Studying the trojan apps for Android used in Hacking Team leakElevenPaths 9 julio, 2015 Between the information leaked these days about #HackingTeam, several trojan Android APK files have been found. A first approach with Tacyt shows interesting relations with legitimate apps, the ones leaked a few days ago, some leaked last year… and some other notable stuff. We have studied some details of the leaked APKs. They were not public until this recent attack, and they were not detected by many antivirus engines until the leak. It is not the first time that we know about this company’s APKs. During 2014 summer, some remote control Android apps were known to belong to this HackingTeam, and they were used to spy mobile devices. A certificate for binaries in an APK. waste and a mistake To digitally sign an executable file in Windows, an Authenticode certificate is necessary. It may be expensive, between 200 and 500 euros a year, depending on the CA that issues them. To sign an APK, Android doesn’t require anything. It may be «self signed» and, therefore, free. And that is the way most of developers work. In fact, from our database, less than 100 APKs (0,002% approximately) use certificates signed by a CA. The APKs from HackingTeam were signed by this certificate that allows signing executable files as well. The three views of the Authenticode certificate used to sign the APKs And the problem is not only the waste, but the exposition. These certificates were already known since early 2013, when the tools used by HackingTeam to spy remotely were discovered. So, these APKs have been signed after that, in March. We already knew, by then, that they have been used to sign malicious code (at least, since February 2013, as this link states). An unnecessary mistake from HackingTeam. The certificate expires in November 2015. As a side note, in the executable files (in the APK, it does not make any sense) it’s revoked and is not countersigned. That means that, even if it wasn’t revoked, it would stop working in November 2015. Binary file signed with the same certificate What apps they were pretending to be A quick search by the packageName allows us to know what apps were trying to be simulated and contained the trojan. These are some of them that we found. Some examples of legitimate apps used as a decoy for the trojans All of them may be downloaded right now from aptoide or Google Play (although in the latest you may find the earliest versions). The topics are different. From the Quran to spy cameras. Legitimate apps used to create the malware Obviously they differ from the good ones in several aspects. Comparing the legitimate and the trojanized app Much more permissions are needed and a Google Map link is always in the code. We guess they locate victims this way. All the HackingTeam apps keep a Google Maps link in them We insist: these apps shown in their markets are innocuous, it’s just that HackingTeam uses them as trojans (in the more classic meaning of the word) to encourage or disguise the malware installation. More notable facts Both in this leak and previous analyses made to HackingTeam programs (like the one on 2014 summer, where some trojanized APKs were discovered as well), we can see some that could have allowed the early detection of these trojans (aside from using the same certificate). For example, all the APKs share a singularity: between their /assets/, they keep binary files named with a single letter. HackingTeam Android malware contains this kind of files, with these singular names Searching by this kind of file or some of these hashes, we found no other sample containing them in our databases. Some of the files shared by HackingTeam samples are a singularity for them Finally, all the APKs in this leak (except one) were created «2013-04-09» roughly at 11:40, local timezone from the computer they were compiled in. 6 apps were created March, 9th, except one Sergio de los Santos ssantos@11paths.com @ssantosv Adolfo Hernández adolfo.hernandez@11paths.com Pequeño análisis de los troyanos Android encontrados en el leak de HackingTeamGestión de vulnerabilidades con pentesting persistente, una visión global (I)
Nacho Palou Typosquatting: cómo detectarlo y protegerse No siempre es fácil detectar y protegerse del typosquatting. Estas recomendaciones de nuestros expertos te ayudan a reducir el riesgo.
Nacho Palou El poder de la digitalización sostenible en la lucha contra el cambio climático El cambio climático es considerado el mayor desafío de nuestro tiempo. Sus efectos abarcan desde la desertización y sequías hasta inundaciones y aumento del nivel del mar. Algunas de...
Telefónica Tech Boletín semanal de Ciberseguridad, 27 de mayo – 2 de junio Descubierta puerta trasera en cientos de placas base Gigabyte Investigadores de ciberseguridad de Eclypsium descubrieron una puerta trasera secreta en el firmware de cientos de modelos de placas base Gigabyte,...
Nacho Palou Cómo el lenguaje pone en riesgo la Ciberseguridad de las empresas La Ciberseguridad es un asunto fundamental para las empresas y organizaciones, de cualquier tamaño y sector. Los ciberataques pueden tener consecuencias graves o muy graves —incluso fatales— para los...
Carlos Rebato Criptografía, una herramienta para proteger los datos compartidos en la red Actualmente, la Ciberseguridad representa un aspecto primordial en las empresas. No obstante, cada día surgen nuevos modos de atentar contra ella. Muchos se han preguntado: ¿de qué manera las...
Roberto García Esteban ChatGPT y Cloud Computing: un matrimonio bien avenido ChatGPT (quizá no sepas que son las siglas de Chat Generative Pre-Trained Transformer) está en boca de todos por su impresionante habilidad para generar textos que parecen escritos por...