1 of 32

APPLICATION SECURITY

(Threats and Malpractices)

Speaker: Dimitrios Valsamaras | @Ch0pin

2 of 32

Common Malpractices

  • Webviews
  • Floating Windows
  • Accessibility Service
  • Administration API
  • Reflection
  • Dynamic Code Loading

3 of 32

Accessibility Service

The accessibility service provides user interface enhancements to assist users with disabilities, or who may temporarily be unable to fully interact with a device. For example, users who are driving or taking care of a young child might need additional or alternative interface feedback.


A powerful set of API calls, used by many popular apps including Google Assistant, Google Maps, password managers, app lockers

but also by ….

Trojans, backdoors, bots, phishing apps, etc.

4 of 32

Accessibility Service from a security perspective

An application that has been granted the accessibility service permission can run in the background and…

  • Read the UI of any other application
  • Parse the entire Android UI to check which layouts are in the screen
  • Check whether the screen has changed or the screen content has changed
  • Read notifications coming from/for any application
  • Perform Clicks / Swipes
  • Set text to textviews

… Pretty much, it can act on behalf of the user

5 of 32

Accessibility Service - How to enable (Android 10)

Settings → Accessibility →

Click on the app →

Use Service→ Allow

6 of 32

Accessibility Service - Implementation

Implementation Class

Intent filter

Permission

Configuration

AccessibilityService_accessibilityEventTypes: The event types this service would like to receive as specified in AccessibilityEvent. This setting can be changed at runtime by calling

7 of 32

Accessibility Service - Java Code Implementation

Override Required

Class name declared in the Manifest

8 of 32

Accessibility Service - Accessibility Event

  • An accessibility event is fired by an individual view which populates the event with data for its state and requests from its parent to send the event to interested parties. The parent can optionally modify or even block the event based on its broader understanding of the user interface's context.

  • The main purpose of an accessibility event is to communicate changes in the UI to an AccessibilityService.

  • The service may inspect, if needed the user interface by examining the View hierarchy, as represented by a tree of AccessibilityNodeInfo (snapshot of a View state) which can be used for exploring the window content.
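The following is an added example (not code from the slides) showing the implementation pieces slides 6 to 8 list, from an auditor's point of view: the manifest entry with its intent filter and permission, the XML configuration, a runtime change of that configuration through setServiceInfo(), and an onAccessibilityEvent() callback that logs the foreground package and walks the AccessibilityNodeInfo tree. The package, class and resource names are assumptions; the Android APIs used are the standard ones.

```java
// AuditAccessibilityService.java (hypothetical package and class names)
package com.example.a11yaudit;

import android.accessibilityservice.AccessibilityService;
import android.accessibilityservice.AccessibilityServiceInfo;
import android.util.Log;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityNodeInfo;

/*
 * AndroidManifest.xml entry. BIND_ACCESSIBILITY_SERVICE ensures only the system
 * can bind the service, the intent filter is what lists it under
 * Settings > Accessibility, and the meta-data points at the static configuration:
 *
 *   <service
 *       android:name=".AuditAccessibilityService"
 *       android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
 *       android:exported="true">
 *       <intent-filter>
 *           <action android:name="android.accessibilityservice.AccessibilityService" />
 *       </intent-filter>
 *       <meta-data
 *           android:name="android.accessibilityservice"
 *           android:resource="@xml/accessibility_service_config" />
 *   </service>
 *
 * res/xml/accessibility_service_config.xml. canRetrieveWindowContent="true" is
 * the attribute that lets the service read other apps' UI, so it is the first
 * thing to look for when reviewing an APK that declares such a service:
 *
 *   <accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
 *       android:accessibilityEventTypes="typeWindowStateChanged|typeWindowContentChanged"
 *       android:accessibilityFeedbackType="feedbackGeneric"
 *       android:canRetrieveWindowContent="true"
 *       android:description="@string/a11y_description" />
 */
public class AuditAccessibilityService extends AccessibilityService {
    private static final String TAG = "A11yAudit";

    // Called once the system has bound the service, i.e. after the user enabled it.
    // The static XML configuration can be adjusted here at runtime.
    @Override
    protected void onServiceConnected() {
        super.onServiceConnected();
        AccessibilityServiceInfo info = getServiceInfo();
        info.eventTypes = AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED
                | AccessibilityEvent.TYPE_WINDOW_CONTENT_CHANGED;
        info.flags |= AccessibilityServiceInfo.FLAG_REPORT_VIEW_IDS;
        info.notificationTimeout = 100; // ms; coalesces bursts of content-changed events
        setServiceInfo(info);
    }

    // Required override: every event matching eventTypes arrives here.
    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        String type = AccessibilityEvent.eventTypeToString(event.getEventType());
        Log.d(TAG, "event=" + type + " package=" + event.getPackageName());

        if (event.getEventType() == AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED) {
            AccessibilityNodeInfo root = getRootInActiveWindow();
            if (root != null) {
                dumpTree(root, 0);
            }
        }
    }

    // Required override: the system asks the service to stop any feedback.
    @Override
    public void onInterrupt() {
        Log.d(TAG, "interrupted");
    }

    // Walk the snapshot of the view hierarchy. Everything logged here is visible
    // to any enabled service, which is why the permission is granted sparingly.
    private void dumpTree(AccessibilityNodeInfo node, int depth) {
        StringBuilder line = new StringBuilder();
        for (int i = 0; i < depth; i++) {
            line.append("  ");
        }
        line.append(node.getClassName())
            .append(" id=").append(node.getViewIdResourceName())
            .append(" password=").append(node.isPassword())
            .append(" text=").append(node.isPassword() ? "<masked>" : node.getText());
        Log.d(TAG, line.toString());

        for (int i = 0; i < node.getChildCount(); i++) {
            AccessibilityNodeInfo child = node.getChild(i);
            if (child != null) {
                dumpTree(child, depth + 1);
            }
        }
    }
}
```

The service deliberately masks text of password fields and performs no actions; the point is to make visible how much of another app's screen a service with canRetrieveWindowContent can read once the user enables it.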

9 of 32

Accessibility Service - View Hierarchy Example

10 of 32

Accessibility Service - Event Lifecycle

UI changed → does the event match the registered event types? → Yes: trigger callback / No: ignore

11 of 32

Accessibility Service - Abuse

  • FluBot abuses the accessibility service to get the foreground app.

  • If the application is in its target list, it triggers an overlay that covers the legitimate application with a fake one.

  • After getting the credentials entered into the fake view, it sends them to a Command and Control server.

12 of 32

Accessibility Service - Abuse

  • Overlays targeting legitimate applications

13 of 32

Accessibility Service - Abuse, Overlays

Monitoring the API calls performed by the accessibility service implementation.

14 of 32

Accessibility Service - Abuse

  • Click
  • Home

15 of 32

Accessibility Service - Abuse

  • log typed keys (keyloggers)

  • auto-enable permissions

  • auto-enable access to services

When correctly coordinated, it can perform a chain of actions to automate more complex tasks (e.g. screen recording).

16 of 32

Common Malpractices

  • Webviews
  • Floating Windows
  • Accessibility Service
  • Administration API
  • Reflection
  • Dynamic Code Loading

17 of 32

Device Admin

Definition: The Device Administration API provides device administration features at the system level. These APIs allow you to create security-aware apps that are useful in enterprise settings, in which IT professionals require rich control over employee devices.

18 of 32

Device Admin

  • Set password quality.
  • Specify requirements for the user's password, such as minimum length, the minimum number of numeric characters it must contain, and so on.
  • Set the password. If the password does not conform to the specified policies, the system returns an error.
  • Set how many failed password attempts can occur before the device is wiped (that is, restored to factory settings).
  • Set how long from now the password will expire.
  • Set the password history length (length refers to number of old passwords stored in the history). This prevents users from reusing one of the last n passwords they previously used.
  • Specify that the storage area should be encrypted, if the device supports it.
  • Set the maximum amount of inactive time that can elapse before the device locks.
  • Make the device lock immediately.
  • Wipe the device's data (that is, restore factory settings).
  • Disable the camera.

19 of 32

Device Admin - Implementation

DeviceAdminReceiver subclass

Permission

Filter

20 of 32

Device Admin - Callbacks

Permission
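The following is an added example (not code from the slides) of the three pieces slide 19 names, a DeviceAdminReceiver subclass, the BIND_DEVICE_ADMIN permission and the intent filter, together with the callbacks of slide 20, plus a helper that an auditing app can use to list which admins are active and two of the policies they may have set. Package, class and resource names are assumptions; the DeviceAdminReceiver and DevicePolicyManager calls are the standard Android ones.

```java
// AuditAdminReceiver.java (hypothetical package and class names)
package com.example.adminaudit;

import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;

/*
 * AndroidManifest.xml: BIND_DEVICE_ADMIN ensures only the system can deliver
 * the admin callbacks, the meta-data names the policies requested, and the
 * filter makes the receiver reachable:
 *
 *   <receiver
 *       android:name=".AuditAdminReceiver"
 *       android:permission="android.permission.BIND_DEVICE_ADMIN"
 *       android:exported="true">
 *       <meta-data
 *           android:name="android.app.device_admin"
 *           android:resource="@xml/device_admin_policies" />
 *       <intent-filter>
 *           <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
 *       </intent-filter>
 *   </receiver>
 *
 * res/xml/device_admin_policies.xml. Each element is one of the capabilities
 * of slide 18; an app requesting <wipe-data/> or <force-lock/> without an
 * enterprise use case deserves a second look during review:
 *
 *   <device-admin xmlns:android="http://schemas.android.com/apk/res/android">
 *       <uses-policies>
 *           <limit-password />
 *           <watch-login />
 *           <force-lock />
 *       </uses-policies>
 *   </device-admin>
 */
public class AuditAdminReceiver extends DeviceAdminReceiver {
    private static final String TAG = "AdminAudit";

    // Fired after the user confirms the "Activate device admin" dialog.
    @Override
    public void onEnabled(Context context, Intent intent) {
        Log.i(TAG, "device admin enabled");
    }

    // Fired when the user is about to deactivate the admin; the returned text is
    // shown in the confirmation dialog. A legitimate app explains the consequence,
    // whereas abusive apps use this moment to nag or re-request activation.
    @Override
    public CharSequence onDisableRequested(Context context, Intent intent) {
        return "Disabling this admin removes the lock-screen policy it enforces.";
    }

    @Override
    public void onDisabled(Context context, Intent intent) {
        Log.i(TAG, "device admin disabled");
    }

    // The watch-login policy: the system reports each failed unlock attempt.
    // (Two-argument form; API 26 added an overload carrying the UserHandle.)
    @Override
    public void onPasswordFailed(Context context, Intent intent) {
        Log.w(TAG, "failed unlock attempt reported");
    }

    // Lists the admins currently active on the device and, for each, the
    // wipe threshold and camera policy it has configured.
    public static List<String> describeActiveAdmins(Context context) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<String> out = new ArrayList<>();
        List<ComponentName> admins = dpm.getActiveAdmins();
        if (admins == null) {
            return out;
        }
        for (ComponentName admin : admins) {
            out.add(admin.flattenToShortString()
                    + " maxFailedPasswordsForWipe=" + dpm.getMaximumFailedPasswordsForWipe(admin)
                    + " cameraDisabled=" + dpm.getCameraDisabled(admin));
        }
        return out;
    }
}
```

The set of active admins is also what a user sees under Settings > Security > Device admin apps; a security-conscious app that needs only a subset of policies should request only those in the XML, since the system shows the full requested list in the activation dialog.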

21 of 32

Common Malpractices

  • Webviews
  • Floating Windows
  • Accessibility Service
  • Administration API
  • Reflection
  • Dynamic Code Loading

22 of 32

Java Reflection

Reflection is commonly used by programs which require the ability to examine or modify the runtime behavior of applications running in the Java virtual machine. This is a relatively advanced feature and should be used only by developers who have a strong grasp of the fundamentals of the language. With that caveat in mind, reflection is a powerful technique and can enable applications to perform operations which would otherwise be impossible.

23 of 32

Java Reflection

24 of 32

Java Reflection

The Test class uses reflection to get the ReflectionDemo class characteristics and invoke its defined methods.

25 of 32

Java Reflection - Misuse

Example: the class name “java.lang.Runtime” encrypted with the key “1” returns [PGP.]P_V.cD_EX\T

Can be used to “hide” suspicious API calls:

Class<?> cls = Class.forName(decrypt("[PGP.]P_V.cD_EX\\T"));
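The following is an added example (not the slides' own Test and ReflectionDemo code) covering slides 24 and 25 together. The first part is the ordinary use of reflection: a Test class discovers ReflectionDemo's public methods and invokes them. The second part reproduces the misuse pattern from an analyst's side: the slide's ciphertext is the class name XORed with the one-character key "1", and a re-implemented decrypt() recovers "java.lang.Runtime". The class names and the decrypt() rule that the '.' separator is left untouched are assumptions (the rule is chosen so that the slide's string decodes exactly).

```java
// Test.java, compiled in the default package: javac Test.java && java Test
// Hypothetical class names chosen to match the slide's description.
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

class ReflectionDemo {
    private final String label;

    public ReflectionDemo(String label) {
        this.label = label;
    }

    public String greet(String who) {
        return label + " greets " + who;
    }

    public int add(int a, int b) {
        return a + b;
    }
}

public class Test {
    // Inverse of the slide's encryption: XOR every character with the key byte
    // (0x31 for "1"). Assumption: '.' is passed through unchanged, which is what
    // makes "[PGP.]P_V.cD_EX\T" decode to "java.lang.Runtime".
    static String decrypt(String ciphertext, char key) {
        StringBuilder sb = new StringBuilder(ciphertext.length());
        for (char c : ciphertext.toCharArray()) {
            sb.append(c == '.' ? c : (char) (c ^ key));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // 1. Ordinary reflection: examine ReflectionDemo and call its methods.
        Class<?> demoClass = Class.forName("ReflectionDemo");
        Object demo = demoClass.getDeclaredConstructor(String.class).newInstance("demo");
        for (Method m : demoClass.getDeclaredMethods()) {
            if (!Modifier.isPublic(m.getModifiers())) {
                continue;
            }
            System.out.println("found " + m.getName() + " with "
                    + m.getParameterCount() + " parameter(s)");
        }
        Method greet = demoClass.getMethod("greet", String.class);
        System.out.println(greet.invoke(demo, "reflection")); // demo greets reflection
        Method add = demoClass.getMethod("add", int.class, int.class);
        System.out.println(add.invoke(demo, 2, 3));           // 5

        // 2. The misuse pattern: the real class name never appears in the
        //    binary, only the ciphertext and the key, so a string search for
        //    "Runtime" finds nothing. Re-implementing decrypt() is how an
        //    analyst recovers the target of every Class.forName(decrypt(...)).
        String hidden = "[PGP.]P_V.cD_EX\\T";
        String name = decrypt(hidden, '1');
        System.out.println(hidden + " -> " + name);           // java.lang.Runtime
        Class<?> cls = Class.forName(name);
        System.out.println("resolved " + cls.getName() + " with "
                + cls.getMethods().length + " public methods");
    }
}
```

The example only resolves the hidden class and counts its methods; the detection lesson is that reflective calls whose argument comes from a decode routine rather than a string literal are the ones a static review has to follow by hand.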

26 of 32

Common Malpractices

  • Webviews
  • Floating Windows
  • Accessibility Service
  • Administration API
  • Reflection
  • Dynamic Code Loading

27 of 32

Dynamic Code Loading - DCL

DCL (dynamic code loading) allows an application to load code that is not part of its static, initial codebase. The additional code can be retrieved from a remote location and executed at runtime.

  • Code Reuse

  • Extensibility

  • Self-upgrade

28 of 32

Dynamic Code Loading - Implementation

DexClassLoader(String dexPath, String optimizedDirectory, String librarySearchPath, ClassLoader parent)

dexPath

String: the list of jar/apk files containing classes and resources, delimited by File.pathSeparator, which defaults to ":" on Android

optimizedDirectory

String: this parameter is deprecated and has no effect since API level 26.

librarySearchPath

String: the list of directories containing native libraries, delimited by File.pathSeparator; may be null

parent

ClassLoader: the parent class loader

29 of 32

Dynamic Code Loading - Implementation

Fetch the dex, jar, apk, etc.

String dexPath = context.getFilesDir().getAbsolutePath() + "/" + "dexPath.dex";

// loadClass() returns the loaded Class, not the loader, and throws ClassNotFoundException
final Class<?> nClazz = new DexClassLoader(dexPath, context.getCodeCacheDir().getAbsolutePath(), null, getClass().getClassLoader()).loadClass(clazz);

DexClassLoader(String dexPath, String optimizedDirectory, String librarySearchPath, ClassLoader parent)
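The following is an added example (not the slides' code) of what a defensible version of the loader on slide 29 looks like: before handing a fetched file to DexClassLoader it checks that the file sits under the app's private storage, where other apps cannot swap it, and that its SHA-256 matches a value pinned in the app. The class name and the helper names are assumptions; DexClassLoader, MessageDigest and the Context calls are the standard APIs.

```java
// VerifiedDexLoader.java (hypothetical class name)
package com.example.dcl;

import android.content.Context;
import dalvik.system.DexClassLoader;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class VerifiedDexLoader {
    private VerifiedDexLoader() {}

    // Hex-encoded SHA-256 of a file.
    static String sha256Hex(File file) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(file)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /**
     * Loads className from a dex/jar/apk the app fetched earlier, but only if
     * (a) the file lives under the app's private files directory, and
     * (b) its SHA-256 equals expectedSha256, a value that ships inside the APK
     *     (or arrives over a pinned TLS channel), never next to the payload.
     */
    public static Class<?> loadVerified(Context context, File dexFile,
                                        String expectedSha256, String className)
            throws IOException, NoSuchAlgorithmException, ClassNotFoundException {
        String privateDir = context.getFilesDir().getCanonicalPath() + File.separator;
        if (!dexFile.getCanonicalPath().startsWith(privateDir)) {
            throw new SecurityException("refusing to load code from outside private storage: " + dexFile);
        }

        byte[] actual = sha256Hex(dexFile).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedSha256.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(actual, expected)) {
            throw new SecurityException("hash mismatch for " + dexFile.getName());
        }

        // optimizedDirectory is ignored from API 26 on, but older releases still
        // write optimized dex there, so it must also be an app-private directory.
        DexClassLoader loader = new DexClassLoader(
                dexFile.getAbsolutePath(),
                context.getCodeCacheDir().getAbsolutePath(),
                null,
                context.getClassLoader());
        return loader.loadClass(className);
    }
}
```

The check does not make DCL invisible to a reviewer, and that is the point: an app that pins the hash of what it loads can document what the payload is, whereas the pattern on the following slides, an encrypted name and encrypted content, exists precisely so that nobody can.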

30 of 32

Dynamic Code Loading - what is wrong with this?

31 of 32

Dynamic Code Loading - what is wrong with this?

  • Name can be encrypted
  • Content can be encrypted

32 of 32

References