...stuff I do and things I like...

Saturday, January 05 2019

Getting 'rid' of pre-installed Malware on my YellYouth Android Tablet

In November I bought a cheap Android Tablet for a wall-mounted display (see this blog post: Android InfoPanel). After a couple of days (or weeks?) suddenly some overlay ads and warnings from Google Play about malicious apps appeared. I didn't have time to investigate so I just tried to close the apps and ads. This got more complicated since all of it was in Chinese. I ended up navigating the menu of what looked like a 3rd-party app store to uninstall an app named Retipuj that was flag by Google Play for ad-fraud. All of this using Google Translate on my phone.



This solution worked for a couple of days. Returning back from my Holiday trip I was greeted by overlay ads once again. Luckily I had some time on my hands to investigate. Here a short write-up.

Part 1, observations and hoping for an easy way out:
    I found one app that I didn't install (com.hero.filter), I uninstalled it via adb uninstall com.hero.filter. I tried Googling the package name but without success.

    Removing the app didn't seem to do anything. Judging by the task bar there still seem to be a number of apps running but checking via Settings/Apps and on the filesystem (/data/apps) no apps are installed. Every now and then a pop-up appears that looks like a 3rd party market trying to download and install apps. Installation is blocked by Google Play (verified apps I assume).

Part 2, looking at processes:
    I found two interesting looking processes net.atlas.utopia and android.hb.uys.pbuild looking at the SeLinux context they seem to be platform apps (u:r:platform_app:s0). These could be candidates (spoiler - they are). Using pm list packages -f I determined that net.atlas.utopia is install in /system/priv-app/Kyz2203 with the data in /data/data/net.atlas.utopia.

    pm list packages -f (only showing some interesting packages):
      package:/data/app/com.hero.filter-1/base.apk=com.hero.filter
      package:/system/app/AutoDialer/AutoDialer.apk=com.example
      package:/system/priv-app/Kyz2203/Kyz2203.apk=net.atlas.utopia
      package:/system/priv-app/reanimation/reanimation.apk=android.hb.uys.pbuild
      

Part 3, a quick peak into net.atlas.utopia:
    Permissions: this app has like every permission you can think off including install and delete packages, send SMS, read and write any setting and file. Further it has a number of app permissions that correspond to lenovo, oppo, huawei, and htc devices.

    The app registers intent filters for a number of events: boot up, time zone change, packages install/remove, outgoing calls, etc. It basically monitors everything that is going on on the device. Pretty shitty.

    The data directory also contained a dex file with the name whatsappui1.dex. A quick Google search on whatsappui1 has one hit on team cymru's hash list: whatsappui1 with not much details but identify the file as being associated with ad-based malware.

    The most interesting thing I found in this app is the use of a 3rd party library called DroidPlugin. DroidPlugin is a plugin framework for Android that allows to run any third-party apk without installation, modification or repackage. Seems like the perfect tool for malware distribution.

Part 4, a quick peak into android.hb.uys.pbuild:
    Permissions are very similar to the net.atlas.utopia including the permissions corresponding to specific device manufacturers.

    The manifest contains traces of ad related things. The library directory contains libiohook.so. The library contains symbols from Cydia Substrate. The library name appears in various search results that indicate ad related malware.

    The asset directory contains a certificate ky_dsa_public.crt with no interesting issuer. jar file that contains a dex file and two .png files that contain ascii/text.

Part 5, getting rid of it all:
    How do we get rid of pre-installed software? The system partition is read-only so we can't uninstall it! The best idea, that does not involve rooting and flashing new firmware, is disabling the package using the package manager (pm disable net.atlas.utopia) this however requires system privileges. You don't have system privileges without rooting. You can disable apps via Settings but you can only disable them if they are in the list. The ones we want to disable are not in the list.

    How do we get system? The tablet still runs a 3.10.72 kernel so it might be vulnerable to dirtycow. I checked using the tools from timwr and yes it is vulnerable to dirtycow. Using my modified version of run-as as shown in my SafetyNet Talk we can become the system user and disable any package we want by running: pm disable PACKAGE.

