Saturday, 24 January 2015

Blackhat Movie Review

Blackhat movie review (with SPOILERS): It's been a while since I did a movie review here, and since this movie, going by its title, is about hacking, I think it's wise for me to write a thing or two (well, probably more) about what I feel about it.

Blackhat movie poster

First off, just for general movie knowledge: when this movie was initially scripted there were a lot of protests within the industry about the synopsis, in which the American government works with the Chinese government to tackle a foreign hacker, while in fact there is huge friction between the two in the cyber-war arena in the real world (the latter was briefly mentioned in the movie).

The start of the movie was quite cool: we see a hacker hitting the Enter key, and the movie shows the data travelling, Matrix-style, from the computer right to its destination, a power plant. I enjoyed the first 10 minutes of the movie as it showed the HMI (human-machine interface) of the SCADA system and how it was hijacked. Those who know how Stuxnet works can relate to the movie, since the RAT (remote access trojan) or 'virus' in this movie was probably inspired by the Stuxnet worm (which destroyed many uranium-enrichment centrifuges, which then had to be replaced at a cost of millions of dollars). What a huge coincidence that I covered SCADA and power plant security in my talks last year.

Power Plant Meltdown from the Blackhat movie


HMI interface for a SCADA system

However, the way things were handled by the US and Chinese governments (cooperating with each other) was unrealistic. According to the book 'Worm' by Mark Bowden, back when the famous Conficker worm was on a rampage in the US, infecting millions of computers, the US government did not even bother to take further action, even after being told that Conficker had the ability to launch a 'cyber Pearl Harbor', so to see the US government providing assistance to the Chinese government is quite far-fetched (but hey, who knows, this movie could entice a possible cooperation between them).

Worm by Mark Bowden

Everything went well until they decided to kill the direction of the movie. I'm not going to comment on this as I was utterly disappointed; it's like watching the latest Transformers scene in China... pointless! Chris Hemsworth, the hacker in the movie, was somehow good at martial arts and even knew how to use a gun better than the villains. (Seriously??? Now I miss Hugh Jackman in Swordfish.)

Swordfish the movie

My verdict: it was all positive hype in the first 30 minutes until it went totally downhill for the rest. Don't expect a blackhat-vs-blackhat cyber battle or a Die Hard 4.0 kind of vibe. The villains were lame, making the 90s movie Hackers look way better than this.

Sunday, 18 January 2015

Analyzing FlappyBird: How Codenomicon's AppCheck saved my Android

Introduction

Early last year, an article published in ZDNet [1] summarized the rise of Android in the mobile world, with statistics showing that Android is now the number one and most used smartphone platform. This has led not only to the rise of the platform but also to a rise in malware, as cyber criminals take advantage of it to expand their operations and profit from them. While scamming is an age-old criminal tactic, it has also been heavily adapted and engineered for the cyber world, aimed at clueless and gullible people who download anything that is famous and free. This paper covers the famous Flappy Bird game on Android, how its fame was used by opportunists to spread malware, and how dynamic analysis of both the genuine and the fake application allows analysts and organizations to understand what the fake does and to keep it off their smartphones.

FlappyBird in the Media

Everyone has heard of the Flappy Bird [2] game. It was created and designed by Dong Nguyen, a Vietnam-based developer, and published by .GEARS Studios [3]. Released in May 2013 and rising to popularity in early 2014, Flappy Bird was downloaded an estimated 50 million times and was earning an average of $50,000 a day [4]. But its fame came at a price: the game was heavily criticized for both its design and its difficulty [5], and it was later pulled from the application stores by the developer himself [6]. It was during this 'cut-off' period that other developers wanted a piece of the cake and built clones, taking advantage of the situation and of gamers. This also led opportunists to build their own Flappy Bird containing malware; McAfee reported that almost 79% of Flappy Bird clones were riddled with malware [7].

Intention of this Article

In this paper I use AppCheck to analyze the genuine and the malware-ridden Flappy Bird APK files, and perform additional manual analysis, to differentiate what they do and how they affect Android users even before installation on the smartphone. I also compare the permissions each requests and the behavior of the applications under dynamic analysis, so that it is clear what each application was intended to do when it was created.

The Analysis

In this analysis I downloaded and used two APK files from the following sources:


The AppCheck Interface


Analyzing the Details of the Application via AppCheck


Analyzing the Certificate Details


Findings: Using third-party tools to analyze the signing certificates (for example `keytool -printcert -jarfile <apk>` from the JDK), the fake application's certificate shows a freeware e-mail provider address as its owner name. The MD5 checksum of the genuine application matches the Flappy Bird package provided by trusted sources such as Google Play, whereas the fake Flappy Bird has a different checksum and different certificate details. These differences confirm that the fake APK is a separately built and signed clone rather than a modified copy of the genuine package, consistent with the many malicious clones reported by McAfee [7].

Analyzing the Android Permission via AppCheck


Findings: The genuine game's permissions are standard for most games: WAKE_LOCK, INTERNET and ACCESS_NETWORK_STATE. The malware-ridden application requests those plus four more: SEND_SMS, SYSTEM_ALERT_WINDOW, READ_SMS and RECEIVE_SMS. SEND_SMS lets the app send text messages, including to premium-rate numbers, without the user typing them; READ_SMS and RECEIVE_SMS let it read and intercept incoming messages such as carrier confirmations; and SYSTEM_ALERT_WINDOW lets it draw over other apps. One should certainly question why such permissions are required by a harmless game.
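The comparison above can be automated so that it runs on every APK before it reaches a device. The script below is an added example, not code from the original post or from Codenomicon AppCheck. It parses the text printed by `aapt dump badging <apk>` (part of the Android SDK build tools), diffs the suspect's permissions against the genuine game as a baseline, and annotates every extra permission with the abuse it enables. The two badging dumps are constructed from the permission names on this page; the package names and version numbers in them are hypothetical.

```python
"""Permission triage for two APKs (added example, not from the page or AppCheck).

Input is the output of `aapt dump badging <apk>`. The genuine game is the
baseline; anything the suspect requests beyond it is reported together with
what that permission lets an app do.
"""
import re
from typing import Dict, FrozenSet, List, NamedTuple, Optional

# Constructed sample dumps. Permissions come from the page; package names,
# versions and sdkVersion are hypothetical placeholders.
GENUINE_BADGING = """\
package: name='com.example.flappy' versionCode='5' versionName='1.3'
sdkVersion:'8'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
application-label:'Flappy Bird'
"""

SUSPECT_BADGING = """\
package: name='com.example.flappy.clone' versionCode='1' versionName='1.0'
sdkVersion:'8'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
application-label:'Flappy Bird'
"""

# What a permission lets an app do, phrased as the abuse an analyst looks for.
PERMISSION_RISK: Dict[str, str] = {
    "android.permission.SEND_SMS": "send SMS, including to premium-rate numbers, without the user typing it",
    "android.permission.RECEIVE_SMS": "receive incoming SMS (and on pre-4.4 Android hide them from the inbox)",
    "android.permission.READ_SMS": "read the whole SMS inbox",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (fake dialogs, hidden taps)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart itself after every reboot",
    "android.permission.READ_PHONE_STATE": "read the IMEI and phone number",
}

# Permission sets that together form a known fraud pattern.
COMBO_PATTERNS = [
    ({"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
     "premium-SMS toll fraud: sends to a short code and intercepts the carrier reply"),
    ({"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.SEND_SMS"},
     "overlay plus SMS: can hide or spoof the premium-SMS confirmation dialog"),
]

_PKG_RE = re.compile(r"^package: name='([^']+)'", re.M)
# aapt prints "uses-permission: name='X'" (newer) or "uses-permission:'X'" (older).
_PERM_RE = re.compile(r"^uses-permission:(?: name=)?'([^']+)'", re.M)


class Badging(NamedTuple):
    package: Optional[str]
    permissions: FrozenSet[str]


def parse_badging(text: str) -> Badging:
    """Extract the package name and the set of requested permissions."""
    m = _PKG_RE.search(text)
    return Badging(m.group(1) if m else None, frozenset(_PERM_RE.findall(text)))


def triage(baseline_text: str, suspect_text: str) -> Dict[str, object]:
    """Diff the suspect's permissions against a trusted baseline and flag abuse."""
    base = parse_badging(baseline_text)
    sus = parse_badging(suspect_text)
    extra = set(sus.permissions - base.permissions)
    missing = set(base.permissions - sus.permissions)
    risks: List[str] = [f"{p}: {PERMISSION_RISK[p]}" for p in sorted(extra) if p in PERMISSION_RISK]
    combos: List[str] = [why for needed, why in COMBO_PATTERNS if needed <= sus.permissions]
    return {
        "package": sus.package,
        "extra": extra,
        "missing": missing,
        "risks": risks,
        "combos": combos,
        "verdict": "suspicious" if risks or combos else "consistent with baseline",
    }


if __name__ == "__main__":
    report = triage(GENUINE_BADGING, SUSPECT_BADGING)
    print(f"{report['package']}: {report['verdict']}")
    for line in list(report["risks"]) + list(report["combos"]):
        print("  -", line)
```

Run on the two dumps it reports the clone as suspicious with all four extra permissions and both fraud patterns. The baseline does not have to be a genuine copy of the same app: a per-category allowlist (a game needs no SMS permissions at all) works just as well when no trusted build is available.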

Analyzing the Stats via AppCheck


Findings: No statistics were recorded for the genuine application. The malware-ridden application contacted two unique domains, wap4android.info and serviceappsite.com:


Browsing to the respective sites gives the following results:

For wap4android.info


For serviceappsite.com


Checking the legitimacy of the websites with Scamadviser.com gave the following results:

For wap4android.info


For serviceappsite.com


Findings: The two websites found by AppCheck could not be reached, and one showed 'Account Suspended'. According to scamadviser.com, the registrant of wap4android.info looks suspicious: the registered address does not exist and the owner name is gibberish.

Network Events via AppCheck

No network events or activity were found for the genuine application. For the malware-ridden application there were a few findings.


In this analysis I focus only on the highlighted entries.



Below is the detailed finding captured from the network analysis in AppCheck:


Findings: As shown here, while the application was being installed it contacted the domain 'serviceappsite.com' with an HTTP GET request for the path '/services/payment.php'. If this application is meant to be free, why would it contact a website at a URL that looks like it handles payment?
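The same judgement (a game that should talk to nobody is fetching a payment endpoint) can be applied mechanically to every request a sandbox records. The script below is an added example, not from the original post or from AppCheck. It parses raw HTTP requests as a logging proxy would capture them, lists the unique hosts contacted, and flags requests whose URL carries billing vocabulary, whose query string leaks device identifiers, or whose host is not one the application is expected to contact. The captured requests are constructed: the page only documents the GET for /services/payment.php on serviceappsite.com and the second domain wap4android.info; the query strings, the second path, the ad-network host and the header values are hypothetical.

```python
"""Triage of HTTP requests recorded during dynamic analysis (added example,
not from the page or from AppCheck). Input is a list of raw HTTP requests as
a logging proxy captures them.
"""
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

# Constructed capture. Hosts match the page; paths other than payment.php,
# query strings and headers are hypothetical. The IMEI is an obvious dummy.
CAPTURED_REQUESTS = [
    "GET /services/payment.php?imei=123456789012345&op=1 HTTP/1.1\r\n"
    "Host: serviceappsite.com\r\n"
    "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2)\r\n\r\n",
    "GET /sms/rules.txt HTTP/1.1\r\nHost: wap4android.info\r\n\r\n",
    "GET /ads/banner.png HTTP/1.1\r\nHost: cdn.example-adnetwork.net\r\n\r\n",
]

# Vocabulary that has no business in a free game's traffic.
BILLING_WORDS = ("payment", "premium", "sms", "bill", "subscri", "charge", "tariff")
# Query parameters that identify the handset or subscriber.
IDENTIFIER_PARAMS = {"imei", "imsi", "msisdn", "phone", "iccid", "android_id", "mac"}


def parse_request(raw: str) -> Dict[str, object]:
    """Split one raw HTTP/1.x request into method, host, path, query and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": parts.path,
        "query": query,
        "headers": headers,
        "body": body,
    }


def flag_request(req: Dict[str, object], expected_hosts: Set[str]) -> List[str]:
    """Return human-readable reasons this request deserves a second look."""
    flags: List[str] = []
    query: Dict[str, str] = req["query"]  # type: ignore[assignment]
    haystack = (str(req["path"]) + "?" + "&".join(query)).lower()
    hits = sorted({w for w in BILLING_WORDS if w in haystack})
    if hits:
        flags.append("billing keyword in URL: " + ", ".join(hits))
    leaked = sorted(IDENTIFIER_PARAMS & {k.lower() for k in query})
    if leaked:
        flags.append("device identifier sent: " + ", ".join(leaked))
    if req["host"] not in expected_hosts:
        flags.append("unexpected host: " + str(req["host"]))
    return flags


def unique_hosts(raw_requests: List[str]) -> List[str]:
    """The 'unique domains contacted' figure a sandbox report shows."""
    return sorted({str(parse_request(r)["host"]) for r in raw_requests})


def triage_capture(raw_requests: List[str], expected_hosts: Set[str] = frozenset()) -> List[Dict[str, object]]:
    """Parse and flag every request; a genuine game with no backend expects no hosts."""
    results = []
    for raw in raw_requests:
        req = parse_request(raw)
        results.append({"host": req["host"], "path": req["path"],
                        "flags": flag_request(req, set(expected_hosts))})
    return results


if __name__ == "__main__":
    print("unique hosts:", unique_hosts(CAPTURED_REQUESTS))
    for r in triage_capture(CAPTURED_REQUESTS, {"cdn.example-adnetwork.net"}):
        print(r["host"], r["path"], "->", r["flags"] or "ok")
```

The allowlist is deliberately empty by default: the genuine game produced no network events at all, so for this application every contacted host is a finding, and the keyword and identifier checks only rank which finding to pull apart first.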

Sophos Take on Flappy

Andras Mendik of SophosLabs wrote an article detailing what happens on installation of both the genuine and the fake application [8]. It shows clearly how the application uses SMS to exploit user ignorance and profit from it.

The Malicious Flappy Bird in Action*

The screenshots below show how the malicious application abuses SMS.



Processes*:

1) FlappyBird Fig 1: The imposter pretends to be a trial version that has expired; all you need to do is send an SMS to reactivate it
2) FlappyBird Fig 2: That's a premium-rate SMS account, and you do get a warning - most users, we assume, will be rightly suspicious by now
3) FlappyBird Fig 3: If you decide not to send the SMS and not to use the app, it offers to exit, as you might expect
4) FlappyBird Fig 4: But it doesn't exit at all. The app screen disappears, but the software keeps running in the background, as you will see if you click "Yes" to exit and then go to the list of recent apps

*(Credits to Sophos for the Flappy Bird screenshots and processes)

Conclusion

With thousands of applications being created every day, organizations and developers must find a way to address such potential issues before applications are installed or deployed in critical environments, whether they are mobile applications or other binaries provided by or downloaded from third-party sites. While AppCheck is a tool for finding known vulnerabilities and not a product for detecting infections or malware, this paper demonstrates how AppCheck can be used to analyze the behavior of an application so that analysts can detect suspicious behavior and flag the unintended activities used by malware.

For more information on Codenomicon and AppCheck, visit the Codenomicon website.

References