
Good afternoon, everybody. Hope everybody's awake now after the long day. So good afternoon, fellow security enthusiasts. Glad you made it to the third large talk of the day. Initially my slot was 45 minutes, but I had to bring it down to 15 minutes. My talk provides an overview of the GoldDigger mobile malware as well as a look into the new rules of mobile threats. My talk covers five key topics: who am I, discussing various mobile malware, the evolution of mobile malware, various processes development teams can implement to protect against mobile malware, and then ending off with a questions section.

So, first, who am I? I'm a software developer with a keen interest in cyber security, specializing in mobile security. I've recently completed my PhD in computer science with a dissertation titled Glondoa, a secure software development framework for mobile applications.

So, variants of mobile malware. Although there is a range of mobile malware currently in the wild, today I'll only be discussing three of them. Rebot, which is a remote access Trojan application with screen sharing capabilities. Ceros, which is a malicious mobile application that can be downloaded from dark web forums and that is associated with fake banking applications. And TrickMo, which is a malicious application that can bypass two-factor authentication OTPs.

So, what do we know? If you've recently watched the news, there has been a wide range of mobile malware articles, such as "Unmasking the overlap between GoldDigger and the Gigabud Android campaign", "Android malware surge hits devices with overlays, virtualization fraud, and NFC theft", "Dangerous malware targeting US banking applications", as well as "A new Android attack could trick you into compromising your phone".

So how has mobile malware evolved? Mobile malware usually started by fooling the user into downloading a malicious application. But now it hijacks your session, abuses overlays, and bypasses security checks. Further on, malware changed to using legitimate services, such as the accessibility service, against the customers. Accessibility services are those services that enhance the end user's experience on the device, such as increasing the font size or reading back the content of a specific application. GoldDigger malware is an example of this, whereby the malware invokes gestures and does screen capturing. Further on, with the latest enhancement to malware, malware has moved to using virtualization frameworks such as VirtualApp and VirtualXposed, whereby it creates a virtualized sandbox to load, execute and run legitimate applications. The Godfather mobile app is using such a method, whereby the criminal, with the use of social engineering techniques, gets the user to download an application, and that application creates a sandbox. Then it loads a legitimate application, hooks into all the gestures and actions that the user taps on the screen, and then they basically have you within the mobile app.

So here's an example of the GoldDigger application. Here you can see that the criminal constructing this specific application used an open-source tool called dpt-shell to hide the inner workings of that application. You'll see on the left-hand side there isn't much code there; it's obviously obfuscated and hidden away from any security analyst. Here's another example of the GoldDigger application, whereby the creator of the application used a different mechanism to obfuscate and hide the code. Although it's a different mechanism, here you can see more of the inner workings of that application, and you can more or less guess what this application is doing. If we go back, you'll see the fake application that the user was tricked into downloading was a SAPS application, and here it's a DStv streaming application.

So how can we protect against these kinds of malware? Although there exists a range of methods to detect malware, today I'm just going to discuss two. First of all, when your application loads up, check if accessibility services are enabled, then filter those accessibility services: filter out any services that have gesture capabilities as well as window capture capabilities. Also check if your application is running inside a virtualized environment, and then end off by determining the authenticity of that accessibility app, such as: did it come from a specific app store which your app only conforms to? The second method is where the mobile application contains a list of permissions that can extract sensitive personal information from the device, such as reading SMS, enabling audio, enabling video, reading contacts. Then construct a signature of various malware based upon those specific permissions. So once your application loads up, you need to filter out or block any applications that run on that specific device that conform to these malware signatures. And then further on, check if your app is running inside a virtualized environment, and also check the authenticity or the trusted source for that application.

So, if there's one thing you have to take away today: go home, or on your friends' and family's phones, check what kind of accessibility services are enabled, because that basically allows, to some extent, admin rights for that application on your device. Try to only install from approved stores, and if you have to, in a specific case, install a mobile application not from a store, well, validate the developer's authenticity. And here I've given you a screenshot of how it looks if you enable accessibility services. You'll basically see it there, and most users don't read what's on the screen. They just click, tap, install, life goes on. But installing a custom keyboard, even an antivirus, yes, it protects us, but please note that you basically give the developers of that application the keys to the castle. So here you can see full control is given to that application.

Are there any questions? Can't see them, it's quite light up here. So it doesn't look like there are any questions. Okay, cool. Thank you.
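The two client-side checks the speaker describes (filter enabled accessibility services by gesture and screen-capture capability and verify their install source; build a permission-based signature and flag installed apps that match it; plus a virtualization check), written out as an added Android Java example. This is not the speaker's code. It assumes an Android app compiled against API 30 or later with minSdk 24 (`CAPABILITY_CAN_PERFORM_GESTURES` exists from API 24; `CAPABILITY_CAN_TAKE_SCREENSHOT` and `getInstallSourceInfo` from API 30 and are guarded at runtime), the package name `com.example.malwarechecks` and the store allow-list and permission threshold are assumptions, and the data-directory virtualization heuristic is an assumed heuristic rather than a documented API.

```java
// Added example (not the speaker's code): Android checks for the two methods in the talk.
package com.example.malwarechecks; // hypothetical package name

import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.InstallSourceInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public final class MalwareChecks {

    // Installer packages we accept as a trusted source (assumed allow-list; Google Play shown).
    private static final Set<String> TRUSTED_INSTALLERS =
            new HashSet<>(Arrays.asList("com.android.vending"));

    // Permissions the talk names as able to extract sensitive data (SMS, audio, video, contacts),
    // plus overlay permission. Matching SIGNATURE_THRESHOLD of them counts as a hit (assumed value).
    private static final Set<String> SENSITIVE_PERMISSIONS = new HashSet<>(Arrays.asList(
            "android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS",
            "android.permission.RECORD_AUDIO",
            "android.permission.CAMERA",
            "android.permission.READ_CONTACTS",
            "android.permission.SYSTEM_ALERT_WINDOW"));
    private static final int SIGNATURE_THRESHOLD = 4;

    // Method 1: enabled accessibility services that can inject gestures or capture the screen,
    // excluding those installed from a trusted store.
    public static List<String> riskyAccessibilityServices(Context ctx) {
        List<String> risky = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return risky;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            int caps = info.getCapabilities();
            boolean gestures = (caps & AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0;
            boolean screenshot = Build.VERSION.SDK_INT >= Build.VERSION_CODES.R
                    && (caps & AccessibilityServiceInfo.CAPABILITY_CAN_TAKE_SCREENSHOT) != 0;
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if ((gestures || screenshot) && !installedFromTrustedStore(ctx, pkg)) {
                risky.add(pkg);
            }
        }
        return risky;
    }

    // Trusted-source check: which package installed this one? Null means sideloaded/unknown.
    public static boolean installedFromTrustedStore(Context ctx, String pkg) {
        PackageManager pm = ctx.getPackageManager();
        try {
            String installer;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                InstallSourceInfo src = pm.getInstallSourceInfo(pkg);
                installer = src.getInstallingPackageName();
            } else {
                installer = pm.getInstallerPackageName(pkg); // deprecated but needed below API 30
            }
            return installer != null && TRUSTED_INSTALLERS.contains(installer);
        } catch (PackageManager.NameNotFoundException | IllegalArgumentException e) {
            return false;
        }
    }

    // Method 2: permission-based signature over every installed package. On Android 11+ the
    // caller needs package visibility (QUERY_ALL_PACKAGES or <queries>) to see other apps.
    public static List<String> packagesMatchingSignature(Context ctx) {
        List<String> hits = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            if (pi.requestedPermissions == null || pi.packageName.equals(ctx.getPackageName())) continue;
            int score = 0;
            for (String p : pi.requestedPermissions) {
                if (SENSITIVE_PERMISSIONS.contains(p)) score++;
            }
            if (score >= SIGNATURE_THRESHOLD) hits.add(pi.packageName);
        }
        return hits;
    }

    // Virtualization heuristic (assumption): an app hosted inside a virtualization container
    // usually sees a data directory nested under the container's own directory instead of the
    // standard /data/data/<pkg> or /data/user/<n>/<pkg> layout.
    public static boolean looksVirtualized(Context ctx) {
        String dataDir = ctx.getApplicationInfo().dataDir;
        String pkg = Pattern.quote(ctx.getPackageName());
        boolean standard = dataDir.matches("/data/data/" + pkg)
                || dataDir.matches("/data/user/\\d+/" + pkg);
        return !standard;
    }
}
```

Run these from `Application.onCreate()` or the first activity, as the talk says, and treat a non-empty result from either list or a `true` from `looksVirtualized` as a signal to degrade sensitive functionality rather than as proof of infection: accessibility services with gesture capability are also used by legitimate assistive tools, and the data-directory heuristic can misfire on unusual devices.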