    Here the list of packages I disabled, so far no APKs are getting installed and I haven't seen any more ads.

    pm list packages -d
      package:com.mediatek.schpwronoff
      package:android.hb.uys.pbuild
      package:com.mediatek.ygps
      package:com.android.htmlviewer
      package:com.android.browser
      package:com.hero.filter
      package:com.example
      package:com.svox.pico
      package:com.opera.max.global
      package:com.android.dreams.phototable
      package:net.atlas.utopia
      package:com.mediatek.weather
      package:com.opera.max.loader
      package:com.qihoo.appstore
      package:com.fw.upgrade.sysoper
      package:com.android.vpndialogs
      

Part 7, Dirtycow trickery:
    As described on my slides you can modify run-as.c from timwr to become any UID with almost any SELinux context (depending on the device's SeLinux policy!). For our purpose we can become any UID and context that we require. Below some notes on how this works.

    Dirtycow lets you overwrite any file that is how you replace /system/bin/run-as with your own binary. The binary cannot be bigger then the one you are overwriting. This might be a problem when you have a very very small run-as (9k in my case).
    1|shell@KT107:/data/local/tmp $ ls -al /system/bin/run-as                      
    -rwsr-s--- root     shell        9444 2018-09-27 03:44 run-as
    
    The workaround I took was not using ndk-build to build run-as.c and instead manually running arm gcc. This will reduce the binary size due to discarding complier flags used by the ndk. Another solution would be to just load a shared library from run-as to keep the binary size small.

    Once you have my version of run-as you can become (almost) any user.
    shell@KT107:/data/local/tmp $ run-as 1000 u:r:platform_app:s0
    shell@KT107:/data/local/tmp $ id
    uid=1000(system) gid=1000(system) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:platform_app:s0
    
    System (UID 1000) allows you to poke around /data/app/* and /data/data. If you want to explore /data/data/APP you need to assume the UID and context of that app.
    shell@KT107:/data/data $ ls -al
    drwxr-x--x u0_a13   u0_a13            u:object_r:app_data_file:s0 net.atlas.utopia
    run-as 10013 u:r:platform_app:s0
    shell@KT107:/data/data $ id
    uid=10013(u0_a13) gid=10013(u0_a13) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:platform_app:s0
    shell@KT107:/data/data/net.atlas.utopia $ ls -al
    drwx------ u0_a13   u0_a13            2017-12-31 19:00 Plugin
    drwxrwx--x u0_a13   u0_a13            2017-12-31 19:00 app_dex
    drwxrwx--x u0_a13   u0_a13            2017-12-31 19:00 cache
    drwxrwx--x u0_a13   u0_a13            2017-12-31 19:00 databases
    drwx------ u0_a13   u0_a13            2017-12-31 19:00 fankingbox
    lrwxrwxrwx install  install           2015-12-31 19:00 lib -> /data/app-lib/net.atlas.utopia
    drwxrwx--x u0_a13   u0_a13            2019-01-03 15:56 shared_prefs
    -rw------- u0_a13   u0_a13       9572 2019-01-03 15:54 whatsappui1.dex
    

    Below is my patch for run-as.c. My version sets the UID from the first argument and the SELinux context from the second argument.
    --- run-as-crm.c	2019-01-03 17:54:41.153471054 -0500
    +++ run-as.c	2019-01-03 17:58:39.378353437 -0500
    @@ -28,6 +28,8 @@
     {
     	LOGV("uid %s %d", argv[0], getuid());
     
    +	int duid = atoi(argv[1]);
    +
     	if (setresgid(0, 0, 0) || setresuid(0, 0, 0)) {
     		LOGV("setresgid/setresuid failed");
     	}
    @@ -56,7 +58,7 @@
     				LOGV("dlsym setcon error %s", error);
     			} else {
     				setcon_t * setcon_p = (setcon_t*)setcon;
    -				ret = (*setcon_p)("u:r:shell:s0");
    +				ret = (*setcon_p)(argv[2]);
     				ret = (*getcon_p)(&secontext);
     				LOGV("context %d %s", ret, secontext);
     			}
    @@ -66,6 +68,12 @@
     		LOGV("no selinux?");
     	}
     
    +	if (setresgid(duid, duid, duid) || setresuid(duid, duid, duid)) {
    +		LOGV("setresgid/setresuid failed");
    +	}
    +	LOGV("uid %d", getuid());
    +
     	system("/system/bin/sh -i");
     
