Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
1
Rowland Yu & William Lee
WILL ANDROID TROJAN, WORM OR ROOTKIT SURVIVE IN SEANDROID AND CONTAINERIZATION?
Email: {rowland.yu, william.lee}@sophos.com.au
2
Agenda
• Why SEAndroid and Containeriza?on? • What are SEAndroid and Containeriza?on? • Doom to fail • We prove • The future • Conclusion
3 3
Why SEAndroid and ContainerizaHon?
4
SEAndroid and ContainerizaHon
Access Control
5
Goals of SEAndroid and ContainerizaHon
6
Malware Trend VS Security Enhancements Version Codename API DistribuHon Release Date
4.3 Jelly Bean 18 4.7% Jul 2013 4.4 KitKat 19 39.3% Sep 2013 5.0 Lollipop 21 15.5% Nov 2014 5.1 22 2.6%
0
200000
400000
600000
800000
1000000
1200000
1400000
1600000
1800000
2000000
2013-‐01
2013-‐02
2013-‐03
2013-‐04
2013-‐05
2013-‐06
2013-‐07
2013-‐08
2013-‐09
2013-‐10
2013-‐11
2013-‐12
2014-‐01
2014-‐02
2014-‐03
2014-‐04
2014-‐05
2014-‐06
2014-‐07
2014-‐08
2014-‐09
2014-‐10
2014-‐11
2014-‐12
2015-‐01
2015-‐02
2015-‐03
2015-‐04
2015-‐05
2015-‐06
Malware vs PUA Growth CumulaHve
Malware
PUA
62%
399K
1M
1.95M
SEAndroid released
7 7
What is SEAndroid?
8
Android Security Model
• DAC (Discre?onary Access Control) ○ Each App has its own UID/GID for app isola?on.
○ The file owner makes decision for the file access.
○ Owner(rwx):Group(rwx):Others(rwx) ‒ drwxr-‐x-‐-‐x system system com.android.seZngs
‒ drwxr-‐x-‐-‐x u0_a15 u0_a15 com.android.browser
• App Permissions ○ Each App has requested Permissions such as SEND_SMS/INTERNET.
○ Granted Permissions are allowed.
9
DAC Weaknesses
• No system-‐wide security policy as Access control is based on the discre?on of the file owner.
• Flawed or malicious applica?ons can bypass permission system and escalate their privileges.
• Inability to confine any system daemons or setuid programs that run with the root.
10
Mandatory Access Control (MAC)
Process #0 Domain
Subject
Access?
Rules Database
Objects
Class
<av_acHon> <subject...> <object...>:<class...> { <permissions...> } allow appdomain system_data_file:dir r_dir_perms;
ps -‐Z u:r:system_app:s0 system com.android.selngs u:r:untrusted_app:s0 u0_a15 com.android.browser
11
SELinux Policy and ConfiguraHon Files
Mac Permission
Context Files
ConfiguraHon Files
Policy Files
Security Server
zygote init installd
AcHvityManagerService
PackageManagerService
Libselinux (support security policy, file aoributes and process APIs)
SELinux Linux Security Module (LSM)
Security Server
Access Vector Cache
User Space
SELinux File System read/write
lookup
Kernel Space
SELinux uHliHes & commands
LSM Hooks Various Linux Kernel Services
reload
Cache Miss
The overview
of S
EAnd
roid Framew
ork
12
mac_permissions.xml – Middleware MAC (MMAC)
The file is used for the install-‐Hme check of applica?on permissions against the MAC policy. It u?lizes the value of signature and seinfo tags to assign policy stanzas for a given app or all apps from either pladorm or third-‐par?es.
13
<?xml version="1.0" encoding="utf-‐8"?> <policy> <!-‐-‐ Sample signer stanza for install policy Rules: Sample stanzas are given below based on the AOSP developer keys. -‐-‐> <!-‐-‐ Platform dev key with AOSP -‐-‐> <signer signature="....b357" > <allow-‐all /> <seinfo value="platform" /> </signer> <!-‐-‐ shared dev key in AOSP -‐-‐> <signer signature="...6f84" > <allow-‐permission name="android.permission.ACCESS_COARSE_LOCATION" /> <allow-‐permission name="android.permission.CALL_PHONE" /> .... <seinfo value="shared" /> </signer> <!-‐-‐ All other keys -‐-‐> <default> <seinfo value="default" /> <deny-‐permission name="android.permission.ACCESS_COARSE_LOCATION" /> <deny-‐permission name="android.permission.CALL_PHONE" /> .... </default> </policy>
14
mac_permissions.xml from a Nexus 5 running on Android 5.1
<?xml version="1.0" encoding="iso-‐8859-‐1"?> <!-‐-‐ AUTOGENERATED FILE DO NOT MODIFY -‐-‐> <policy> <signer signature="...e26a"> <seinfo value="platform"/> </signer> <default> <seinfo value="default"/> </default> </policy>
15
SEAndroid with Root Exploits
• GingerBreak ○ Following MAC policy rejected execu?on of a binary from the data
par??on from vold.
