Talk delivered by Chema Alonso ( https://MyPublicInbox.com/ChemaAlonso ) in Hack in the Box CyberWeek 2021 about Gremlin Apps & Gremlin Botnets. You can see the talk at: https://www.youtube.com/watch?v=yQJ5sFtOysM
11. https://MyPublicInbox.com/ChemaAlonso
Business Model: APT Provider with a Gremlin Botnet of apps that become malicious for only one target. We sell targets, not malware.
• Create a Gremlin botnet with lots of apps to learn who you are, and sell you as a target for an APT:
  • Which company you work for.
  • Who you are on social networks.
  • Sell you for extortion, data leakage, CEO attacks, as part of a bigger APT, etc.
• Who you are on the device the Gremlin app is installed on:
  • Accounts: Twitter, Facebook, etc.
  • Phone number: WhatsApp, Telegram, 2FA, account recovery.
  • E-mail: login.
  • A little OSINT on the Internet.
  • Dirty business card.
• Turn a Gremlin app malicious only for the target we sell.
  • Only one app becomes malicious.
  • Steganography to connect to the C&C.
  • Opportunistic use of permissions (install-time & runtime).
14. Permissions to get Phone Number & Accounts
• TelephonyManager to access the phone number stored in the SIM.
• AccountManager to get info for accounts (Twitter, Telegram, Google...).
• Some of them are:
  • E-mail
  • Phone number
15. Outdated (2018): Fragmentation and Update of Android Devices
Version          Codename            API   Distribution (%)
2.3.3 - 2.3.7    Gingerbread         10    0.3
4.0.3 - 4.0.4    Ice Cream Sandwich  15    0.3
4.1.x            Jelly Bean          16    1.2
4.2.x            Jelly Bean          17    1.5
4.3              Jelly Bean          18    0.5
4.4              KitKat              19    6.9
5.0              Lollipop            21    3
5.1              Lollipop            22    11.5
6.0              Marshmallow         23    16.9
7.0              Nougat              24    11.4
7.1              Nougat              25    7.8
8.0              Oreo                26    12.9
8.1              Oreo                27    15.4
9                Pie                 28    10.4
Total affected (versions < 8.0): 61.30 %
In 2018 (when this PoC was done) almost 62% of devices ran Android versions below 8 and allowed access to accounts (e-mail, Twitter...). In 2021 (one week ago) approximately 50% of devices are still on Android 9 or lower.
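As an added example (not code from the talk or from its Quiz App PoC), the Python below models the two points made by the permissions slide and the fragmentation table: which declared permissions are actually effective on a device at a given API level (all of them at install time below API 23, only user-granted ones from API 23 on), and that GET_ACCOUNTS let an app enumerate every account only below Android 8.0 (API 26). The app inventory is constructed, and treating READ_PHONE_STATE as sufficient for the phone number below API 26 is a simplifying assumption of this model.

```python
# Added example (not from the talk): a simplified model of which identity data a
# Gremlin app could read, combining the permission model (install-time below API 23,
# runtime from API 23) with the Android 8.0 change that stopped GET_ACCOUNTS from
# enumerating every account, plus the 2018 distribution table from the slide.
from dataclasses import dataclass, field

# (API level, share %) rows copied from the slide's 2018 distribution table.
DISTRIBUTION_2018 = [(10, 0.3), (15, 0.3), (16, 1.2), (17, 1.5), (18, 0.5), (19, 6.9),
                     (21, 3.0), (22, 11.5), (23, 16.9), (24, 11.4), (25, 7.8),
                     (26, 12.9), (27, 15.4), (28, 10.4)]


def share_below(api_level, distribution=DISTRIBUTION_2018):
    """Percentage of devices running an API level lower than api_level."""
    return round(sum(share for api, share in distribution if api < api_level), 1)


@dataclass
class App:
    name: str
    requested: set            # permissions declared in the manifest
    runtime_granted: set = field(default_factory=set)  # accepted by the user at runtime


def effective_permissions(app, device_api):
    """Below API 23 every declared permission is granted at install time; from
    API 23 on, dangerous permissions only count once the user has granted them."""
    if device_api < 23:
        return set(app.requested)
    return app.requested & app.runtime_granted


def identity_exposure(app, device_api):
    """Identity data the app could read on this device (simplified model)."""
    perms = effective_permissions(app, device_api)
    exposed = []
    # Before Android 8.0 (API 26) GET_ACCOUNTS let AccountManager list every account.
    if "GET_ACCOUNTS" in perms and device_api < 26:
        exposed.append("accounts")
    # Assumption: READ_PHONE_STATE covers TelephonyManager.getLine1Number() below API 26.
    if "READ_PHONE_STATE" in perms and device_api < 26:
        exposed.append("phone_number")
    return exposed


def triage(apps, device_api):
    """Map each app that exposes something to the list of exposed data points."""
    report = {app.name: identity_exposure(app, device_api) for app in apps}
    return {name: data for name, data in report.items() if data}


# Constructed sample inventory: a 'beauty' app that asked for more than it needs,
# a quiz game the user granted accounts access to, and a harmless notes app.
SAMPLE_APPS = [
    App("BeautyCam", {"CAMERA", "GET_ACCOUNTS", "READ_PHONE_STATE"}, {"CAMERA"}),
    App("QuizApp", {"INTERNET", "GET_ACCOUNTS"}, {"GET_ACCOUNTS"}),
    App("Notes", {"INTERNET"}),
]

if __name__ == "__main__":
    print("2018 share below API 26:", share_below(26))
    for api in (22, 25, 27):
        print(api, triage(SAMPLE_APPS, api))
```

Running it reproduces the slide's 61.3% figure for devices below API 26 and shows the same over-privileged app going from fully exposed on a Lollipop device to harmless on an Oreo one.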
22. Gremlin Botnet: Opportunistic permission usage
• Nobody suspects a permission if they can explain it.
  • "Yeah... it is because this is an app for enhancing photos with beauty effects."
• Use permissions opportunistically.
  • E.g.: Pokémon Go & photo pictures.
  • E.g.: Select a photo and take them all.
• Compiler / library infections?
  • E.g.: XcodeGhost
• Build your own app and "be malicious" when the permission you need is in use.
23. Quiz App: PoC for our Gremlin Botnet
• Quiz App is a PoC.
• Quiz App is a "What do you prefer?" game.
• It works as goodware on all devices until one target is activated.
• It uses steganography to exchange commands and data with the C&C.
29. "Stealing" Apps with Data in Motion
• What happens when a developer "dies"?
• When are apps outdated?
• Can you re-register developer accounts?
• Can you steal an app?
Provider                          Expiration policy (2018)
Gmail                             9 months*
AOL Mail                          3 months
FastMail                          End of payment
GMX Mail                          6 months or end of payment
Hushmail                          3 weeks or end of payment
iCloud                            Never
Lycos                             1 month
Mail.com                          6 months or end of payment
Mail.ru                           6 months or end of payment
Mailfence                         7 months (free) or never (paid)
Outlook.com (Live Mail/Hotmail)   270 days
ProtonMail                        3 months
Rackspace                         End of payment
Rediffmail                        3 months
Runbox                            End of payment
Tutanota                          Never
Yahoo!                            12 months
Yandex Mail                       24 months
Zoho                              4 months or end of payment
30. Tacyt: Orphan "apps" without developers
• Study of apps whose developer accounts are outdated and free.
• Re-register and take control of the Google developer account.
• How many installations are affected.
• We selected Outlook and a sample of 217 e-mail accounts for old apps.
[Chart: Expired Outlook accounts. Accounts not expired: 209; accounts expired: 8]
31. "Dead Poets Society"
E-mail account | Apps# | App names | Downloads#
XXXXXcolla@outlook.com | 12 | 1. Insta Mirror, 2. Insta Face, 3. Insta Eyes, 4. Face Blender, 5. Insta Effects, 6. Insta Collage, 7. Insta Color, 8. Animal Face, 9. Insta Frames, 10. Photo Shape for Instagram, 11. Insta Camera, 12. Insta Square | 1,256,150
XXXXXXloperapps@outlook.com | 1 | 1. Download Video Downloader Free | 1,000,000
XXXXXenes@outlook.com | 1 | 1. Imágenes para Whatsapp | 1,000,000
XXXXXXnloader@outlook.com | 1 | 1. IDM+ Download Manager free | 500,000
XXXXXtudios@outlook.com | 1 | 1. Super Artie World | 500,000
XXXXXkit4u@outlook.com | 12 | 2. Military Armor Mod Installer, 3. Poke Cube Mod Installer, 4. Elsa Mod Installer, 5. RhanCandia Elevator Installer, 6. Instant Structure Mod Installer, 7. Better Lucky Blocks Installer, 8. AutomatedCraft Mod Installer, 9. Christmas Bosses Mod Installer, 10. MineKart Mod Installer, 11. Security Camera Mod Installer, 12. Morph Victim Mod Installer | 346,200
XXXXXX.sp@outlook.com | 1 | 1. Video player for android | 100,000
XXXXXX.rocha@outlook.com | 6 | 1. Quiz Millonario Español Gratis, 2. Millionaire, 3. Millionaire Quiz English, 4. Quiz Milionario Italiano, 5. Millionnaire Quiz Français | 152,000
8 accounts = 4,854,350 downloads
33. Bring Your Own Device vs Take Your Own Device
• BYOD
  • User has a personal account with Google or Apple.
  • User owns the device.
  • Installs corporate apps IF they agree to that.
  • When the employer/employee relationship ends, the user manages the device to restore it as it was before.
• TYOD (not an SMDM)
  • User has a personal account with Google or Apple.
  • Company owns the device.
  • User is "forced" to install apps.
  • When the employer/employee relationship ends... who manages the device?
34. Corporate Gremlin Botnet & BYOD
• Corporate & event apps
  • Sideloading & TestFlight (no App Store)
  • No audit / no open source
  • Opportunistic usage of permissions
• BYOD: your own device
  • Your own photos
  • Your own contacts
  • Your own messages
• TYOD or corporate device
  • Apple contract / Google contract?
36. Thanks!
• Every installed app (even your company's one) can do on your device everything its permissions allow it to do; therefore, always assume the worst.
• Trust is not enough -> Zero Trust.
• Security for top executives means controlling security for every single app installed on their professional devices, and teaching them to do it on their personal ones.
• Any app can eventually become a Gremlin App just because of:
  • An evil developer
  • A bug in its code
  • The app is sold
  • The app is stolen
Contact Chema Alonso at MyPublicInbox.com
https://MyPublicInbox.com/ChemaAlonso
"Dad, mum... can I play a free game on your device that my friends play? No."