    -}
    \ No newline at end of file
    +}
    +
    

Conclusions:
    Overall I would have preferred to not get pre-installed malware on my Android Tablet as I would rather have spent my time on my InfoPanel app or on other projects. However it was impossible for me to ignore this issue and simply buy a different tablet. Tracking down the malware still was kinda fun. It was the first time I experienced the issue of pre-installed malware first hand. I' also fairly happy that I didn't have to modify the firmware since this would have cost way more time. The most interesting thing I found was definitely the DroidPlugin project that allows running APKs without installing them. I wish I had more time to reverse engineer all the different apps and how they work together. I uploaded a zip file containing most components I talked about in this blog post here: yellyouth.zip.

    I hope I finally disabled all of the components and have an ad free device.

Tuesday, November 27 2018

Android InfoPanel aka Home InfoPanel Redux

In 2007/2008 I built a InfoPanel for my apartment to show me news, the weather and other interesting and fun things. The original InfoPanel was built using a VIA x86 micro ITX board and a 17" touchscreen all fitted in a self made wooden case. The InfoPanel survived until 2012 when I moved to the U.S. It was too old and too big to bring so I dismantled it.

I always missed it and thought about brining it back. For a brief time I used an old Samsung Galaxy Tab 10" but the device was just not right. Starting with a proprietary Samsung USB connecter that didn't allow for nice looking cabling, the device was black and silver so it didn't look too nice on the wall and finally the device was just old and slow. Long story short it only stayed on the wall for a couple of weeks and I just ran a full screened web browser.

The new InfoPanel

Hardware: Android 10" tablet in a white case with a USB connector on the long side.
Software: custom Android app that hides the Android navigation elements and status bar.



Hardware
    I chose a Yellyouth Android 10" tablet, those tablets are damn cheap (just under $100) but also kinda tricky. The good parts: 4GB ram and a fast processor. The tricky parts: The product description says the resolution is 2560x1600 my device reports that resolution in the system infos but the screen reports 1216x800 pixels. The device does not contain any sensors such as a light or proximity sensor (you will see why that matters later). The GSM modem does not support T-Mobile/AT&T SIM cards, I thought this was a joke but I tried a Google Fi data-only SIM (T-mobile) and the device couldn't connect to any network (this is fine since I only use WiFi).

Software
    I wrote a small Android application that basically shows a full screen webview. I've added a back and reload button to allow returning to the main page from links I clicked. The application hides all system UI (navigation and status bar). The user can swipe from bottom to top or top to bottom to reveal the back and reload buttons. The buttons auto hide after a short timeout. A really basic Android app!

    I wanted to conserve power and turn of the screen when I'm not using the InfoPanel. Luckily saving power is a default function of Android (you can just set the inactivity timeout after which the screen will be dimmed and eventually turned off).

    The catch: how do I turn the screen back on (without pressing the power button - since that is not super practical!)?

    Ideas:
    • Motion detection using the camera: several projects exist and I've got it integrated but was not able to get it working while the screen was off (I also didn't want so spent a lot of time on this part)
    • Motion detection using the light sensor: I implemented this using a Nexus 7 tablet, a background service monitors the sensor and wakes up the device once it detects a significant change in brightness - sadly the Yellyouth device does not have a light sensor.
    • Audio activation: the idea is to monitor the ambient noise and wake up the tablet when there is a loud noise (finger snap or clap), I implemented this using a background task that records audio and discards the content and only monitors the amplitude (there is a built-in method in the SDK to query the amplitude!)
Result


All in all a fun weekend/evening project of a few hours.

Friday, January 26 2018

Third Party Android App Stores

I wrote an article for the Parallax about the security of third party Android app stores.

Tuesday, October 24 2017

Mobile Security News Update October 2017

Conferences
    PacSec Nov 1-2, Tokyo, Japan. Grandma's old bag, how outdated libraries spoil Android app security by Marc Schoenefeld. When encryption is not enough: Attacking Wearable - Mobile communication over BLE by Kavya Racharla. The Art of Exploiting Unconventional Use- after-free Bugs in Android Kernel by Di Shen.

    DeepSec Nov 14-17, Vienna, Austria. Normal Permissions In Android: An Audiovisual Deception by Constantinos Patsakis.

