2. WHO ARE WE - RYAN W SMITH
• Senior Research and Response Engineer @
Lookout
• Contributing member of the Honeynet Project
for more than 10 years
• Worked on automated x86/Windows shellcode
deobfuscation and malware sandboxing before
starting Android reversing
• Previously spoke about scalable Android
reversing @ AppSec USA and IEEE HICSS
Read the report
3. WHO ARE WE - “DIFF” @TIMSTRAZZ
• Lead Research & Response Engineer @
Lookout
• Reversed the Android Market/Google Play
Protocol
• Junkie for reversing mobile malware, creating
write-ups and teaching others to help raise the
bar
• Spoke previously about anti-analysis/
decompilation/emulation at BH’11/12,
EICAR’12, HiTCON13, SySCAN ’13 etc.
4. WHY DEEP DIVE?
• Stats are extremely misleading; but they get headlines!
• Did it just go from 100 samples to 163?
163 / 100 == 1.63, reported as “163%”, when the actual increase is 63%
• Different (zip) hash? Different (unique) sample?
• Correlation by SENDS_SMS alone is not good enough!
5. WHY DEEP DIVE?
• New hash != new “sample” -- need context!
• Impressive... “server-side polymorphism”: three APK hashes, one identical classes.dex
bebop:alphasms tstrazzere$ shasum *apk
e780f49dd81fec4df1496cb4bc1577aac92ade65 mwlqythh.rwbkulojmti-1.apk
8263d3aa255fe75f4d02d08e928a3113fa2f9e17 mwlqythh.rwbkulojmti-2.apk
521d3734e927f47af62e15e9880017609c018373 mwlqythh.rwbkulojmti-3.apk
bebop:alphasms tstrazzere$ shasum *.dex*
14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-1
14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-2
14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-3
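The check behind this slide, as an added example (not code from the talk or from Lookout): hash the classes.dex inside each APK instead of the archive, cluster samples on that inner hash, and report which archive entries actually differ. The three APKs are constructed in-memory zips with a placeholder dex payload, not real samples; names such as build_apk and differing_entries are this example's own.

```python
"""Correlate APK samples by the hash of their classes.dex, not by the archive hash."""
import hashlib
import io
import zipfile
from collections import defaultdict

# Constructed stand-in for a classes.dex: the bytes are not a real dex file,
# only a fixed payload that is repackaged unchanged into every sample below.
FAKE_DEX = b"dex\n035\0" + b"\x00" * 64 + b"Lcom/example/ConnectSMS;"


def build_apk(resource_blob: bytes, timestamp: tuple) -> bytes:
    """Build an in-memory zip standing in for a repackaged APK (constructed data).

    Every call embeds the same FAKE_DEX but a different resource blob and
    timestamp, which is enough to change the archive hash.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        dex = zipfile.ZipInfo("classes.dex", date_time=timestamp)
        dex.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(dex, FAKE_DEX)
        res = zipfile.ZipInfo("res/raw/blob.bin", date_time=timestamp)
        res.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(res, resource_blob)
    return buf.getvalue()


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def entry_hashes(apk_bytes: bytes, suffix: str = "") -> dict:
    """Map archive entry names ending in `suffix` to the SHA-1 of their decompressed content."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(suffix):
                out[name] = sha1(zf.read(name))
    return out


def dex_hashes(apk_bytes: bytes) -> dict:
    """Hashes of the *.dex entries only: the code that actually runs on the device."""
    return entry_hashes(apk_bytes, ".dex")


def cluster_by_dex(samples: dict) -> dict:
    """Group sample names by the sorted tuple of their dex hashes."""
    clusters = defaultdict(list)
    for name, apk in samples.items():
        key = tuple(sorted(dex_hashes(apk).items()))
        clusters[key].append(name)
    return dict(clusters)


def differing_entries(apk_a: bytes, apk_b: bytes) -> list:
    """Entry names whose content differs, or that exist in only one of the two archives."""
    ha, hb = entry_hashes(apk_a), entry_hashes(apk_b)
    return sorted(n for n in set(ha) | set(hb) if ha.get(n) != hb.get(n))


# Three "repackaged" samples (constructed): same dex, different resources and dates.
SAMPLES = {
    "sample-1.apk": build_apk(b"A" * 100, (2013, 1, 1, 0, 0, 0)),
    "sample-2.apk": build_apk(b"B" * 100, (2013, 1, 2, 0, 0, 0)),
    "sample-3.apk": build_apk(b"C" * 100, (2013, 1, 3, 0, 0, 0)),
}


def unique_archive_hashes() -> int:
    """What a zip-hash-only count reports: one 'sample' per repackaging."""
    return len({sha1(a) for a in SAMPLES.values()})


def unique_dex_clusters() -> int:
    """What correlating on the inner dex reports: one family variant."""
    return len(cluster_by_dex(SAMPLES))


if __name__ == "__main__":
    for name, apk in SAMPLES.items():
        print(sha1(apk), name)
    for name, apk in SAMPLES.items():
        print(dex_hashes(apk)["classes.dex"], name)
    print("archive hashes:", unique_archive_hashes(), "dex clusters:", unique_dex_clusters())
    print("differs between 1 and 2:", differing_entries(SAMPLES["sample-1.apk"], SAMPLES["sample-2.apk"]))
```

On real samples the same approach also catches multi-dex APKs (the cluster key is the sorted set of all dex hashes) and, with the suffix filter widened, repackaged assets; it does not catch recompiled or renamed code, which is where the code-similarity work on the following slides comes in.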
8. SAMPLE EVOLUTION IS IMPORTANT
• e6d823... (ConnectSMS.a) Packaged: 07-30-12. No obfuscation / crypto. Debug information available.
• 00f35f... (ConnectSMS.f) Packaged: 12-13-12. SMS endpoints / URL crypted. Debug info stripped. Added contact exfiltration.
• 355d6f... (ConnectSMS.p) Packaged: 01-11-13. SMS endpoints / URL crypted. Debug info stripped. Removed contact exfiltration.
• 383069... (ConnectSMS.s) Packaged: 04-03-13. SMS / URL remotely pulled & decrypted. Debug info re-added.
Slide annotation: “Same Crypto”
9. DECIPHERING OBFUSCATION - AlphaSMS
• Underlying code still similar
• “Polymorphism” easily confused with “omg sky is falling”
• Trends across different distributing organizations
11. BEYOND SMS FRAUD - NOTCOMPATIBLE
• Interesting exercise in malware component
commoditization
• Relates directly to PC malware
• Used mass-compromised web sites and
compromised swaths of accounts (AOL, Yahoo,
etc.) for distribution (likely purchased?)
• Actively used for evading fraud detection
[Diagram: Attacker in Europe -> Infected proxy device, inside US -> Purchasing Service, inside US. The direct path from the attacker in Europe to the purchasing service is blocked by fraud detection.]
50. CONCLUSIONS
• Top 10 Russian SMS fraud organizations
account for over 30% of worldwide malware
detections
• SMS Fraud is a diverse threat, and requires
careful categorization
• SMS Fraud has effectively been commoditized
in Russia and has a thriving support system
• By taking a “full-stack” approach to tracking
these threats we avoid the typical “whack-a-
mole” AV strategy
51. THE GIANTS ON WHICH WE STAND
• Thanks to:
• The entire R&R and security team at
Lookout
• The Honeynet Project
• Mila @ Contagio Dump
• @jduck @pof @osxreverser
@thomas_cannon @adesnos
@Gunther_AR @TeamAndIRC @cryptax
52. Keep in touch with
@lookout
/mylookout
blog.lookout.com
contact@lookout.com
http://bit.ly/dragon-lady