
How an Android Application Can Drain Your Wallet

BSides Lisbon · 2022 · 41:28 · 339 views · Published 2022-12
About this talk
Toll fraud malware uses WAP billing mechanisms to silently subscribe users to paid services, generating billions in annual revenue and evading detection through steganography, cryptography, and dynamic code loading. This talk examines the behavioral model of toll fraud, evasion techniques used by malware families like Joker, and proposes detection and mitigation strategies at both antivirus and operating-system levels.
Original YouTube description
The Wireless Application Protocol billing (WAP billing) is a payment mechanism that enables consumers to subscribe to paid services and get charged directly on their mobile phone bill. To initiate a subscription, the user has to navigate to a website that offers the service, while the device is registered to a cellular network, and click on a designated subscription button. As a verification step, a one-time password is sent to the user, which has to be submitted back to the service provider in order to confirm the subscription. Billing fraud is one of the most prevalent types of Android malware; it leverages weaknesses in the aforementioned process in order to automatically subscribe users to paid services. With revenue reaching up to $10 billion annually, it has monopolized the media spotlight since it found its way to a wider audience through the Google Play Store back in 2017. To this day it is still among the Potentially Harmful Applications (PHA) with the highest install rate according to Google Play's transparency report. This paper focuses on toll fraud, a billing fraud subcategory, and tries to shed some light on its behavioural model from a solid technical perspective. More specifically, we investigate the evasion techniques used and the actions taken on the malware's side in order to imitate the user and perform a fraudulent subscription. Finally, we propose improvements with regard to antivirus detection as well as improvements at the operating system level in order to mitigate the issue. Full post here: https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/
Transcript [en]

foreign [Music] computer security since 2002 and I started actually I was a member of one of the first reverse engineering groups groups back in Greece and my first years in my career I spent them uh by working as a network security engineer then I jumped to developing and the last about five years I focused on Direct Security and especially malware now about a year ago I joined Microsoft's Defender research team as a senior security researcher and the reason that I'm uh here is to show you how an Android application can drain your wallet from the sense that one android application how an Android application can actually have a financially impact on the end user and uh before we start this presentation

let me go through the outline so first of all we're going to see what is a premium subscription how this is performing how it can be used in order to enable the users to purchase Services products online and get charged in their phone bill uh next we're going to see how a malware how an Android app can perform such a subscription in let's say a deceptive way without the user being aware of it then we are going to to see how this malware how this type of malware managed to evade detection being one of the most let's say prevalent malware categories in the Google Play Store then the other thing is how it gets published in the first place on the

Google Play Store how the developers how the malware developers managed to publish the software in the Google Play Store in the first place then we're going to talk about some rough ideas on how we can detect this type of malware and finally again some rough ideas on how actually we can prevent this type of malware from even being published in Google Play Store now uh before I start explaining how this malware works let me go through some definitions that we're going to use in the next few slides and the first thing that I want to talk to you about and what to Define is what is building from so by billing fraud we refer to the

malware category which contains code that charges the user in an intentionally deceptive way and we have a couple of subcategories of building fraud we have Golf Road we have SMS Road and we have toll road with the last one being the most interesting one and the one that we are going to focus in this presentation now when it comes to toll road when it comes to this type of malware we're talking about the malware family with a multi-billion dollar yearly revenue and one of the most prevalent Marvel categories according to the Googles according to the Google Play Store transparency report uh it is also very popular I'm sure that many of you have heard about the Joker

family some of you have heard also about the bread family and uh this is um although actually there's no not a lot of posts out there how this malware works and uh it is such such a popular let's say Marvel due to the fact that it used the Google Play Store as its main distribution mean now the next thing that I want to talk about is uh what is the WAP billing mechanism it's something that we're going to use in the next slides so let me Define what is a web building mechanism so by this we refer to the billing mechanism which uses the wireless application protocol in order to allow the user to purchase products

services online in good charts in their phone bill uh here again on the right side I have an example of such a subscription flow so how someone can subscribe to such a service so first of all only customers can subscribe to be eligible for subscriber benefits and we who who are the customers here we're talking about people who are let's say registered to specific Sim operator so these uh users who are resistant to specific Sim operators May subscribe by using the respective WAP enabled website or the Android app as it points out in the 4.243 and the customer will receive an SMS which informed about will inform about the billing price uh the rates the

billing interval and the next billing date and please note on the the last one which says that the customer cannot subscribe to one's Subscription Service more than one time we're going to see how actually the malware tries to track that and how it's going to bypass that in the next slide again so let me summarize what actions a user should take in order to subscribe to a service so as I said before first of all it has to navigate to a specific website by the time that the server is going to receive this request it's going to send back what we call a landing page this landing page contains a subscription button on which the user

has to click on it and when the server receives the new request it's going to send back what we call a pin an OTP a pin this is sent usually using the nsms so by the time that the girl is going to receive this SMS it has to send it back to the server the server is going to verify it and finally send uh back the SMS that they took before which informed the user about uh the billing rate and all this kind of uh things and the other thing that please know you I mean notice that the steps four up to six are not always there this flow actually depends on each Sim operator someone may

use this one or someone maybe a little bit different but it's all about the same it's all about this this one here now what is a fraudulent subscription so a program subscription this is a subscription which takes place without user interaction the user won't interact with the software without uh user consent and actually without even being noticeable to the user so the user won't understand anything about it so the malware has to take these steps that the user did before in order to achieve this type of subscription so first of all it has to disable the Wi-Fi connection or weight for the device to switch the mobile network that's the first step then navigate to the subscription page

how then simulate the user click on the subscription button intercept the pin which is sent from the server to the user send this OTB back to the server and finally keep the process silent in order for the user not to understand and not actually the process to be noticeable to the user so one very important step before performing these actions is to identify the same operator of the device the same operator actually on which the device operates and this is due to the fact that each payload each app targets specific Sim operators and as I said before each Sim operator has a specific flow so the malware has to take specific steps and this is due to the

fact that they target specific Sim operators this is why actually their target this specific Sim operators so this type of information can be retrieved from your device by using them and see and MCC codes and uh for example an app an Android app can simply call the getsim operator method or uh the get method of the system properties class and get these codes the only difference between these two goals is actually the first one can simply be invoked by importing the telephone manager class why the second one for those who are similar familiar with Java it has to be uh called using reflection now on the lower side I have a one example of one of the latest Joker payloads which

does exactly that what I said right now so it will check if the Sim operator starts with 655 and then it will start the steps that we're going to see in the next slides and uh at this point the 655 actually is the same operator which corresponds to South Africa Sim operator all right now make sure that the device operates on a mobile network so how we do that so either wait for the device to switch or either for the device switch wait for the device so get a network info objects observe this object and try to get the type of thing of the network either type of network is mobile then it's start to

do the next steps now the other way is to disable the Wi-Fi of um of uh the device and this before SDK 29 was done by using the said Wi-Fi enable of the Wi-Fi manager class and uh after SDK 28 we saw something different actually this one was deprecated in 29 so we saw something different which actually was I could say better for the malware developers so what we saw is that they were creating a request uh Builder a network request Builder object so Define some specific capabilities in this Builder then request this network from the connectivity manager and finally finally when this network was let's say uh ready by the process to the network and again

here on the right side I have an example of how this flow goes on the upper side I have the actual code wire on the lower one I have a demo code which is easier to read YouTube then have obfuscation it's not duplicated so create a network request Builder object Define some capabilities there we want the device will be able to connect to the internet and we want to use a mobile network then uh request this network user connectivity manager and then finally when the network is available just bind the process to the network and use the network now just note here that the device can also have the Wi-Fi enabled and this app can just bind to

the mobile network so it's even even better for the after this update was even better for the malware developers due to the fact that they now they don't have even to disable the Wi-Fi anyway the next step is to get offers to get the websites where the malware is supposed to navigate in order to to do this type of actions so it will communicate with the command control server the communication is usually uh customized what I mean I mean you say the encoded or they use some kind of customized encoding or encryption or a zipped or something so they will retrieve usually they retrieve some kind of a Json object which contains something similar to what

you see here so something important here is the the offer URLs so it will get one of these software urls which will lead to a redirection chain as you see here and this is the direction chain will finally lead to the landing page now this landing page will be loaded to a webview which is not visible to the user so the user again so far won't understand something now another let's say an important Android operating system component which is used from this type of malware is Android OS Handler and what is Handler is doing is actually observing the subscription process the cycle and acting according to the phase that the subscription process is currently in so

when let's say the page was loaded on the webview the malware will send a message to this Handler or when SMS has been received the malware will send a message to this Handler and according to the ID according to like what parameter of this message is going to perform some type of an action so here I have again uh an actual code which as you see gets a message checks the word parameter and Knocks accordingly according to the phase so one very important phrase is when the page is loading we are here now I mean we have loaded the landing page on the webview so how now uh the model we're supposed to simulate the click on the subscription button

so we saw a couple of ways of doing that of using for example JavaScript interface or something but a very common way of doing that is by injecting JavaScript code then JavaScript code similar to the one that you see right here so what this code is doing is actually scrapping the page and searching for elements which can be clicked or submitted then it will filter those elements let me go through the yeah so it will filter those elements searching for uh ones that they are let's say relevant to the subscription process so search for tags like confirm yes click things which like I said are relevant to the subscription process then it will send all these elements to the function C

which you see here and what this function does is actually acting in two steps so the first step is to call the jdh function now this jdh function will check for a specific cookie so if this cookie has been set already it will return files if this cookie has not been set it will return true and we'll set the cookie now what this cookie does is actually marking the page in order to for the malware to to understand that this page has been visited in the past so we subscribe the user already to the service we don't have to subscribe the user again we can't subscribe the user again so this cookie does exactly that

just marking the page which the malware already subscribes the user so it will send back to the function C that I explained to you before true or false and depending on this uh parameter the function will just click or submit the specific element now okay now we are the point that the malware let's say simulate the click on the subscription button now the next step is uh to intercept the pin which is sent from the server to the user and we saw a couple of ways of doing that so one way is using an SMS broadcast receiver another way is binding the notification listener service another way is using the SMS content Observer and let's see how this thing

works so uh in short the the app has to declare some specific permissions and it needs these permissions in order some of these permissions actually in order to define a broadcast receiver which broadcast receiver in the receive pullback it will just get the message then coming SMS examine the body of a message and search for specific keywords which let's say are corresponding to the specific Sim operators to the specific service provider so it will extract the PIN and use an API called the send text message for example in order to send this message back to the server another way which actually is the most common one and it has the same logic although it's a

little bit different when it comes to implementation is by the notification listener service so extend the notification relation service create a class and when notification you know these notifications that they are posted in your device when this notification is posted check the body of notification and if again it has something let's say relevant to the subscription process extract the pin and send it back to the uh yeah I missed the the steps so send it back to the server uh the last one is using on the Observer so what the content Observer does is receiving callbacks one changes to a specific content happen and what we care more here is about the SMS content so

when the device receives an SMS this content is going to change so the specific callback there the on change is going to be triggered and again the same process is going to filter out the body of the message and send the text to the server final step of this long process is to keep everything silent right and in order to do that and since SDK 18 every app which extends notification listener service is authorized to suppress notifications from other apps either way anyway and they are there are a couple of uh API calls in order to do that using the cancel or notifications or cancel specific one or cancel an area of them another way of doing that although it's

a little bit more tricky due to the fact that the app has to be the default SMS up is to abort the broadcast when an SMS has been received so they extend the broadcast receiver the SMS has been received and they just abort the broadcast in order to dismiss this notification okay so just summarize the process because we said we talk about a lot of steps so what we talked so far the Web building mechanism so what is a web building mechanism it is a mechanism which can be used in order to let you purchase Services products online and don't have to pay directly you can't just get charging your phone bill this process requires from the user to

take some specific steps right then this type of malware simulates the steps and these steps include to navigate to the website simulate the user clicks intercept the pin and submit it back to the to the service provider and suppress all the notifications in order to keep the process silent from the user all right cool so we're talking about the very long process we're talking about a lot of API calls we're talking about a lot of permissions so it can't be that hard many of you might wonder right now that it can be that hard to detect this type of malware how it can be so uh prevalent in the Google Play store since actually 2017. so the answer here is actually

that this model is very difficult to detect and it's very difficult to detect because it uses steganography it will use iconography the payloads are hidden in seemingly Banning files for example PNG files JPEG files in the assets folder or I mean the APK is huge so you can just hide it anywhere uh cryptography with keys different keys from one sample to the other so even let's say you create a signature which let's say detects some some of these samples or let's say one specific version of the samples then even each sample can have a different uh key and you can't just miss one sample to to another the other thing of course sophistication in order to evade static type signatures

and the dynamical loading what I mean by Dynamic code loading the code which does the steps is doing the steps that you saw before is not actually there it's going to be downloaded from the web it's going to be loaded it's going to be executed and finally clocking and what is clocking clocking uh we refer actually to the set of um actions which the malware performs in order to detect if it's running in some kind of a VM or some specific condition doesn't apply for example it's not published in a Google Play or um there are actually funny things that we saw on how this malware tries to to evade actual to detect if it's running

in a VM or something so let's see a specific case of one of the which which actually uh up let's say it concentrates all these things that we we talked so far so actually we're talking about the messenger app many of you have already installed this app in your device it's got quite a lot of installs it was actually published in Google Play Store before a few months so the first thing that this app is doing is simply check if it was published if it's still published in the Google Play Store so it will just send the request to the Play store and see if the specific package is still published so if it's still published then it will go

to this process here so this project is doing the following so we are we are entering the stage one so what is going on here the malware will check the assets folder and try to find announce it which ends with 355 right now please note that the first versions of this uh APK didn't have this asset there so it was weaponized it was actually this specific asset was added in the later versions so it will check for specific assets it will get this asset and then on the next step it will try to it will decrypt this asset actually using a key which is which was found to be hard-coded in the specific Dex file so it will decrypt this file

using is and it will drop another file which is actually a net file in the data folder of the app uh this is the NL file it will be loaded using the system.load function and then it will call a native function which is implemented in the native layer so we are now on the native side and um when these uh elf gets let's say decrypted and dropped in the in the data directory you won't see much there if you try to decompile it all the strings work short uh so we have to go through the each one of them in order to decrypt it because they have different keys for each one and um for example this one has a key

which was a gif another one has different something so by decrypting these strings show them back we found calls to the Dex class loader and actually we found calls to another class which wasn't anywhere I mean in the initial APK so it was proved that that when everything was there where all these let's say strings are decrypted everything is on set the malware will check for another asset file so this asset file actually is this one here which ends this time with three zero zero this asset file turns to be decrypted and turned to Dex file so it will decrypt this file it will solve this file with a key which is sent from the Java side

so this file will decrypt it will be dropped to the data folder and then again it will be loaded using the dexclass loader and the load class which this time will load the class that I said before now this cloud.com.ads view is actually the Dex file which was just right now let's say decrypted finally we'll perform a jni called goal static void method uh using this specific call in order to uh call a function from this class this specific class and here we are in the dex5 now so here we found uh the command control server which was hardcoded there and what these actual decks will do it's not much besides communicating with the command control server and download

another file so this file now is a jar file and this jar file is going to be again loaded using the next class loader and when executed is going to perform the last step which is to check the Sim operator if the Sim operator is starting with 655 then it's going to start the process the cycle that I talked to you about in the first few slides so let's summarize this also because it's quite long as I said we have an APK we have an SMS app the first thing that it's going to do is just check if it's published get a file from the assets decrypt this file and drop it as a null

file Dell file will get another file which is a DEX file decrypted and then this Dex file is going to communicate with a command to control server download the jar file and finally the jar file will check if the Sim operator is targeted this starts with 655 and start to do the cycle that I talked to you about before uh so now you have an idea why we can't detect disabled one but it's still hard to detect it so another thing now that we have a nice overview of how the how a debate detection how does the this uh let's say tall for process how it does its um problem subscription is how it's managed to get this malware

published in the Google Play Store in the first place how they do that and how I mean Google let's say allows that in the first place so there is a strategy used from malware developers this strategy includes specific steps for example use open source of apps which are very easy I mean they're very popular they're very easy to install they're very easy to get a lot of installs very quick get popular very quick that's that's the ultimate Target so these apps are wallpapers lock screens Beauty editors cameras communication apps messaging apps so they will upload clean versions of these apps the first few versions are going to be clean not weaponized I think of let's say specific thresholds

let's say if they are bridge a specific number of installs then they're going to update the app and uh add let's say weaponize the app and not actually the payloads that I talked to you about before another thing is try to stay as much as they're going to be detected at some point but just try to make this time as long as you can so they're going to separate the malicious flow from the initial APK as much as they can so as I said before they're going to download the Dex file and load it and execute it instead of have the text file this deck file the malicious text file in the APK from the

start now thankfully uh this let's say penetration strategy which the malware developers are using creates what we call secondary signals and this signal secondary signals include the following for example we have an excessive set of permissions which actually I wouldn't say excessive but I would say more not up to the applications functionality for example you have an app which is a wallpaper app and this wallpaper app requests you to buy notification listener what the wallpaper app will do with the notification listen it does make sense so another thing is uh they might request SMS permission so while they're requesting it doesn't let's say uh it's not on page with the functionality of the app another thing is that they have a lot of

common user characteristics uh interface characteristics where you can icons policy Pages buttons all these things seem to be quite common between these apps another thing is similar package names uh suspicion developer profiles you're going to see developer profiles that they are very common between them they're just a page with a name which name seems to come from some kind of an automated process so it's let's say easy to understand from this type of I at least to get suspicious from these type of signals right not 100 to say that this is actually malware and finally we have the user complaints although here sometimes you shouldn't rely on the user called complaints especially if these complaints are

um not complaints actually I would say comments if these comments are let's say all right you've got a great app or something like that you shouldn't rely on this type of uh method of comments due to the fact that we saw cases that the malware itself tries to post um comments on the specific on the pages which is posted all right okay now now we have a I guess a nice a good overview of how this malware Works how it gets published how the base detection and how actually uh performs the steps that I told you about in order to to do this uh let's say subscription now let's see some rough ideas on how we can

detect what what options do we have in order to detect this type of malware and let's start from the client side right you have your AV your device what this AV can do in order to detect this type of malware and the truth is that we can't do much at the client side so the Android operating system imposes huge serious restrictions on what one application can get for another app it's very difficult let's say to get some info for another app each application is trapped in its own sandbox and the info that one app can retrieve for another app is let's say control from the system so you don't have many chance at that point I think

that you can do of course is let's say do some kind of static scan which again some help from the cloud or maybe observe the HTTP Communication in order to see some kind of let's say suspicious communication with the command control server and of course maintain some type of a blacklist of command and control servers it gives you such a communication then just alert the user or in order to allow some kind of suspicious suspicion now on the cloud side though we have a lot of options although they don't see seem to be so far like I said very um they can have a nice result but the the the pipeline that you are going to see

here is actually a pipeline which we try in order to achieve the best results using the less amount of resources so we start with a steady field we have a feed of apks this feed might be something like uh researchers which let's say feed our system with apks or even a Play Store itself or a device I mean we can just the user can submit an APK from the device so you have a feed and the first step of this pipeline the first step is to uh filter the apps for secondary signals secondary characteristics the ones that I talked to you about before for example if the app has uh similarities with other uh let's say

...toll fraud. The second, the secondary signal, again: developer profile, number of installs. The result at this point is going to be one of three: either the app is going to go on to the next stage, or the app is going to be suspicious (a simple "suspicious" verdict is going to be returned), or finally it's going to just be skipped, due to the fact that we didn't reach a specific threshold of this type of characteristics.

So the next step is to start to scan the app for specific things, let's say to perform a static scan: scan for specific API calls, or specific strings, or specific permissions. And again the result is going to be the same, but we're not going to be sure, due to the fact that, as I told you before, we have this detection evasion mechanism. So either it's going to be suspicious, or it's going to be skipped due to the fact that it's missing some, let's say, important permissions, or it will go to the next stage.

The next stage is the most, let's say, demanding when it comes to resources, because we have to first of all interact with the app in, let's say, a clever way. And how do you do that, right? I mean, we try to, let's say, cause as much functionality as we can by interacting with the app, and this is actually a very difficult problem, because you might have some kind of a login wall or something that the human has to interact with in order for them to proceed to the next steps. So actually this is a big problem, how to do that. Let's say that you solve this problem. Then the other thing is to perform the dynamic analysis part, which is: intercept HTTPS communication, perform some binary instrumentation, log the API calls, intercept the API calls (and what I mean by intercept is change the return values in order to trigger additional behaviour, additional functionality). Then we have to dump the memory for DEX files, because many of these apps are using packers, or, as I said before, they can just drop something and then load it in memory, so you can just dump the memory in order to get these DEX files. Observe, of course, the data directory of the app in order to monitor for dropped files and see if the application is dropping something and just loads it. And finally dump the memory on the native side, because especially recently, especially the last maybe year, we saw a lot of malware developers moving on to the native side.

All right, so what is the final result of this, let's say, process, of this pipeline? Not much. Again, we have to create signatures, right? We have to create signatures, we have to enrich our database, and actually what we want is to be able to catch this, to detect these samples before, let's say, reaching the final point, to detect them in much earlier stages.

All right, and reaching now, let's say, the end of this presentation, I want to talk about how we can prevent this type of apps from being published in the Google Play Store in the first place. So starting from November 3rd 2021, Google took an initiative in regards to the permissions that can be allowed to a specific app. For example, an app which, let's say, requests some permissions that are going to retrieve some personal information, or SMS permissions, or these kinds of stuff, has to be, let's say, justified: the developer has to complete a permissions declaration form in order to justify why, how I'm using this type of permission, what I'm doing with this type of permissions. What we didn't see so far, and this is, let's say, the unfortunate part of this action that Google took, is the notification listener, right? So as I said before, the majority of these malware actually abuse the notification listener in order to do this type of actions. So we still see apps, for example wallpapers, this type of apps that I talked to you about before, the most abused ones, still being able to use this type of service in order to do the steps that I talked to you about before. And with this, I mean, that was, let's say, a wrap-up of all these things. If you have any questions, please feel free to ask. [Applause]
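The staged triage the speaker describes (cheap secondary signals such as developer profile and install count first, then a static scan of permissions, declared services and API strings, each stage returning skip, suspicious or next stage) as an added Python example. This is not code from the talk or from any vendor's pipeline; the indicator lists, weights, thresholds, helper names and the sample manifests are constructed for illustration. It also encodes the caveat from the talk: a notification-listener service on its own is not enough for a verdict, so it pushes the app on to dynamic analysis rather than skipping it.

```python
"""Staged static triage of an Android app for toll-fraud indicators.

Added example (assumptions: weights, thresholds and samples are made up).
Stage 1 looks at secondary signals; stage 2 parses the manifest and scans
strings pulled from the DEX for the API indicators the talk names
(SMS permissions, NotificationListenerService binding, dynamic code loading).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicator weights are assumptions chosen for illustration.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.SEND_SMS": 2,
    "android.permission.INTERNET": 0,  # too common to count
}
SERVICE_PERMISSION_WEIGHTS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 4,
}
API_STRING_WEIGHTS = {
    "dalvik/system/DexClassLoader": 3,
    "dalvik/system/InMemoryDexClassLoader": 3,
    "android/service/notification/NotificationListenerService": 4,
    "android/telephony/SmsManager": 2,
    "android/webkit/WebView;->evaluateJavascript": 2,
}


def verdict(score, skip_below, suspicious_at):
    """Map a stage score onto the three outcomes the pipeline produces."""
    if score < skip_below:
        return "skip"
    if score >= suspicious_at:
        return "suspicious"
    return "next_stage"


def secondary_signals(dev_age_days, installs, prior_flags, skip_below=1, suspicious_at=3):
    """Stage 1: developer profile and install count, no APK parsing needed."""
    score = 0
    if dev_age_days < 30:        # freshly created developer account
        score += 1
    if installs > 100_000:       # large blast radius if it is fraud
        score += 1
    score += 2 * prior_flags     # earlier takedowns for this developer
    return verdict(score, skip_below, suspicious_at)


def static_scan(manifest_xml, dex_strings, skip_below=3, suspicious_at=8):
    """Stage 2: manifest permissions, service binding and DEX string indicators.

    Returns (verdict, score, hits). A notification-listener service with no
    other indicator never produces "skip": evasive samples drop the SMS
    permissions and load the rest at runtime, so such an app is sent on to
    dynamic analysis instead.
    """
    root = ET.fromstring(manifest_xml)
    score, hits = 0, []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        weight = PERMISSION_WEIGHTS.get(name, 0)
        if weight:
            score += weight
            hits.append(name)
    listener_bound = False
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission", "")
        weight = SERVICE_PERMISSION_WEIGHTS.get(perm, 0)
        if weight:
            score += weight
            hits.append(perm)
            listener_bound = True
    for s in dex_strings:
        for needle, weight in API_STRING_WEIGHTS.items():
            if needle in s:
                score += weight
                hits.append(needle)
    result = verdict(score, skip_below, suspicious_at)
    if result == "skip" and listener_bound:
        result = "next_stage"
    return result, score, hits


def triage(dev_age_days, installs, prior_flags, manifest_xml, dex_strings):
    """Run the stages in order; only apps that survive stage 1 get scanned."""
    stage1 = secondary_signals(dev_age_days, installs, prior_flags)
    if stage1 != "next_stage":
        return "secondary_signals", stage1, []
    result, _score, hits = static_scan(manifest_xml, dex_strings)
    return "static_scan", result, hits


# Constructed samples (not real apps): a wallpaper app with the full set of
# indicators, the same app stripped down to only the listener, and a benign one.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
LISTENER_ONLY_MANIFEST = SAMPLE_MANIFEST.replace(
    '<uses-permission android:name="android.permission.RECEIVE_SMS"/>', "")
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
SAMPLE_DEX_STRINGS = ["Ldalvik/system/DexClassLoader;", "Landroid/telephony/SmsManager;", "assets/wp.png"]

if __name__ == "__main__":
    print(triage(10, 500_000, 0, SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS))
    print(static_scan(LISTENER_ONLY_MANIFEST, ["assets/wp.png"]))
    print(static_scan(BENIGN_MANIFEST, []))
```

The string scan is the weak stage, as the talk says: a packed or dropper-style sample will show none of the DEX indicators, which is why the listener-only case is routed to dynamic analysis rather than dismissed.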

Okay, so thank you Dimitris, thank you very much. Any questions? Okay, you want to hear... Hello there. Hello.

When you're doing the analysis for the Android malware, do you use an emulator or real devices, and what are the advantages?

Yeah, we can't, let's say, afford... I mean, we can't afford it, it's something that you can't have, many real devices, so you have to end up with some kind of an emulator at the end. So you have to use an emulator, yeah. Usually that's the common case, except if you have some kind of special case which can be, let's say, forced to a different pipeline in order to pass through a real device, but the common case is an emulator.

Okay, thank you. Another one here. First, thank you. So for me it is pretty clear why you can't detect these types of applications using static analysis, but it seems like an easy job to detect them using telemetry, so at runtime of course. Why do we think Google doesn't make an effort to detect these types of exploitations at runtime using their own telemetry? Because these API calls seem to be really specific, and only for these types of purposes when used in a group.

All right, so imagine you are Google, right? I mean, you have a Play Store, you have the app installed on the device. What type of information can you retrieve for one app? I mean, you don't have... like I said before, you still have restrictions when it comes to... I mean, even Google, despite the fact that it is Google, that it is the one that actually, let's say, develops the specific frameworks, all the frameworks, and, let's say, it can interfere in this process, it is very hard for them to be able, let's say, to detect this, due to the fact that they also have restrictions that they have to follow, the restrictions that they apply by themselves, right? So they can't, let's say, break the sandbox, they can't break these kinds of things, they can't be that intrusive. If, I mean, that satisfies your question.

Yeah, makes sense, thank you.

Hi. I was very surprised to see that the notification permission is not included in that Google agreement. So couldn't this be used to steal one-time passwords, like Steam and... Yeah. Just make sure, when an app requests the notification listener, I mean to access your notifications, just make sure that you trust this app.

Yeah, yeah, it's one of the most... yeah, it can be used actually to get a lot of info out of the device. It depends actually on what is posting the specific notification, what the app actually is getting from this notification. So if there is a PIN there, whatever there is there, it can be retrieved by the app which extends NotificationListenerService. So yeah.

Yeah, it's really anything, like emails?

Yeah, I mean whatever. That's a good point actually, and this is on the developer side: whether the developer, let's say, exposes something on the specific service, right? So if you as a developer expose the mail there, or you expose the PIN there, or you expose some kind of a financial transaction, then yeah, it's something which is going to be retrieved by this type of software. Actually this NotificationListenerService is used by spyware also. It is very... yeah, it's very important to trust the apps that you have approved for this type of service. Yeah, thank you very much. Yeah, more questions?

I guess not. So again, thank you Dimitrius, and thank you very much. Now we have no... [Music]