    Black Hat Europe 2017 Dec 4-7, London, UK. ATTACKING NEXTGEN ROAMING NETWORKS by Daniel Mende, Hendrik Schmidt. ATTACKS AGAINST GSMA'S M2M REMOTE PROVISIONING by Maxime Meyer. BLUEBORNE - A NEW CLASS OF AIRBORNE ATTACKS THAT CAN REMOTELY COMPROMISE ANY LINUX/IOT DEVICE by Ben Seri, Gregory Vishnepolsky. DIFUZZING ANDROID KERNEL DRIVERS by Aravind Machiry, Chris Salls, Jake Corina, Shuang Hao, Yan Shoshitaishvili. HOW SAMSUNG SECURES YOUR WALLET AND HOW TO BREAK IT by HC MA. INSIDE ANDROID'S SAFETYNET ATTESTATION by Collin Mulliner, John Kozyrakis. JAILBREAKING APPLE WATCH by Max Bazaliy. RO(O)TTEN APPLES: VULNERABILITY HEAVEN IN THE IOS SANDBOX by Adam Donenfeld.


Quick conference review: both 44con and ekoparty were great. Ekoparty was especially awesome since I got to check the last continent off my list. Also the size of ekoparty was way beyond what I was expecting. They managed to have a really good conference that is professionally run while stilling maintaining the vibe of a hacker / underground con <3

Two weeks ago there was a post on Medium about two companies that provide a mobile identification service. That service basically can be used to convert your phone's IP address into real information about the owner of the phone (the contract owner). This is done via APIs that are provided by multiple Mobile Network Operators (such as AT&T). The medium article linked to demo pages of those two service providers (payfone and danal inc) that show not only your phone number but also your operator's name, your name and address.

I played with the two demo sites for a bit (while they were still online - offline now). I'm on Google Fi with a number proted from T-Mobile (pre-paid). Payfone only had my phonenumber and old carrier (T-Mobile) while Danal inc showed no data at all. I never provided any data to T-Mobile since it is not required for a pre-paid card. Google has all the data but likely does not share it with 3rd parties.

Overall this is a service that I really don't want to exist. I don't want an abritary company to be able to identify me while visiting their website from my mobile phone. I hope those companies don't just sell their services to anybody. Read the Medium article again: AT&T consumer choice opt-out doesn't affect this!

iOS 11 the tragedy continues: 11.0 had a bunch of flaws that were annyoing. Now 11.0.3 randomly frezzes my phone for minutes. Also I have some issues with voice call audio not working sometimes. Highly disaspointing!

Pictures of the month:






Links

Tuesday, September 19 2017

Mobile Security News Update September 2017

Conferences
    ekoparty Sep 27-29, Buenos Aires. Blue Pill for your phone by Oleksandr Bazhaniuk. Unbox Your Phone - Exploring and Breaking Samsung's TrustZone Sandboxes by Daniel Komaromy. Inside Android's SafetyNet Attestation: Attack and Defense by Collin Mulliner. How to cook Cisco: Exploit Development for Cisco IOS by George Nosenko. Bypass Android Hack by Marcelo Romero.

    Virus Bulletin 4-6 Oct, Madrid Span. Last-minute paper: Publishing our malware stats by Jason Woloz (Google) [This is about Android Malware]. Android reverse engineering tools: not the usual suspects by Axelle Apvrille.
Some comments on BlueBorne: I've been involved with Bluetooth security since like forever (not active in the last 10+ years). The early Bluetooth vulnerabilities were mostly logic bugs and issues such as missing authentication. Bluetooth devices could not be set to hidden and would always show up when scanning for devices. Stuff like that. BlueBorne is different as it is a remote exploitable memory corruption vulnerability in Linux, Android, and Windows. This is quite a novelty since we haven't seen a bug that is more ore less the same on two platforms. Even more interesting is that this bug is pre-authentication and gives you kernel privileges (code exec in the kernel).

In theory this set of vulnerabilities can be bad, bad. In practice the issue is much less of an issue. Exploit mitigations and built variances help mitigating the risk. Devices are not always visible therefore the attacker cannot easily find your device and attack it.

Also see: Hackers Could Silently Hack Your Cellphone And Computers Over Bluetooth.