○ neverallow appdomain system_file:dir_file_class_set { create write
setagr relabelfrom relabelto append unlink link rename }
• RageAgaintTheCage ○ Following MAC policy rejected transi?ons to the privileged security
context and remoun?ng system par??on.
○ neverallow { appdomain -‐shell userdebug_or_eng(`-‐su') } { domain -‐
appdomain }:process { transi?on dyntransi?on };
16 16
What is ContainerizaHon?
17
ContainerizaHon (Secure Container)
• Design for BYOD (bring your own device)
• Be Adopted in mobile device management (MDM)
• Securely access to corporate data
• Prevent the misuse of malware, intruders or other apps
18
ContainerizaHon (Secure Container)
• Corporate Apps
Secure Container
Personal App1
Personal App2
Personal App3
Corporate Data
Business Email
Contacts
File Shares
Intranet Browsing
Secure Access
19 19
Doom to Fail
20
Why?
• Permissions are the key to control access
• Social Engineering
• Vulnerabili?es and exploits subvert Android system
• Compa?bility problems then break other func?onali?es
• Android Fragmenta?on
• …….
21 21
We Prove
22
The survival of exisHng Android malware
SMS 55.6%
Backdoor 20.7%
Spyware 16.2%
Others 2.7%
FakeApp 1.5%
Downloader 1.2% Rootkit
0.7% Banker 0.7%
Ransomware 0.5%
ClassificaHons of Android Maware in last 12 months
23
Premium SMS Sender
• Easiness ○ Permission: "android.permission.SEND_SMS" ○ sendTextMessage () method
• Social engineering
• Demo…
24
Backdoor
• Set up or distribute via mobile Botnet • Send or intercept SMS messages • Download, install, or ac?vate any Android app without user knowledge
• Make arbitrary phone call • Clear user data, uninstall exis?ng applica?ons, or disable system applica?ons
• Upload sensi?ve informa?on including device id, loca?ons, applica?on usage, call log and SMS history to remote websites
• Execute command & control services • Quick Demo ……
25
Backdoor Cont.
CoolReaper hidden in a legi?mate ROM image
26
Spyware & Banker Trojan
Social Engineering
27
Spyware & Banker Trojan cont.
Permissions: ○ INTERNET ○ ACCESS_NETWORK_STATE ○ WRITE_EXTERNAL_STORAGE
28
FakeAV and Ransomware
• Fake alerts to scare vic?ms to pay money • Permissions: uses-‐permission:'android.permission.WAKE_LOCK’ Or uses-‐permission:'android.permission.SYSTEM_ALERT_WINDOW’ uses-‐permission:'android.permission.READ_EXTERNAL_STORAGE' uses-‐permission:'android.permission.WRITE_EXTERNAL_STORAGE'
29
FakeAV and Ransomware
30
FakeAV and Ransomware
• Demo…
31
VulnerabiliHes
• Samsung Pre-‐installed Swiv Keyboard Security Risk : Over 600M+ Devices Worldwide Impacted
• CVE-‐2015-‐4640 and CVE-‐2015-‐4641
○ Language files are downloaded via HTTP
○ Keyboard was signed with Samsung’s private key
aapt d xmltree SamsungIME.apk AndroidManifest.xml | grep shared A: android:sharedUserId(0x0101000b)="android.uid.system" (Raw: "android.uid.system")
32
VulnerabiliHes cont.
• Stagefright – C++ sovware library for playing mul?media files
• Agack vector exploits contain integer overflow vulnerabili?es
33
MiHgaHon Summary of StageFright
ASLR (�Address space layout randomizaHon) is the ONLY challenge.
MiHgaHon Applicability SELinux/SEAndroid N/A Stack Cookies N/A FORTIFY_SOURCE N/A ASLR Only Android >= 4.0 NX Bpass with ROP GCC new[] mi?ga?on N/A*
^ From Joshua "jduck" Drake August 5th 2015 Black Hat USA
34
Rootkit & Bootkit
• Customized ROM • Oldboot …
35 35
The Future
36
• Android permission model is the key to control (Android M)
• Uprising trends will keep domina?ng Android malware agacks
• GeZng smarter and aiming to generate more profit ○ SMS Sender – (game, fakeapp, porn …) ○ Social Engineering ○ Diversified and Mul?channel ○ Taking advantage of Android Fragmenta?on ○ …
37 37
Conclusion
38
Conclusion
• Everything is in enforcement since the 5.0 release • By 2017, 65 percent of enterprises will adopt MDM • Volume and sophis?cated • Android M 6.0 introduces a new permissions model • More agack vectors than before • Vehicle and wearable based malware
39 © Sophos Ltd. All rights reserved.
Q&A