Gremlin Apps & Botnets Explored

https://MyPublicInbox.com/ChemaAlonso
Gremlin Apps & Gremlin Botnets
Chema Alonso
https://www.MyPublicInbox.com/ChemaAlonso

Long tieme ago “FOCA is a Botnet”
https://www.elladodelmal.com/2010/12/la-foca-es-una-botnet.html

FOCA BOTNET
Command & Control
IMG with Payload
(Steganography)
Payload (IP+Command)
GET IM
G
+ ANSW
ER
GET IMG + ANSWER
ANSWER
Gremlim FOCA

Steganography (C&C)
Detection is complex = Stegoanalysis (Dinamyc App Analysis)
+ Reversing (Static Code Analysis)

Gremlin Apps: Cut Rope Christmas

Gremlin Apps: Cut Rope Christmas
Goodware app until one event trigger the transformation: Data extracted, computer installed (Stuxnet), automatic app
update, app stealing, selling/buyinng app, Company, “business strategy”

Gremlin Apps: Pixel Batery Saver
(from Battery Saver to Rogue AV)
1.- 50.000 active users
2.- Right Permisions.
3.- Cheap!
4.- Business Case works.
https://www.elladodelmal.com/2015/01/la-venta-de-
apps-al-cibercrimen.html

Tacyt: Big Data & “Data in Motion” to watch Cybercrime in apps

Data Streams for “Dorks” like “Google hacking”

Business Model: APT Provider with a Gremlin
Botnet of apps to become malicious only one
target. We sell targets, no malware.
• Create a Gremlin botnet with lot of Apps to know who you are and sell you as a target for APT:
• What Company you work for.
• Who you are in social networks
• Sell you for extorsion, data leakeage, CEO Attacks, part of a bigger APT, etc…
• Who you are in the device Gremlin app is installed:
• Accounts: Twitter, Facebook, etc…
• Phone Number: WhatsApp, Telegram, 2FA, Account Recovery.
• E-mail: Login.
• A little of OSINT on the Internet
• Dirty Business Card.
• Turn a Gremlin App into malicious only to the target we sell.
• Only one app becomes malicious.
• Steganography to connect C&C
• Opportunistic use of permissions (Install & RunTime)

Tacyt: Android Apps (Install & RT) Permisions

Permissions to get Phone Number
• <uses-permission
android:name="android.permission.
READ_PHONE_STATE"/>
• <uses-permission
android:name="android.permission.
READ_PHONE_NUMBERS "/>

Permissions to get Phone Number & Accounts
• TelephonyManager to Access phone number stored in SIM
• AccountsManager get infor for Accounts (twitter, telegram, google…)
• Some of them are:
• Email
• Phone number

Version Codename API Distribution (%) Total Afectados
Gingerbread 10 0,3 61,30 % < 8.0
2.3.3 -2.3.7
Ice Cream Sandwich 15 0,3
4.0.3 -4.0.4
4.1.x Jelly Bean 16 1,2
4.2.x 17 1,5
4.3 18 0,5
4.4 KitKat 19 6,9
5.0 Lollipop 21 3
5.1 22 11,5
6.0 Marshmallow 23 16,9
7.0 Nougat 24 11,4
7.1 25 7,8
8.0 Oreo 26 12,9
8.1 27 15,4
9 Pie 28 10,4
In 2018 (this PoC was done) almost 62% of devices
had versions < Android 8 and let Access to Accounts
(e-mail, twitter…). In 2021 (one week ago) aprox 50 %
devices are still in Android 9 or less.
Outdated (2018): Fragmentation and Update of
Android Devices

No Account pemisions? Oauth Login
• Oauth Login could be more dangerous
• Oauth: email, data, and you can
change “scope” for one device and get
everything

Dirty Business Card

Data Leakege & WebScrapping
(weapponizing leaks)
1.- Reset Password para este e-mail 2.- Error: el usuario no existe 3.- Error: el usuario sí existe

Gremlin Botnet: Buying the right app
permissionName:"android.permission.GET_ACCOUNTS"
permissionName:"android.permission.INTERNET"
permissionName:"android.permission.READ_EXTERNAL_STORAG
E" permissionName:"android.permission.READ_PHONE_STATE"
permissionName:"android.permission.ACCESS_NETWORK_STATE

Gremlin Botnet: Looking for the perfect target

mASAPP. Controls app for sale!

Gremlim Botnet: Oppotunistic permisions usage
• Nobody suspects of a permission if
they can explain it
• ”Yeah… it is because this is an app for
enhancing photos with beauty efects"
• Use permisions opportunisticly
• Ex: Pokemon Go & Photo Pictures
• Ex: Select a photo and take them all.
• Compiller / Lib Infections?
• Ej: XCodeGhost
• Do your own app and “be malicious”
when permission you need is in use.

Quiz App: PoC for our Gremlin Botnet
• Quiz App is a PoC.
• Quiz App is a “What do you prefer”
Game
• It´s working goodware in all devices
until one target is activated..
• Use steganography to exchange
commands and data from and to
C&C.

