[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN
Transcript of [2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN
Page 2
What is a Bootkit?
• Bootkit = Rootkit + Boot capability
• The infected boot sector of a disk compromises the host when it is loaded during the boot process
• Ex) Windows MBR Rootkit
Page 3
Android Boot Partition
• An Android device's boot partition uses a RAM disk file system
• It consists of the Linux kernel (zImage) and the root file system ramdisk (initrd, the initial ramdisk)
Page 4
Android Boot Process
• The init process is the first process on Android
• Bootloader → Kernel (Linux) → init (init.rc)
Page 5
Stealth Technique of Android Bootkit
• Modifies the device's boot partition and boot script during the early stage of system boot in order to hide and protect itself
• Launches a system service as root and extracts the malware app as a system app
Page 6
Characteristics of Android Bootkit
• Bypasses built-in kernel-level security restrictions
• Difficult for AV to detect and cure
Page 7
Oldboot; The First Android Bootkit
• Oldboot
• Reported by Qihoo360 in China
• The first bootkit officially found on Android in the wild
• More than 500,000 Android devices infected in China
• Proof that the boot partition of Android could be infected easily
Page 8
How Can Android Be Infected?
• The attacker has a chance to physically access the device and flash a malicious boot.img image to the boot partition of the disk
Page 9
How Can Android Be Infected? (cont.)
• Qihoo360 found the infected device in a big IT mall in Beijing
• The recovery partition had been replaced by a custom recovery ROM, and the timestamps of all files in the boot partition were the same
Page 10
How Can Android Be Infected? (cont.)
• Based on Qihoo's cloud security technology, they determined that almost all infected devices were well-known models such as the Galaxy Note II
Page 11
Oldboot Bootkit's Components
• Oldboot.a
• init.rc (modified)
• imei_chk (located at /sbin)
• libgooglekernel.so (located at /system/lib)
• GoogleKernel.apk (located at /system/app)
Page 12
Analyzing init process (init.rc)
• Content of the modified init.rc
• Adds the imei_chk service, running as root
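A defender's triage check for the two indicators the deck points at (a root-running service added to init.rc, as on this slide, and the identical file timestamps noted on slide 9), written as an added example that is not part of the talk; the init.rc fragment is constructed, and only the service name imei_chk and its /sbin path are taken from the deck:

```python
"""Triage checks for an unpacked Android boot ramdisk (added example, not the talk's code)."""
from collections import Counter

# Constructed init.rc fragment modelled on the deck's description; it is not
# the real Oldboot init.rc.  Syntax: "service <name> <path> [args]" followed
# by indented option lines; 'on' and 'import' sections are not services.
SAMPLE_INIT_RC = """\
on boot
    setprop ro.example.flag 1

service servicemanager /system/bin/servicemanager
    class core
    user system

service imei_chk /sbin/imei_chk
    class main
    oneshot
"""


def parse_services(init_rc):
    """Map service name -> {'path', 'user'}.  init runs a service as root
    unless a 'user' option says otherwise, so a missing line means root."""
    services, current = {}, None
    for line in init_rc.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                 # new top-level section
            parts = line.split()
            if parts[0] == "service" and len(parts) >= 3:
                current = parts[1]
                services[current] = {"path": parts[2], "user": "root"}
            else:
                current = None                    # 'on', 'import', ...
            continue
        opts = line.split()
        if current is not None and opts[0] == "user" and len(opts) > 1:
            services[current]["user"] = opts[1]
    return services


def suspicious_root_services(init_rc, baseline=frozenset()):
    """Root-running services absent from a known-good baseline of names."""
    return sorted(name for name, svc in parse_services(init_rc).items()
                  if svc["user"] == "root" and name not in baseline)


def uniform_timestamps(mtimes):
    """True when 2+ files in a path -> mtime map all share one mtime."""
    return len(mtimes) > 1 and len(Counter(mtimes.values())) == 1
```

In practice the baseline is the service list from a clean factory image of the same device, and the mtime map comes from walking the unpacked ramdisk directory.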
Page 13
Analyzing imei_chk
• Extracts .so files
Page 14
Analyzing imei_chk (cont.)
• Extracts APK files
Page 15
Analyzing imei_chk (cont.)
• Listens on a socket and reads from it
Page 16
Analyzing imei_chk (cont.)
• Executes received commands
Page 17
Analyzing GoogleKernel.apk
• GoogleKernel.apk's AndroidManifest.xml
Page 18
Analyzing GoogleKernel.apk (cont.)
• GoogleKernel.apk's AndroidManifest.xml
Page 19
Analyzing GoogleKernel.apk (cont.)
• BootRecv service
Page 20
Analyzing GoogleKernel.apk (cont.)
• EventsRecv service
Page 21
Analyzing GoogleKernel.apk (cont.)
• Dalvik service
Page 22
Analyzing GoogleKernel.apk (cont.)
• Incomplete malicious function
Page 23
Analyzing GoogleKernel.apk (cont.)
• Communicates with libgooglekernel.so via JNI
Page 24
Analyzing libgooglekernel.so
• Connects to its C&C servers to download configuration files
Page 25
Analyzing libgooglekernel.so (cont.)
• Location of C&C Server
Page 26
Analyzing libgooglekernel.so (cont.)
• Location of C&C Server
Page 27
Analyzing libgooglekernel.so (cont.)
• Downloading APK file
Page 28
Analyzing libgooglekernel.so (cont.)
• Downloading APK file
Page 29
Analyzing libgooglekernel.so (cont.)
• Installing the downloaded APK as a system application
Page 30
Analyzing libgooglekernel.so (cont.)
• Deleting system applications
Page 31
Oldboot.a Running Flow Chart (diagram nodes rendered as text)
• init process (init.rc) → imei_chk, started as a root service
• imei_chk → extracts libgooglekernel.so and GoogleKernel.apk
• imei_chk ↔ socket: receives and executes commands
• GoogleKernel.apk ↔ libgooglekernel.so via JNI
• system server → GoogleKernel.apk, running as a system app
Page 32
Preview point of Android Bootkit Malware
• A totally new malware attack method on Android
• Not only APK files can be infected
Page 33
References
• Zihang Xiao, Qing Dong, Hao Zhang & Xuxian Jiang (Qihoo 360), Oldboot: the first bootkit on Android
• Zhangqi Chen & Di Shen, Advanced Bootkit Techniques on Android, SyScan360
• Drake, Oliva Fora, Lanier, Mulliner, Ridley, Wicherski, Android Hacker's Handbook, Wiley
• 송형주, 김태연, 박지훈, 이백, 임기영, 인사이드 안드로이드 (Inside Android), 위키북스 (WikiBooks)
• 고현철, 유형목, 안드로이드의 모든 것 분석과 포팅 (Everything about Android: Analysis and Porting), 한빛미디어 (Hanbit Media)
• http://contagiominidump.blogspot.kr/
Page 34
Q & A
Any questions so far?
www.CodeEngn.com | 2014 CodeEngn Conference 11