
Thank you. Good afternoon. Hopefully you're all here for my talk, "50 million downloads and all I got was malware". Marvellous. OK, so no one left the room, which is always a good start.

So just a quick, typical "about me". My name is Andrew Pannell; call me Andy, and most other things at work. I work as a penetration tester, hacker, a bit of red team, depending on what you call it, and I work for a company called Pentest Limited. We're based here in Manchester, but I actually work in an office down in London. I'd probably describe myself as a bit of an avid Android user; I've used it since 2008. I actually queued up, like the Apple fanboys do, in Newcastle in 2008 to get the first HTC phone, the first Android phone, the G1. I don't know if anyone else had one, but it was pretty awful, to the point where as you type commands in it actually passes them to a terminal, and my friend told me to type rm -rf and my phone shut down.

So I don't recognise many of your faces, and you probably don't recognise mine, but you may recognise my name. I started the work that I'm talking about today about six months ago. I started a research piece on an application, Flash Keyboard, and it started getting picked up. It got picked up first by a website called Softpedia, and then the next day it was the most read article on The Register, and it stayed there for about two days. Then about a week later I spoke to the BBC and I was on BBC Click, the worldwide service, talking about this exact piece of research, which I'm going to be sharing with you today.

So I'm going to mention that I'm talking about an application called Flash Keyboard, and the whole point of Android is that you can customise a keyboard. I don't know if anyone here has installed Flash
Keyboard? No? OK, cool, again a good start. So on Android, almost since the inception of Android, you've been able to put custom keyboards on there, whether you want a custom coloured keyboard or whether you want a better prediction engine. I think Apple have kind of started to adopt this approach, but it's always been native to Android almost from the very start, and essentially it's just to make the user experience a little bit better, a little bit nicer, and change the way that you're using your device.

So as I was going through preparing this talk, the first thing I thought is I'll show you the description from Google Play when you download Flash Keyboard. I don't expect you to read all of it, but there's a couple of funny points that certainly interested me. The first thing is that Flash Keyboard values your privacy and they don't collect any of your personal data without your explicit permission, and whilst I'm talking I want you to have that in the back of your head. The other thing that they mention, which I thought was quite funny, is "rest assured, you can use Flash Keyboard safely", and that little smiley face at the end makes me think: are they being sarcastic, or is that some kind of weird sense of irony that's going on?

So just to give you guys an idea, if you've not seen Android and Flash Keyboard, the idea is that you customise a keyboard. You can have a pretty daffodil, or whatever kind of flower that is; you can have an England flag to show your nationalism; or, like the internet, you can also have a picture of a cat, because everyone loves cats, right?

So I got started by looking at Flash Keyboard. I'd been using the normal keyboard that came with Android, I got a bit bored of it, it was a bit laggy, and I thought I want to try something different, something that's going to be a bit quicker, a bit better, and just change the way that I use my device. I looked through the start section on the web store and I found that Flash Keyboard was the 11th most downloaded, most popular app, so it was actually downloaded more than Netflix, Spotify and WhatsApp, and yet I'd never heard of it, to the point where it had been installed more than 50 million times, hence the title of my talk. It was developed by a company called DotC United. So I thought, fine, I'll go ahead and try it. It started off as just a user thing where I'll just go ahead and try and use this new keyboard.

So the first thing I did, I went to the Google Play Store and simply typed in "Flash Keyboard". When you go to find Flash Keyboard there's a few different examples there. When you go through and click install, the first thing it does is show you the giant list of permissions that are available to you. So, fine, go ahead and just run through the permissions like I normally do, click accept, as probably everyone's done, yeah, whatever, blah blah blah, click install. I just want to get on with using the app, downloading my keyboard or whatever you want to do, and
I didn't really think too much about it at the time. Then I started thinking back: actually, what is this? This is a keyboard; it shouldn't really need that many permissions. So I started looking back.

If I talk about the way that Android permissions work, I'm going to be talking about Android versions less than 6.0, which I think is codenamed Marshmallow, and that's generally running on around about 85% of devices, so it's the majority of devices as of this month. The Google dashboard gave me this figure, but I'm pretty sure the NSA can also corroborate it. [Laughter] The Android permission system is almost an all-or-nothing type system: you install the application on the device and, prior to Android 6.0, you either accept all those permissions and install the application, or you deny the permissions and you don't use it at all.

So I went through and started looking at each of the individual permissions that the application's using and why, and had a quick look to see whether I could figure out why the application was using each of them.

The first thing it wants to do is read your SMS and MMS messages, and I couldn't really figure out why it wanted to do this. It's a keyboard; why does it want to access this? Even throughout the course of my research I couldn't figure out a genuine reason as to why it needed to do this, and there wasn't any kind of functionality explaining what it was doing with this information.

As I go through the list, I notice it wants to take pictures and use your video camera, and that was kind of fine: the images I mentioned earlier of the cat and the England flag, that's because it wants to be able to customise and show a nice pretty layout for you.

It wants to get your approximate GPS location, and that varies depending on whether it's Wi-Fi it's going to be using to get your location or the actual GPS hardware; if it's hardware it's accurate to around about 1 to 3 metres. Actually, it was being a bit nefarious about what was going on there, and I'll talk about that a little bit later on.

As I keep going through, it wanted to read my contacts; again that was fine. The idea is it's a prediction engine, and if I'm texting John quite a lot it wants to learn the way John's spelt, or if I've got someone with a nickname it wants to learn that nickname so that it can insert it every time it tries to predict.

As I go on, you see there's more and more permissions. They wanted to be able to read the SD card, and again I couldn't really figure out why. There was no reference in the code to ever actually accessing your SD card, and throughout my research I never got an understanding as to why. Maybe it's that if you've got photographs on your device you want to be able to use them as your keyboard background, but that was never used.

It wants to disable your lock screen, and again that was something a bit nefarious and I'll talk about that a little later on. You can see as I'm talking along this is quite a lot of permissions for what is essentially a keyboard application; all it's supposed to be able to do is just type, just make my life a little bit easier and a little bit prettier.

It wants to be able to change network connectivity, and again I couldn't figure out why it wanted to do that. Keep going through the permissions: it wanted to download files without notification, and that was a bit strange. On Android you have a little arrow when you download files that tells you the files are downloading; it wanted to do that in the background, and that could be something I'll talk about later on.

It wants to access your Bluetooth settings, again a big red cross, I'll come to that later on. More and more permissions: it wanted to close other applications, and I couldn't figure out why. Maybe it wants to close antivirus. It was never actually used during my research, but it could be something interesting. It wanted to draw over other applications; again I couldn't figure out why, as this isn't a permission that's needed for any other third-party keyboard. It wanted to modify system settings, again something quite important, and that's something I'll come on to later on.

So I appreciate I've done quite a lot of teasing as to what the application does. The first thing I did is compare this to the Google stock keyboard, the stock keyboard that comes with Android, against Flash Keyboard. Going through the permissions, the stock keyboard asks for 15 permissions, which is about normal for any kind of app; Flash Keyboard asks for 49, three times as many permissions, for essentially what is the same job. So I thought, OK, I'll go ahead and investigate this a little bit more. I don't want to install this; I'll start doing my day job on this app. The first thing I did is set up a proxy and have a
look at the traffic, what's going on. So I get my phone, stick Burp Suite in the middle, and then out to the internet. That just allows me to look at the traffic that the keyboard's sending in clear text, or add a certificate on there to be able to decrypt any kind of SSL traffic. This is what I got: this weird binary nonsense, basically. I couldn't figure out what it was. I tried to carve out a few different file formats; nothing worked. But one interesting thing is the talkingdata.net website: that's a Chinese analytics company. So that got me interested as to what was going on, and I'll come back to that later on.

One of the benefits of working with Android apps is it's pretty trivial to reverse engineer applications. The files are essentially downloaded onto your device part-compiled, and the device goes and compiles it for your specific hardware. So I thought, fine, I can reverse engineer the application back to source code, which isn't quite true. What happens when you reverse engineer an Android application is a bit like going from English to French. You might start off with saying "I'm talking about the Flash Keyboard app", which translates into French as, well, I'm not going to try saying it because I don't speak French, but you kind of get back "I speak of the application of Flash Keyboard". The meaning and the intent is kind of the same; it's not quite the same thing as the source code, but you get an idea of what the developer was trying to do.

So, fine, I reverse engineer the Android application Flash Keyboard and I start looking through the modules, and this is what I got. It actually gives me a hint straight away that it's using gzip to compress the data. So that's fine: I can use gzip, I can carve out that binary data I mentioned earlier, and I can actually see exactly what format they're using.

The other thing that's interesting is that they've hardcoded a couple of details. They've hardcoded the IP address, and bearing in mind that this application's got 50 million downloads, they obviously know they're going to be able to process 50 million pieces of data, at least one per user, so that's some hell of a back end they've got for all this data that's being processed. There's the hardcoded IP and there's the hardcoded URL. So, fine, I can carve out the data that's being sent from the gzip format, I can pull it out and actually have a look at what data is being sent.

The first thing it's doing is pulling through my device manufacturer and model. It's not that critical, but what's interesting is this is all being sent over the air to China. The second thing it's sending out is my IMEI, which is specific to my device, so it's not quite personally identifiable information, it doesn't identify me, but it certainly identifies my device. What is interesting is it sends out my email address. I don't know about you, but I have firstname.surname at my work, so if I'm using a corporate phone it comes through on that, and so that certainly makes it personally identifiable information: it's identifying me and sending that across
to China. It also sends out your GPS coordinates, if you get bored have a look at that location later, but yeah, that's that, and like I mentioned earlier that's 1 to 3 metres of accuracy on the Street View. It also pulls out my mobile network, and that's all being transmitted, and then it also pulls out any details of any hotspot, any VPN or proxy I'm using, which initially might not sound that interesting, but you've actually got quite a lot of information about an individual to be able to perform a targeted attack. That's 50 million users' data going to China, so if they say "I want to get hold of Edward Snowden and Hillary Clinton", they can specifically target that individual, they can pull their GPS location and find out where they are.

The other thing I found interesting was that they started sending information about my Wi-Fi access point address. So they send not only the data I mentioned earlier but the MAC address of my device, the SSID of the access point I was connecting to, and also the MAC address of the Wi-Fi access point I was connecting to, but they also sent those of neighbouring Wi-Fi access points as well. So they're actively scanning, using my device, to look for nearby access points, and they know where they are because they've got my GPS location. I'm not sure about you, but when I go on a pentest I go through quite a bit of work; I have to make sure I've got authorisation. I'm not sure if this is in breach of the Computer Misuse Act in the UK, but they're actively getting information about nearby locations, and when I go on a pentest I have specific guidelines that I have to follow, so I'm not sure how legally that sits.

One other thing I mentioned earlier is that it modifies your lock screen. This is a standard Android lock screen: it tells you the time, it tells you if you've got any recent downloads, and it tells you the charging status of the device. The wonderful thing that Flash Keyboard did is it "improved" it for me and actually made changes to the device, and when I say improved, it definitely didn't improve the application whatsoever. They actually overlaid adverts onto the device, and the only reason I can think that it was doing this was some kind of financial gain. They've distributed the application for free; it cost them money to make the application, so as soon as anyone clicks on that advert maybe they're getting a couple of pennies, and if that's 50 million people clicking on those adverts a few times a day, that's quite a few pennies.

So just to recap what we know about the device, or about Flash Keyboard rather: we know it's been installed by 50 million users on several devices; as we confirmed earlier, we know it takes all of our personal data and sends it across to an analytics server in China; it transmits that data over HTTP, so the IP address and the URL I mentioned earlier don't actually encode that information, it sends it in the clear, so if you're on a Wi-Fi access point like a coffee shop it's pretty trivial for someone to man-in-the-middle it and take all your personal data; and it inserts adverts onto your device.

So when I was thinking about preparing this talk (that's the advert, sorry) I thought about the definition of malware, and I found this from Wikipedia, probably not the best place, but they define it as: "malware, short for malicious software, is any software used to disrupt computer operations, gather sensitive information, gain access to private systems, or display unwanted advertising." We've got two out of four there: we've got the gathering of sensitive information, so it's pulling all of my information, and it's also displaying unwanted advertising. So I can pretty surely say that the application Flash Keyboard is malware. So what do you do with malware?
The first thing I thought: right, OK, I've installed it, I've now used it, I need to uninstall it straight away. Unfortunately it wasn't quite that simple. I went to uninstall the application: "I'm sorry, can't do that". So I had a look as to why. When you uninstall Android applications you simply press uninstall, you get a little warning screen, and it processes through. I'll let the picture speak for itself: it says "can't uninstall this package because the package is an active device administrator". They've actually privilege escalated: they've gone from a standard Android application and they've granted themselves admin access to your device, so they have access to all your applications.

This does have a genuine use case. If you've got a corporate device you want to set a password policy on the device, you want to set a lock screen, you want to make sure that people can only uninstall certain things; you don't want people to just go "no, it's fine, I can just uninstall that and get around it". But what I also mentioned earlier is that it allows for silent updates. So in theory, although the application didn't do this, and I'm not suggesting that they could, or that they did rather, what they could do is push a malicious update which then puts ransomware on your screen, because they've got the ability to lock your screen and change your password and say "actually, unless you pay us some money we won't unlock your device". So who knows what the next update could do. I figured out that that was the system permission earlier that allows it to change the lock screen, and that's the only thing it had, having access to being granted, but it does make it inevitably hard to uninstall.

So I started this research out in February, and I thought, OK, I work for a reputable company, we'll go ahead and disclose this. The first thing I did, in February, was contact the developers and let them know I'd found a problem, and it was just ignored: no response from the developers. So I went ahead and wrote to Google and said, Google, this application's on the Play Store, I've not heard from the developers, I've tried multiple times, can you have a look at this for me? And then the application just disappeared, so I can only assume Google pulled it on the basis that it's in breach of the conditions. About a week after the application disappeared I went ahead and disclosed this information to the press, which is the information I mentioned earlier, and then in June, about a week later, the application returned. Yeah, I know. So it returned in two fashions. The first thing they did is just change themselves to "Flash Keyboard Lite", completely the same code base, just push it out there. The problem with that is, if you're a company and you want the idea of a reputation, you lose the 50 million downloads. So they actually did half fix the problem: they took away all the malicious code but left the permissions, so it would be pretty trivial for them to go ahead and put them back in, run all the malicious code, ignore Google's protections.

So I've just got some things
for you to hopefully think about before you start downloading random Android applications. The first thing is: just because something's popular doesn't always mean it's a good idea, and it's so hard to find a picture where Justin Bieber does not look like Ellen DeGeneres. The next thing is: just because an application is on the Google Play Store does not necessarily mean it's safe and secure. A couple of weeks ago I was looking through and found that there were quite a lot of Android applications disguised as Pokémon Go, and they were all essentially just bundled malware. So read the permissions when you install an application from the Play Store, read what it's looking for, think about the rationale: this is a keyboard, it's only trying to make my life a little bit easier, why is it getting access to all this information? And think before you click the link.

One other thing I would say is that apparently malware does pay. After I did this research, the company which developed Flash Keyboard got $45 million in financing from a Chinese bank. I'll let you think about that as much as you want.

I'd just like to thank you very much for listening today. I am on Twitter, so tweet me, use the BSides Manchester and Flash Keyboard hashtags, and if you've got any questions I'd be happy to answer them. [Applause]

Sure.

[Audience question] Did you know that "Flash Keyboard: Emojis and More" is in the Play Store, and when you click it it's got 50 million downloads, and under its permissions it still has quite a lot of them in there?

Yeah, so it still has the permissions; they've just removed the kind of naughty code behind it, but it would be trivial for them to just put that back in. Yeah, they've only really half fixed the issue.

[Audience question] Sorry, did you get a response from Google?

No, no response from Google, no response from the developers. So I can only assume that Google pulled it because of what I told them. There's certain parts of the Google Play conditions where you don't pretend to do something else, so if you're a keyboard app you don't pretend to add lock screens; you have to clearly define that, and they were in breach of that, amongst the other thing, sending data. That's what Google do, not what Flash Keyboard do; they like data. So yeah, I'm assuming that they just pulled it because of what I told them, but they never came back and said "yeah, that's why we've pulled it".
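The carving step the speaker describes (an opaque binary body seen in the proxy, gzip identified from the decompiled code, the record pulled out and read for IMEI, email, location and Wi-Fi details) as an added example in Python. This is not the speaker's or Pentest Limited's tooling, and the transcript does not show Flash Keyboard's actual wire format: the captured body below, its JSON field names, the IMEI, email address, coordinates and BSSIDs are all constructed for the demo. It scans the body for the gzip magic rather than assuming the member starts at offset 0, which is the usual reason a naive `gzip.decompress` on a proxied body fails.

```python
"""Carve gzip-compressed records out of a captured HTTP body and flag the
fields a tester would treat as personal or device-identifying.
Added example; the payload and field names are constructed, not Flash Keyboard's."""
import gzip
import json
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate

# Constructed sample record, wrapped in a few framing bytes so the gzip member
# does not sit at offset 0 (as a real analytics SDK's body often does not).
SAMPLE_RECORD = {
    "manufacturer": "LGE", "model": "Nexus 5",
    "imei": "356938035643809",                 # constructed value
    "email": "first.surname@example.com",      # constructed value
    "lat": 53.4808, "lon": -2.2426,            # constructed, central Manchester
    "wifi": {
        "bssid": "00:11:22:33:44:55", "ssid": "coffee",
        "neighbours": [{"bssid": "66:77:88:99:aa:bb", "rssi": -71}],
    },
}
SAMPLE_BODY = b"\x00\x01FK" + gzip.compress(json.dumps(SAMPLE_RECORD).encode())

# Key names that, if present in an exfiltrated record, map to a data category.
SENSITIVE_KEYS = {
    "imei": "device identifier",
    "email": "personal identifier",
    "lat": "location", "lon": "location",
    "ssid": "location (Wi-Fi geolocation)",
    "bssid": "location (Wi-Fi geolocation)",
    "neighbours": "location (Wi-Fi geolocation)",
}


def carve_gzip_members(blob: bytes) -> list[bytes]:
    """Return the decompressed bytes of every complete gzip member in blob.

    Each occurrence of the magic is tried; false positives (random bytes that
    happen to look like a header) either raise zlib.error or never reach EOF
    and are skipped, so the scan is safe on arbitrary proxied bodies."""
    members = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip wrapper only
        try:
            data = d.decompress(blob[pos:])
        except zlib.error:
            pos = blob.find(GZIP_MAGIC, pos + 1)
            continue
        if not d.eof:  # truncated or not a real member
            pos = blob.find(GZIP_MAGIC, pos + 1)
            continue
        members.append(data)
        consumed = len(blob) - pos - len(d.unused_data)
        pos = blob.find(GZIP_MAGIC, pos + consumed)  # continue after this member
    return members


def flag_sensitive(record, path: str = "") -> list[tuple[str, str]]:
    """Walk a decoded JSON value and return (dotted path, category) for each
    key in SENSITIVE_KEYS, so nested Wi-Fi scan results are caught too."""
    hits = []
    if isinstance(record, dict):
        for key, value in record.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                hits.append((here, SENSITIVE_KEYS[key]))
            hits.extend(flag_sensitive(value, here))
    elif isinstance(record, list):
        for i, value in enumerate(record):
            hits.extend(flag_sensitive(value, f"{path}[{i}]"))
    return hits


def analyse(body: bytes) -> dict:
    """Carve every gzip member, decode it as JSON and flag sensitive fields."""
    records = [json.loads(m.decode("utf-8")) for m in carve_gzip_members(body)]
    flags = [hit for rec in records for hit in flag_sensitive(rec)]
    return {"records": records, "flags": flags}


if __name__ == "__main__":
    result = analyse(SAMPLE_BODY)
    for rec in result["records"]:
        print(json.dumps(rec, indent=2))
    for path, category in result["flags"]:
        print(f"{path:30s} {category}")
```

The same scan works on a body saved from Burp's message editor; `d.unused_data` is what lets it step over one member to the next when an SDK batches several records into one POST. If the decoded member is not JSON (protobuf or a custom TLV), `carve_gzip_members` still yields the raw bytes for manual inspection.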