Black Hat Asia March 29, Singapore. ANDROID COMMERCIAL SPYWARE DISEASE AND MEDICATION by Mustafa Saad. ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER by Avi Bashan & Ohad Bobrov. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He. SU-A-CYDER: HOMEBREWING MALWARE FOR IOS LIKE A B0$$! by Chilik Tamir.
I guess it is still too early in the year for conference programs. ShmooCon just concluded, Infiltrate doesn't have any mobile talks, and SyScan didn't post accepted talks yet. This weekend I attended the first BSidesNYC. The conference was pretty good, some expected and some unexpected good talks. The conference venue was pretty nice and spacious. I will go again.
If you are into NFC research, check out ChameleonMini - A Versatile NFC Card Emulator, a new Kickstarter project. The guys who run it definitely know what they are doing.
Updated Android malware steals voice two factor authentication
Phone Hackers: Britain's Secret Surveillance Video by vice
Android-based Smart TVs Hit By Backdoor Spread Via Malicious App (not mobile but close enough)
Create an anonymous Signal phone number w/ Android
Covert Communication in Mobile Applications (paper)
Vulnerability in Blackphone Puts Devices at Risk for Takeover
spectrum monitoring system for GSM providers (a tool)
Nexus Security Bulletin - January 2016 has a bunch of critical stuff
(Un)Trusted Execution Environments (slides)
Parsing iOS Frequent Locations
A Forensic Analysis of Tinder (iOS)
How to Bypass Factory Reset Protection on your Nexus 6P, 5X, 5, & 6 (YouTube video)
[CVE-2015-7292] Amazon Fire Phone kernel stack based buffer overflow
Mediatek/Obi nerfed ALL property space security: any user can control any property, even ro ones
CopperheadOS's OpenBSD malloc port uncovered a use-after-free in Android's fancy new over-the-air update sorcery
Added support to crack Android FDE (Samsung DEK) to oclHashcat v2.10! 171kH/s @ 290x, 217.7 kH/s @ 980Ti
DIVA (Damn insecure and vulnerable App) for Android
A pattern based Dalvik deobfuscator which uses limited execution to improve semantic analysis and the slides for it.
Experimental version of QEMU with basic support for ARM TrustZone (security extensions)
How to NOT disable SELinux on Android
I've gotten a little lazy with this blog but I promise I will post more often in 2016.
32c3 27-30 December, Hamburg, Germany. Iridium Update: more than just pagers by Schneider and Sec. Running your own 3G/3.5G network: OpenBSC reloaded by LaForge. (Un)Sicherheit von App-basierten TAN-Verfahren im Onlinebanking (in German) by Vincent Haupert.
ShmooCon January 15 - 17, Washington D.C. Hiding from the Investigator: Understanding OS X and iOS Code Signing to Hide Data by Joshua Pitts. LTE Security and Protocol Exploits by Roger Piqueras Jover.
BSides NYC January 16, NYC. 99 Problems but a Microkernel ain't one! by Alex Plaskett. Mobile implants in the age of cyber-espionage by Dmitry Bestuzhev.
Black Hat ASIA March 31 - April 1, Singapore. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He.
NDSS 2016 February 21 - 24, San Diego. Has a good number of Android related papers. Some titles look quite interesting.
As I said before, I'm neither attending 32c3 nor ShmooCon. I'll be attending BSides NYC though.
Google suspended Android-vts, the only up-to-date Android device vulnerability scanner. No idea if Google would allow it back after fixing the issues. On the other hand, I'd rather have a tool that can find a large number of vulnerabilities than a crippled version in the Play Store.
Palo Alto Networks - Mobile Malware Research Engineer
We at Square are looking for Security people and Engineers.
Grab'n Run, a simple and effective Java Library for Android projects to secure dynamic code loading.
Exploring Android's SELinux Kernel Policy
(In)secure iOS Mobile Banking Apps - 2015 Edition
Samsung patched the Pwn2Own baseband bug within 1 month
Android-classyshark for looking at Android APKs/decompiling
This tool is used to extract dex files from an oat file.
Android Data Residue Vulnerability
New Android 'enjarify' Decompile Tool
Droid Turbo Bootloader Unlock on now with SunShine 3.2 Beta
Windows Phone Internals
Huawei is disclosing 'Security Advisory' for baseband bugs
Google can remotely bypass the passcode of at least 74% of Android devices if ordered. I thought this was more widely known?
Hacking Team - how they infected your Android device by 0days (slides from Hack.Lu)
Unblocking Stolen Mobile Devices Using SS7-MAP Vulnerabilities: Exploiting the Relationship between IMEI and IMSI for EIR Access (paper)
POC for CVE-2015-6620, AMessage unmarshal arbitrary write
iOS Trojan 'TinyV' Attacks Jailbroken Devices
Attacking Bound Services on Android
BytecodeViewer - A Java Reverse Engineering Suite. GUI Java And APK Decompiler, Editor, Debugger And More
Using "system" privileges by abusing mobile remote support tools (slides)
List of Android apps to detect fake mobile towers
Defeating iOS Jailbreak detection for Mobile Application Testing
Abusing Android ClipData
50 smartphone users in Singapore hit by malware targeting mobile banking customers
BareDroid allows for bare-metal analysis on Android devices.
Apparently, if you install an accessibility service, the FDE password is reset to default on Android 5.x+.
Capstone Engine on Android
upcoming: 32C3 (December), ShmooCon (January)
$10 Android Phone: Walmart has a $10 Android phone. It is an LG device with Android 4.4 specs. I agree with Patrick McCanna: "Smartphones @ featurephone prices will be a significant milestone towards monetizing mobile hacking." These prices really mean everybody is going to have a smartphone. Like everybody. I ordered two of those to play with.
Mobile Pwn2Own: two interesting results. (1) Baseband of a Samsung S6 Edge: the payload was able to redirect incoming calls. This was done by my buddies Nico Golde and Daniel Komaromy. Here is a picture of their setup. Story by various sites: 1, 2 (German), 3. (2) Drive-by APK install on a Nexus 6 without user interaction by Guang Gong. Tweets: 1, 2 (with picture).
LTE Security: pretty interesting talk and paper about LTE design and implementation vulnerabilities (slides, white paper). Blog post by the same people: Practical attacks against 4G (LTE) access network protocols. One thing I hadn't noticed is how cheap LTE research already is. Their setup is just over $1000, which seems rather cheap for LTE.
We at Square are looking for engineers, jobs should be super interesting for those who read this blog!
The GSMA is looking for a Cyber Security Director
FakeDebuggerd.D, AFAIK the first Android Trojan infecting system binaries just like traditional virus (in Chinese)
tiny USB drive sized Qualcomm LTE base station
Samsung Mobile Security Blog. I didn't know this existed.
32c3 again has a GSM network
Remote Code Execution as System User on Android 5 Samsung Devices abusing WifiCredService (Hotspot 2.0)
Hey @sprint @sprintcare, what's up with Sprint installing an MDM profile on a new iPhone 6s at the store? Sprint seems to install MDM profiles onto iPhones at the store; more investigation needed!
A vulnerability known as Wormhole affects the Baidu Moplus SDK and potentially exposes more than 100 Million users to cyber attacks.
VTS for Android vulnerability scanner for Android that is constantly updated!
Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge. Google P0 takes a look at the S6 and finds 11 high impact issues.
The Zerodium 1 Million $ iOS 0day bounty was claimed on Nov. 2
ZipFury: Yet another Zip arbitrary file write with system privileges (Samsung Android)
SafetyNet doesn't detect a device as rooted if using the new system-less SuperSU
Characterizing SEAndroid Policies in the Wild (paper)
SEAL: SEAndroid Analytics Library for live device analysis (tool)
Long Term Exploitation - LTE security (slides)
Nexus 6P has two levels of bootloader unlocking
Xposed now for Android 6.0
Copperhead CTO: Nexus Phones Already More Secure Than BlackBerry Priv
AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.
android app capable of "self-compilation, mutation and viral spreading" (paper) and code
When providing a native mobile app ruins the security of your existing web solution (slides)
Why Does My Android Phone Have eFuses And Why Should I Care About Them?
AFL on Android
As Of Android 6.0, OEMs Will Be Required To Provide Secure Factory Reset On Their Devices (If They Haven't Already)
Nexus Security Bulletin November 2015
Remote attestation for TEEs and Verified Boot will be possible on Android N
The Ubuntu phone has security issues
ARMageddon: Last-Level Cache Attacks on Mobile Devices (paper)
GOOGLE AOSP EMAIL APP HTML INJECTION
The Terminator to Android Hardening Services (slides)
Android developer hotlinks an image on some guy's server, DDoS's it. He has no idea who to contact. (reddit)
ARMv8 has unprivileged cache flush instructions. (slides)
Mount Android phones on Linux with adb. No root required.
BlackBerry's PaX / grsecurity configuration
MalwAirDrop: Compromising iDevices via AirDrop (slides)
Android now has Signal too
don't jailbreak your iPhone (or else forensics)
... encrypted com app security scorecard ...
ekoparty October 21-23, Buenos Aires. ARM disassembling with a twist by Agustin Gianni and Pablo Sole. Exploiting GSM and RF to Pwn you Phone by Manuel Moreno and Francisco Cortes. Faux Disk Encryption: Realities of Secure Storage on Mobile Devices by Drew Suarez and Daniel Mayer. New Age Phreacking: Tacticas y trucos para fraudes en Wholesale by David Batanero.
Hackito Ergo Sum October 29-30, Paris, France. Malicious AVPs: Exploits to the LTE Core by Laurent Ghigonis & Philippe Langlois. Android malware that won't make you fall asleep by By Lukasz Siewierski.
The RIM BlackBerry PRIV looks like a really interesting device. The PRIV seems to focus on security. The website claims a hardened Linux kernel, and indeed they seem to run a grsec kernel, as you can see in this picture (lower left corner) posted on the CrackBerry forum. Some comments about this in this series of tweets.
There is a new security news outlet with a focus on the consumer angle; it is called The Parallax. It is super new and does not have many articles yet, but I think the consumer focus could be interesting.
Job Section (just because I know about a bunch of stuff)
Intern at Siemens with focus on Mobile Security (Germany)
I know that Button Inc in NYC is looking for mobile developers.
Square is looking to hire multiple security people.
Pangu iOS 9 jailbreak
Cryptfs Password Manager with Android 6 support
Android banking Trojan delivers customized phishing pages straight from the cloud
OpenKeychain Audit (PDF)
The AuditDroid Project is a fully functional and self-contained environment for learning about Android security
Android Vulnerability Test Suite - now detects CVE-2015-6602
Attackers with brief physical access can enable WiFi MITM on Android 6.0
A "shim" for loading native jni files for Android active debugging
Androguard: A simple step by step guide
Interesting Twitter thread about HTC and Security updates for Android including the HTC USA President
Same Sh*t Different Android Browser
Nexus 5X and Nexus 6P review: The true flagships of the Android ecosystem. Contains a large section on disk encryption performance on various Android devices.
A Look at Marshmallow Root & Verity Complications
SELinux in Android Lollipop and Marshmallow (PDF)
Current State of Android Privilege Escalation (PDF)
AOSP 4.4.4 ROM for grouper (Nexus7) with DexHunter automatic unpacker built in
Android Xposed Module to bypass SSL certificate validation (Certificate Pinning).
Using Android's tamper detection securely in your app
An Xposed and adbi based module which is capable of hooking both Java and Native methods targeting Android OS.
microG GmsCore is a FLOSS (Free/Libre Open Source Software) framework to allow applications designed for Google Play Services to run on systems, where Play Services is not available.
Nexus Security Bulletin—October 2015
The Nexus 5X And 6P Have Software-Accelerated Encryption, But The Nexus Team Says It's Better Than Hardware Encryption
Reverse Shell Over SMS (Exploiting CVE-2015-5897) (OS X)
Nexus 6P has a hardware fuse that blows irreversibly when bootloader unlocked.
BoringSSL runs Android M and other stuff...
YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs (not actually the FIRST)
Black Hat Europe November, Amsterdam NL. ALL YOUR ROOT CHECKS BELONG TO US: THE SAD STATE OF ROOT DETECTION by Azzedine Benameur & Nathan Evans & Yun Shen. ANDROBUGS FRAMEWORK: AN ANDROID APPLICATION SECURITY VULNERABILITY SCANNER by Yu-Cheng Lin. AUTHENTICATOR LEAKAGE THROUGH BACKUP CHANNELS ON ANDROID by Guangdong Bai. FAUX DISK ENCRYPTION: REALITIES OF SECURE STORAGE ON MOBILE DEVICES by Daniel Mayer & Drew Suarez. FUZZING ANDROID: A RECIPE FOR UNCOVERING VULNERABILITIES INSIDE SYSTEM COMPONENTS IN ANDROID by Alexandru Blanda. LTE & IMSI CATCHER MYTHS by Ravishankar Borgaonkar & Altaf Shaik & N. Asokan & Valtteri Niemi & Jean-Pierre Seifert. TRIAGING CRASHES WITH BACKWARD TAINT ANALYSIS FOR ARM ARCHITECTURE by Dongwoo Kim & Sangwho Kim.
Secret Conference October 9th, NYC. Talks by Jon Callas and Dan Ford from Silent Circle / Blackphone.
Ruxcon October 24-25 Melbourne, Aus. TEAM PANGU on DESIGN, IMPLEMENTATION AND BYPASS OF THE CHAIN-OF-TRUST MODEL OF IOS. MARK DOWD on MALWAIRDROP: COMPROMISING IDEVICES VIA AIRDROP. JOSHUA KERNELSMITH SMITH on HIGH-DEF FUZZING: EXPLORING VULNERABILITIES IN HDMI-CEC. BABIL GOLAM SARWAR on HACK NFC ACCESS CARDS & STEAL CREDIT CARD DATA WITH ANDROID FOR FUN &PROFIT. COLBY MOORE on SPREAD SPECTRUM SATCOM HACKING: ATTACKING THE GLOBALSTAR SDS.
ToorCon San Diego October 24-25, San Diego, CA. The Phr3$h Pr1nc3 0f Bellk0r3 on Fuzzing GSM for fun and profit.
SyScan360i October 21-22 Beijing China. Fuzzing Android System Service by Binder Call to Escalate Privilege by Guang Gong.
PacSec November, Tokyo JP. BlueToot / BlueProx - when Bluetooth met NFC by Adam Laurie.
ZeroNights 25-26 November, Russia. Extracting the painful (Blue)tooth by Matteo Beccaro and Matteo Collura.
HP / ZDI will not run Mobile Pwn2Own at PacSec (in Japan) due to export restrictions. Source: Dragos Ruiu. This is unfortunate.
Personal note: Since September I'm working for Square doing mobile security engineering. This blog will only be temporarily affected by the job switch; once I get settled I will return to more than one post per month.
Motorola Marketed The Moto E 2015 On Promise Of Updates, Is Now Apparently Ending Them After 219 Days
ANDROID PAY: PROXY NO MORE. Super interesting post on the insides of Android Pay and Google Wallet.
iOS 9 code vulnerability lets hackers steal thousands of dollars worth of in-app purchases
AndFix is a library that offers hot-fixes for Android apps. Some parts look very, very similar to PatchDroid. I have to look closer at this.
Announcing Android Vulnerability Test Suite
PoC code for 32 bit Android OS - ping pong root
Android 5.x Lockscreen Bypass (CVE-2015-3860)
Defeating SSL Pinning in Coin's Android Application
Assessing Android Applications Using Command-Line Fu (slides)
The Latest on Stagefright: CVE-2015-1538 Exploit is Now Available for Testing Purposes
SunShine - The #1 Bootloader Unlock tool For Your HTC or Motorola Smartphone! Not new, but not too many people know about this.
DexHunter General Automatic Unpacking Tool for Android Dex Files
SafetyNet Helper wraps the Google Play Services SafetyNet.API and verifies Safety Net API response with the Android Device Verification API.
SafetyNet: Google's tamper detection. Interesting insights into the on-device parts of SafetyNet.
Zimperium zLabs is Raising the Volume: New Vulnerability Processing MP3/MP4 Media.
The Nexus 5X And 6P Have Software-Accelerated Encryption, But The Nexus Team Says It's Better Than Hardware Encryption
Android Now Shows Your Device's "Android Security Patch Level" In Marshmallow
The road to efficient Android fuzzing
An IDA Pro based Dex Dumper plugin
Kernel Vulnerabilities in the Samsung S4
Mobile Security Challenge Organized by Alibaba
Ruminations on App CVEs
Spoofing and intercepting SIM commands through STK framework (Android 5.1 and below) (CVE-2015-3843)
DexHook is a small xposed module for hooking BaseDexClassLoader and capturing dynamically loaded jars/dex files without interfering with the normal run of the application.
Android M Begins Locking Down Floating Apps, Requires Users To Grant Special Permission To Draw On Other Apps
Hack Brief: Upgrade to iOS 9 to Avoid a Bluetooth iPhone Attack
Android Security Symposium - all slides online
Unbillable: Exploiting Android In App Purchases by Alfredo Ramirez at Derbycon 2015. I haven't watched this yet.
The problems with JNI obfuscation in the Android Operating System by Rick Ramgattie at Derbycon 2015. Haven't watched this yet.
Black Hat Europe Nov 12-13 Amsterdam. (IN-)SECURITY OF BACKEND-AS-A-SERVICE by Siegfried Rasthofer & Steven Arzt. ALL YOUR ROOT CHECKS BELONG TO US: THE SAD STATE OF ROOT DETECTION by Azzedine Benameur & Nathan Evans & Yun Shen. AUTHENTICATOR LEAKAGE THROUGH BACKUP CHANNELS ON ANDROID by Guangdong Bai. LTE & IMSI CATCHER MYTHS by Ravishankar Borgaonkar & Altaf Shaik.
Ruxcon Oct 25. Melbourne Australia. HIGH-DEF FUZZING: EXPLORING VULNERABILITIES IN HDMI-CEC by JOSHUA 'KERNELSMITH' SMITH. DESIGN, IMPLEMENTATION AND BYPASS OF THE CHAIN-OF-TRUST MODEL OF IOS by Team Pangu.
Hacker Halted September 17th, Atlanta GA. One SMS to hack a company by Dmitry Chastuhin. Why You'll Care More About Mobile Security in 2020 by Tom Bain.
Virus Bulletin September 29th, Prague. Mobile banking fraud via SMS in North America: who's doing it and how by Cathal Mc Daid. Will Android trojan, worm or rootkit survive in SEAndroid and containerization? by William Lee and Rowland Yu. Dare 'DEVIL': beyond your senses with Dex Visualizer by Jun Yong Park and Seolwoo Joo. Android ransomware: turning CryptoLocker into CryptoUnlocker (live demo) by Alexander Adamov.
ToorCon San Diego.
Unfortunately I had to cancel my talk at the Android Security Symposium in Vienna due to a scheduling conflict. It is a real bummer but I can't do anything about it. The replacement talk is done by my friend and research buddy Matthias; he is doing a talk on one of our previous mitigation projects.
The iOS KeyRaider malware looks rather interesting. It combines a lot of different functionality, such as stealing AppStore credentials and a ransomware module. This malware again only targets jailbroken iOS devices; users specifically had to download apps from third-party Cydia repositories. So this is not a general threat but a threat to people who jailbreak their device. If you jailbreak you likely have a very specific need and you hopefully know what you are doing. If not, just don't jailbreak your device (no matter what OS it runs).
I just found this recently published paper titled: Header Enrichment or ISP Enrichment? Emerging Privacy Threats in Mobile Networks. The paper studies HTTP header modification and injection done by mobile network operators. The paper is more or less a direct follow-up to my paper on the same subject titled: Privacy Leaks in Mobile Phone Internet Access. Their paper looks at what happens to smartphones that actually use HTTP (my work was mostly focused on phones that used WAP, even though WAP was translated to HTTP to access regular web pages). Anyway, their paper provides good insight into what is happening. If you run a website that gets a lot of mobile traffic, you should check whether you see some of the HTTP headers that are injected by the mobile carriers.
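One way to do that check on your own web server, as an added example that is not code from the blog or from either paper: parse a raw HTTP request and flag headers that look carrier-injected. The starting list of header names is an assumption drawn from the header-enrichment literature, and the sample request and its identifier values are constructed.

```python
"""Flag HTTP request headers that look like mobile-carrier header enrichment.

Added example, not from the blog or the cited papers. KNOWN_ENRICHMENT_HEADERS is
an assumed starting list; extend it with whatever your own logs show.
"""
import re
from typing import Dict, List, Tuple

# Assumed starting list of header names reported as injected by carrier proxies.
KNOWN_ENRICHMENT_HEADERS = {
    "x-msisdn",
    "x-up-calling-line-id",
    "x-up-subno",
    "x-nokia-msisdn",
    "x-wap-msisdn",
}

# Header names containing these tokens are treated as suspicious even if unknown.
SUSPICIOUS_TOKENS = ("msisdn", "imsi", "imei", "subno", "calling-line", "subscriber")

# Values that look like a subscriber identifier: 8-15 digits, optional leading '+'.
IDENTIFIER_VALUE = re.compile(r"^\+?\d{8,15}$")


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request into a lowercase-keyed dict."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # skip the request line
        if not line.strip():
            break                   # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_enrichment_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, value, reason) for every header that looks carrier-injected."""
    findings: List[Tuple[str, str, str]] = []
    for name, value in headers.items():
        if name in KNOWN_ENRICHMENT_HEADERS:
            findings.append((name, value, "known enrichment header"))
        elif any(tok in name for tok in SUSPICIOUS_TOKENS):
            findings.append((name, value, "suspicious header name"))
        elif name.startswith("x-") and IDENTIFIER_VALUE.match(value):
            findings.append((name, value, "identifier-like value in X- header"))
    return findings


# Constructed sample request as a carrier proxy might forward it (all values fake).
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 4.4)\r\n"
    "Accept: text/html\r\n"
    "X-Up-Calling-Line-ID: 15551234567\r\n"
    "X-Acme-Subscriber-Ref: abc123\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "X-Carrier-Id: 310150123456789\r\n"
    "\r\n"
)


def scan_sample() -> List[str]:
    """Run the detector over the constructed request; returns the flagged header names."""
    findings = find_enrichment_headers(parse_request_headers(SAMPLE_REQUEST))
    return [name for name, _, _ in findings]


if __name__ == "__main__":
    for name, value, reason in find_enrichment_headers(parse_request_headers(SAMPLE_REQUEST)):
        print(f"{name}: {value}  <- {reason}")
```

In production, feed it the request headers your server logs (or a capture) rather than the constructed sample, and treat every hit as a privacy finding to report to the carrier, not as proof of malice.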
QARK - Quick Android Review Kit
Android Cross-Reference covers every single Android release (all 133) ever made
Android linux kernel privilege escalation (CVE-2014-4323)
Effectively bypassing kptr_restrict on Android
Offensive and Defensive Android Reverse Engineering by Tim, Jon, and Caleb (slides)
Remote Code Execution in Dolphin Browser for Android
Changes made to AOSP from m-preview-1 to m-preview-2
Tim Strazzere: So I'm guessing @YotaPhone never expected to send updates? Since the OTA keys are the compromised, test-keys (good find, but WTF?)
Very interesting blog post from the T-Mobile USA CEO. He basically says they are going after people who modify their phones to get free tethering. The outcome will be interesting.
World Writable Code Is Bad, MMMMKAY
Ask Us Almost Anything about Android Security, Privacy or Malware with beaups, Tim "diff" Strazzere, Joshua "jduck" Drake, and Jon "jcase" Sawyer
Android 6.0 with Runtime Permissions
Video of jduck's Black Hat talk: Stagefright: Scary Code in the Heart of Android
A rather short update this time. Until next time!
Finally I have time to write a new blog post again. The last couple of weeks have been super busy for me. I had to finish a project, prepare a talk about it, and give a bunch of talks at various places in July and August.
T2 Helsinki, Finland. LTE (in) Security Ravishankar Borgaonkar & Altaf Shaik.
BalcCon Novi Sad, Vojvodina, Serbia. Private communications with mobile phones in the post-Snowden world, the _open_source_ way by Bojan Smiljanic.
APPSEC USA San Francisco, CA. QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer. SecureMe - Droid' Android Security Application by Vishal Asthana and Abhineet Jayaraj. OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Jonathan Carter. ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.
GrrCon Grand Rapids, MI. Phones and Privacy for Consumers by Matthew and David
I recently bought an Apple Watch. The primary reason was fun. Also, since I switched to Two-Factor Authentication (2FA) for all my private infrastructure and all my web accounts that support it, I thought it would make life easier. I use Duo 2FA for my own stuff and they have a Watch app which is pretty convenient. Before that I owned the first Pebble watch. I liked that a lot, even though I had a lot of issues with the Bluetooth connection between the Pebble and my Nexus 5. Sometimes it worked great and sometimes it just didn't work at all. I also got an LG G Watch R (W110) (Android Wear) but I didn't really use it. It was much too big for my wrist. Also the round display was kinda strange. Some of the apps seem to not be designed for it and cut off parts of the information that should be displayed. I also found the interface to be confusing, but this might be due to my very, very short trial run of the watch. Between the Pebble and the LG Watch I also had a Toq, but the Toq had many issues besides its size so I never really used it. I tried to wear it like once.
Anyway, the only reason I write about smartwatches is because I really like the Duo 2FA watch app. This makes 2FA much, much easier and more user friendly. I know I'm not the first to write about smartwatches or wearables in the security context, but the user friendliness could really make a difference. Also a watch is harder to lose than a token (if you still use one of those).
I guess I don't have to say much about the Stagefright series of Android security vulnerabilities. The vulnerabilities are present in Android's media format handling library (named stagefright). Several factors make these bugs interesting. First, every Android version after 2.2 was vulnerable (at the time of discovery), which was around 95% of all devices. Second, the bug can be remotely triggered via MMS. Yes, MMS once again provides the ultimate attack vector against smartphones. Who would have known? ;-)
The bug was patched relatively fast by Google since Joshua provided patches, and Google started shipping OTA updates for their Nexus devices relatively fast. Still, most Android devices will not get patched or will receive their patches super late (and thus users will not be protected in a timely fashion). The reason for this is mostly the mobile ecosystem, which is largely not suited for fast patch deployment. I provided some comments about this issue on NPR in late July.
While patches/updates were rolled out, Jordan from Exodus found that the patches are not complete and that more vulnerabilities remain in the exact code that was fixed in the update. His blog post describing the issue is here.
The only way to protect yourself is to update your device to a firmware version that does not contain the vulnerability. If you are one of the many people who own phones that did not yet receive an update, your only chance is to disable MMS auto-download. This will not kill the bug, since you can still be attacked using other vectors (e.g. downloading and playing a .mp4 file), but disabling MMS auto-download will at least remove the automatic remote exploitation problem. A step-by-step way to disable MMS auto-download for various MMS clients is provided by Lookout here.
Demo video is: here.
Joshua's Black Hat slides are: here
Android detector app is: here
There is even a wikipedia page for Stagefright_(bug)
StageFright, Telegram Stage-Left & WhatsApp Stage-Right
disarm - Quick & (very) dirty command line instruction lookup for ARM64
JEB Plugin for decrypt DexGuard encrypted Strings.
Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)
Fuzzing utility which enables sending arbitrary SCMs to TrustZone
Full TrustZone exploit for MSM8974
Android Security Toolkit
First public Android Security Bulletin
Locker: an Android ransomware full of surprises
Remote Exploitation of an Unaltered Passenger Vehicle (white paper). I link this because the cars were sitting on cellular networks with OPEN ports that allowed issuing D-Bus commands to activate the wipers or change the volume on the radio. CRAZINESS
Exploring Qualcomm's TrustZone implementation
HTC "zerodays" from our Defcon workshop
Qualcomm LPE vuln from our #defcon workshop
Black Hat slides are online now
New acquisition method based on firmware update protocols for Android smartphones
Boxify: Full-fledged App Sandboxing for Stock Android
Android Market Downloaders
ONE CLASS TO RULE THEM ALL 0-DAY DESERIALIZATION VULNERABILITIES IN ANDROID (paper)
Universal Android rooting (slides Black Hat USA 2015)
Faux Disk Encryption - Realities of Secure Storage on Mobile Devices slides (Black Hat 2015)
Koodous collaborative platform for Android malware analysts
Windows Phone PIN cracking
Hardening Android's Bionic libc
How to use old GSM protocols/encodings to know if a user is Online on the GSM Network AKA PingSMS 2.0
imgtool quick tool to unpack Android images
Android M: A Security Research Perspective (Part 1)
SnooperStopper: Automatically prompts you to change FDE password if lockscreen PIN/password is changed (needs root) Android App
HackingTeam's Android Exploit: nice review by Tencent Security Response Center.
PGP on Android using the GPG applet on a Yubikey, via NFC. Useful for using PGP while mobile without storing the private key on the device.
Android Vulnerability that Can Lead to Exposure of Device Memory Content
dexposed enables 'god' mode for a single Android application (fork of Xposed)
Xposed for lollipop (5.0) now allows hooking native methods, also arm64 and x86
A Program Analysis Toolkit for Android
Could it be true that Android 5.1.1_r5 enables both dm-verity *and* HW accelerated FDE? Great success if so.
Password storage in Android M
lecture: Advanced interconnect attacks: Chasing GRX and SS7 vulns