1 of 64

APPLICATION SECURITY

(Threats and Malpractices)

Speaker: Dimitrios Valsamaras | @Ch0pin

2 of 64

Common Malpractices

  • Webviews
  • Floating Windows
  • Accessibility Service
  • Administration API
  • Reflection
  • Dynamic Code Loading

3 of 64

Webviews

Usage: WebView objects allow the developers to deliver web-based content to the user as a part of an activity’s layout.

  • Customization
  • Increased control over the UI

4 of 64

Webviews - Basic Usage

5 of 64

Webviews - Enabling Javascript

6 of 64

Webviews - Enabling File Access


7 of 64

Webviews - Bridging Java with Javascript

Javascript:

function showAndroidToast(toast) {
    // AndroidBridge is the Java object exposed via addJavascriptInterface();
    // the page calls the annotated Java method directly from script.
    AndroidBridge.showToast(toast);
}

8 of 64

Webviews - Malpractices

Intentional

9 of 64

Webviews - Malpractices

When misused, WebViews pose a great risk to the user!!

Common Malpractices:

  • Javascript Injection

  • Web Scraping

  • Backdooring

  • Silent Loading

10 of 64

WebViews - Javascript Injection

Using the onPageStarted and onPageFinished callbacks (or, less commonly, onProgressChanged) we can track the loading of a web page and append arbitrary code once it has loaded.

myWebView.setWebViewClient(new WebViewClient() {
    @Override
    public void onPageFinished(WebView view, String url) {
        super.onPageFinished(view, url);
        // INJECTION POINT: the page has finished loading, so script run here
        // executes in the context of the loaded origin
    }
});

11 of 64

WebView - Javascript Injection - Cookies

12 of 64

WebViews - Javascript Injection - Auto Clicks

13 of 64

WebView - Javascript Injection - Scraping

14 of 64

WebView - Javascript Scraping

15 of 64

WebView - Backdooring

16 of 64

WebView - Silent Loading

By changing the visibility or the size of the WebView, all the operations can take place without being perceived by the user:

myWebView.setVisibility(View.GONE);

17 of 64

Webviews - Malpractices

Unintentional

18 of 64

WebView - Hijacking

am start -n com.training.webviews/.MainActivity --es url https://www.example.com

am start -n com.training.webviews/.MainActivity --es url "javascript:AndroidBridge.execCmd('ls -al')"
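The hijack above works because the activity loads whatever the "url" extra contains, and a javascript: URL passed to loadUrl() runs as script, so it never passes through navigation callbacks. The following is an added example of how such an activity can validate the extra and apply least-privilege WebView settings; it is not code from the slides, and the allowlisted host, class name and fallback page are assumptions.

```java
// Added example (not from the slides): hardened handling of a URL received as an Intent
// extra by an activity such as com.training.webviews/.MainActivity.
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class SafeWebViewLoader {
    // Assumed allowlist: the only hosts this WebView is meant to render.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com"));
    private static final String FALLBACK = "https://www.example.com/"; // assumed default page

    /** True only for https URLs whose host is allowlisted; javascript:, file:, data: etc. fail. */
    public static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url.trim());
        String scheme = uri.getScheme();
        String host = uri.getHost();
        return "https".equalsIgnoreCase(scheme)
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    public static void configure(WebView webView) {
        // Least privilege: no script unless the page really needs the bridge,
        // and no file:// or content:// access from web content.
        webView.getSettings().setJavaScriptEnabled(false);
        webView.getSettings().setAllowFileAccess(false);
        webView.getSettings().setAllowContentAccess(false);
        // Re-validate every navigation (redirects, links), not only the first load.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl().toString()); // returning true blocks the load
            }
        });
    }

    /** Loads the extra only if it passes validation, otherwise the fixed fallback page. */
    public static void loadFromExtra(WebView webView, String urlExtra) {
        configure(webView);
        webView.loadUrl(isAllowed(urlExtra) ? urlExtra : FALLBACK);
    }
}
```

With this check both commands from the slide are refused: the javascript: payload has no host and the wrong scheme, and an arbitrary https host is not on the allowlist.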

19 of 64

Common Malpractices

  • Webviews
  • Floating Windows
  • Accessibility Service
  • Administration API
  • Reflection
  • Dynamic Code Loading

20 of 64

Free Floating Windows

Definition: A free floating window is a category of window that can appear freely above any other application, while its existence does not depend on its parent. Additionally, its behaviour and appearance are fully customisable and controllable by the developer.

Not to be confused with Picture in Picture (e.g. Google Maps, YouTube, etc.)

21 of 64

Free Floating Windows

Some Features

22 of 64

FFW Implementation

  • Once the SYSTEM_ALERT_WINDOW permission is granted, an application is authorised to create a window of type TYPE_APPLICATION_OVERLAY, which is displayed on top of other activities but below critical system ones (e.g. the status bar or IME).

  • Besides a fully customizable appearance, the flags attribute affects the event-processing behaviour of a window: FLAG_NOT_TOUCHABLE dispatches touch events to the window behind, while FLAG_WATCH_OUTSIDE_TOUCH informs the app about the event but omits details such as the touch coordinates.

23 of 64

FFW Implementation (creating a floating button)

<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>

  • Create a view (e.g. a button)

Button floatingButton = new Button(getApplicationContext());

  • Create a Window Manager instance

WindowManager windowManager = (WindowManager) getSystemService(WINDOW_SERVICE);

  • Customize via the Layout Parameters

WindowManager.LayoutParams params = new WindowManager.LayoutParams(width, height,
        WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
        WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE | WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE,
        PixelFormat.TRANSPARENT);

24 of 64

FFW Implementation (creating a floating button - continued )

  • Add the view to the FFW

windowManager.addView(floatingButton, params);


25 of 64

FFW Implementation (creating a floating button - continued )

  • Remove the Parent

<activity android:name=".MainActivity" android:autoRemoveFromRecents="true" android:noHistory="true">

26 of 64

FFW - What is wrong with that?

Background Restrictions (Android 8.0):

  • Apps that are running in the background now have limits on how freely they can access background services.
  • Apps cannot use their manifests to register for most implicit broadcasts (that is, broadcasts that are not targeted specifically at the app).

More restrictions ...

  • Android 10 (API level 29) and higher place restrictions on when apps can start activities when the app is running in the background. These restrictions help minimize interruptions for the user and keep the user more in control of what's shown on their screen.

27 of 64

FFW - What is wrong with that?

Exceptions to the restriction

Apps running on Android 10 or higher can start activities only when one or more of the following conditions are met:

  • The app has a visible window, such as an activity in the foreground.
  • The app has an activity in the back stack of the foreground task.
  • The app has an activity in the back stack of an existing task on the Recents screen.

Can it be invisible?

btn.setAlpha(0);

28 of 64

FFW Abuse

From Free Floating Windows to Free Popping Windows

SPAM

Ransomware

29 of 64

FFW Abuse, TapJacking

Creating more than a simple View...

  • A LayoutInflater instantiates a layout XML file into its corresponding View objects

LayoutInflater layoutInflater = getLayoutInflater();
View mLayout = layoutInflater.inflate(R.layout.tapjacking_dialog, null);
windowManager.addView(mLayout, params);

30 of 64

FFW Abuse, TapJacking

WindowManager windowManager = (WindowManager) getSystemService(WINDOW_SERVICE);

WindowManager.LayoutParams params = new WindowManager.LayoutParams(1200, 1200,
        WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
        WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE | WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE,
        PixelFormat.TRANSPARENT);

Click through: FLAG_NOT_TOUCHABLE sends the touches to the window behind the overlay.
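The defence against the click-through overlay above lives in the targeted app: a view can refuse touches that arrive while another window covers it. Added example, not from the slides; the class and log tag are assumptions.

```java
// Added example (not from the slides): a button that rejects touches delivered while an
// overlay covers its window, which is exactly the tapjacking setup shown above.
import android.content.Context;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ObscuredAwareButton extends Button {
    private static final String TAG = "TapjackingGuard"; // assumed log tag
    private int blockedTouches = 0;

    public ObscuredAwareButton(Context context) {
        super(context);
        // Framework guard: MotionEvents flagged FLAG_WINDOW_IS_OBSCURED are filtered out.
        // Equivalent to android:filterTouchesWhenObscured="true" in the layout XML.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED exists from API 29 onwards.
        boolean partiallyObscured = (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        if (obscured || partiallyObscured) {
            blockedTouches++;
            // Log for detection: repeated rejected touches indicate an overlay sitting on the UI.
            Log.w(TAG, "Touch rejected, window obscured by another window (count=" + blockedTouches + ")");
            return false; // swallow the event: no click is delivered to the button
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    /** Number of touches dropped so far; useful for telemetry or a user warning. */
    public int getBlockedTouches() {
        return blockedTouches;
    }
}
```

Android 12 and later additionally block many touches that pass through other apps' overlays at the system level, but the per-view filter remains the app's own guard on older devices.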

31 of 64

Picture In Picture

Definition: PiP is a special type of multi-window mode mostly used for video playback. It lets the user watch a video in a small window pinned to a corner of the screen while navigating between apps or browsing content on the main screen.

Popular Applications that use PiP:

32 of 64

Picture In Picture - Implementation

No special permissions!!

Add the specific entry in the AndroidManifest:

<activity android:name="VideoActivity"
    android:supportsPictureInPicture="true"
    android:configChanges="screenSize|smallestScreenSize|screenLayout|orientation" />

Call enterPictureInPictureMode:

public void onActionClicked(Action action) {
    if (action.getId() == R.id.lb_control_picture_in_picture) {
        getActivity().enterPictureInPictureMode();
        return;
    }
    ...
}

33 of 64

Picture In Picture

  • Applications in PiP mode maintain their foreground state

  • A PiP window is enclosed in a shadowed frame, which renders it visible to the user even if the activity has been set up to be transparent.

  • No size restrictions though: it can be arbitrarily small or large.

<activity android:name=".MainActivity"
    android:supportsPictureInPicture="true"
    android:theme="@style/Theme.AppCompat">
    <layout android:defaultHeight="1dp"
        android:defaultWidth="1dp"
        android:gravity="top|end"
        android:minHeight="1dp"
        android:minWidth="1dp" />
</activity>

34 of 64

Common Malpractices

  • Webviews
  • Floating Windows
  • Accessibility Service
  • Administration API
  • Reflection
  • Dynamic Code Loading

35 of 64

Accessibility Service

The accessibility service provides user interface enhancements to assist users with disabilities, or users who may temporarily be unable to fully interact with a device. For example, users who are driving or taking care of a young child might need additional or alternative interface feedback.

A powerful set of API calls, used by many popular apps including Google Assistant, Google Maps, password managers and app lockers,

but also by ...

Trojans, backdoors, bots, phishing apps, etc.

36 of 64

Accessibility Service from a security perspective

An application that has been granted the accessibility service can run in the background and...

  • Read the UI of any other application
  • Parse the entire Android UI to check which layouts are on the screen
  • Check whether the screen or the screen content has changed
  • Read notifications coming from/for any application
  • Perform clicks / swipes
  • Set text in text views

... Pretty much, it can act on behalf of the user

37 of 64

Accessibility Service - How to enable (Android 10)

Settings → Accessibility →

Click on the app →

Use Service→ Allow

38 of 64

Accessibility Service - Implementation

Implementation Class

Intent filter

Permission

Configuration

AccessibilityService_accessibilityEventTypes: The event types this service would like to receive as specified in AccessibilityEvent. This setting can be changed at runtime by calling

39 of 64

Accessibility Service - Java Code Implementation

Override Required

Class name declared in the Manifest

40 of 64

Accessibility Service - Accessibility Event

  • An accessibility event is fired by an individual view which populates the event with data for its state and requests from its parent to send the event to interested parties. The parent can optionally modify or even block the event based on its broader understanding of the user interface's context.

  • The main purpose of an accessibility event is to communicate changes in the UI to an AccessibilityService.

  • The service may inspect the user interface, if needed, by examining the View hierarchy, represented as a tree of AccessibilityNodeInfo objects (snapshots of a View's state) that can be used to explore the window content.

41 of 64

Accessibility Service - View Hierarchy Example

42 of 64

Accessibility Service - Event Lifecycle

Flow: UI changed → Match? → Yes: Trigger Callback / No: Ignore

43 of 64

Accessibility Service - Abuse

  • FluBot abuses the accessibility service to get the foreground app.

  • If the application is in its target list, it triggers an overlay which covers the legitimate application with a fake one

  • After getting the credentials entered into the fake view, it sends them to a Command and Control server

44 of 64

Accessibility Service - Abuse

  • Overlays targeting legitimate applications

45 of 64

Accessibility Service - Abuse, Overlays

Monitoring the API calls performed by the accessibility service implementation.

46 of 64

Accessibility Service - Abuse

  • Click
  • Home

47 of 64

Accessibility Service - Abuse

  • Log typed keys (keyloggers)

  • Auto-enable permissions

  • Auto-enable access to services

When correctly coordinated, it can perform a chain of actions to automate more complex tasks (e.g. screen recording)
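Because every capability listed above depends on a service being enabled in Settings, a sensitive app can audit which services are currently enabled and what they are allowed to do, and can keep its most sensitive views out of the accessibility node tree. Added example, not from the slides; the trusted-package allowlist and class name are assumptions.

```java
// Added example (not from the slides): enumerate enabled accessibility services and flag
// those outside an allowlist, plus a helper to exclude a sensitive view from the node tree.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.view.View;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class AccessibilityAudit {
    // Assumed allowlist: packages whose services this app tolerates (e.g. a known screen reader).
    private static final Set<String> TRUSTED_PACKAGES =
            new HashSet<>(Arrays.asList("com.google.android.marvin.talkback"));

    /** Enabled services not on the allowlist that can act on or read the UI. */
    public static List<String> untrustedEnabledServices(Context context) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return suspicious;
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            int caps = info.getCapabilities();
            boolean canAct = (caps & AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0;
            boolean canRead = (caps & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            if (!TRUSTED_PACKAGES.contains(pkg) && (canAct || canRead)) {
                // info.getId() is the flattened component name, e.g. pkg/.ServiceClass
                suspicious.add(info.getId() + " [gestures=" + canAct + ", readContent=" + canRead + "]");
            }
        }
        return suspicious;
    }

    /** Keeps a view (e.g. a PIN field) out of the AccessibilityNodeInfo tree entirely. */
    public static void hideFromAccessibility(View sensitiveView) {
        sensitiveView.setImportantForAccessibility(View.IMPORTANT_FOR_ACCESSIBILITY_NO);
    }
}
```

A non-empty result is a reason to warn the user or refuse a sensitive operation; hiding a view also hides it from legitimate screen readers, so use it only for the fields that truly need it.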

48 of 64

Common Malpractices

  • Webviews
  • Floating Windows
  • Accessibility Service
  • Administration API
  • Reflection
  • Dynamic Code Loading

49 of 64

Device Admin

Definition: The Device Administration API provides device administration features at the system level. These APIs allow you to create security-aware apps that are useful in enterprise settings, in which IT professionals require rich control over employee devices.

50 of 64

Device Admin

  • Set password quality.
  • Specify requirements for the user's password, such as minimum length, the minimum number of numeric characters it must contain, and so on.
  • Set the password. If the password does not conform to the specified policies, the system returns an error.
  • Set how many failed password attempts can occur before the device is wiped (that is, restored to factory settings).
  • Set how long from now the password will expire.
  • Set the password history length (length refers to number of old passwords stored in the history). This prevents users from reusing one of the last n passwords they previously used.
  • Specify that the storage area should be encrypted, if the device supports it.
  • Set the maximum amount of inactive time that can elapse before the device locks.
  • Make the device lock immediately.
  • Wipe the device's data (that is, restore factory settings).
  • Disable the camera.

51 of 64

Device Admin - Implementation

DeviceAdminReceiver subclass

Permission

Filter

52 of 64

Device Admin - Callbacks

Permission

53 of 64

Common Malpractices

  • Webviews
  • Floating Windows
  • Accessibility Service
  • Administration API
  • Reflection
  • Dynamic Code Loading

54 of 64

Java Reflection

Reflection is commonly used by programs which require the ability to examine or modify the runtime behavior of applications running in the Java virtual machine. This is a relatively advanced feature and should be used only by developers who have a strong grasp of the fundamentals of the language. With that caveat in mind, reflection is a powerful technique and can enable applications to perform operations which would otherwise be impossible.

55 of 64

Java Reflection

56 of 64

Java Reflection

The Test class uses reflection to get the ReflectionDemo class characteristics and invoke its defined methods.

57 of 64

Java Reflection - Misuse

Can be used to "hide" suspicious API calls.

Example: "java.lang.Runtime" encrypted with the key "1" gives "[PGP.]P_V.cD_EX\T", and decrypt() returns the original class name at runtime:

Class cls = Class.forName(decrypt("[PGP.]P_V.cD_EX\\T"));

58 of 64

Common Malpractices

  • Webviews
  • Floating Windows
  • Accessibility Service
  • Administration API
  • Reflection
  • Dynamic Code Loading

59 of 64

Dynamic Code Loading - DCL

DCL(Dynamic code loading) allows an application to load code that is not part of its static, initial codebase. The additional code can be retrieved from a remote location and executed at runtime.

  • Code Reuse

  • Extensibility

  • Self-upgrade

60 of 64

Dynamic Code Loading - Implementation

DexClassLoader(String dexPath, String optimizedDirectory, String librarySearchPath, ClassLoader parent)

  • dexPath (String): the list of jar/apk files containing classes and resources, delimited by File.pathSeparator, which defaults to ":" on Android
  • optimizedDirectory (String): this parameter is deprecated and has no effect since API level 26
  • librarySearchPath (String): the list of directories containing native libraries, delimited by File.pathSeparator; may be null
  • parent (ClassLoader): the parent class loader

61 of 64

Dynamic Code Loading - Implementation

Fetch the dex, jar, apk, etc.

String dexPath = context.getFilesDir().getAbsolutePath() + "/" + "dexPath.dex";

// loadClass() returns a Class<?>, so the loader and the loaded class are separate values
final DexClassLoader loader = new DexClassLoader(dexPath,
        context.getCodeCacheDir().getAbsolutePath(), null, getClass().getClassLoader());
final Class<?> nClazz = loader.loadClass(clazz);

DexClassLoader(String dexPath, String optimizedDirectory, String librarySearchPath, ClassLoader parent)
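The snippet above loads whatever file sits at dexPath, so anything that can replace that file controls what runs in the app. An added example, not from the slides, of pinning the dex to an expected SHA-256 before loading it; the class name and the pinned digest placeholder are assumptions.

```java
// Added example (not from the slides): verify a fetched dex against a pinned SHA-256 and make it
// read-only before DexClassLoader sees it, so a swapped or tampered file is never loaded.
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class VerifiedDexLoader {
    // Placeholder: the real value is the SHA-256 of the dex the app expects to load.
    private static final String EXPECTED_SHA256_HEX = "<pinned-sha256-of-dexPath.dex>";

    public static String sha256Hex(File file) throws IOException {
        try (InputStream in = new FileInputStream(file)) {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest()) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Loads clazz from the app-private dex only if its digest matches the pin. */
    public static Class<?> loadVerified(Context context, String clazz) throws Exception {
        File dex = new File(context.getFilesDir(), "dexPath.dex"); // app-private storage only
        if (!dex.isFile()) throw new IOException("dex missing: " + dex);
        String actual = sha256Hex(dex);
        // Constant-time comparison of the two hex digests.
        if (!MessageDigest.isEqual(actual.getBytes(StandardCharsets.UTF_8),
                EXPECTED_SHA256_HEX.getBytes(StandardCharsets.UTF_8))) {
            dex.delete(); // do not keep a file that failed verification
            throw new SecurityException("dex digest mismatch: " + actual);
        }
        // Android 14 requires dynamically loaded dex files to be read-only; it is good
        // hygiene on older versions as well.
        dex.setReadOnly();
        DexClassLoader loader = new DexClassLoader(dex.getAbsolutePath(),
                context.getCodeCacheDir().getAbsolutePath(), null, context.getClassLoader());
        return loader.loadClass(clazz);
    }
}
```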

62 of 64

Dynamic Code Loading - What is wrong with this?

63 of 64

Dynamic Code Loading - What is wrong with this?

  • Name can be encrypted
  • Content can be encrypted

64 of 64

References