Forensic logical acquisition of Android devices using adb backup

In digital forensics, the term logical extraction typically refers to an extraction that does not recover deleted data and does not include a full bit-by-bit copy of the evidence; it is analogous to copying and pasting a folder in order to extract data from a system.

So this process copies only the files that the user can access and see: any hidden or deleted files present in the folder being copied will not be in the pasted copy of the folder.


Smartphones using Broadcom Wi-Fi SOC can be hacked Over-the-Air

Security patch available only for Nexus & iOS


A stack buffer overflow issue that affects all devices using Broadcom’s Wi-Fi stack was discovered by Google’s Project Zero researcher Gal Beniamini.

The flaw affects Apple devices and all Android devices using Broadcom’s Wi-Fi stack: an attacker within the smartphone’s Wi-Fi range could remotely execute malicious code on the Broadcom Wi-Fi SoC.

The vulnerability allows attackers to send Wi-Fi frames crafted with abnormal values to the Wi-Fi controller in order to overflow the firmware’s stack.

The researcher combined this overflow with the chipset’s frequent timer firings to gradually overwrite specific chunks of the device’s memory until his code was executed.

So, to exploit the flaw, an attacker only needs to be within Wi-Fi range of the affected device to take it over silently:

We’ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security. Specifically, it lacks all basic exploit mitigations — including stack cookies, safe unlinking and access permission protection (by means of an MPU).

Gal Beniamini also published a proof-of-concept RCE exploit that successfully performs remote commands on a fully updated Nexus running Android 7.1.1:


https://bugs.chromium.org/p/project-zero/issues/detail?id=1046#c2

For the full (and quite complex) technical analysis, please refer to the original article on Google’s Project Zero:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1046#c2


Security Patch?

Apple published an emergency iOS 10.3.1 patch update to address this vulnerability on iPhones, iPads, and iPods.

Google is delivering the fix via its Android April 2017 Security Bulletin, but it covers only Nexus devices, and the flaw still affects most Samsung flagship devices, such as:

  • Galaxy S7 (G930F, G930V)
  • Galaxy S7 Edge (G935F, G9350)
  • Galaxy S6 Edge (G925V)
  • Galaxy S5 (G900F)
  • Galaxy Note 4 (N910F)

References

https://bugs.chromium.org/p/project-zero/issues/detail?id=1046#c2

A useful Cheat Sheet for penetration testing on mobile applications

Some Android firmware contains a backdoor that secretly sends personal data to China

The backdoor was discovered by Kryptowire


According to the analysis made by security firm Kryptowire, some commercial firmware pre-installed on Android smartphone models sold in the US has been found to be secretly sending personal data to a third-party company based in China, without users’ knowledge or consent.
The stolen data include text messages, call logs, contacts, app usage data and the user’s location.

The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and was managed by a company named Shanghai Adups Technology Co. Ltd.

The collected information was encrypted and transmitted over HTTPS to a server located in Shanghai:

The data transmission occurred every 72 hours for text messages and call log information, and every 24 hours for other PII data. The information was transmitted to the following back-end server domains:

– bigdata.adups.com (primary)
– bigdata.adsunflower.com
– bigdata.adfuture.cn
– bigdata.advmob.cn

All of the above domains resolved to a common IP address, 221.228.214.101, that belongs to the Adups company.
During our analysis, bigdata.adups.com was the domain that received the majority of the information, whereas rebootv5.adsunflower.com (IP address 61.160.47.15) was the domain that could issue remote commands with elevated privileges to the mobile devices.
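The domains, IP addresses and 24h/72h transmission cadence quoted above are exactly what a defender can look for in resolver logs. The following is an added example (not Kryptowire’s code) that flags queries for those indicators and computes the interval between repeated hits per client; the log line format "timestamp client qname answer" is an assumption, as is the constructed sample log.

```python
# Added example (not Kryptowire's code): flag resolver log lines pointing at the
# Adups back-end domains/IPs quoted above. Log format "timestamp client qname answer"
# is an assumption; adapt the parser to your resolver's format.
from collections import defaultdict
from datetime import datetime
from typing import Optional

ADUPS_DOMAINS = {"bigdata.adups.com", "bigdata.adsunflower.com", "bigdata.adfuture.cn",
                 "bigdata.advmob.cn", "rebootv5.adsunflower.com"}
ADUPS_IPS = {"221.228.214.101", "61.160.47.15"}
# Parent zones: any other host under them deserves a second look too.
ADUPS_ZONES = {"adups.com", "adsunflower.com", "adfuture.cn", "advmob.cn"}

def classify(qname: str, answer: str) -> Optional[str]:
    """Return why a query matches an indicator, or None if it does not."""
    q = qname.rstrip(".").lower()
    if q in ADUPS_DOMAINS:
        return "known-domain"
    if answer in ADUPS_IPS:
        return "known-ip"
    if any(q == z or q.endswith("." + z) for z in ADUPS_ZONES):
        return "adups-zone"
    return None

def scan(lines):
    """Yield (client, qname, timestamp, reason) for every matching log line."""
    for line in lines:
        ts, client, qname, answer = line.split()
        reason = classify(qname, answer)
        if reason:
            yield client, qname, datetime.fromisoformat(ts), reason

def beacon_intervals(hits):
    """Hours between consecutive hits per (client, qname); a 24h/72h cadence stands out."""
    seen = defaultdict(list)
    for client, qname, ts, _ in hits:
        seen[(client, qname)].append(ts)
    return {k: [round((b - a).total_seconds() / 3600, 1) for a, b in zip(v, v[1:])]
            for k, v in seen.items()}

# Constructed sample log, not real traffic (RFC 5737 addresses for the benign lines).
SAMPLE = [
    "2016-11-01T02:00:00 10.0.0.7 bigdata.adups.com 221.228.214.101",
    "2016-11-01T02:05:00 10.0.0.7 www.example.com 192.0.2.10",
    "2016-11-02T02:00:00 10.0.0.7 bigdata.adups.com 221.228.214.101",
    "2016-11-03T02:00:00 10.0.0.7 bigdata.adups.com 221.228.214.101",
    "2016-11-01T03:00:00 10.0.0.9 rebootv5.adsunflower.com 61.160.47.15",
    "2016-11-01T03:10:00 10.0.0.9 cdn.advmob.cn 198.51.100.5",
]
```

Running `list(scan(SAMPLE))` on the sample yields five hits, and `beacon_intervals` shows the 10.0.0.7 client contacting bigdata.adups.com every 24 hours.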

A full list of affected devices is not available at this point, but Kryptowire says:

In September 2016, Adups claimed on its web site to have a world-wide presence with over 700 million active users, and a market share exceeding 70% across over 150 countries and regions with offices in Shanghai, Shenzhen, Beijing, Tokyo, New Delhi, and Miami. The Adups web site also stated that it produces firmware that is integrated in more than 400 leading mobile operators, semiconductor vendors, and device manufacturers spanning from wearable and mobile devices to cars and televisions.

Comparison of Adups with 2011 CarrierIQ capabilities based on publicly available sources.

References

http://www.kryptowire.com/adups_security_analysis.html

http://www.adups.com/index.php

Drammer: a ‘Deterministic Rowhammer Attack’ to gain root permissions on Android devices

A new attack technique that exploits the Rowhammer hardware vulnerability on Android devices


Early last year, security researchers from Google’s Project Zero discovered Rowhammer, a hardware bug that allows attackers to manipulate data in memory without accessing it: by reading many times from a specific memory location, a bit somewhere else in memory may flip (a one becomes a zero, or a zero becomes a one).

Hammering a memory region disturbs the neighboring row, causing it to leak charge into the next row, which eventually flips a bit. Since bits encode data, this small change modifies that data, creating a way to gain control over the device.

Now, this design weakness has been exploited to gain unfettered “root” access to millions of Android smartphones, allowing potentially anyone to take control of affected devices.

Researchers at VUSec have created a new proof-of-concept exploit, dubbed DRAMMER, that can alter crucial bits of data in a way that completely roots Android devices from big-brand vendors such as Samsung, OnePlus, LG and Motorola.

Drammer has the potential to put millions of users at risk, especially when combined with existing attack vectors like Stagefright or BAndroid: practically all devices are potentially vulnerable and must wait for a fix from Google in order to be patched.

From the project page:

We developed an Android app — not yet in Google Play, but available directly — to test your device for the Rowhammer bug. The app uses a native binary for which we also released the source code. After a successful run, the app uploads anonymized output. We will use this to get a better understanding of how widespread the Rowhammer bug is. Of course, you can opt out of sharing results.

Please note the following:

  • Currently, when it has finished its hammering session, the app does not give you a nice popup that tells you whether you are vulnerable or not. We will try to add this as soon as possible. Meanwhile, you can easily spot induced bit flips by glancing over the output and looking for the obvious keyword FLIP.
  • Your phone might still be vulnerable, even if the app detected zero flips! There are two main reasons for this. First, our current implementation of address selection is conservative: we recently discovered that the current code is only hammering half of the rows on a Nexus 5. On your device, the DRAM geometry might be different enough for our app to completely fail selecting addresses for double-sided rowhammer. Second, the app may only have tested a very small fraction of your DRAM. Ideally, a single run takes at least an hour and scans a couple hundred MB. The current code already tries to free as much memory as possible to hammer (affected by the aggressiveness factor), but there are probably better ways of doing this.

VUSec has also developed a Rowhammer simulator that allows researchers and practitioners to simulate hardware bit flips in software, using bit-flip patterns (or fliptables) collected from a large set of DRAM chips.

The source code is available on GitHub:

https://github.com/vusec/hammertime

Here is a video of the Drammer attack on Android 6.0.1:

…and a video of the Drammer attack combined with the Stagefright bug:


The original paper

https://vvdveen.com/publications/drammer.pdf


Links and references

https://github.com/vusec/hammertime

How difficult is it to build malware that antimalware solutions ignore?

Pretty easy, according to recent research!


A group of researchers from the Iswatlab team at the University of Sannio demonstrated how easy it is to create mobile malware that eludes antivirus solutions.

The research was conducted by Corrado Aaron Visaggio and Francesco Mercaldo, who built an engine that applies the following chain of transformations to Android malware code, altering the code’s shape but not the malware’s behavior:

  • Disassembling
  • Changing Package Name
  • Data Encoding
  • Code Reordering
  • Insert Junk Instruction NOP
  • Insert Junk Instruction Branch
  • Insert Junk Instruction Garbage
  • Identifiers Renaming Package
  • Identifiers Renaming Class
  • Call Indirection
  • Reassembling
  • Repacking

We developed a framework which applies a set of transformations to Android applications’ smali code. We then transformed a real-world malware data-set and submitted the applications to the website www.virustotal.com, in order to evaluate the maliciousness before and after the transformations (we submitted every sample pre and post transformation process).

Some sites named this solution the “Malware Washing Machine”.


The tests

We worked on a data-set composed of 5560 malware samples belonging to 178 different malware families.
We applied all the transformations combined together on the malware data-set.

The malware data-set is available at: http://user.informatik.uni-goettingen.de/~darp/drebin/


The results?

The results are impressive: the antimalware engines are no longer able to recognize the transformed malware, even where they recognized the original malware.

From the paper:

Percentage of antimalware products that detect as malicious more than 90% of the malware samples they analyze:

  • Original malware set : 47%
  • Transformed malware set: 7%


Simple transformations can turn known, recognizable malware into undetectable malware.

This should lead research and industry to develop detection mechanisms that are robust against these trivial evasion techniques.

For more information about the results and the technical details of the transformation chain, refer to the original paper:

https://www.iswatlab.eu/wp-content/uploads/2015/09/mobile_antimalware_evaluation.pdf


The source code

Freely available on GitHub:

https://github.com/faber03/AndroidMalwareEvaluatingTools