This week's lectures were given by Fernando Ruiz who is a mobile malware researcher from Santiago Chile. The topic of interest was mobile malware, ranging from historical malware for devices based on Symbian OS to the types of malware we encounter today for Android devices.
The overview of mobile devices beginning from the early analog devices in the 80s was very interesting. Even on analog devices there were 'malware' type attacks such as Jamming and Cell Phone cloning. It seems the problem of malicious actors on networks has been with us for as long as the networks themselves have.
As seen above, it was very surprising to me to visualize just how long the Symbian and Palm OS ecosystems continued to exist, and must have remained a concern for malware researchers to protect, well past their days at the forefront of public consciousness. Can a single malware researcher, or even a single team of researchers, be expected to cover the full gamut of operating systems? Or do malware companies need to assign teams or individuals on a per-OS basis?
Starting with iOS as the first point of interest in 'second generation' smartphone operating systems, we learned that iOS essentially started the smartphone revolution in 2007 with the release of the first iPhone. iOS is derived from Mac OS X, uses the XNU kernel, and stores binaries in the Mach-O file format. A competing OS, Windows Phone, like iOS, had integration with prior services made by its parent company (in Windows' case: IE, Office, Bing, etc.). It was released in 2010 as the successor of Windows Mobile. Its last version, 8.1, was released in 2014.
As Android is so integrally associated with Google these days it was surprising to hear that Android was not initially developed by Google, but instead created by an entirely independent corporation known as Android Inc before being acquired by Google in 2007. I also did not realize that Android was (mostly) open source. I wonder if being open source is either helpful or hurtful when it comes to malware concerns, as it could allow would-be attackers intimate insight into how the system works at a low level but may also allow good actors and anti malware companies the ability to sniff out security flaws before they become exploited.
Having been an Android user all my life, I had heard of jailbreaking as a means of installing unauthorized apps on iPhones but never considered the security ramifications that ensue for people who jailbreak their phones. All SSH root passwords becoming set to 'alpine' seems particularly bad. I wonder why the jailbreaking process would require something like this, or at least not prompt the user to set a new one upon completion. The analogue of jailbreaking for Android would be rooting, which gains root privileges in the system, useful in some cases such as where you'd want to enable tethering without paying those pesky fees to your service provider.
When moving on to discussing the beginning of malware for mobile devices, it's interesting to me that the first few malware attacks on the Symbian OS, Epoc.Fake and SymbOS.Cabir, had seemingly purely mischievous goals without any sort of financial incentive. Epoc.Fake only pretended to format the user's hard drive, and SymbOS.Cabir just caused high battery consumption. What were the goals of the people creating these attacks? Were they simply having fun pushing the limits of how far they could exploit this system? From my understanding of the lecture, it seems that SymbOS.PbStealer in 2005 was the first malware to actually serve a clearer purpose by stealing a user's contacts via Bluetooth. By 2008 it seems attackers had become much more targeted and sophisticated, with malware appearing that was designed to place a user's phone into a botnet or do things such as demand ransoms for releasing control of the phone.
Instances of Android malware began in 2010 but really picked up in the 2011-2012 period. Geinimi is an interesting case as it was primarily distributed in China, where many Android users had to rely on third-party, untrusted sources of Android app packages in order to obtain apps, due to rarely having a legal means to do so via the official Play store. The makers of Geinimi were able to exploit this by repackaging legitimate applications with their malware bundled in, infecting the phones of these users as they unsuspectingly installed the apps they wanted. To me this highlights the dangers of blocking legitimate means to obtain software in a country's market. A black market for the software people desire will inevitably arise and be inherently less safe than a legitimate alternative.
Even the legitimate markets aren't entirely safe, however, as DroidDream, a malware program uploaded by a developer to the official Android Market in 21 repackaged apps in 2011, demonstrated. This was the first malware uploaded to the official Android Market and forced several actions from Google in response. Apart from removing all accounts of the malicious developers, Google also remotely removed the malicious apps from affected devices using built-in kill switches in Android.
From there we delved deeper into the components and structure of Android applications. Each Android app has a manifest XML file, which describes, among other things, its package name (a unique ID for the app), its components, its permissions governing how it is allowed to interact with components or other apps, as well as the minimum level of Android API access required to run the app. As we explored exploits in more detail, I thought RATC (Rage Against The Cage) was really quite cool: if I'm understanding it correctly, it continuously fork()-ed new threads until reaching the limit of max threads per user ID (RLIMIT_NPROC) and then killed the Android Debug Bridge process, whose setuid() then fails, and ultimately this combines to run adb shell as the root user. After taking Operating Systems here at OSU I'm familiar with fork()ing processes and basic Linux signals, so it's fun to see how intimate knowledge of these and of how the kernel works can be used to make a target system perform in unintended ways.
Banking trojans were novel to me in that it's the first exploit we've learned about that requires the attackers to ensure they have infected two different types of a user's platform at the same time. In order for them to work, they need to infect both a user's PC, in order to detect when a banking transaction is made and its details, and their mobile device, in order to intercept the two-factor authentication token that banks often send via SMS to verify a transaction. Generally it seems the attackers achieve this by infecting the computer first and redirecting the user to a fake bank page which recommends the installation of a fake security app for their mobile device. The mobile malware will even block the SMS message from reaching the user's screen, so the user will have no notification of ever receiving a 2FA code.
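The manifest fields described two paragraphs up (package name, components, permissions, minimum API level) and the SMS interception just described are exactly what a malware analyst looks at first when triaging a suspected repackaged app like Geinimi or a fake "security app" from a banking trojan. The following Python script is an added example for this post, not code from the lecture or from any tool mentioned in it. It parses a decoded AndroidManifest.xml (the binary manifest inside an APK would first need decoding with a tool such as apktool) into those fields, then raises triage flags for the RECEIVE_SMS plus INTERNET combination, for a high-priority receiver registered for the SMS_RECEIVED broadcast, and for permissions that a known-good build of the same package never requested. The sample manifest and the known-good permission set are constructed for this example and do not describe any real app.

```python
import xml.etree.ElementTree as ET

# Namespace of every android:* attribute in a manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: a "notes" app repackaged with an SMS stealer.
# Not taken from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""

# Constructed baseline: permissions the genuine notes app is known to request
# (in practice taken from the developer's own signed release).
KNOWN_GOOD_PERMISSIONS = {"android.permission.INTERNET"}


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def parse_manifest(xml_text):
    """Extract package name, minimum SDK, permissions and components."""
    root = ET.fromstring(xml_text)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    min_sdk = None
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None and _attr(uses_sdk, "minSdkVersion"):
        min_sdk = int(_attr(uses_sdk, "minSdkVersion"))
    permissions = sorted(_attr(p, "name") for p in root.findall("uses-permission"))
    components = {kind: [] for kind in ("activity", "service", "receiver", "provider")}
    app = root.find("application")
    if app is not None:
        for kind in components:
            components[kind] = [_attr(c, "name") for c in app.findall(kind)]
    return {
        "package": root.get("package"),  # the package attribute is not namespaced
        "min_sdk": min_sdk,
        "permissions": permissions,
        "components": components,
    }


def sms_receivers(xml_text):
    """Return [(receiver_name, priority)] for receivers listening to SMS_RECEIVED."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    hits = []
    if app is None:
        return hits
    for rcv in app.findall("receiver"):
        for flt in rcv.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                hits.append((_attr(rcv, "name"), int(_attr(flt, "priority", "0"))))
    return hits


def risk_flags(xml_text, known_good_permissions):
    """Triage heuristics for a suspected repackaged / SMS-stealing app."""
    info = parse_manifest(xml_text)
    perms = set(info["permissions"])
    flags = []
    if {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"} <= perms:
        flags.append("reads incoming SMS and has network access: can relay 2FA codes")
    for name, prio in sms_receivers(xml_text):
        if prio > 0:
            flags.append(f"{name} handles SMS_RECEIVED at priority {prio}: "
                         "high enough to see the message before the messaging app")
    extra = sorted(perms - known_good_permissions)
    if extra:
        flags.append("permissions absent from the known-good build: " + ", ".join(extra))
    return flags


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(f"package={info['package']} minSdk={info['min_sdk']}")
    for kind, names in info["components"].items():
        print(f"  {kind}: {names}")
    for flag in risk_flags(SAMPLE_MANIFEST, KNOWN_GOOD_PERMISSIONS):
        print("FLAG:", flag)
```

The priority check matters because, on Android versions before 4.4, SMS_RECEIVED was delivered as an ordered broadcast: a receiver with a higher android:priority ran before the stock messaging app and could abort the broadcast, which is how the SMS suppression described above was commonly implemented and why it is a standard indicator in mobile anti-malware signatures. The known-good comparison is the cheapest defence against repackaging: a legitimate notes app has no reason to start requesting RECEIVE_SMS and READ_CONTACTS between one release and the next.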
Overall this week's lectures were very eye-opening in that they showed me how Android's deeper workings are at once similar to Linux's deeper workings, but also have many unique properties, and that in order to be effective at malware defense, especially mobile malware defense, a researcher needs to gain intimate knowledge of many, many more operating systems, and at deeper levels, than perhaps other software engineers building software would need to. As we can see from the below graph from lecture, the domain of mobile devices seems liable to be far more fragmented than even desktop systems, as updates are more frequent and there is more competition in the OS space (the below graph shows just Android). As mobile increasingly becomes the dominant platform type across the world, I wonder when, if not already, malware companies will need to devote more resources to protecting mobile devices than they do for desktop devices.