
I can hear me, alright. So thanks for coming out to this talk. I'm gonna try and go through this in 25 minutes and keep us on track, so I'm gonna really skip who I am. You could read about it in the little brochure thing if you really want to, but long story short, I am a security intelligence engineer for a company called Lookout, and that is a fancy way of saying that I'm a malware analyst.

So today we're gonna talk about a few things. We're gonna go over quickly what adware really is; I'm sure most of you have heard that term before or possibly experienced it yourself. We're going to look at a case study from one particular family that was pretty interesting, and then we're gonna talk about why we should even care about adware, I mean, it's usually pretty boring, right? We're gonna look at some interesting technical details about this case study, and then we're gonna talk about the aftermath of this particular family and the future of the adware industry.

So adware, like I said, I'm sure most of you have heard this term before, but in case you haven't, I'm sorry, I'm gonna burst your bubble now and bring you over to the dark side of the Internet. Honey, not that dark, but it's not fun to deal with. It's basically software that bombards you with disruptive or intrusive advertisements on your device.
So, you know, it's not necessarily often the height of sophistication for malware. It's normally financially motivated and often really poorly built, not typically obfuscated as well. Sometimes it gets kind of interesting, because you'll have certain malware families or adware families that will actually collect sensitive information about your device or about who you are, and that's typically in a way to kind of try and improve the advertisements you're being served. An interesting report from Lookout in 2013 demonstrated that 6.5 percent of all free apps contained adware. So, good times.

All right, so let's look at this case study. It started like most great stories do, with a Zendesk ticket. A user contacted us and said that they were seeing out-of-app ads on their device, and they were able to look at the Android multitasking window and see that these ads were coming from something called BeiTaPlugin, and that's all we knew. But what we were able to dig out through, you know, the good old Google-verse is that there was exactly one mention of BeiTaPlugin, and it was in this Android forum that dated back to 2018, and essentially all of these people in the forum were complaining about the same problem. They were seeing out-of-app ads, their phones were becoming almost unusable, battery life was in the toilet, and they were listing all of the apps that they had recently downloaded that they thought were the culprits.

So the interesting thing about all of these apps was that they were from the same developer, and they also contained thousands of reviews that were outlining the same kind of adware functionality, and basically what they were outlining was a flagrant disregard for Google's ad policies. And so I've put the ad policies there, but you probably understand already from using a device yourself what those could be: essentially, don't do anything to mess up my device, don't show me ads when I'm not using an application, and, you know, be a good guy.

So with some investigation, that I will spare you all of the details of because we've only got 25 minutes, BeiTaPlugin, which you can see a screenshot of on my test phone right there, ended up being a really well-obfuscated advertising plugin that was hidden within a whole bunch of different apps. So at the end of the investigation, it turned out there were 238 unique applications on Google Play, and the plugin was loaded as a dex file via a loading class called Qihoo 360, and I'm probably saying it wrong, but that company is actually considered the largest Chinese cyber security company, and they make AV software, so, you know, didn't detect their own stuff apparently. What's interesting is the loaded plugin is never actually installed to the device, so if you were to look through the packages on your device you wouldn't actually see BeiTaPlugin or anything like that; you'd only see the kind of, like, dropper application that was responsible for loading it.

And the features that it brought to your device were battery depletion; lockscreen advertisements, like this great tax cycle ad; advertisements that actually prevented you from operating the device as you normally would, so people reported that they would get a phone call, they'd go to answer the phone call, and they'd get, like, a full-screen 30-second video ad and they'd miss their phone call, so, you know, that's not operating as it should; and then advertisements with accompanying sound. This actually happened on my red phone. I had the phone sitting on my desk at work and then I just heard, like, ghost music from somewhere and realized it was an app, or an ad on my phone, that was playing music while my phone was asleep. So that would be embarrassing in certain situations.

So, 238 applications with two things in common: BeiTaPlugin, and developed by the company CooTek. So this is where the story gets kind of interesting, because CooTek is actually a publicly traded company on the New York Stock Exchange. They were founded in 2008 in Shanghai, they now have an office in San Francisco, they were awarded one of the top ten most innovative companies in China by Fast Company, they were awarded one of Google Play's best apps of 2015, and they IPO'd in 2018. So as of June 2019 they say that their global products reached an average of 255.5 million monthly users around the world. Some of you have probably seen this app before; this is their flagship app, it's called TouchPal. It's basically a keyboard that you can skin to, like, make look really cool, and they also have a bunch of other apps: fitness apps like water trackers, step trackers, all that kind of fun stuff. A lot of the apps they've published are actually developed by CooTek but are published under different names of other companies that aren't really other companies, so that's kind of fun. And at the end of the investigation, all of the cumulative downloads for the 238 applications totaled half a billion users, so a lot of people were hit with this.

So let's talk about why we should even care. I mean, you know, if you work in malware, everyone kind of jokes about adware, it being the crappy apps that you have to deal with that are typically overloaded with packages that don't really do anything. They're really poorly built, they're clunky, they're kind of garbage. So, you know, if all the apps are doing is really generating fake ad revenue for some company you've never heard of, who cares? So this is where it gets interesting. In this particular case, these advertisements were so aggressive that people were having to do factory resets of their devices, and again, I mean, no one's dying presumably, but it's not something you want to have to deal with. Maybe you lost your kid's dance recital when you did that factory reset; it's not so much fun.

The other thing that you have to think about when you're talking about aggressive advertising plugins is what kind of ads are actually being served to the device. So there have been reports recently of certain ads that are, you know, serving pornographic images or phishing sites or click-to-download or click-to-play ads, and that's where things get a little dicey, because then you're not just dealing with, you know, kind of harmless advertisements that are annoying, but they're also potentially compromising your device further. And then, as I said, there are those ads or ad plugins that collect sensitive information and exfiltrate it to kind of, like, bring you the best ads they can. Great people. The other reason why I think it's important to care about adware is because it targets everyone. It is most likely the type of malware that you will be targeted by, because it doesn't discriminate. It's not looking for, you know, political dissidents or activists; it's just sending out a huge net and trying to grab as many devices as it can. An interesting report from Check Point in 2019, they have the State of the Malware report, they basically list all of the most popular threats they've seen, and they list adware as the most common malware affecting both consumers and businesses year over year. So, I mean, everybody's seeing it. And, I mean, to a lesser extent, unless you have a company maybe you don't care about this as much, but if you have an ad company that's paying for clicks or views that are not actually getting clicked or viewed, then that company is being affected.

Okay, so let's look at some fun technical details. How did... never wants to hear me? Okay, I feel like I'm cutting into it. Good, okay, thanks, thank you. How did this particular family of apps get past Google Bouncer? So what was interesting about this, and what made it particularly difficult to figure out if this actual functionality was happening, is that they wouldn't actually trigger any malicious functionality. The actual plugin wouldn't get triggered until after a specific amount of time, so they had a time delay. They had conditional checks in place to basically check whether the device was an emulator, whether USB debugging or ADB was enabled, even whether the device was using auto time or auto time zones, basically trying to find any way that they might be essentially being viewed by a researcher.
And they had a bunch of anti-debug measures too, so if you stepped through the actual loading of the plugin in a debugger, everything would crash every single time. The only real success I had was installing the application on a red phone, which is, like, a test device, and just waiting, and like I said, thankfully I got that ghost music and I knew that this was the app responsible.

So another interesting thing they tried to do was hide the executable. So you can see right here there's this icon-icomoon-gemini.renc file; that is the actual executable file that is the BeiTa plugin. In early versions, back in early 2018, they just named it beita.renc and the plugin wasn't encrypted or anything like that. In later versions they renamed it to this icon-icomoon thing and they actually encrypted the plugin with AES. So in both cases, you know, it's actually an executable file, it's a text file, but what's interesting is that IcoMoon apparently is an application that gives designers and developers icons and, like, vectors for use in building applications, and there's even one pack called Gemini. So presumably they were trying to make this look like it's just, like, I don't know, fonts or vectors for a particular app's assets, because it was located in the assets directory.

So now we're gonna look at, did I skip something? No, good. So now we're gonna look at kind of the most interesting class, or package, within this particular family. It's aptly named Hades SDK, and this collection of classes is the package that's basically responsible for loading the plugin and kind of leads you to figuring out how the plugin is actually loaded to the device. So what's interesting about the Hades SDK is that it is containing the AES encryption key, but it does this through a series of connected methods, and then you can see this get encrypted key function there. I'll spare you the really boring details of stepping through all those functions, because it required a lot of coffee and maybe a glass of wine. And so what was interesting about this class is that not only was it actually located under com.android.utils, not trying to hide at all, but it's actually responsible for retrieving the asset path where the plugin's located, configuring the plugin to be loaded with other plugin frameworks, or, like, the Qihoo loader, and then pretty much all of the interaction between the plugin and additional ad libraries once it's loaded. So it was doing a lot of stuff. It performs checks for whether the plugin's been decrypted, whether it's loaded, specifies the output source for jar files that were generated, and then sets alarms to trigger ad-related intents, and even specifies the spaces where those ads are going to appear, like this one that says lockscreen function and then get space; that's just basically saying we're gonna show it on the lockscreen.

Now another interesting way that this was kind of hidden is that you couldn't necessarily see how Hades was being initialized from the outset; you kind of had to step through a whole bunch of functions. So there was a class that was a subclass defined in the manifest called com.scanner.QrcApplication, that you can kind of hopefully see up there, and we've got a little video, you see that, cool, that shows how, if you go to QrcApplication and you kind of step back through all of the onCreate methods, you realize it actually lives, or it's actually calling methods from Hades once again. And then if you go within Hades and you click through them, it's probably hard to see, but basically that's the Qihoo plugin loader right there. So you had to step through a whole bunch of different methods essentially to figure out that QrcApplication is actually just loading Hades stuff.

Okay, so once again, we talked about how there were earlier versions that had kind of different naming techniques for this plugin, but there were also different versions that had kind of, I guess, classes that weren't really obfuscated. So what was fun was that the earliest versions had hard-coded strings, not obfuscated, not encrypted at all; you could see exactly what the class was doing. And then later, in the IcoMoon sort of variation of the plugin, all the strings were XOR-encrypted and then base64-encoded using this open source third-party library called StringFog, you too can get it on GitHub, and every single class that facilitates anything to do with loading the plugin had its own separate key. So the Hades package, all of the classes in there, were decrypted using this "Robin Hood" string up there. Okay, so, I mean, that's a very quick overview of some of the more interesting ways that they tried to hide a lot of the functionality here, or at least hide that this plugin was being loaded from the particular applications we were analyzing.

But what actually happened? So we reported all of these apps to Google and we published our research in June 2019, and then CooTek stock dropped 20% in, like, a day. That was fun. You never really want to get DMs, yeah, you don't really want to get DMs from their PR people on Twitter; that's never fun. The plugin, some of the plugin, was removed from different applications; there were, like, 40 or 50 where they took out the plugin, and then there were some where they just re-uploaded new versions with the same plugin, and in some versions they actually, and in their own words, refactored the code and said that it wasn't the exact same plugin, which it wasn't, it was just, you know, the same code, but it continued to violate Google Play policies. So we again discussed this with Google, and Google temporarily removed all of the apps that CooTek developed and then actually banned them from the advertising platform, and then their stock dropped to 40 percent from the original value. So, yeah, basically a good lesson to be good guys.

So I really like this quote. It's from a researcher at Check Point in a Wired article that I think is worth reading. It's, you know, you can't see it, but you'll get these slides after, and he says: "You're starting to see actors realizing that just regular adware won't do these days. If you want the big money you need to invest in infrastructure and research and development." And so that's what we're seeing. I mean, adware, it's a shifting industry. You know, this is not an isolated incident for 2019. Earlier, in April, there was a company called DO Global. They had about a hundred apps in the Play Store that accounted for about 600 million installs, and they were removed from Google Play for violating ad policies, and this, at that point, was the biggest ban that Google Play had kind of brought upon major developers. And again, we're seeing a considerable increase in the level of sophistic... obfuscate... obfuscation, I was trying to merge the two words, and sophistication.

There are a few examples here just from 2019 alone. PreAMo is a particular adware family that connects to not one but three different ad frameworks using three different methods and implementing specific delays and checks to avoid detection through things like Google Bouncer, that are, you know, essentially sandbox tests for malicious activity. 4shared is a file storage app, and they used invisible overlays to submit fraudulent clicks and views, so, I mean, that's kind of genius, right? I mean, bad, but genius. Agent Smith is another one from this year, from, I believe, the summer, and it started actually in 2018 as a really clunky and just kind of crappy piece of adware, but then they refactored it, you know, like all great software developers do, and they improved their code base and their functionality. And so instead of just serving ads, they would actually have the applications search through the user's device, find all third-party installed applications, and reinstall those with a more, I guess, like, ad-heavy framework, and that would be their way to kind of improve the revenue that they were gaining.

And so aside from these, and kind of all adware in general in the last year at least, we're seeing more actors relying on legitimate infrastructure and basically approaching adware not as, you know, some kind of crappy app that you're building but more like a full-fledged software development project. And what's interesting about the use of legitimate infrastructure is that it makes it more difficult to determine whether network traffic is actually legitimate. So what does this mean for the future? Basically, increased obfuscation means there's less low-hanging fruit for adware out there in, you know, official Play stores or elsewhere, and it makes it more challenging to convict, because it used to be that you would see adware, you could figure out what it was doing right away, and then, you know, you can kind of, like, take it off your list and move on to something a little bit more sophisticated. But now that we're seeing all of these new ways that developers and these big companies are actually obfuscating their code bases, this is not going to be as easy. We're also going to continue to see the introduction of ad plugins and this functionality that, you know, really toes the line of breaking official store policies, or just, like, full-on jumps over the line. And then these larger reputable companies, we see them investing R&D dollars to produce more sophisticated and novel approaches for basically avoiding AV detection, or avoiding the detection of particular, you know, AV situations like Google Play's, and generating that fraudulent advertising revenue. And this is something that, you know, actually a journalist mentioned that they often receive kind of, like, whistleblower emails from developers who are either competitors of larger companies or work for larger companies, who are saying, you know what, these guys are trying to break the rules and they're getting away with it because they're big and they have the money to invest in kind of a more sophisticated code base.

So that is all I have. If you have any questions, I am more than happy to answer them, if we have time. Cool.
Really degrees, hey, thanks a lot, thanks a lot for the talk, it was very interesting as always. Two questions: what tools do you use to analyze any of the samples that come your way? And the second question is, are you seeing a lot of code reuse among the base, which makes it easier to identify, or do these developers just sort of, from start to finish, come up with their own code, which makes your job harder?

That's a good question. So the tools that we use, the biggest one that you're seeing screenshots from, is a piece of software called JEB, and it's specifically for reversing Android applications. It's great, it's pricey, I think a license is, like, two grand. I know that the NSA tool Ghidra is apparently going to be implementing some functionality for doing Android reversing as well, so that's a good free option. And that's kind of the main one, other than some Python scripts to automate, like, poring through different files within the APK package. And then in terms of code reuse, so within this particular family there was tons of it, but I don't really see that much between different adware families. This was made a lot easier by the fact that I could look at earlier versions that weren't obfuscated that well and see where they kind of iterated and improved on their code base, and then where they did actually encrypt the strings. But, yeah, most of what I've seen is, there's not really that much reuse between different adware families.

So for this it was only Android; there wasn't an iOS component. Cool, thank you. I'll be around too if you want to come talk to me and ask questions in person. [Applause]
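The string obfuscation the talk describes in the Hades package (StringFog-style XOR with a separate key per class, then Base64), as an added example that is not part of the transcript, not CooTek's code and not the StringFog project's: a small analyst helper that picks a class's key out of a set of candidates by how plausible the decoded strings look, then puts the literals back into the decompiled source. The decrypt(...) call shape, the key and the sample snippet are constructed.

```python
"""StringFog-style string recovery for a decompiled Android class.
Assumed scheme, as the talk describes it: each literal is XORed with a
per-class key and then Base64-encoded; decoding reverses the two steps.
Added example; keys, call shape and sample source are all constructed."""
import base64
import re
import string
from typing import List, Optional

# Characters you expect in a path, class name, URL or short label.
IDENT_CHARS = set(string.ascii_letters + string.digits + "._-/:$ ")

# Shape of the call a decompiler shows once the obfuscator has rewritten
# every literal (constructed; the helper's name varies per build).
CALL_RE = re.compile(r'decrypt\("([A-Za-z0-9+/=]+)"\)')


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fog(plain: str, key: str) -> str:
    """What the build-time obfuscator emits: XOR, then Base64."""
    return base64.b64encode(xor_bytes(plain.encode(), key.encode())).decode()


def defog(blob: str, key: str) -> Optional[str]:
    """Base64-decode, then XOR.  None if the blob is not valid Base64 or the
    result is not printable ASCII (a wrong key usually fails one of these)."""
    try:
        text = xor_bytes(base64.b64decode(blob, validate=True), key.encode()).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and all(32 <= ord(c) < 127 for c in text) else None


def plausibility(text: str) -> float:
    """Share of identifier-like characters: printable garbage from a wrong
    key is full of '}', '&', '~' and the like; real strings are not."""
    return sum(c in IDENT_CHARS for c in text) / len(text)


def guess_key(source: str, candidates: List[str]) -> Optional[str]:
    """Every class carries its own key: pick the candidate whose decodes of
    this class's blobs look most like real strings (None if nothing decodes)."""
    blobs = CALL_RE.findall(source)
    best, best_score = None, 0.0
    for key in candidates:
        texts = [defog(b, key) for b in blobs]
        score = sum(plausibility(t) for t in texts if t is not None)
        if score > best_score:
            best, best_score = key, score
    return best


def rewrite_source(source: str, key: str) -> str:
    """Put the literals back so the class reads like the unobfuscated early
    versions the talk mentions; calls that do not decode are left as-is."""
    def repl(m):
        plain = defog(m.group(1), key)
        return m.group(0) if plain is None else '"%s"' % plain
    return CALL_RE.sub(repl, source)


# Constructed decompiled snippet: an asset path and a loader class name, the
# kind of literal a plugin loader carries, fogged with this class's key.
CLASS_KEY = "k3y-for-this-class"  # constructed, not any real app's key
SAMPLE_SOURCE = (
    'String path = decrypt("%s");\n'
    'Class<?> loader = Class.forName(decrypt("%s"));\n'
) % (fog("assets/icon-icomoon-gemini.renc", CLASS_KEY),
     fog("com.android.utils.Hades", CLASS_KEY))
```

Run `rewrite_source(SAMPLE_SOURCE, guess_key(SAMPLE_SOURCE, candidate_keys))` with the keys pulled from each class's decrypt helper to get readable source back; a score well below the number of blobs means none of the candidates belongs to that class.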