution through JavaScript. I love the word RCE very much, and it's usually a beautiful word, makes everybody's eyes sparkle. It's as good a word as when you say plaintext passwords. It's just so... RCE. Let's talk a little bit about what's a WebView. A WebView, for some of you who don't know it, is basically an embedded browser. You have HTML, CSS and JavaScript, web technology, and you can embed them in a mobile app, which saves a lot of time and space, because most of the time web is older than mobile and you've already maybe had some stuff in web, you have some JavaScript stuff, you can reuse them
in your mobile application. And a WebView, at least that's the term in Android which I'm going to use for both platforms, is just a window that allows you to render this information. All mobile ads in essence are HTML, CSS and JavaScript. They're web technologies, they're nothing more; there's no native connections, there's no native functions in there. The network SDK gets the HTML, which is big, like 20 kilobytes worth of an advertisement. They don't just display an image, they do a lot of things, and this is not even talking about the streaming. They do encoding, they control volume, they connect with sensors to see if you can do a gyroscope
when you play an interstitial video game or something on the toilet, sitting taking a crap and playing the video game. They do a lot of stuff. They stream 1080p videos, they listen to touch events, they do a lot of things, and all of this is JavaScript, CSS and HTML. That's not even talking about the resources that they're using, the images, the videos and the audio files that they include. This is just text. It's a lot. So this was just an example of running a random app for like 10 minutes, and they just downloaded all those HTML for me to render and use, and we're going to talk about how the RCE works through that.
So, yeah, this can never go wrong: you can control sensors through JavaScript, yay. Okay, so let's talk about this beautiful thing. This was a very interesting find when I found it. So inside the network SDK there's some JavaScript bridge code. So the network SDK is here, the JavaScript that they get from their servers is here, and there's some bridge code in here that understands the stuff that JavaScript needs, understands the stuff that the advertisement needs to do, and it executes it in the app. This is just how the native communication between JavaScript and native code works. All of this is in the network SDK, and there is this
beautiful method called "call method". It's in JavaScript and it specifies a URI scheme, a URI scheme that starts with mv:// and then it includes something called... by the way, this was heavily obfuscated; I used a tool called illuminatejs to be able to deobfuscate it. It's pretty good. I'm not a JS person, so that was actually a very easy thing for me to do, which is very good. It has method and parameters, and they include everything together like this, and then to do something the advertisement can call this. If you have an advertisement that just has any URL scheme that starts with mv:// and some stuff, it will do something. What
does it do? Let's check it out. So this is the native code in Objective-C in the network SDK. This is the decompiled version, so you're going to see extremely ugly code in here. This is decompiled, my apologies. And the mv:// is being handled by this function called process XXX request, and if you see in here, it just does some processing, blah blah blah, and then it calls this beautiful method called JS call native with method name. There is no I, that's why I did the intonation. So what does this JS call native with method name do? Exactly as you expect: call any function in the app. No
restriction, none. You can call any function in the app through serving a JavaScript ad that starts with mv:// and you specify the name of the function that you want to call. Nothing to do with the network SDK; you can call any function in the app, anything: get IBAN number, send $10,000 to that person, whatever it is that you want. This is a simple blob that I just created and it works, and if you just specify their own custom base64 encoding (they don't use the same base64 that you expect that they're using; it's obfuscation), my app dot UI controller, this is something that I've written. If you serve this through a JavaScript ad
you will invoke that function beautifully. All you need is just, like, how many lines is this, like three, six, seven lines with formatting, to run an RCE, to actually run code through JavaScript. It was beautiful, and this is still live most probably in 90% of your phones. But how do they know which function to call? Yes, they can reverse the app, they can hire a person like one of you to reverse the app, the target app that they're really interested in attacking, but they had an easier method, at least that's one of the methods that I've seen. They had a method to get the class hierarchy. They get every single
method in the app that can be called, put it into a nice string and send it to themselves. How do I know this? Because they're using those beautiful two functions, NSStringFromClass and the extremely weird class_getSuperclass. They call this iteratively through this while loop and they basically collect every single function that is in the app that can be called through Objective-C and they send it to themselves, and through that they will be able to know which function you would want to know. Obviously this is interesting, but when you have a network SDK that's supposed to serve JavaScript and CSS, HTML, and you see that they have RCE and
debugger capabilities, you start getting a little bit scared. There are some stuff that you see in the wild that just doesn't make any sense, and I believe obfuscation is the first sign: when you see obfuscated code you usually don't think of them as defenders trying to defend their castle but malware trying to hide from reversers. That's at least my first thought. So that's exhibit A. Now let's talk about exhibit B, and I have this and one more and then I thank you so much for your attention. So, symbol remapping. So this function code, not great C code, but it's code and it does something very simple. It just opens up a
file which is taken as a CLI argument. Actually, I believe this was a mistake, it should be argv[1]; argv[0] will just point to the current executing program. Doesn't matter. So, simple C program: it reads the first four bytes of a file and prints them to the screen. Super easy program. Now there are four library methods, four libc methods: there is open, printf, read and close. And my question to you right now, and please answer: can you redefine what those functions do at runtime? Anybody? Yes? Is this possible? I got a couple of yes, a couple of no. You can totally, beautifully, because we can do everything, because mprotect
lets us rewrite memory-mapped memory pages, and you can do anything that you want. You can make those things run Bunny Fufu, printf a million times, however it is that you want, advertisement for our product. So this is how you would do redefining of the symbols of those libc functions. This is just one way of doing it, which is you call a function called rebind_symbols from a library we'll check in a second, and you basically put in your own implementation. There's many other ways that you can do it: you can do an LD_PRELOAD trick, if anybody knows that name, where you basically put in your own implementation of libc. You can do anything, you can do a
lot of stuff, it's really fun. It's actually really fun to play with runtime hooking, and the library that is really good at doing this is called Facebook fishhook, a pretty [ __ ] old library, and it's got like 10K stars. It's basically a simple header file that you include and you're able to call all this stuff. It's really interesting because it deals specifically with Mach-O binaries, with macOS and iOS binaries specifically, and it's really good at... it basically uses mprotect and a couple of friends to rewrite the auth-const and data-const sections, which is where the symbols for libc would be located, and you can rewrite them to do anything that you
want at runtime. At runtime, no Frida, no execution, nothing; you just put this crap here and you just do this, and it's just really fun. And like, obviously no network SDK would ever find the need to rewrite libc functions, right? That doesn't exist. Why would a network SDK displaying JavaScript do... yes they do. Yes they do. It looks like this. They stole an unmerged PR from Facebook fishhook, put it into their SDK. Obviously they didn't respect licensing, because why would you; it was GPL licensed, by the way. And they put it in here, and you can see the mprotect calls. This is the same [ __ ] blob that is
existing in Facebook fishhook. That's the same thing. They can do memory remapping. What does that mean, what does memory remapping mean, what does symbol remapping mean? It means that they can remap any function, core function. Forget about the Objective-C messaging pattern; any libc function, they can remap it. Now imagine how beautiful is that: you can rewrite open calls, close calls, printf. You can rewrite objc_msgSend, which means you have access to everything Objective-C will give you. If you're running an app on Swift you have access to the functions for Swift and you can remap what those do. You can say, easily execute the function, but how about you send me a little
signal to tell me that this function was executed. Very simple, very easy actually. There wasn't so much time in the talk to include this, but there was one of the network SDKs I found, they had two really interesting things. There is no slide for this, but I just want to mention it. They had their own HTTP stack. So in Android if you use HTTP you're going to use the OkHttp stack, and they had their own TCP socket, encrypted TCP sockets implementation. So they basically had userland TCP talking through that, all in an SDK, in a Java SDK, talking to their
own servers, and they had an HTTP stack that didn't respect environment variables for injecting your own certificates, so it doesn't allow man-in-the-middle attacks unless you've actually looked into it. It's a network SDK that you can't hook any man-in-the-middle attacks to, and they use their own TCP stack. Beautiful. This is really nice; that means that effectively, with some obfuscation, they can send any traffic they want from the app without you as an analyst knowing about it, because honestly mobile reverse engineering is not old, it's new, and most of the tools are written open source by people doing it as their side job. It's not as
sophisticated as Windows reverse engineering; it takes time for people to learn this stuff. So they got away with it. They got away with it very easily. So that was interesting. So in the case of our network SDK with the RCE capabilities, they had RCE capabilities, they can dump every single method in the app however they want through a JavaScript ad, and they were able to remap any function that they want through calling this function. And this is, again, meant for a network SDK meant to display images, videos, play a 5-second video for you to engage with it and press a button, and that's it. It was really bizarre when you see that this stuff,
extremely sophisticated tech, low-level [ __ ], is used in this context. It's beautiful. Now let's talk about the last thing on this. Going to be quick, actually I do have time, I got like 15 minutes left. Now we have an obfuscation race. Now, we talked about network SDKs doing the funky twice, RCE one time, and we talked about symbol remapping. Now let's talk about what you would call the defenders in this space. So who are the defenders in the space that we anointed as the adjudicators that understand and try to help and prevent bad things from happening to the advertisers? They are attribution partners. They are the platforms that try to support and help
and make sure that everything is clean, and you as an advertiser see real good data. You don't see bot data, you don't see emulator data, you see real users that like your game and want to play with it. That's what we want; those are attribution partners. Now this is mitmproxy. It's an intercepted request from one of the attribution partners, and the idea behind it is that this is what you would call an install request, which is a term known in the industry: when your app first launches ever, you just installed the app, you open the app, that app would send an install request, and that install request will be sent to the attribution partner
informing them an install just occurred, and it will tell it with a few device information. You got, like, the advertiser would want to know for example what's your device, Android, iOS, what's your operating system, your build version, device width, height, so that they can optimize their campaigns for you, language, locale, a few other legal device information. All of this is pretty good, and this is how it looks like, and obviously this is obfuscated, encrypted, encoded, pick your word. We don't know what it is, but obviously it's not JSON, and we don't know that yet. It's what you would call obfuscated; we don't know what's happening with it. We need to
analyze it a little bit. As I said here, it helps publishers and advertisers understand their customer base, and it also provides payouts. How does the advertisement network know that a user has just installed a new app, that we just got a new user who installed the app? Through a curl request, through a curl request that will include a token that will say, ah, there's this publisher, they installed your app, they're an amazing publisher, we love them and the user is going to engage forever and ever, it's amazing. And this is how they get their payout. To repeat, they get their payout through a curl request, so an HTTP request, which is very
interesting. Now you can see it's obfuscated to deter hackers from making a quick payout. Obviously as an attacker, I don't want to give you a playbook, but you can for example run a curl request, you can make yourself into a publisher and say I gave this advertiser a million installs, and you basically just ran a million curl requests, and that is possible. Obviously each attribution partner has their own fraud prevention suite, yada yada yada, but we're looking at this guy right now, and most importantly, how good is their obfuscation? Because there is a pretty controversial feel about security through obscurity, and it depends on how you decide to tackle it. In my opinion it is really hard to
reverse a well-obfuscated binary. It's really goddamn hard, it's not fun, it requires a very high level of neuroticism, I would say, and I don't subscribe to that, and it's just really hard. So the what-the-[ __ ]s per second increase from zero to here, so it doesn't make me happy. So reversing an obfuscated binary is just not fun, especially when it's obfuscated with, like, virtualization, or you forked your own LLVM and started doing some funky stuff with it. It's not fun. But how good is their obfuscation? Here is a decompiled AES encryption function,
AES cipher that they used, and as you can see they used the ultra-powerful 16-byte constant zero vector as their IV. You might call it the salt. It is constant, never changing, never has changed in any version of the SDK, and the key is the name of the
app. Amazing. And again, I did make a disclaimer that I'm not kicking anybody in the balls, because this is not my intention in here, but it's also my intention to point out this stuff so that we can learn, push it forward, try to maybe figure out something better. And here's a hashing function from another attribution SDK. Now this hashing function is supposed to make sure that all requests are tamper-proof. This is something that the attacker shouldn't know, shouldn't have access to. It's a SHA-1 of the first seven characters of the app ID, which is the name of the app, how much memory do you have in your hardware, and the timestamp, and if you SHA-1
that together, that's supposed to be an ultra tamper-proof watermark that will deter any attacker from ever replicating these requests and not being able to understand anything. Obviously I'm being sarcastic; this is trash. But the thing is, it's not easy to come up with a system that is proof. It's really not, and this might be a little bit not the best approach, but honestly it's not easy being a defender at all, as I mentioned. And here it's like sending the key with the locked box. But as I mentioned maybe four times right now, defenders spend a lot of time doing things that have nothing to do with this, and a joker with a stupid computer
like me coming and telling them, kicking this, and it's like, break, break it, fix your [ __ ], is not going to be super helpful because they have other priorities. They need to run [ __ ] on CI; an attribution SDK is supposed to run on every single hardware successfully, do scheduling; they have to attend meetings to take care of integrating other partners that have nothing to do with security, while the attackers have one job. It's a really, really hard arms race, and to be honest the odds are stacked. And it's not my purpose right now to give a solution, because, well, a complicated problem requires a complicated solution, but I just wanted
to showcase how this works right now, how most of the industry works right now, with extremely few exceptions. And I come to the conclusion, and the conclusion is going to be basically talking about Miss Michelle Bonan, if I'm saying her name right, which, I actually liked the new movie, I really liked it. The advertisement industry, the mobile ad space, reminds me a little bit of this. It's a bit like walking through Alice in Wonderland. It's psychedelic, it's weird. Network SDKs supposed to display HTML are doing symbol remapping for libc functions, and JavaScript ads that are supposed to engage with users are doing RCE with debugger capabilities, and what else? We have attribution partners trying to defend
with poor man's techniques relating to hashing, and package names used as keys for ciphers with a zero null vector, 16 bytes. Feels weird. And to be honest, I don't think I've said the word user even once in this talk, because you don't matter at all, none of you. Nobody cares about you. It's all about getting the advertiser's money, running on your devices doing things that you most probably don't know about, unbeknownst to you, and that's how it goes. And to be honest, as I said, all of those people have jobs, they have nine-to-fives, they're doing their best to try to do things while attackers try to basically break stuff, and again, they break it for like what, three
hours, and they have to implement a solution to make [ __ ] automated and work. Like the network SDK people, yeah, they're doing dark stuff, but honestly if they paid... I can point a finger in here, but if they paid enough money to someone, what do you do? Don't answer that question. But it's a gray world, it's really weird, and it just reminds me of a really fun quote in here, which is like when Alice met the Red Queen, which is really portrayed nicely in the movie. When she met the Red Queen, she said, oh, in our country you generally get somewhere if you run
very fast, and then the Red Queen was like, ah, it's a really slow country where I come from; you need to do all the running just to stay in the same place. Which is really fun because I believe the status quo now is that everybody is enjoying all of this, and there's a lot more dark stuff and they're enjoying it. And what's the solution? As I said, I'm not here to talk about solutions, I'm just here to show you a few things. Thank you so much, this is my talk, I really appreciate your attention. [Applause] I think I finished in good time, right? So do we have any questions in the
audience? You can always find me outside. I'm going to be in the after party, ideally getting stoned. Is it legal in Prague? No? Okay, ignore that. Am I still being recorded? [Laughter] Holy crap. Oh, thank you so much.
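As an added example (not code from the talk or from any attribution SDK), the Python below contrasts the unkeyed "tamper-proof" SHA-1 watermark described for the second attribution SDK (first seven characters of the app ID, device memory, timestamp) with a keyed HMAC tag over the same fields. The field names, sample values and the out-of-band secret are constructed assumptions for illustration.

```python
"""Why an unkeyed SHA-1 "watermark" is not tamper-proof, and what a keyed tag changes.

Added example; not code from the talk or from any SDK. The request fields,
sample values and the secret-provisioning model are constructed assumptions.
"""
import hashlib
import hmac
import secrets


def legacy_watermark(app_id: str, hw_mem_mb: int, ts: int) -> str:
    """Reproduces the scheme described in the talk: SHA-1 over the first seven
    characters of the app id, the device memory and the timestamp, concatenated
    with no key and no delimiters. Every input is visible in the request itself,
    so anyone who sees a request can compute a matching tag."""
    material = app_id[:7] + str(hw_mem_mb) + str(ts)
    return hashlib.sha1(material.encode()).hexdigest()


def legacy_verify(app_id: str, hw_mem_mb: int, ts: int, tag: str) -> bool:
    """Server-side check for the legacy scheme: recompute and compare."""
    return hmac.compare_digest(legacy_watermark(app_id, hw_mem_mb, ts), tag)


def _canonical(fields: dict) -> bytes:
    """Length-prefixed, key-sorted encoding so that two different field sets can
    never serialise to the same bytes (the bare concatenation above can)."""
    out = bytearray()
    for key in sorted(fields):
        for part in (key, str(fields[key])):
            data = part.encode()
            out += len(data).to_bytes(4, "big") + data
    return bytes(out)


def keyed_tag(secret: bytes, fields: dict) -> str:
    """HMAC-SHA256 over the canonical encoding. Without `secret` the tag cannot
    be recomputed, so an edited field or a made-up request is detected."""
    return hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()


def keyed_verify(secret: bytes, fields: dict, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(secret, fields), tag)


def demo() -> dict:
    """Runs both schemes against a constructed install request and returns the
    observations a reviewer of such a scheme would want to check."""
    # Constructed sample request (hypothetical app id, not a real SDK payload).
    app_id, hw_mem_mb, ts = "com.example.bunnyfufu", 4096, 1700000000
    request = {"app_id": app_id, "hw_mem_mb": hw_mem_mb, "ts": ts}

    # Legacy: the verifier cannot tell a genuine request from one whose memory
    # field was edited in transit, because the tag is a function of public data.
    tampered = dict(request, hw_mem_mb=8192)
    legacy_accepts_tampered = legacy_verify(
        tampered["app_id"], tampered["hw_mem_mb"], tampered["ts"],
        legacy_watermark(tampered["app_id"], tampered["hw_mem_mb"], tampered["ts"]),
    )
    # Legacy: no delimiters, so (mem=12, ts=3) and (mem=1, ts=23) hash identically.
    legacy_collides = legacy_watermark("abcdefg", 12, 3) == legacy_watermark("abcdefg", 1, 23)

    # Keyed: the verifier holds `secret`, assumed to be provisioned out of band
    # (e.g. per device at registration). This deployment model is an assumption.
    secret = secrets.token_bytes(32)
    genuine = keyed_tag(secret, request)
    keyed_accepts_genuine = keyed_verify(secret, request, genuine)
    # The same field edit now fails: the old tag no longer matches ...
    keyed_accepts_tampered = keyed_verify(secret, tampered, genuine)
    # ... and a tag computed with a guessed key is rejected.
    forged = keyed_tag(b"wrong-key", tampered)
    keyed_accepts_forged = keyed_verify(secret, tampered, forged)
    keyed_collides = (keyed_tag(secret, {"a": "12", "b": "3"})
                      == keyed_tag(secret, {"a": "1", "b": "23"}))

    return {
        "legacy_accepts_tampered": legacy_accepts_tampered,  # True
        "legacy_collides": legacy_collides,                  # True
        "keyed_accepts_genuine": keyed_accepts_genuine,      # True
        "keyed_accepts_tampered": keyed_accepts_tampered,    # False
        "keyed_accepts_forged": keyed_accepts_forged,        # False
        "keyed_collides": keyed_collides,                    # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A secret held inside the app is still extractable by anyone who reverses it, so the keyed tag only binds a request to the device the secret was issued to; it does not by itself prove a real user, which is the harder problem the talk leaves open.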