For various reasons many Apps need to detect whether the phone has been “rooted”, and in this article we will look at different techniques for this purpose. Since this type of question is common in development forums, I thought a post on the subject would interest many readers.
In this StackOverflow post we can find the techniques commonly used in Apps for root detection. The following code uses three methods: the first checks the build tags for the string “test-keys”, the generic key used to sign packages in development builds; the second checks whether Superuser.apk exists on disk, the App that manages access to the “su” command (administrator privileges) for other Apps; and the third runs a shell command to locate the “su” binary.
// Root.java
import java.util.ArrayList;
import java.io.File;

/**
 * @author Kevin Kowalewski
 *
 */
public class Root {
    private static String LOG_TAG = Root.class.getName();

    public boolean isDeviceRooted() {
        if (checkRootMethod1()) { return true; }
        if (checkRootMethod2()) { return true; }
        if (checkRootMethod3()) { return true; }
        return false;
    }

    // Method 1: firmware signed with the generic AOSP "test-keys" (typical of custom ROMs)
    public boolean checkRootMethod1() {
        String buildTags = android.os.Build.TAGS;
        if (buildTags != null && buildTags.contains("test-keys")) {
            return true;
        }
        return false;
    }

    // Method 2: the Superuser App that brokers "su" access for other Apps is installed
    public boolean checkRootMethod2() {
        try {
            File file = new File("/system/app/Superuser.apk");
            if (file.exists()) {
                return true;
            }
        } catch (Exception e) { }
        return false;
    }

    // Method 3: ask the shell where "su" lives. The original compared the result only
    // against null, which is true whenever "which" itself runs; an empty answer
    // (su not found) must count as "not rooted", so require actual output.
    public boolean checkRootMethod3() {
        ArrayList<String> result = new ExecShell().executeCommand(ExecShell.SHELL_CMD.check_su_binary);
        return result != null && !result.isEmpty();
    }
}

// ExecShell.java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.ArrayList;
import android.util.Log;

/**
 * @author Kevin Kowalewski
 *
 */
public class ExecShell {
    private static String LOG_TAG = ExecShell.class.getName();

    public static enum SHELL_CMD {
        check_su_binary(new String[] {"/system/xbin/which", "su"}),
        ;
        String[] command;
        SHELL_CMD(String[] command) {
            this.command = command;
        }
    }

    // Runs the command and returns its stdout lines, or null if it could not be started
    public ArrayList<String> executeCommand(SHELL_CMD shellCmd) {
        String line = null;
        ArrayList<String> fullResponse = new ArrayList<String>();
        Process localProcess = null;
        try {
            localProcess = Runtime.getRuntime().exec(shellCmd.command);
        } catch (Exception e) {
            return null;
        }
        BufferedReader in = new BufferedReader(new InputStreamReader(localProcess.getInputStream()));
        try {
            while ((line = in.readLine()) != null) {
                Log.d(LOG_TAG, "--> Line received: " + line);
                fullResponse.add(line);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        Log.d(LOG_TAG, "--> Full response was: " + fullResponse);
        return fullResponse;
    }
}
On a phone that has not been rooted none of these methods succeeds, since by default all Android Apps run in a sandbox (a system of process isolation) with limited privileges.
The three methods described are probably the most common, and when reverse engineering well-known Apps we often find them.
Other techniques include the use of the fantastic RootTools library, which makes it easier to develop Apps that need root by offering various tools. Many Apps use this library.
Library features include checking whether BusyBox (a program that combines many Unix utilities in a single small executable) exists and offering to install it, checking whether SuperUser exists and offering to install it, and verifying that the App has root access, native tools or enough space on the SD card.
As an exercise to test these root detection techniques I have written the VULNEX ROOT TESTER, which combines techniques ranging from the basic ones presented here to more sophisticated ones that we will cover in another post. Below are some screenshots of the tool.
No doubt the ability to detect root may be necessary for certain Apps that require a high level of security, but also for many legitimate Apps, such as various security Apps, that need root to function properly or to take full advantage of the Android platform.
We have to bear in mind that to develop a secure App it is not enough to detect root; we should also threat model the potential risks to our App, follow secure development practices (for example OWASP Mobile) and apply code obfuscation, among many other security measures, in order to mitigate vulnerabilities and hinder reverse engineering. My recommendation is that if you are not familiar with these concepts you should talk to an application security professional and get help.
What techniques does your App use to detect root, if any?
Last May 10 and 11 the Computer Forensic Expert course was held in Reus (Spain) by the Asociación Nacional de Tasadores y Peritos Judiciales Informáticos (ANTPJI), of which I am a member and one of the instructors, and where I had the pleasure of giving a talk on two of my passions: Python and OSINT (Open Source Intelligence).
Python is a great language for quickly developing all kinds of powerful applications, with lots of libraries for exploits, reverse engineering, web analysis tools and more. No doubt useful knowledge for any security expert.
The Internet is immense, sheltering all kinds of unimaginable information, which is why OSINT techniques are vital to collect, analyze and present it.
For this course I decided it would be interesting for attendees to learn how to develop simple tools (scripts) for OSINT in Python, through a series of practical exercises, each with a specific objective.
Note: I have removed the Google Hacking query from the scripts so the reader can insert their own.
Tool #1
Objective: search ANTPJI members on LinkedIn using Google Custom Search API.
These scripts are very simple and do the same thing but in different ways. The first uses the Google API Client, while the second uses the fantastic Requests library.
In these scripts we use some Google Hacking to find members of the association on LinkedIn.
# File: ex1_a.py
# Date: 05/14/13
# Author: Simon Roses Femerling
# Desc: Basic Google Hacking
#
# VULNEX (C) 2013
# www.vulnex.com
# const.py (not shown) provides cse_token (API key) and cse_id (custom search engine id)

import const
from apiclient.discovery import build
import pprint

# your google hacking query
query = ''
query_params = ''
doquery = query + query_params

service = build("customsearch", "v1", developerKey=const.cse_token)
res = service.cse().list(
    q=doquery,
    cx=const.cse_id,
    num=10).execute()
pprint.pprint(res)
# VULNEX EOF
When running either of these scripts we get the following result:
Not too interesting for the moment :)
Tool #2
Objective: obtain photos of the ANTPJI members LinkedIn profiles using Google Custom Search API.
The following script gets the photos of the members of the association on LinkedIn and also extracts the picture metadata ;) The script generates an HTML page with all the photos.
# File: ex2.py
# Date: 05/14/13
# Author: Simon Roses Femerling
# Desc: Download picture and extract metadata
#
# VULNEX (C) 2013
# www.vulnex.com
# Python 2 script; const.py (not shown) provides cse_token and cse_id

import const
from apiclient.discovery import build
import pprint
import os
from PIL import Image
from StringIO import StringIO
from PIL.ExifTags import TAGS
import requests
import markup


def do_query(istart=0):
    # One page of Custom Search results; istart is the 1-based start index
    if istart == 0:
        res = service.cse().list(
            q=doquery,
            cx=const.cse_id,
            num=10).execute()
    else:
        res = service.cse().list(
            q=doquery,
            cx=const.cse_id,
            num=10,
            start=istart).execute()
    return res


pic_id = 1
do_stop = 10        # maximum number of result pages to fetch
cnt = 1
page = markup.page()
# Set page title
page.init(title="ANTPJI OSINT")
page.h1("ANTPJI OSINT")
# Set output directory
out_dir = "pics_gepl"
# Your Google Hacking query
query = ''
query_params = ''
doquery = query + query_params
service = build("customsearch", "v1", developerKey=const.cse_token)

if not os.path.exists(out_dir):
    os.makedirs(out_dir)

res = []
while True:
    if cnt > do_stop: break
    if cnt == 1:
        res = do_query()
    else:
        if not res['queries'].has_key("nextPage"): break
        res = do_query(res['queries']['nextPage'][0]['startIndex'])
    cnt += 1
    if res.has_key("items"):
        for item in res['items']:
            name = ""
            if not item.has_key('pagemap'): continue
            if not item['pagemap'].has_key('hcard'): continue
            hcard = item['pagemap']['hcard']
            for card in hcard:
                pic_url = ""
                if 'title' in card:
                    if 'fn' in card: name = card['fn']
                    if 'photo' in card: pic_url = card['photo']
                if pic_url != "":
                    image = requests.get(pic_url)
                    pic_n = os.path.join(out_dir, "%s.jpg" % pic_id)
                    file = open(pic_n, "wb")    # binary mode: image data
                    pic_id += 1
                    try:
                        i = Image.open(StringIO(image.content))
                        if hasattr(i, "_getexif"):
                            ret = {}
                            info = i._getexif()
                            if info:
                                # translate numeric EXIF tag ids to their names
                                for k, v in info.items():
                                    decode = TAGS.get(k, k)
                                    ret[decode] = v
                            print ret
                        i.save(file, "JPEG")
                        page.p(name.encode('ascii', 'ignore'))
                        page.img(src=pic_n)
                        page.br()
                        page.br()
                    except IOError, e:
                        print "error: %s" % e
                    file.close()

# Set your output filename
with open('index_gepl.html', 'w') as fp:
    fp.write(str(page))
# VULNEX EOF
And this is the result:
With a few lines of code we have got a very interesting tool.
Tool #3
Objective: what is the relationship of ANTPJI members on LinkedIn?
With this script we look for relationships between the members of the association on LinkedIn and create a graph relating them.
# File: ex3.py
# Date: 05/14/13
# Author: Simon Roses Femerling
# Desc: Build graph from profiles
#
# VULNEX (C) 2013
# www.vulnex.com
# Python 2 script; const.py (not shown) provides cse_token and cse_id

import const
from apiclient.discovery import build
import networkx as nx
import matplotlib.pyplot as plt


def do_query(istart=0):
    # One page of Custom Search results; istart is the 1-based start index
    if istart == 0:
        res = service.cse().list(
            q=doquery,
            cx=const.cse_id,
            num=10).execute()
    else:
        res = service.cse().list(
            q=doquery,
            cx=const.cse_id,
            num=10,
            start=istart).execute()
    return res


do_stop = 10        # maximum number of result pages to fetch
cnt = 1
# Your Google Hacking query here
query = ''
query_params = ''
doquery = query + query_params
service = build("customsearch", "v1", developerKey=const.cse_token)

G = nx.DiGraph()
res = []
while True:
    if cnt > do_stop: break
    if cnt == 1:
        res = do_query()
    else:
        if not res['queries'].has_key("nextPage"): break
        res = do_query(res['queries']['nextPage'][0]['startIndex'])
    cnt += 1
    if res.has_key("items"):
        for item in res['items']:
            if not item.has_key('pagemap'): continue
            if not item['pagemap'].has_key('hcard'): continue
            hcard = item['pagemap']['hcard']
            # The original linked every card to itself. Here the first hcard with a
            # title is taken as the profile owner (an assumption about the pagemap
            # layout) and linked to the other profiles shown on the same page.
            name = ""
            for card in hcard:
                if 'title' in card and 'fn' in card:
                    if name == "":
                        name = card['fn']
                    else:
                        G.add_edge(name, card['fn'])

plt.figure(figsize=(30, 30))
nx.draw(G)
# Set your output filename
plt.savefig('antpji_rela_map.png')
# VULNEX EOF
And this is the graph generated:
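The part of Tools #2 and #3 that does not need the network, as an added example that is not part of the original post: following the paginated Custom Search responses the way the scripts do, pulling names and photo URLs out of the `hcard` pagemap entries, and turning them into a relationship graph. The response pages are constructed to mirror the keys the scripts read (`queries.nextPage[0].startIndex`, `items[].pagemap.hcard[]`); the names and URLs are made up, and `fake_cse_query` stands in for `service.cse().list(...).execute()`. Taking the first hcard of a result as the profile owner is an assumption about the pagemap layout.

```python
# Added example, not from the original post: offline half of Tools #2 and #3.
# Constructed CSE responses keyed by the `start` index the API would be asked for.
CSE_PAGES = {
    1: {
        "queries": {"nextPage": [{"startIndex": 11}]},
        "items": [
            {"pagemap": {"hcard": [
                {"fn": "Alice Example", "title": "Forensic analyst",
                 "photo": "http://img.example/alice.jpg"},
                {"fn": "Bob Example", "title": "Expert witness",
                 "photo": "http://img.example/bob.jpg"},
            ]}},
            {"link": "http://example.invalid/no-pagemap"},  # no pagemap: skipped
        ],
    },
    11: {
        "queries": {"nextPage": [{"startIndex": 21}]},
        "items": [
            {"pagemap": {"hcard": [
                {"fn": "Bob Example", "title": "Expert witness",
                 "photo": "http://img.example/bob.jpg"},
                {"fn": "Carol Example"},                 # no title: ignored, as in ex2/ex3
                {"fn": "Alice Example", "title": "Forensic analyst"},
            ]}},
        ],
    },
    21: {"queries": {}, "items": []},  # last page: no nextPage offered
}


def fake_cse_query(istart=1):
    """Stand-in for service.cse().list(...).execute(): returns a constructed page."""
    return CSE_PAGES[istart]


def iter_pages(query_fn, max_pages=10):
    """Follow queries.nextPage[0].startIndex until the API stops offering one,
    or until max_pages pages have been fetched (the scripts' do_stop)."""
    res = query_fn()
    yield res
    for _ in range(max_pages - 1):
        next_page = res.get("queries", {}).get("nextPage")
        if not next_page:
            return
        res = query_fn(next_page[0]["startIndex"])
        yield res


def item_hcards(item):
    """hcard entries of one result carrying both a title and a name: the filter ex2/ex3 use."""
    return [c for c in item.get("pagemap", {}).get("hcard", [])
            if "title" in c and "fn" in c]


def collect_photos(query_fn, max_pages=10):
    """Tool #2 without the download: unique name -> photo URL, first occurrence wins."""
    photos = {}
    for page in iter_pages(query_fn, max_pages):
        for item in page.get("items", []):
            for card in item_hcards(item):
                if card.get("photo") and card["fn"] not in photos:
                    photos[card["fn"]] = card["photo"]
    return photos


def build_relations(query_fn, max_pages=10):
    """Tool #3 as an adjacency dict. Assumption: the first hcard of a result is the
    profile owner and the following ones are the profiles shown alongside it."""
    graph = {}
    for page in iter_pages(query_fn, max_pages):
        for item in page.get("items", []):
            cards = item_hcards(item)
            if not cards:
                continue
            owner = cards[0]["fn"]
            graph.setdefault(owner, set()).update(c["fn"] for c in cards[1:])
    return graph


if __name__ == "__main__":
    print(collect_photos(fake_cse_query))
    print(build_relations(fake_cse_query))
```

Swapping `fake_cse_query` for a function that calls the real API gives back the scripts' behaviour, with the pagination and the `do_stop` limit in one place instead of being interleaved with the download loop.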
Tool #4
Objective: what’s hot on the association’s Twitter account?
This script downloads the latest tweets from the association’s account and generates a tag cloud, useful to see at a glance what they are talking about.
# File: ex4.py
# Date: 05/14/13
# Author: Simon Roses Femerling
# Desc: Create word cloud
#
# VULNEX (C) 2013
# www.vulnex.com
# Python 2 script

import requests
import json
import urllib
import const
from pytagcloud import create_tag_image, make_tags
from pytagcloud.lang.counter import get_tag_counts

site = "http://search.twitter.com/search.json?q="
# Your query here
query = ""
url = site + urllib.quote(query)

response = requests.get(url)
tag = []
# requests >= 1.0 exposes the decoded body as a method, response.json()
for res in response.json()["results"]:
    tag.append(res["text"].encode('ascii', 'ignore'))
# join with a space so the last word of one tweet does not merge with the next
text = " ".join(tag)
tags = make_tags(get_tag_counts(text), maxsize=100)
# Set your output filename
create_tag_image(tags, "antpji_word_cloud.png", size=(600, 500), fontname="Lobster")
# VULNEX EOF
And this is the tag cloud:
Tool #5
Objective: do the ANTPJI usernames from Twitter exist on social network sites?
The following script extracts the usernames that have been published or mentioned on the association’s Twitter account and checks them against 160 social network sites.
# File: ex5.py
# Date: 05/14/13
# Author: Simon Roses Femerling
# Desc: Check usernames on 160 social network sites
#
# VULNEX (C) 2013
# www.vulnex.com
# Python 2 script; const.services (not shown) lists the site identifiers checkusernames.com understands

import requests
import json
import urllib
import const
import pprint

site = "http://search.twitter.com/search.json?q="
# Your query here
query = ""
url = site + urllib.quote(query)
print "Recolectando alias en Twitter: %s\n" % query

response = requests.get(url)
users = []
# requests >= 1.0 exposes the decoded body as a method, response.json()
for res in response.json()["results"]:
    if res.has_key('to_user'):
        if not res['to_user'] in users: users.append(str(res["to_user"]))
    if res.has_key('from_user'):
        if not res['from_user'] in users: users.append(str(res["from_user"]))
print "ALIAS-> %s" % users

print "\nComprobrando alias en 160 websites\n"
for username in users:
    for service in const.services:
        try:
            res1 = requests.get('http://checkusernames.com/usercheckv2.php?target=' + service + '&username=' + username,
                                headers={'X-Requested-With': 'XMLHttpRequest'}).text
            # 'notavailable' in the reply means the username is already taken on that site
            if 'notavailable' in res1:
                print ""
                print username + " -> " + service
                print ""
        except Exception as e:
            print e
# VULNEX EOF
And the result is as follows:
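The alias collection of Tool #5 and the word counting behind the tag cloud of Tool #4, as an added example that is not part of the original post, run over a constructed copy of the old search.twitter.com JSON (`results[].text`, `from_user`, `to_user`) so that it works offline. It goes a little beyond the scripts: besides the `from_user`/`to_user` fields they read it also picks `@mentions` out of the tweet text with a regex, and it drops handles and a small stopword list before counting. All handles and tweet texts are made up.

```python
# Added example, not from the original post: offline alias and tag-count logic of Tools #4/#5.
import re
from collections import Counter

# Constructed copy of the search.twitter.com/search.json result shape the scripts consumed.
TWITTER_RESULTS = {"results": [
    {"from_user": "antpji_demo", "to_user": "perito_uno",
     "text": "@perito_uno gracias por la charla de Python y OSINT #forense"},
    {"from_user": "perito_uno",
     "text": "Curso de Python y OSINT en Reus, gran trabajo @antpji_demo @experta_dos"},
    {"from_user": "experta_dos", "to_user": "antpji_demo",
     "text": "Python, OSINT y forense: la combinacion perfecta"},
]}

MENTION = re.compile(r"@([A-Za-z0-9_]{1,15})")   # Twitter handle rules: 1-15 word characters
STOPWORDS = {"de", "la", "y", "en", "por", "gran", "the", "a"}  # constructed, tiny list


def collect_aliases(payload):
    """Unique handles in first-seen order: from_user, to_user, then @mentions in the text.
    Comparison is case-insensitive because Twitter handles are."""
    seen, lowered = [], set()
    for res in payload.get("results", []):
        candidates = [res.get("from_user"), res.get("to_user")]
        candidates += MENTION.findall(res.get("text", ""))
        for alias in candidates:
            if alias and alias.lower() not in lowered:
                lowered.add(alias.lower())
                seen.append(alias)
    return seen


def tag_counts(payload, min_len=3):
    """Word frequencies for the tag cloud: lowercased, '#' stripped, handles and
    stopwords removed, words shorter than min_len dropped."""
    counts = Counter()
    for res in payload.get("results", []):
        text = MENTION.sub(" ", res.get("text", ""))   # handles are people, not topics
        for word in re.findall(r"[#\w]+", text.lower()):
            word = word.lstrip("#")
            if len(word) >= min_len and word not in STOPWORDS:
                counts[word] += 1
    return counts


if __name__ == "__main__":
    print(collect_aliases(TWITTER_RESULTS))
    print(tag_counts(TWITTER_RESULTS).most_common(5))
```

`tag_counts` returns a `Counter`, so it can feed `make_tags` directly via `counts.items()` instead of going through a joined string; `collect_aliases` is what the per-site check loop of Tool #5 would iterate over.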
Tool #6
Objective: can we extract metadata from ANTPJI photos?
This script downloads the photos related to ANTPJI from Google and extracts their metadata.
# File: ex6.py
# Date: 05/14/13
# Author: Simon Roses Femerling
# Desc: Download pictures from Google and extract metadata
#
# VULNEX (C) 2013
# www.vulnex.com
# Python 2 script; const.py (not shown) provides cse_token and cse_id

import const
from apiclient.discovery import build
import pprint
import os
from PIL import Image
from StringIO import StringIO
from PIL.ExifTags import TAGS
import requests
import markup


def do_query(istart=0):
    # One page of Custom Search results; istart is the 1-based start index
    if istart == 0:
        res = service.cse().list(
            q=doquery,
            cx=const.cse_id,
            num=10).execute()
    else:
        res = service.cse().list(
            q=doquery,
            cx=const.cse_id,
            num=10,
            start=istart).execute()
    return res


pic_id = 1
do_stop = 10        # maximum number of result pages to fetch
cnt = 1
page = markup.page()
# Set your page title
page.init(title="ANTPJI OSINT")
page.h1("ANTPJI OSINT")
# Set output directory
out_dir = "pics_gepl"
# Define your Google hacking query here
query = ''
query_params = ''
doquery = query + query_params
service = build("customsearch", "v1", developerKey=const.cse_token)

if not os.path.exists(out_dir):
    os.makedirs(out_dir)

res = []
while True:
    if cnt > do_stop: break
    if cnt == 1:
        res = do_query()
    else:
        if not res['queries'].has_key("nextPage"): break
        res = do_query(res['queries']['nextPage'][0]['startIndex'])
    cnt += 1
    if res.has_key("items"):
        for item in res['items']:
            name = ""
            if not item.has_key('pagemap'): continue
            if not item['pagemap'].has_key('hcard'): continue
            hcard = item['pagemap']['hcard']
            for card in hcard:
                pic_url = ""
                if 'title' in card:
                    if 'fn' in card: name = card['fn']
                    if 'photo' in card: pic_url = card['photo']
                if pic_url != "":
                    image = requests.get(pic_url)
                    pic_n = os.path.join(out_dir, "%s.jpg" % pic_id)
                    file = open(pic_n, "wb")    # binary mode: image data
                    pic_id += 1
                    try:
                        i = Image.open(StringIO(image.content))
                        if hasattr(i, "_getexif"):
                            ret = {}
                            info = i._getexif()
                            if info:
                                # translate numeric EXIF tag ids to their names
                                for k, v in info.items():
                                    decode = TAGS.get(k, k)
                                    ret[decode] = v
                            print ret
                        i.save(file, "JPEG")
                        page.p(name.encode('ascii', 'ignore'))
                        page.img(src=pic_n)
                        page.br()
                        page.br()
                    except IOError, e:
                        print "error: %s" % e
                    file.close()

# Set your output filename
with open('index_gepl.html', 'w') as fp:
    fp.write(str(page))
# VULNEX EOF
A picture is worth a thousand words!
As we have seen throughout this article, we can easily write sophisticated OSINT tools with a little bit of Python, allowing us to gather lots of information about individuals or collectives.
If you would like me to go into any topic in Python and OSINT in depth let me know :)
A few weeks ago the media reported that the US Air Force has classified 6 tools as cyber weapons, no doubt a hot topic. For this post I will do the same and put together a list of 10 tools that could be cyber weapons: my list.
My selection is based on the following criteria: usefulness, features, and being open source or at least free.
Logically there are more tools that I like or use, but I think this list is a great collection for carrying out attacks on networks and systems, reverse engineering, traffic analysis, social engineering, vulnerability discovery and exploit development; for sure tools that should be in the toolkit of every pentester :)
The other day, while helping a client develop secure software, it occurred to me that this topic could interest my readers. Obviously the topic is quite wide, but in this article I will focus on a patch for the GCC compiler that improves the stack protector (stack canary) defense, mitigating buffer overflow vulnerabilities.
Stack Protector Strong is a patch developed at Google and applied to the Chromium project (the Chromium browser and Chromium OS) that substantially improves this defense (StackGuard). By default in GCC we have the switches -fstack-protector and -fstack-protector-all: the first analyzes each function in the code and, if it detects a possible vulnerability, applies the defense when compiling the program (the programmer does not have to do anything, well, just develop securely ;)), while the second applies the defense to ALL functions in the program without checking whether they are vulnerable.
Both options have their respective problems: the first switch (-fstack-protector) is limited by what code it considers vulnerable, while the second (-fstack-protector-all) is too aggressive and hurts the performance of the application.
Because of these problems Google decided to develop a third switch, -fstack-protector-strong, covering more cases of vulnerable code without sacrificing performance. In figure 1 we can see a comparison between -fstack-protector and -fstack-protector-strong.
Fig. 1 – -fstack-protector vs. -fstack-protector-strong
Clearly a substantial improvement, covering more types of possible vulnerabilities in code. But enough theory for today; let’s move on to a practical exercise in which we install the patch on the latest GCC version, 4.8.0, recently released, on Debian Linux 6.0.
The first step is to download the GCC version that we want to patch. The patch was written for version 4.6, although I have tested it with versions 4.7 and 4.8 and it works correctly. So we run wget with the GCC URL and then unpack it (see figure 2).
Fig. 2 – GCC Download
To compile GCC we must have the following packages installed, which we install with apt-get (see figure 3):
build-essential
libgmp3-dev
libmpfr-dev
libmpc-dev
zip
autogen
Fig. 3 – Installing required packages to compile GCC
Now let’s download the -fstack-protector-strong patch from here. The patch is composed of 5 diff files.
Fig. 4 – Downloaded patches
We then proceed to patch GCC, following the order shown in figure 5. Pay special attention to the directories within the GCC tree where each diff applies.
Fig. 5 – Applying patches to GCC
Once we have patched GCC we can compile it; to install it on the system we need root privileges (see figure 6). While the command is running you can read other articles on this blog, since the process takes a while to complete :)
Fig. 6 – Compiling and installing GCC
Now we are ready to compile programs with the latest version of GCC and a better defense against buffer overflow vulnerabilities.
In figure 7 we compile a vulnerable program with the parameter -fstack-protector-strong.
Fig. 7 – Testing -fstack-protector-strong
When disassembling (reversing) myapp we can see that the defense has been applied to several functions that -fstack-protector would not have protected (although I leave this exercise for another article).
This patch is not currently in GCC by default, but let us hope that it will be in future versions, along with new and better defenses.
It is true that there are attack vectors to bypass this protection, but all defenses are welcome when building software, and currently all modern compilers (GCC, Visual Studio and LLVM) include a variety of defenses that programmers should always use.
No doubt the use of these compiler defenses does not remove the need to develop secure software using a secure development framework such as the MS SDL or OpenSAMM.
Which security parameters do you use when compiling software?
If you like reverse engineering and want to learn all the secrets of IDA Pro, this is your book. This work, written by Chris Eagle, a top expert on the subject, reveals the power of the best tool for reverse engineering. The IDA Pro Book, 2nd Edition (ISBN-13: 978-1593272890), across its 26 chapters describes how to use IDA Pro and all its options, as well as the decompiler, debugger and emulator, and of course the development of scripts using the IDC and Python (IDAPython) languages.
IDA Pro is a complex tool for analyzing all types of binaries, but this book makes it easy for novices to learn, and those who are already experts can benefit from reading it as well.
The advanced sections on extending IDA Pro using IDC or Python are priceless; the author includes many scripts, very well explained. Personally I’m a big fan of Python, so the chapters related to IDAPython are the most interesting to me.
On the book website we can find more resources and a number of plugins for IDA Pro, of special interest the x86 Emulator plugin.
The code that the book analyzes is x86 under Windows, but IDA Pro supports many more platforms, such as ARM, and binaries for Linux (ELF) and MacOS (Mach-O), among others.
Certainly a must-read for any cybersecurity professional for whom it is vital to have the skills to find vulnerabilities in software or analyze malware.
Score (1 rose, very bad / 5 roses, very good): 5 Roses (Mandatory Reading)
Last Thursday 14 and Friday 15 March the Black Hat Europe conference was held in the great city of Amsterdam, a mandatory event for cyber security experts.
For the second year running I presented R&D work, outlining the security posture of Anti-Theft programs for computers and smartphones.
As always the event had interesting lectures and others not so much, but I recommend readers check them all and decide what they like most. The topics were quite varied: forensics, pentesting, vulnerabilities and secure development.
Regarding my talk, you can find the presentation on the VULNEX website (here).
From here I would like to greet the people of MundoHacker and the other Spaniards at the conference!
In times of crisis there is much talk about entrepreneurship as the engine to lift the economy, at least in the Spanish crisis. Now then, who helps entrepreneurs?
As readers know, I am the founder of VULNEX, a technology startup that offers highly specialized offensive and defensive cyber security services. In recent months I have been talking with tech giants such as Dell and IBM Spain about acquiring a few servers that will allow us to improve our platform for R&D and services to our customers.
Obviously the purchase amount is small for these giants, but for us it is significant, so we were interested in financing the purchase, and to our surprise neither of these 2 giants finances startups: they tell us they only finance companies more than 2 years old. INCREDIBLE and SHAMEFUL!
I guess these companies have forgotten their roots and above all how and where they began. In my opinion it is disappointing that they do not even evaluate the project to determine its potential and just say NO. How easy it is to say NO to small companies!
Now I understand why Dell has recently reported bad results; with that sales policy it is not surprising. And what to say about IBM, the patent monster…
But hey, such is the world of entrepreneurs, a constant struggle that unfortunately you get used to. Of course at VULNEX we are evaluating other options in order to carry out this purchase and improve our services despite it all.
Be ready for some exciting announcements in Q1 of 2013 ;)
Dear readers, what is your opinion of the support large enterprises give to startups?
You know you are in Texas when you get off the plane and hear country music through the airport, and I was there indeed, because on October 25 and 26 the OWASP AppSec USA conference was taking place in Austin, Texas, where I participated with a presentation on Web Honeypots.
The conference had more than 800 attendees, free and paid courses on different application security topics during the days 23 and 24, and of course an impressive selection of speakers.
My experience as a speaker was unbeatable, since the organizers, the same people who organize LASCON, put a lot of effort into ensuring that everything went well. They even organized a Texas-style barbecue for the speakers in a popular restaurant overlooking a lake.
And what to say about the Happy Hour for the entire conference, where there was a mechanical bull, the super rapper Dual Core and authentic armadillos for racing; no doubt I was in Texas, yee haw!
With so many talks to choose from I often did not know which to pick, but luckily for us all the videos and slides will be released soon, so we can watch them with all the calm and attention they deserve.
I had the pleasure of talking about Web honeypots, a topic I find very interesting and with much work still to be done. Specifically I talked about a project that I’ve been working on for some time, which I have rescued from the trunk of memories and to which, through VULNEX, I can now devote professional resources :)
We can really see how American companies have a different, more agile attitude compared to Spanish companies; just look at the photo of the Job Board, with well-known companies looking for all kinds of application security roles.
From here I would like to thank the entire organization for the super event, and see you at the next appointment, AppSec USA 2013 in New York.
Note: In a couple of weeks the videos should be online, I will keep you posted!
Last June a malware that infected AutoCAD for Windows was identified and is responsible for the theft of thousands of documents. AutoCAD is a popular program for 2D and 3D drawings used to design all kinds of products, such as homes, cars, aerospace and defense systems, so it is really interesting for industrial espionage. In this post we will study a malware known as Medre.
From a technical point of view it is a simple malware, written in AutoLISP with scripts/payloads in VBS, but ingenious, since it infects multiple AutoCAD versions on Windows (see Fig. 1) with the aim of stealing files and sending them by mail to servers in China.
Fig. 1 – Supported versions of AutoCAD by Medre
In Fig. 2 we can see the Chinese servers to which the stolen information is sent; Medre uses various email accounts on these servers. Despite the use of Chinese servers it is not entirely clear that the source of the attack is there.
Fig. 2 – Chinese servers
And in Fig. 3 we can see part of the code responsible for compressing the stolen files with WinRAR, setting the password “1”.
Fig. 3 – WinRAR code
If we consider that AutoCAD is one of the most popular design programs and runs on multiple platforms such as Windows, MacOS and mobile (Android and iOS), the ingenuity of this attack, simple and effective, draws our attention. Perhaps future malware versions will be multiplatform?
Without a doubt attacks on the industrial fabric, whether on SCADA systems or using malware like Medre to steal information, are really interesting and dangerous for many organizations and nation-states.
Which industrial espionage malware have you found interesting?
Last week Kaspersky published an article about a new malware affecting Android and iPhone, and this App was available in their official markets. Since it is the first malware to appear in the iPhone Market I thought it would be interesting to examine it, so once we obtained copies of both Apps we proceeded to analyze them.
This malicious software of Russian origin collects the contact list of our device and sends it to a server without the user’s consent. If we look at Fig. 1 we can see part of the information collected in the Android version, such as names, phone numbers, emails and websites, facebook, skype, etc. A good amount of PII.
Fig. 1 – Information collected on Android
In Fig. 2 we have the code that sends all this information to the server.
Fig. 2 – Sending the information to the server
Fig. 3 is the malicious iPhone version, where we looked for the function responsible for collecting and sending the information.
Fig. 3 – iPhone version of the malware
In Fig. 4 we have the function disassembled for the enjoyment of the reader :)
As you can see it is fairly simple code, but the interesting thing in my opinion is that the App was available for both iPhone and Android in their respective markets, which shows how relaxed Apple and Google are about App security.
It is true that many Apps do the same as this one and remain in the Markets, and that over time they will be identified.
As a curiosity, note that this App suffers from several vulnerabilities, such as passwords stored in clear text and insecure channels, since all information and passwords are sent over HTTP, as well as other vulnerabilities: a secure development disaster ;)
In my opinion it is only a matter of time before we begin to see cross-platform malware for iPhone, Android and Windows Phone.
What do you think about security in the Markets?