In Our PoC e-mail, Phone # or Twitter account activated Gremlin App.

Banner is, in our, case Activation Channel

Gremlin App in Gremlin Botnet

Quiz App: Gremlin Botnet C&C.
Sell the target

Gremlin Botnet C&C

“Stealling” Apps with Data in Motion
• What happen when a
developer “die”?
• When app are
outdated?
• Can you re-register
developer accounts?
• Can you Steel and
app?
PROVEEDOR EXPIRATION POLICY (2018)
Gmail 9 months*
AOL Mail 3 months
FastMail End of payment
GMX Mail 6 months or end of payment
Hushmail 3 weeks or end of payment
ICloud Never
Lycos 1 month
Mail.com 6 months or end of payment
Mail.ru 6 months or end of payment
Mailfence 7 months (free) or never(paid)
Outlook.com (live
mail/Hotmail)
270 days
ProtonMail 3 months
Rackspace End of payment
Rediffmail 3 months
Runbox End of payment
Tutanota Nevers
Yahoo! 12 months
Yandex Mail 24 months
Zoho 4 months or end of payment

Tacyt: Orphan “apps” without developers
• Study for apps with developer
accounts outdated and free.
• Re-register again and take control of
the Google developer account..
• How many installations affected.
• We selected Outlook and a sample
of 217 e-mail accounts for old apps.
0 50 100 150 200 250
Cuentas sin caducar
Cuentas caducadas
Cuentas sin caducar Cuentas caducadas
Total 209 8
Cuentas caducadas Outlook

“Dead Poets Society”
Cuenta de correo Apps# Nombre de las apps Downloads#
XXXXXcolla@outlook.com 12
1.Insta Mirror
1,256,150
2.Insta Face
3.Insta Eyes
4.Face Blender
5.Insta Effects
6.Insta Collage
7.Insta Color
8.Animal Face
9.Insta Frames
10.Photo Shape for
Instagram
11.Insta Camera
12.Insta Square
XXXXXXloperapps@outlook.
com
1
1.Download Video
Downloader Free
1,000,000
XXXXXenes@outlook.com 1
1.Imágenes para
Whatsapp
1,000,000
XXXXXXnloader@outlook.co
m
1
1.IDM+ Download
Manager free
500,000
XXXXXtudios@outlook.com 1 1.Super Artie World 500,000
XXXXXkit4u@outlook.com 12 346,200
2.Military Armor Mod Installer
3.Poke Cube Mod Installer
4.Elsa Mod Installer
5.RhanCandia Elevator
Installer
6.Instant Structure Mod
Instaler
7.Better Lucky Blocks Installer
8.AutomatedCraft Mod
Installer
9.Christmas Bosses Mod
Installer
10.MineKart Mod Installer
11.Security Camera Mod
Installer
12.Morph Victim Mod
Installer
XXXXXX.sp@outlook.com 1 1.Video player for android 100,000
XXXXXX.rocha@outlook.co
m
6
1.Quiz Millonario Español
Gratis
152,000
2.Millionaire
3.Millionaire Quiz English
4.Quiz Milionario Italiano
5.Millionnaire Quiz FranÃ§ais
8 accouts = 4,854,350 downloads

“Dead Poets Society”

Bring Your Own Device vs Take Your Own Device
• BYOD
• User has a personal account with
Google or Apple.
• User onws the device.
• Installs corporate apps IF they
agree to that.
• When employeer/empoloyee
relationship ends user manages
device to restore it as it was
before.
• TYOD (not a SMDM)
• User has a personal account
with Google or Apple.
• Company owns the device.
• User is ”forced” to Install apps
• Whe employeer/empoloyee
relationship ends.. Who
manages device?

Corporate Gremlin Botnet & BYOD
• Corporate & Event Apps
• Sideloading & Testflight (No Apps Store)
• No Audit / No Open Source
• Opportunistic usage of permisions
• BYOD: Your Own Device
• Your own Photos
• Your own Contacts
• Your own Messages
• TYOD or Corporate device
• Apple Contract / Google Contract?

Corporate Gremlin Botnet in BYOD&TYOD

Thanks!
• Every installed app (even your
Company one) can do in your device
everything permisions allow it to do,
therefore, always think the worst.
• Trust is not enought –> Zero Trust.
• Security for Top excutives means to
control security for every single app
installed in their profesional devices
and teach them to do it in their
personal ones.
• Any app can become a Gremlin App
eventually just because:
• An evil developer
• A bug in its code
• App is sold
• Apps is stolen
Contact to Chema Alonso at MyPublicInbox.com
”Dad, mum… can I play a free game
in your device that my friends play?
No.”

Gremlin Apps & Botnets Explored

Recommended

Recommended

More Related Content

Similar to Gremlin Apps & Botnets Explored

Similar to Gremlin Apps & Botnets Explored (20)

More from Telefónica

More from Telefónica (20)

Recently uploaded

Recently uploaded (20)

Gremlin Apps & Botnets Explored