
A Novel Runtime Technique For Identifying Malicious Applications

BSides Lisbon · 2018 · 48:27 · Published 2018-12
About this talk
Android malware detection typically relies on static analysis of APKs or permission inspection, both requiring access to application files. This research proposes a novel runtime heap analysis technique that identifies malicious Android apps without APK access, detecting dangerous object patterns like DexClassLoaders that indicate injection attacks. The approach is demonstrated as a proof-of-concept integrated into the Android Attestation Framework, enabling system-level malware detection directly on devices.
Original YouTube description
In this research, we propose a novel technique to identify malicious Android applications by analysing the heap of Android applications at runtime. Android malware is a continuing problem in the Android ecosystem, even after 8 major Android releases. Android currently relies on implicit and explicit user participation to identify malicious applications, both on the Play Store and on devices. Multiple techniques currently exist to identify malware, such as code signatures, hashes, permission analysis and manual static analysis. These techniques rely on the premise that whoever or whatever is performing the analysis has access to the Android application package (APK). However, performing these analysis techniques on devices is resource intensive, time consuming and also dependent on access to the APK. What if no access to the APK were required to identify whether an application is malicious? Currently no capability exists to scan for malicious applications at runtime on Android devices; at best there is static analysis of the application and its permissions. Additionally there is the Android Attestation Framework, which attempts to provide information on the state of the device but does not provide information on the state of running applications. The technique proposed does not require access to the contents of the APK, nor does it require write access to the application sandbox or memory, only read access to the process heap. Analysing the heap allows the proposed technique to identify the instantiated objects of a particular application.
The identification and analysis of instantiated objects in Android applications can be used to effectively identify applications that make use of, and implement, dangerous functionality such as DexClassLoaders and other well-known objects that exhibit malicious behaviour. The results of this research are showcased as a PoC, which shows how the technique can be bundled into the Android ecosystem as part of the Android Attestation Framework. The inclusion of this research as a system service via the Attestation Framework can enable the Android operating system or user to identify malicious applications at runtime via any Android application.
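The heap-object pattern the description refers to (a live DexClassLoader alongside live network objects in the same process), as an added example in Frida-style JavaScript. This is not the talk's own script and not code from the Android Attestation Framework. When run inside Frida it uses the real Java bridge calls Java.perform and Java.choose; when run under plain Node it falls back to a constructed scan result so the assessment logic can be exercised offline. The watch-list tags, the record format, and the sample paths and addresses are this example's own assumptions.

```javascript
// Added example, not the talk's script: heap-object pattern check in the
// spirit of the technique described above. Under Frida it enumerates live
// Java instances with Java.choose(); under plain Node it runs against a
// constructed scan so the assessment logic can be exercised offline.
// Class names are real Android/Java classes; the tag labels, record format
// and sample values are this example's own.

const WATCHED = {
  'dalvik.system.DexClassLoader': 'runtime-code-loading',
  'java.net.Socket': 'remote-communication',
  'java.net.URLConnection': 'remote-communication',
};

// A scan is a list of { className, summary } records, where summary is the
// object's toString(): for a DexClassLoader it names the jar/apk it was built
// from, for a Socket the remote address and port.
function groupByTag(records) {
  const byTag = {};
  for (const record of records) {
    const tag = WATCHED[record.className];
    if (!tag) continue; // not on the watch-list, ignore
    (byTag[tag] = byTag[tag] || []).push(record);
  }
  return byTag;
}

// The pattern singled out in the talk: a process that both loads code at
// runtime AND holds live network objects. Either alone is ordinary (self-
// updating apps, any networked app); together they merit a closer look.
function assess(records) {
  const byTag = groupByTag(records);
  const loading = byTag['runtime-code-loading'] || [];
  const comms = byTag['remote-communication'] || [];
  const findings = loading
    .map((r) => `code loaded at runtime: ${r.summary}`)
    .concat(comms.map((r) => `live network object: ${r.summary}`));
  return {
    suspicious: loading.length > 0 && comms.length > 0,
    loadedCode: loading.length,
    networkObjects: comms.length,
    findings,
  };
}

// Frida path: walk the heap for each watched class and collect instances.
// A pending counter fires onDone once every class has reported onComplete.
function scanWithFrida(onDone) {
  Java.perform(function () {
    const records = [];
    const classes = Object.keys(WATCHED);
    let pending = classes.length;
    classes.forEach(function (className) {
      Java.choose(className, {
        onMatch: function (instance) {
          records.push({ className: className, summary: instance.toString() });
        },
        onComplete: function () {
          if (--pending === 0) onDone(assess(records));
        },
      });
    });
  });
}

// Constructed sample scan standing in for a Frida run against a backdoored
// app: a socket to an unusual port next to a class loader pointed at a jar in
// the app's private storage. Addresses (RFC 5737 range) and paths are made up.
const SAMPLE_SCAN = [
  { className: 'java.net.Socket',
    summary: 'Socket[addr=/192.0.2.10,port=4444,localport=41000]' },
  { className: 'java.net.Socket',
    summary: 'Socket[addr=api.example.com/192.0.2.20,port=443,localport=41001]' },
  { className: 'dalvik.system.DexClassLoader',
    summary: 'dalvik.system.DexClassLoader[DexPathList[[zip file "/data/data/com.example.app/files/stage2.jar"],nativeLibraryDirectories=[/system/lib]]]' },
  { className: 'java.lang.String', summary: 'not on the watch-list' },
];

if (typeof Java !== 'undefined' && typeof Java.perform === 'function') {
  // Running inside Frida attached to a target process.
  scanWithFrida(function (result) { console.log(JSON.stringify(result, null, 2)); });
} else {
  // Plain Node: exercise the assessment on the constructed scan.
  console.log(JSON.stringify(assess(SAMPLE_SCAN), null, 2));
}
```

Under Frida the script is loaded against a running process (for example with frida's CLI) and reports the live instances it finds; under Node it prints the assessment of the constructed scan, which flags the DexClassLoader plus the two sockets. A scan with sockets only, as any networked app would produce, is not flagged, which matches the caveat in the talk that a class loader on its own is a common update mechanism.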
Transcript [en]

Thank you. Hey everyone, olá, is that correct? Cool. I always check them in a foreign country: we're gonna use words that I read off the internet, so I've got another one for later, so we'll see how that goes. So yeah, welcome to my talk, where I'm going to be sharing with you some research that I've been doing with Android malware. So who am I? My name is Chris, I'm a security researcher slash engineer, I don't really like labels, but that's kind of the stuff that I do, and I do this full-time at a company called Heroku. And yeah, you can find me on Twitter, @brompwnie, and it's probably the easiest way to find me.

So yeah, enough about me. This slide just helps me to remember what it is that I am discussing today. So there was a problem that I experienced, one of many, some time ago; there was an interesting question that I was asked that triggered an idea, which led to a PoC and some results and a conclusion. And the slide's also in there because I was told when you do a presentation you've got to have some sort of slide that's going to tell the audience what they are in for. So if this doesn't seem like something that's gonna keep you entertained for the next hour, I'm not offended if you leave now. So what's the problem? And I'm pretty

sure that most of you in this room are looking at this and being like, yeah, I know this, and it's a big problem that we still continue with today. These are just some of the headlines from the past two years, but pretty much since the inception of Android it's been synonymous with malware. Android, malware, it's kind of like coffee and the dessert that we just had, like when he said. So it's a common thing and I'm not gonna go into too much about that, but I saw this problem and I wondered to myself, well, how easy is it to create this kind of malware? So at the time, this is a couple years

ago, thinking, well, what's the easiest way to backdoor Android applications? One thought was: just run an app or script and boom, you've got a fully backdoored existing Android application. So this is a tool called Kwetza. So at least a couple years ago, this was before msfvenom had APK backdooring capabilities, and I was sharing this tool with some researchers in the desert in North America, and most of the questions I got were mostly the usual infosec questions like how do I bypass antivirus, I got asked how to use additional payloads, and those are the usual questions that I was used to. But I got one question from an engineer that was there and they said,

Chris, how do I detect on my phone or my application if it's been backdoored or tampered with? And I thought, well, that's a great question. We would have to resort to our normal reversing techniques, especially with malware. So first thing, you're gonna need the APK. So statically you're gonna tear apart that bag of bits and look at it, and of course you're gonna run it in some sort of sandbox, and these are the two main points I mentioned to this engineer, and I actually really wasn't happy, because I started then looking into the current techniques of how to detect malware. So at this time I was not a malware reverser at all, I was just mostly interested in

seeing techniques that I could prank my friends with on their Android phones, pretty much being like, well, this is what can happen. So I dug around a bit more, and these techniques aren't limited to Android or mobile, but you know, mostly malware reversing: good old hashes, code signatures, so pieces of code that have popped up in APKs and samples in the wild, you can identify it. Permissions is quite specific to Android. For example, if your grandmother comes up to you and says, you know, I installed this app and it turns my phone into a torch, I am so excited, but it's really expensive when it sends those SMSes. So I'm thinking, while looking at

the permissions, and thinking, well, a lot of those torch apps need your GPS, send those SMS messages, access your contacts and every other thing. So that's quite specific to Android, so it's a good place to look at the permissions to see what it's asking. And in general, if it's for free, you are the product, which leads to reputation. When I'm on the Play Store looking for malware samples I always look at the free apps, that's just a dead giveaway: all the apps that claim to offer a service that's paid for, so the whole free VPN service or, you know, free whatever, if it's free it's got something else in there, mining Monero or something else dodgy in

there. And of course behaviour: you install that app and all of a sudden your battery is being depleted very quickly or your data usage is going up, those are the kind of indicators. So nothing really new here, but I was looking at these ways and I thought, okay, those are how we reverse malware, but how are we protected? So we have Google Play Protect. Anybody heard of or remember Google Bouncer? Stand up. Okay, that makes sense. It died a slow and painful death, but it's now Google Play Protect, which is a team, and if you notice on Android you'll get that notification, do you want to have this application looked at? And yeah,

that's an interesting story on how they're scaling that. Then of course you have the Google Play Store, so you know, you download an app from the Play Store, it's been verified, so it's legit, so that's a defence mechanism. I'm being a little bit sarcastic now, FYI. I'm aware, I'm South African, so sometimes my sarcasm doesn't come through, so I'll just reiterate it, so don't worry if you're not understanding me, I don't understand myself either, so we're in the same boat together. And of course we have third-party software. I'm really gonna crank up the sarcasm: we have antivirus. So, I hear your giggling. Antivirus on mobile is an oxymoron. Well, just in general, I mean, okay, I

understand antivirus is a great tool in your house, you're gonna get system, you know, as a great prevention mechanism, you know, I don't make it too easy. Anyway, I'm gonna sharpen, antivirus, as you can see I'm a big fan. Then of course there's operating system support, you know Copperhead, I'm not gonna say CyanogenMod or OxygenOS, but there have been some operating systems that have implemented some mechanisms to protect against malware. So a nice example is actually seccomp, the abilities that the Linux or the Android kernel released a while back to actually limit the syscalls that processes can access on the operating system, and this was actually due to malware and privilege escalation bugs on Android. And

of course you've got MDM and your MAMs and all those things that don't really work too well, but you know, if you're in a large corporate and you want to control what apps are being installed, you want to push a VPN profile, you want to enforce a passcode policy, those things can help support against malware to some extent. So what are the shortcomings? So what I realised: well, static analysis is hard. For me it is. In the Android space it's really interesting because you can stare at Java or Kotlin if you want, or you can go a level lower and stare at smali, which is exciting, and if you really hate yourself you can look at all the

different ARM variants, you can look at, yeah, the x86 or MIPS if you're feeling really adventurous, but if you're just looking at ARMv7, v8, 64 bits, that stuff gets hard, for me at least, because if I'm just looking at 32-bit ARM that's all right, I can kind of navigate it; give me 64-bit, no thank you, no, it's not gonna happen. So it's difficult, especially with malware. Then all those other points, which I'm sure none of you have read by now. All my animations I disabled due to hearing stories about the setup for BSides, no, I'm not bashing the setup, it's fine, so let me decrease the amount of things that can go wrong. In general, the

first thing: so all those things on the board, and Cuckoo, you can't run Cuckoo on your phone. So you get a malware sample, you throw it on Cuckoo, Cuckoo gives you information. I can't do that on my phone. I'm here in Lisbon and I think an app's dodgy on my phone, unless I have my laptop, you know, get the sample off. Portability and scalability: so at Black Hat this year Maddie Stone from Google Play Protect gave a really good talk on how she spent a considerable amount of time reversing a sample that had very awesome anti-instrumentation techniques, anti-tampering techniques, and this is a prime example of scalability: they couldn't detect the sample automatically, the sample had to be

put in front of an analyst, and the analyst had to sit for a considerable amount of time, a couple of weeks if not months, to actually understand this code and then add signatures to detect it. So for every piece of malware that comes out there you're gonna need hundreds if not thousands of analysts, and that's just not a reality that we have today. So yeah, other shortcomings: you know, what if the app's not on an official app store? Who's never sideloaded an application, or, you know, wanted to get hold of an app that wasn't in their Play Store? Exactly. We had this problem when the best app ever, Pokémon Go, came out, we didn't

have it in South Africa, so what did we do? Oh, we got it from third-party sites, and yeah, I've told my friends off big time, but that was for educational purposes. Of course forensics is really cool for analysing, but try to do forensics on a mobile phone using a mobile phone to detect, to analyse the malware, it's a different story, probably future research. And of course bypassing AV is just too easy. Now a lot of time has been spent on that, which was quite sad, someone has changed the permutations just to bypass that device, because I mean, who's not heard of meterpreter payloads, like who doesn't detect it? Well, if you just change a couple of strings, my ladies weren't that

was some time ago, but that's still quite easy. And then the last point, and I'm sorry for all these points on one slide, I fall asleep when I see things like this, so if you do too, but static analysis only shows you a subset of the functionality of what an application is going to do, especially when it comes to droppers, and I'll go on a bit about that. These are some of the shortcomings that I found, and I'm sure that if there are more that you see, please tell me. But the main thing that was irritating me, and probably responsible for me losing a lot of hair, that's why I wear hats, not just to

blend in with the local hipsters, but um, this is, there was also, there is really no reliable way to detect malware on a device using the device. You need to open up your laptop, you need to fire up adb, pull off the APK, it's just not a viable thing, and that irritated me, because I am super lazy. So if there's a script that automated it I'm like, well, whatever, so I wanted to do that. So then I had an idea, and these don't come along very often, and I thought, well, this heaps of data, bad joke number one, I always said it, I'm sorry, I apologise for the bad jokes but they're gonna happen. So

well, okay, there's the heap on Android. We'll leave the stack alone for now. I thought, well, when I'm looking, import statements are useful, but what's even better is that Android apps make use of objects. You can import a class to use an object but you may not necessarily instantiate it, but when it comes to objects, if it's been instantiated, that means that it's probably being used, unless they are really terrible devs like me. If someone's typing Object x = new Object, they're probably going to use it; if they're not, well, maybe they should consider an alternate career path. But instantiated objects are a lot of fun because they have data. When something is sitting in an object it's there for a

reason, and when actions need to be performed that's a great way just to look at what it's doing. So we want to look at objects for Android applications, so they live somewhere special: they live on the heap. So first thing, in here, Linux, behave yourself, cat /proc/PID/maps and you look at maps. Anybody familiar with this, the heap region of the Android or Linux operating system? Yes. And you can look at the heap regions, pretty useful, the mappings are pretty cool, but yeah, unless you know the memory allocator, jemalloc, really well then it's gonna be difficult to deduce that information. So the next best thing is hprof files, right? I mean, you know, attach

a debugger to the process, you dump the hprof file, you make a cup of coffee, have some dessert, you have a nap, you come back and you might have an hprof dump which then, you know, you're gonna run extreme amounts of grep over and hopefully you'll find something. Not so great. Next step: forensics, Volatility and LiME, really great, but not that feasible because it requires specially patched kernels, and of course it takes snapshots of the entire device's memory, not just specific processes. So /proc/PID/maps is for a specific process that's running; forensic tools are mostly designed towards the entire device's memory contents, which then requires additional processing. Last but not least, my favourite, good old gdb,

and I don't know why I came to this option last, but what I realised was, especially on Dalvik, is that if you just fire up the gdb process and if you run hashCode() on any object in Java, you'll get a nice and weird-looking string that is actually the starting base address of an object, and if you go to that in gdb you'll see the object. Especially involving ART, different story, one game today, but this is the first difference, jemalloc and dlmalloc, and it's actually a really fun way to scan the heap and have a look at what is actually running there. So cool, now I know what is running, so I

can see what objects are on the heap, I can deduce what this app is doing. So extending on this idea, for a while, yeah, gdb is fun, but do I really want to interact with gdb over some mechanism from an Android app? I mean, it sounds like I really hate myself at that point. So, okay, objects are accessible. Of course we have interesting instrumentation, good old ptrace, and of course in this space we'll grab Frida. Anybody here use Frida? Yeah, if you don't know Frida, I'm such a Frida fanboy, like really, play with it, it is amazing, one of my favourite instrumentation frameworks. So I thought, well, this is relatively easy, I want to do some object carving, and the object

carving capability just blew my mind, it works really really well on ART. The Dalvik support is somewhat lacking because, I mean, Dalvik's a dinosaur, unless you're into archaeology, you know, you might want to look at it. But I thought, great, let's see what we can do with Frida, and at runtime you can do it really really easily with Frida, if you say, given this process, tell me if it has object X instantiated, and so forth. Okay, well, wouldn't it be cool if at runtime I'm using my phone, you've got an Android phone, but yeah, in this case an Android phone, and I thought, well, with objects and that decision, if I could see all of this, which objects are instantiated and what

are the values for these objects, because everything that you typically do in an Android app translates to an object. If you're making an HTTP connection there's going to be some HTTP object or a TCP object somewhere with some data inside of it. So cool, this is really awesome because this would give me an idea as to what an app is doing and how, which relates to reversing anyway. When you're reversing an app you want to see what those apps are doing, you want to understand it, you want to know why is it making connections to IP spaces in Asia, you want to understand that, you know, why, you want to scratch that itch. So I

thought, well, for example we're gonna look at something I'm very familiar with: meterpreter. Yeah, it's a nice platform to play with, it's a good start. So what, well, if I was analysing, if my friends came up and said, hey Chris, you know, I installed this app and it's acting a bit dodgy and I got it from, you know, a friend who was talking about Metasploit. Okay, cool, so I'm probably gonna be looking for a meterpreter backdoor, and experience tells me to look for a couple of things, but most notably DexClassLoader or any class loader and what that injected code does, because that's how the typical one works: the stub is really small, all the core functionality gets

loaded onto the device at runtime after infection. Of course TCP objects, because meterpreter communicates over TCP or HTTP, there's no DNS exfil yet, which tells me that it's a backdoor. Actually if an application at runtime had an instance of a DexClassLoader object and a whole bunch of TCP objects, this will tell me that the app is loading functionality at runtime and establishing remote communications, which would set off alarm bells, because why on earth does it want to use the DexClassLoader instance? Which ironically happens to be a very common technique to update apps, because the Play Store doesn't say, for one update you have to go through

Facebook, but I mean who reads the T&Cs anyway. So we're gonna start with an infection. I do apologise for the resolution, it is a bit weird, but in that case we've got an Android device, and what I've done is I've just backdoored the Twitter application for shits and giggles, I mean, why not, you can do this to any app, and this is the infection that we're gonna work with going forward. So we can see we've run the Twitter app and we get a meterpreter session, and what we're then going to do is interact with the device that's been infected so that we actually have a process that's running and something that we can look at, and

what we're going to do is we're going to take a screenshot of the user putting in their credentials. Of course in this case meterpreter can do it, because an app can screenshot itself, not other apps, this is because the meterpreter is running in the context of the Twitter application, or the backdoored application. So take a screenshot, and it was definitely much slower when I made this video, definitely much, but I had less caffeine as well. But we are up and moving, we have an infected device. So once we have that, how do we do this using Frida? So what I'm going to do now is, yes, it's written in JavaScript, I do apologise, but it is quite literally

the easiest way to interact with the Frida daemon. These scripts are all online, so don't worry, you just have to believe me when I tell you what's happening here, don't question anything, sarcasm once again. But what I'm doing over here is I'm saying to Frida, I'm connecting to you from my workstation, and that JavaScript that you see over here, I'm going to say look for these kinds of objects. So in this case I'm looking for java.net.Socket, dalvik.system.DexClassLoader, java.net.URLConnection, and I'm saying connect to the Twitter process. Now you see all this information, these are all the instantiated objects that I've looked for, so we can see that there are

a whole bunch of objects of java.net.Socket that have been instantiated and they are currently living on the heap. I then go ahead and query these objects and I can see IP addresses and hostnames that have been resolved, so I can see at this point in time this Twitter application has a connection to 192.168.1.120 on port 4444. I wonder what that is, 4444, I mean who knows what runs on 4444, but in most installations... At the bottom is that there are two instantiated objects of DexClassLoader, and you may be wondering why on earth does this application have two instantiated objects of DexClassLoader.

Well, like I said, if I'm looking for meterpreter I know that this is how meterpreter loads the functionality, and you can do this for any objects. If you're looking for overlay attacks there are specific object patterns that you can look for, to say here's process X, tell me if it is using these objects, what are the values of these objects, if they are there you can then infer some information. So that's how we do it via Frida, and it's very interesting to say tell me if these objects exist, yes or no, so the lazy man's way to malware stuff. How does this look on other apps? So this is a dump of the YouTube app on Android,

and as you can see when you run it, it has a whole bunch of java.net.Socket objects that are instantiated, and then it has an instantiated instance of DexClassLoader that is called, for those of you who can't read the screen, it is called abs, I don't know what abs means, but a double seven eight dash double four .jar. So that's what the YouTube app is doing: it's downloading a jar while you're at it, and it's taking the contents of that jar and the functionality and invoking it at runtime, just as meterpreter does. Pretty cool, I love the G functionality. So what's the difference between static and runtime analysis? So I mentioned earlier that static analysis is not

going to show you some stuff, and what it won't show you is the runtime injection of class loaders. Why? Because when you load it at runtime you need access to that additional jar, APK, that is loaded into memory. If you just have the natural APK you're not going to see those other APKs or jars that are injected, so you're not going to see the information unless you run it in Cuckoo or some environment where, remotely, you download the jar or APK and then you reverse that as well, so you're not going to have that. Then there's also, and probably my least favourite, java.lang.Runtime, not because it's Java, but because every process gets an instance of this class

and subclasses, and for those of you who may be familiar with Java payloads there's a very interesting object and method called Runtime.exec. So every single Java process has its own singleton of Runtime, and if you want to run a shell command you say .exec, or you use ProcessBuilder. Now you don't need an import statement because every process is automatically given an instantiated instance of this. I say it's kind of beautiful because it's very difficult to control the contents of those objects, so you kind of just hope that whatever process is using those objects kind of gives you data, but I'll go on a bit about that. So that's

what you're not going to see with static analysis. So I'm now going to show you that, well, I'm going to show a video and then tell you why you should believe that. These videos are all online as well, you can see my very shitty code, but what I'm doing over here is, to the left, yes, so there's a vanilla Android application, and what it is going to do, it is going to load at runtime an APK that is generated from this. So here is an application, I take this and I bundle it into a jar, at runtime I then go ahead and load the contents of this jar at runtime over here, and that's the

functionality. I then have my Frida script that is then going to say look at this process and tell me what's in memory at runtime. So of course there's the application and I'm actually gonna debug as well. So at the first point, what we're going to do, we're gonna run the script, and what you see at this point, it's not picking up any of the dangerous objects that you were looking at earlier, it's picked up nothing, which actually makes sense. But then we run our breakpoint, we ran the runStuff method, and at this point all that's done is just created a file. We run our script again and we'll get nothing. Yes, okay, I got that breakpoint right. We then step over, and what we're

now going to do, and even my screen resolution has gone really small, so what we're going to do next is create an instance of DexClassLoader. Yes, so we just stepped over that method, we instantiate an object of DexClassLoader, we ran our script, and what did we get? We saw that an instance was on the heap and all about the contents of it. We then step out of a whole bunch of stuff and we're now stepping through the functionality that we've now loaded into memory from this additional jar over here, which you won't see. So we just ran a println method, we ran our script again, and we're not picking up anything more. Excuse

me, what we're going to do next is actually issue an HTTP request, sorry, the shell command, that's the next one, and we've just basically run an ls and we can see the contents. So all we've done is run exec on ls and we can see the content over the logcat, because that's what the code is doing, and what you're gonna see when we run our Frida script, we're not gonna see anything interesting, because the Runtime object is very difficult to inspect to see if someone has run a shell command. If you do know how, please tell me, I have not found a way yet, well, I found a hacky way to find

it, but it's quite difficult. Next we're then going to actually run an HTTP request over here, which is this functionality. So this app is gonna run an HTTP request which is defined in this jar over here, and my favourite way to see if an HTTP request has been made is that Android throws a lovely fit, because you're not supposed to run HTTP requests in the main thread of an Android app. I mean, who's gonna tell me how to make my HTTP requests? But anyway, we see that request coming up, so we know it's been executed, and what we then go ahead and do is actually run our Frida script to actually see, okay, I've now run an

HTTP request, what is the content of the objects, are there objects, and that should be the next one, the one that we ran. And my video just about ended, hold on, let me find the right one, but there we go, sorry, I just stopped at the end. So at the end here, after we ran an HTTP request, we then scan the heap and said tell me if you see any java.net.URL objects or any TCP socket objects, and we did, we get the information over here. So static analysis won't show you that unless you have both the APKs, which in some cases you do, but in most cases you don't. So I'm a big fan of this method

because, A, I don't have to read code, I mean like I said, as you probably picked up, I'm a big fan of static analysis, and it's very cool to identify specific anomalies. You don't have to do this, read lines of someone else's rubbish code, you can just say look at this process and tell me if you see any of these specific objects, easy-peasy. But it also has some frustration, and I'm going back to java.lang.Runtime. So if I want to see if the process was running shell commands on my system I'd have to inspect the Runtime object, but what you see over here, and if you had ninja eyes you might make out, and I'm going to

look at my screen though, this is what a Runtime object looks like at runtime. I just loaded it up in a debugger and you'll see that it is full of information that makes no sense to me whatsoever, but there is no way to say, hey, this process just ran /bin/ps. There's no way to find it, there probably is, I just haven't figured it out yet, but it's not obvious, so that's annoying. But of course we make a plan. So what is fundamental to objects? Of course the rest of the points say that, but methods, and what's really cool that we can do with instrumentation is that we can hook methods, method swizzling, it's the

greatest way to, you know, if you're reversing an app and you want to get past a pin, yeah, you just bypass that check. So we can do the same with Frida, we can say for this particular object, every time this method is called, tell me about it, and it's a classic way that we use to basically pwn mobile apps. But I thought, why don't I use this to hook the exec method for the Runtime object, so that every time a process issues that method on that object I will see what's happening. So I first have to apologise for showing you Java documentation at 5 o'clock on a Saturday, I do apologise, but it's crucial for those

points. But if we look at the exec method signature it has got 1, 2, 3, 4, 5, 6 different combinations, different signatures, so what we have to do in Frida is cater for that. So we have one method signature that just takes a string, one method signature that takes all the other stuff, and we overload that. And of course there's a video that you'll see if you have ninja eyes, but in this case what we're going to do is we're gonna use the same sample that we were using earlier, that shitty app that I wrote that just ran /bin/ps, and these are all the signatures that we're gonna catch. So at the top, Frida hooks on to the

process. Now this is very intrusive, here we are modifying basically functions here, but that's beside the point. So what that means is that every time the process that we've hooked on to has executed the exec method we'll get some information. So we're gonna run our app that ran the /bin/ps and hopefully we will see something, and that is that message right over here. And remember, this functionality has been loaded at runtime, so we've taken the jar, the route that executes the /bin/ps command, and thrown it into memory, and we go ahead and we will run it at some point. I'm not running this emulator by the way, I'm using Vysor, so the

streaming of the device is really really handy. And we just ran an exec method, you see a whole bunch of information, and what you'll see actually over here, this is saying exactly /system/bin/ps. So now we can see that this process is executing shell commands. Now this video was originally for developers only so I made it very slow and repeated a lot, I'm gonna jump to the interesting stuff. So let's go back to our Twitter app. Remember you can do a lot of fun stuff with meterpreter, we've got a session and we want to now run a little script over there that is going to hook exec methods for a particular process, and we're gonna get the session that we have. So

now we've got a meterpreter session, and with meterpreter Android you can run shell commands straight through, and you can see we ran an ls over here but nothing came up in our script, no hook came, that means it's doing something different. But what you can do with meterpreter is you can drop down to an interactive shell. We just ran that command and we see something came up in our terminal which says a call came through, and the parameter that was sent to exec was sh -c sh. Those of you familiar with reverse shells in the Java space or on Linux, that is fast for merchants to have doing that, I'd get a bit of a pract, but

of course we've infected this one, and you can go ahead and we actually play with the shell and we see what happens. Then we run some commands and nothing else actually comes up, because it's using sh -c sh, it's using that pipe, so it's actually not running Runtime.exec every time on every command, it's running it once to get a shell session and then running it within that pipe. So that's one way that you can use instrumentation to see how applications are using Runtime.exec. So this is all fun, this is all from a desktop, and at this point we have the ability to analyse objects on the heap, so that's the

important area that we are looking at. We can hook functions, we can do all of this at runtime, under the hood, and we can see more than static analysis; I hope that convinced you of that. But we're doing all of this from a workstation. Now, earlier I was ranting a bit about why I don't want to do this from a workstation, I want to do this from an Android device; I don't know, [unclear]. Before I get into that, I'm going to introduce the attestation API. Very cool; anybody heard of it? Yeah, if you're into mobile and Android stuff I highly recommend you look at this, it's very interesting. Basically, in the Android ecosystem it allows you a way to gather information about the device: for example, is the device rooted, is it using a signed ROM from Android, is it using something else? So basically apps can use this API to query the environment in which they're running in, so apps can most easily say, hey, has this device been compromised, is it rooted, so on and so forth. So it's an API with a lot of things that go on. So my thought was: there is an API that exists already in the Android operating system to query the device, and if you look at the architecture, and I once again apologise for showing you architecture diagrams on a Saturday, at this point over here it runs on the device, and as the client you query that.

So my thought was, what if we could do something here? What if we provide an API that would allow an application or something to query the system and say, hey, process X that is using a lot of battery, give me some information about it? Yes, I know alarm bells will be going off, and I mention that later, but that was the idea, and what I landed up hacking together is something called H-cake. So, this is [unclear]; if you speak Dutch you'll understand why it's called H-cake. Um, so yeah, [unclear], I'll tell you later, but you can use this API to basically query the functionality that I've showed you, and now you can do this from an Android application. So basically it's a custom Android Frida library, so you can interact with Frida via an Android application, so not from a desktop; it speaks D-Bus over TCP. Yes, I hated my life very much after looking into the world of D-Bus. And this basically is full Frida server integration. If you're not familiar with Frida, basically it's an agent that you query; you drop it on the device, or you can use the gadget and embed it into an application, I won't go into that. But what's cool about this is that you can run all the tests that I demoed earlier, you can run this via H-cake. You can say, give me the processes for system, or you can say, process X, tell me if you're using objects A, B and C, and give me the values of these objects at runtime, from an Android app.

So for example, if you were to say from the Frida CLI on your host, hey Frida, give me all the running processes on the device, you would say frida-ps -U for USB and you get this stuff, pretty useful. If you want to do it via H-cake, and I've said the word instantiate probably way too many times in this talk, but you instantiate an object of H-cake and you would just say hk, or whatever you decide to call it, dot Frida PS, you give it the name of the daemon and the ports that you want to connect to, and it'll go ahead and return those results to you. If we look at the earlier examples... I didn't do anything, that wasn't me, haha. Cool, I think that's the sound; even the presentation is getting annoyed with my voice, so that's the sound for me to hurry up, but

yeah, those are the scripts from earlier, remember, analysing a process and saying, hey, if these objects exist, give me the information from my workstation. This is how you could do it in H-cake; it's just two lines of code there. So, why H-cake? Well, there was no Android Frida library, there's no way to interact with it on Android through an Android application. I wanted to use Frida for its object carving capability, which I think is its strongest use. I wanted a client-server model to interact and integrate with the existing attestation API, then you query something and get a response. And the one pain comes from this text which is highlighted, which says... so, I realised that Frida is using D-Bus, and I thought, well, I want to speak D-Bus in Android, and there is no offering at system level; there are libraries, but not in the Android layer. And when I look at the D-Bus documentation homepage it literally says, if you use this low-level API directly you're signing up for some pain. I'm not making this up; go to dbus.freedesktop.org/doc and it says exactly that. So you know my reaction: [unclear], but of course I didn't, I continued.

Basically what I did was sniff a whole bunch of Frida sessions between a device and a host and basically implement a TCP socket daemon to initiate that, that implements D-Bus over TCP. That's ugly; the markers, I do not know D-Bus, I got it from sniffing Frida sessions and basically tried to identify what flags I could send from the Android library to the daemon. Basically, if you look at the source code you'll just see a whole bunch of bytes, because a lot of them I don't know what they do, but it works. And I just highlighted, I looked for the bytes that I needed to change in the protocol, for example to specify PIDs, so I don't want to look at PID 1, 2, 3, 4 every time; the PIDs change, so I had to manually change the bytes in the protocol and a whole bunch of other stuff. That's really what it looks like: a lot of trial and error and a lot of swearing, and yeah, but it kind of works. This was the original PoC, so before I even had the thought of, cool, let's get this to work. If you're familiar with D-Bus you'll see basically AUTH, and what's interesting about D-Bus is that there is really no auth; if you send an AUTH packet you will always get an anonymous-auth rejected reply, so if you're scanning any socket and you get that kind of reply, that's D-Bus. So there's some really nasty protocol code, and why I like to show it is that it actually worked the first time, this kind of thing, so it's basically a replay attack, and I was not expecting that.

So yeah, and then I decided, well, let's turn it into an Android library, which is this demo over here. So once again we've got our Twitter infection, so this Twitter app is infected. As you can see, that is why I am NOT an Android developer; I stick to the default, default, default Android blue, [unclear]. So the first command there was system processes, and that is basically frida-ps -U but from the Android app, and we can see we've got our meterpreter session. Now I'm providing it the PID of the Twitter application, and I said hunt malware. We give it some time, don't go for a coffee break, there's not enough time, but we'll get some information back, and you'll see I'm just displaying the raw JSON data I get back, but we see, from those Frida scripts, all the information about the DexClassLoaders and the TCP sockets; we're now getting that at runtime from the application. So now, I don't know, if this was an app that said, hey, look for dodgy-looking apps, you could use this and say, hey, so the app is using object X and it has these values, you can implement some logic. So that's how H-cake works. Yeah, that's a lot of fun, I enjoy it, besides what I've been moaning about, my

pain, that's just D-Bus. But the current scripts are there, the videos that I just showed you are available, you can [unclear], but if you Google you'll find it, so all the stuff is living over there.

And of course, yeah, there are obviously shortcomings with this kind of stuff. This is an increased attack surface; I mean, if I was trying to pwn Android and I found out that there is a process that analyses the memory of other objects, oh my word, that sounds delicious. So yeah, I'm currently actively researching how to maybe isolate that. I think it would be a great API for internal Android services, and only read access for particular objects, so kind of like that dangerous and normal permissions model, that maybe a system process could only be allowed to look for maybe dangerous objects, or objects specific to overlay attacks or certain view gadgets, and maybe anonymise it, I don't know. So yeah, it opens up for abuse; this kind of stuff could be abused. And of course the pessimist in me is just like, well, we still struggle to get basic security right, so how is something like this, that's going to be actively looking at the memory of other processes, going to work out? I mean, that kind of exists in desktop environments, I'm not going to mention any names, but we've seen how that worked out. So of course there are shortcomings, but it's research, it's fun.

So, in conclusion. One of the things: it's a journey, I think it's a step in the right direction. I think some very clever person once said, and I'm not quoting it directly, but they said something like, if you're doing the same thing over and over and expecting different results, something might not be right. So why not try something different, you know, [unclear], why not? There's no silver bullet in security; this is definitely not going to solve all your problems, there are alternative solutions, but this might help, maybe defence in depth, maybe. But at the end of the day I think the

Android OS is key to protecting itself; third-party applications don't have the capabilities, they're not provided the capabilities to do anything meaningful besides run a grep over an APK. So I mean, yeah, that's the kind of stuff that we're looking at, and yeah, so, thank you. Any questions? Yes, there's a microphone, nice.

You were talking about tracking things like Runtime.exec, the one that executed commands on the OS. That's a static class, if I'm not mistaken, right? Yes. Have you tried to dig into the [unclear] memory area of the [unclear]? Because, [unclear], at least from my memory of my [unclear] years of Java development, that's where class metadata and static variables and all that stuff is stored, so you probably will hit something there about the reserved areas, the last values used and some of that stuff. So probably you could try that?

Yes, that's a great idea. Yeah, unfortunately I've opened up the Pandora's box of Android memory on this, like, what am I doing? That's a great idea, I'm listening, I'm actually going to look into that, because yeah, that seems like something that should be predictable. So yeah, thanks, I appreciate that. Any more questions?

At the beginning of the talk you said that there was no efficient way of scanning for malware on Android, and even this solution I think is not for the common user of Android, because from what I know, for Frida you need to have root or you need to repackage the app to inject Frida, so it's not a solution for the common user. Do you think there could be a solution for most people, or is that out of scope?

Yeah, I think it takes away the need for, for example, users having to set up Frida and do their own thing. So I think if it's somehow bundled as a system service that the user doesn't see, but the system service has this kind of capability, then it could add value. It could say, well, okay, at runtime this app is using these kinds of objects; it said that it doesn't need to, but it is, so send off some alarm bells. So I would definitely not recommend this stuff being exposed directly to a user, unless we really hate them and want to make them suffer, but I think if it's abstracted and bundled in as a system service where the system does the heavy lifting and interfaces to the user, hey, there's something wrong here, maybe submit it, or, you know, throw your phone in the nearest bin. So I don't think it solves the problem entirely, but I think it's kind of a step in the right direction. Does that answer your question?

Cool. I actually have a question. First, thank you for the excellent presentation. For this to run, there has to be a hook, there has to be a thread in a process that attaches to the application and dumps the objects. What happens if the attacker, or the trojanised application, has a timer that instantiates an object, does the evil things and then destroys the object? Is there any trace that could be looked for? So the question is: would there be a way to detect if an evil process is instantiating objects, doing what it needs to, then getting rid of it?

Yeah, great question. I would probably look for any garbage collector calls, anything to GC that would force it, or any other way that would be able to force that off the heap. You may try to call it to force the heap, to force the garbage collector to clean itself, but the system is something else: it's actually a queue. When you call that method it places something inside the internal queue, and the next time it runs it goes over that, it will take that thing off and call GC. So even if you try to instantiate something, do some evil sketchy thing, it's not guaranteed that it will be out of memory before you can try it, so if you're monitoring the thing you'll probably get it. Yeah. Any more questions? Thank you, thank you, thank you.
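The Runtime.exec hooking the speaker demonstrates with Frida in the talk, and the Runtime.exec question from the audience, as an added example that is not part of the talk or of the speaker's H-cake tooling: the pure function folds the six exec overloads into one record and marks the "sh -c sh" case that explained why later shell commands never hit the hook, and the hook at the bottom is an assumed adapter for the Frida Java bridge (the SHELLS watch-list is constructed).

```javascript
// Added example, not the speaker's code. Folds a java.lang.Runtime.exec call
// into one record whichever of the six overloads was hit:
//   exec(String)                  exec(String[])
//   exec(String, String[])        exec(String[], String[])
//   exec(String, String[], File)  exec(String[], String[], File)
// Only describeExecCall runs outside a Frida agent; the hook is an assumed
// adapter for the Frida Java bridge.
const SHELLS = new Set(['sh', 'bash', 'mksh']);  // constructed watch-list

function describeExecCall(args) {
  const first = args[0];
  // The String overload is tokenised on whitespace, as Runtime.exec(String)
  // does with StringTokenizer, so "sh -c sh" becomes ["sh", "-c", "sh"].
  const argv = Array.isArray(first)
    ? first.map(String)
    : String(first).trim().split(/\s+/).filter(Boolean);
  const envp = Array.isArray(args[1]) ? args[1].map(String) : null;
  const dir = args.length > 2 && args[2] != null ? String(args[2]) : null;
  const base = (p) => (p || '').split('/').pop();
  const shell = SHELLS.has(base(argv[0]));
  // A bare shell, or "sh -c <shell>", opens an interactive session: every
  // later command runs inside it and never passes through exec again, which
  // is why the hook in the talk stayed quiet after that first call.
  const interactive = shell &&
    (argv.length === 1 || (argv[1] === '-c' && SHELLS.has(base(argv[2]))));
  return { cmdline: argv.join(' '), argv, envp, dir, shell, interactive };
}

// Frida side: the bridge hands Java arrays over as array-likes and File as a
// wrapper object, so flatten them before calling describeExecCall.
function toPlain(v) {
  if (v === null || v === undefined) return null;
  if (typeof v === 'string') return v;
  if (typeof v.length === 'number') return Array.prototype.slice.call(v).map(String);
  return typeof v.getPath === 'function' ? v.getPath() : String(v);
}

function installExecHook(onCall) {
  Java.perform(function () {
    const Runtime = Java.use('java.lang.Runtime');
    Runtime.exec.overloads.forEach(function (ov) {
      ov.implementation = function () {
        const args = Array.prototype.slice.call(arguments).map(toPlain);
        onCall(describeExecCall(args));      // report first, then let it run
        return ov.apply(this, arguments);
      };
    });
  });
}
```

Inside a Frida agent, `installExecHook(r => console.log(JSON.stringify(r)))` prints one record per exec call, so the single `sh -c sh` record stands out from a stream of `/system/bin/ps` style calls.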