FaceID: I think it is a really horrible idea! Do not put biometric systems in to consumer products ever! I will not buy products with mandatory biometrics so far iOS allows me to turn it off and use a passphrase - thats why I even consider buying iOS devices. I hate this change -- biometrics are bad.

Pics:


I agree ^^^



Links

Tuesday, August 22 2017

Mobile Security News Update August 2017

Conferences
    toorcon san diego Aug 28th - Sep 3rd. Dig Deep into FlexiSpy for Android by Kai Lu(@k3vinlusec).

    HITB Singapore August 21-25. The Original Elevat0r - History of a Private Jailbreak by Stefan Esser. The Nightmare of Fragmentation: A Case Study of 200+ Vulnerabilities in Android Phones by BAI GUANGDONG and ZHANG QING.

    Tencent Security Conference, August 30-31. Pointer Authentication by Robert James Turner. Finding iOS vulnerabilities in an easy way by Tiefel Wang and Hao Xu. Bare-metal program tracing on ARM by Ralf-Philipp Weinmann.

    44con 13-15 September London, UK. Inside Android's SafetyNet Attestation: What it can and can't do lessons learned from a large scale deployment by Collin Mulliner.

    BalCCon2k17 Novi Sad, Vojvodina, Serbia. September 15-17. Mobile phone surveillance with BladeRF by Nikola Rasovic.

    T2 October 26-27 Helsinki, Finland. Breaking Tizen by Amihai Neiderman.

    DeepSec Vienna 13-17 November. Normal permissions in Android: An Audiovisual Deception by Constantinos Patsakis. How secure are your VoLTE and VoWiFi calls? by Sreepriya Chalakkal.
Quick Conference Review
    It was good to see everybody in Vegas, even better meeting new people. Especially some folks I wanted to meet for a long time. I had a good time at WOOT, meeting old friends was especially good. Maybe it helped that it was in the CanSecWest hotel. I link a few relevant papers below.

Stefan Esser is running a kickstarter for an iOS Kernel Exploitation Training Course for Development of a freely available online iOS kernel exploitation training course based on iOS 9.3.5 on 32 bit devices. If you are into iOS security you should support Stefan's project!


Ralf is on point as usual:
Pictures of the month:



Links

Thursday, July 13 2017

Mobile Security News Update July 2017

Conferences
    Black Hat USA Las Vegas, July 26-27. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. GHOST TELEPHONIST LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. BLUE PILL FOR YOUR PHONE by Oleksandr Bazhaniuk, Yuriy Bulygin. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio.

    Defcon Las Vegas. Jailbreaking Apple Watch by Max Bazaliy. Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks by CINCVolFLT (Trey Forgety). macOS/iOS Kernel Debugging and Heap Feng Shui by Min(Spark) Zheng & Xiangyu Liu. Using GPS Spoofing to Control Time by David "Karit" Robinson. Phone System Testing and Other Fun Tricks by "Snide" Owen. Unboxing Android: Everything You Wanted To Know About Android Packers by Avi Bashan & Slava Makkaveev. Ghost in the Droid: Possessing Android Applications with ParaSpectre by chaosdata. Ghost Telephonist' Impersonates You Through LTE CSFB by Yuwei Zheng & Lin Huang. Bypassing Android Password Manager Apps Without Root by Stephan Huber & Siegfried Rasthofer. Man in the NFC by Haoqi Shan & Jian Yuan.

    USENIX Workshop on Offensive Technologies (WOOT) Vancouver Canada, 14-15 August. Shattered Trust: When Replacement Smartphone Components Attack by Omer Shwartz, Amir Cohen, Asaf Shabtai, and Yossi Oren. White-Stingray: Evaluating IMSI Catchers Detection Applications by Shinjo Park and Altaf Shaik, Ravishankar Borgaonkar, Andrew Marti, Jean-Pierre Seifert. fastboot oem vuln by Roee Hay.
Black Hat and Defcon have a really good number of mobile related talks this year.

It was a busy month and July will be even busier. I'll be at GSMA DSG, Black Hat and Defcon July and Usenix WOOT in mid August



Picture of month:


There is a lot happening in the Android boot loader world at the moment. I guess this is what happens when the devices get more and more locked down - people go after the root of trust.

Links: