SlideShare a Scribd company logo

Dragon lady

Lookout
Lookout
TechnologyBusiness
1 of 52
Download to read offline
DRAGON LADY AN INVESTIGATION OF RUSSIAN SMS FRAUD RYAN W SMITH & TIM STRAZZERE Lookout, Inc. Read the report
WHO ARE WE - RYAN W SMITH • Senior Research and Response Engineer @ Lookout • Contributing member of the Honeynet Project for more than 10 years • Worked on automated x86/Windows shellcode deobfuscation and malware sandboxing and before starting Android reversing • Previously spoke about scalable Android reversing @ AppSec USA and IEEE HICSS Read the report
WHO ARE WE - “DIFF” @TIMSTRAZZ • Lead Research & Response Engineer @ Lookout • Reversed the Android Market/Google Play Protocol • Junkie for reversing mobile malware, creating write ups and teaching other to help raise the bar • Spoke previously about anti-/analysis/ decompilation/emulation at BH’11/12, EICAR’12, HiTCON13, SySCAN ’13 etc. Read the report
WHY DEEP DIVE? • Stats are extremely misleading; but get headlines! • Did it just go from 100 samples to 163? 163 / 100 == 1.63 == 163% • Different (zip) hash? Different (unique) sample? • Correlation by SENDS_SMS is not good enough! Read the report
WHY DEEP DIVE? • New hash != new “sample” -- need context! • Impressive... “server-side polymorphism” bebop:alphasms tstrazzere$ shasum *apk e780f49dd81fec4df1496cb4bc1577aac92ade65 mwlqythh.rwbkulojmti-1.apk 8263d3aa255fe75f4d02d08e928a3113fa2f9e17 mwlqythh.rwbkulojmti-2.apk 521d3734e927f47af62e15e9880017609c018373 mwlqythh.rwbkulojmti-3.apk bebop:alphasms tstrazzere$ shasum *.dex* 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-1 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-2 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-3 Read the report
FAMILY INTEL. Threat Sends SMS Downloads Apps Exfiltrates PII Obfuscation (non-commercial) ALPHASMS     BADNEWS   CONNECTSMS    DEPOSITMOBI  FAKEBROWS    SMSACTOR   NOTCOMPATIBLE Read the report
FAMILY INTEL. Threat Sends SMS Downloads Apps Exfiltrates PII Obfuscation (non-commercial) ALPHASMS     BADNEWS   CONNECTSMS    DEPOSITMOBI  FAKEBROWS    SMSACTOR   NOTCOMPATIBLE FakeInst / SMSSend / Other generic name Read the report
SAMPLE EVOLUTION IS IMPORTANT e6d823... Packaged: 07-30-12 No obfuscation / crypto Debug information available ConnectSMS.a 00f35f... Packaged: 12-13-12 SMS Endpoints / URL crypted Debug info stripped Added contact exfiltration ConnectSMS.f 355d6f... Packaged: 01-11-13 SMS Endpoints / URL crypted Debug info stripped Removed contact exfiltration ConnectSMS.p 383069... Packaged: 04-03-13 SMS / URL remotely pull & decrypted Debug info re-added ConnectSMS.s Same Crypto Read the report
• Underlying code still similar • “Polymorphism” easily confused with “omg sky is falling” • Trends across different distributing organizations DECIPHERING OBFUSCATION AlphaSMS Read the report
AGILE THREAT RELEASES Read the report
BEYOND SMS FRAUD - NOTCOMPATIBLE • Interesting exercise in malware component commoditization • Relates directly to PC malware • Used mass compromised web sites, compromised swaths of accounts (AOL, Yahoo, etc.) for distribution (likely purchased?) • Actively used for evading fraud detection   DRAG + DROP IMAGE HERE   Attacker in Europe Purchasing Service, inside US Block by fraud detection Infected proxy device, inside US Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
CONCLUSIONS • Top 10 Russian SMS fraud organizations account for over 30% of worldwide malware detections • SMS Fraud is a diverse threat, and requires careful categorization • SMS Fraud has effectively been commoditized in Russia and has a thriving support system • By taking a “full-stack” approach to tracking these threats we avoid the typical “whack-a- mole” AV strategy Read the report
THE GIANTS ON WHICH WE STAND • Thanks to: • The entire R&R and security team at Lookout • The Honeynet Project • Mila @ Contagio Dump • @jduck @pof @osxreverser @thomas_cannon @adesnos @Gunther_AR @TeamAndIRC @cryptax Read the report
Keep in touch with @lookout /mylookout blog.lookout.com contact@lookout.com http://bit.ly/dragon-lady

Recommended

3 Perspectives Around Data Breaches
3 Perspectives Around Data Breaches3 Perspectives Around Data Breaches
3 Perspectives Around Data BreachesSymantec
 
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸ
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸTLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸ
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸAppointmentPlus
 
Dragon Lady
Dragon LadyDragon Lady
Dragon LadyLookout
 
5 Types of Shady Apps
5 Types of Shady Apps5 Types of Shady Apps
5 Types of Shady AppsLookout
 
Trial by Fire: Security @ DEF CON 21
Trial by Fire: Security @ DEF CON 21Trial by Fire: Security @ DEF CON 21
Trial by Fire: Security @ DEF CON 21Lookout
 
03 estrategia-ddos
03 estrategia-ddos03 estrategia-ddos
03 estrategia-ddosPavel Odintsov
 
DDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaDDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaPavel Odintsov
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossPavel Odintsov
 

Recommended

3 Perspectives Around Data Breaches
3 Perspectives Around Data Breaches3 Perspectives Around Data Breaches
3 Perspectives Around Data BreachesSymantec
 
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸ
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸTLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸ
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸAppointmentPlus
 
Dragon Lady
Dragon LadyDragon Lady
Dragon LadyLookout
 
5 Types of Shady Apps
5 Types of Shady Apps5 Types of Shady Apps
5 Types of Shady AppsLookout
 
Trial by Fire: Security @ DEF CON 21
Trial by Fire: Security @ DEF CON 21Trial by Fire: Security @ DEF CON 21
Trial by Fire: Security @ DEF CON 21Lookout
 
03 estrategia-ddos
03 estrategia-ddos03 estrategia-ddos
03 estrategia-ddosPavel Odintsov
 
DDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaDDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaPavel Odintsov
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossPavel Odintsov
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdPavel Odintsov
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonPavel Odintsov
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaPavel Odintsov
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
9534715
95347159534715
9534715Pavel Odintsov
 
Jon Nield FastNetMon
Jon Nield FastNetMonJon Nield FastNetMon
Jon Nield FastNetMonPavel Odintsov
 
Netflix security monkey overview
Netflix security monkey overviewNetflix security monkey overview
Netflix security monkey overviewRyan Hodgin
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationPavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...Ontico
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simplePavel Odintsov
 
pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf064ChetanWani
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowSkycure
 
Stop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designStop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designPatrick Walsh
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM DominoJared Roberts
 
Cisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attackCisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attackCisco Canada
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Advanced monitoring
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive PresentationNormShield, Inc.
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Canada
 
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Canada
 

More Related Content

Viewers also liked

GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdPavel Odintsov
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonPavel Odintsov
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaPavel Odintsov
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
Netflix security monkey overview
Netflix security monkey overviewNetflix security monkey overview
Netflix security monkey overviewRyan Hodgin
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationPavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...Ontico
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simplePavel Odintsov
 

Viewers also liked (13)

GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPd
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmon
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigation
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
 
9534715
95347159534715
9534715
 
Jon Nield FastNetMon
Jon Nield FastNetMonJon Nield FastNetMon
Jon Nield FastNetMon
 
Netflix security monkey overview
Netflix security monkey overviewNetflix security monkey overview
Netflix security monkey overview
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And Mitigation
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
 

Similar to Dragon lady

pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf064ChetanWani
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowSkycure
 
Stop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designStop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designPatrick Walsh
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM DominoJared Roberts
 
Cisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attackCisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attackCisco Canada
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Advanced monitoring
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive PresentationNormShield, Inc.
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Canada
 
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Canada
 
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of AlertsA Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of AlertsPriyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
Blueprint for Security Architecture & Strategy.pdf
Blueprint for Security Architecture & Strategy.pdfBlueprint for Security Architecture & Strategy.pdf
Blueprint for Security Architecture & Strategy.pdfFetri Miftach
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
 
Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Steve Poole
 
Hands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill ChainHands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill ChainSplunk
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?NowSecure
 
Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksMichael Davis
 
Amphion Forum 2013: What to Do About Attacks Against MDMs
Amphion Forum 2013: What to Do About Attacks Against MDMsAmphion Forum 2013: What to Do About Attacks Against MDMs
Amphion Forum 2013: What to Do About Attacks Against MDMsLacoon Mobile Security
 
Anatomy of an Attack
Anatomy of an AttackAnatomy of an Attack
Anatomy of an AttackCisco Canada
 

Similar to Dragon lady (20)

pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to Know
 
Stop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designStop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by design
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
 
Cisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attackCisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attack
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attack
 
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of Attack
 
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of AlertsA Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
Blueprint for Security Architecture & Strategy.pdf
Blueprint for Security Architecture & Strategy.pdfBlueprint for Security Architecture & Strategy.pdf
Blueprint for Security Architecture & Strategy.pdf
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
 
Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018
 
Hands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill ChainHands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill Chain
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
 
Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security Risks
 
Amphion Forum 2013: What to Do About Attacks Against MDMs
Amphion Forum 2013: What to Do About Attacks Against MDMsAmphion Forum 2013: What to Do About Attacks Against MDMs
Amphion Forum 2013: What to Do About Attacks Against MDMs
 
Anatomy of an Attack
Anatomy of an AttackAnatomy of an Attack
Anatomy of an Attack
 

More from Lookout

The New Assembly Line: 3 Best Practices for Building (Secure) Connected Cars
The New Assembly Line: 3 Best Practices for Building (Secure) Connected CarsThe New Assembly Line: 3 Best Practices for Building (Secure) Connected Cars
The New Assembly Line: 3 Best Practices for Building (Secure) Connected CarsLookout
 
Looking Forward and Looking Back: Lookout's Cybersecurity Predictions
Looking Forward and Looking Back: Lookout's Cybersecurity PredictionsLooking Forward and Looking Back: Lookout's Cybersecurity Predictions
Looking Forward and Looking Back: Lookout's Cybersecurity PredictionsLookout
 
5 Ways to Protect your Mobile Security
5 Ways to Protect your Mobile Security5 Ways to Protect your Mobile Security
5 Ways to Protect your Mobile SecurityLookout
 
Feds: You have a BYOD program whether you like it or not
Feds: You have a BYOD program whether you like it or notFeds: You have a BYOD program whether you like it or not
Feds: You have a BYOD program whether you like it or notLookout
 
What Is Spyware?
What Is Spyware?What Is Spyware?
What Is Spyware?Lookout
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingLookout
 
2015 Cybersecurity Predictions
2015 Cybersecurity Predictions2015 Cybersecurity Predictions
2015 Cybersecurity PredictionsLookout
 
The New NotCompatible
The New NotCompatibleThe New NotCompatible
The New NotCompatibleLookout
 
Relentless Mobile Threats to Avoid
Relentless Mobile Threats to AvoidRelentless Mobile Threats to Avoid
Relentless Mobile Threats to AvoidLookout
 
When Android Apps Go Evil
When Android Apps Go EvilWhen Android Apps Go Evil
When Android Apps Go EvilLookout
 
Scaling Mobile Development
Scaling Mobile DevelopmentScaling Mobile Development
Scaling Mobile DevelopmentLookout
 
Visualizing Privacy
Visualizing PrivacyVisualizing Privacy
Visualizing PrivacyLookout
 
Hiring Hackers
Hiring HackersHiring Hackers
Hiring HackersLookout
 
How to (Safely) Cut the Cord With Your Old iPhone
How to (Safely) Cut the Cord With Your Old iPhoneHow to (Safely) Cut the Cord With Your Old iPhone
How to (Safely) Cut the Cord With Your Old iPhoneLookout
 
3 Ways to Protect the Data in Your Google Account
3 Ways to Protect the Data in Your Google Account3 Ways to Protect the Data in Your Google Account
3 Ways to Protect the Data in Your Google AccountLookout
 
3 Ways to Protect the Data in Your Apple Account
3 Ways to Protect the Data in Your Apple Account3 Ways to Protect the Data in Your Apple Account
3 Ways to Protect the Data in Your Apple AccountLookout
 
The Back to School Smartphone Guide
The Back to School Smartphone GuideThe Back to School Smartphone Guide
The Back to School Smartphone GuideLookout
 
Mobile Security at the World Cup
Mobile Security at the World CupMobile Security at the World Cup
Mobile Security at the World CupLookout
 
Spring Cleaning for Your Smartphone
Spring Cleaning for Your SmartphoneSpring Cleaning for Your Smartphone
Spring Cleaning for Your SmartphoneLookout
 
Mobile Threats, Made to Measure
Mobile Threats, Made to MeasureMobile Threats, Made to Measure
Mobile Threats, Made to MeasureLookout
 

More from Lookout (20)

The New Assembly Line: 3 Best Practices for Building (Secure) Connected Cars
The New Assembly Line: 3 Best Practices for Building (Secure) Connected CarsThe New Assembly Line: 3 Best Practices for Building (Secure) Connected Cars
The New Assembly Line: 3 Best Practices for Building (Secure) Connected Cars
 
Looking Forward and Looking Back: Lookout's Cybersecurity Predictions
Looking Forward and Looking Back: Lookout's Cybersecurity PredictionsLooking Forward and Looking Back: Lookout's Cybersecurity Predictions
Looking Forward and Looking Back: Lookout's Cybersecurity Predictions
 
5 Ways to Protect your Mobile Security
5 Ways to Protect your Mobile Security5 Ways to Protect your Mobile Security
5 Ways to Protect your Mobile Security
 
Feds: You have a BYOD program whether you like it or not
Feds: You have a BYOD program whether you like it or notFeds: You have a BYOD program whether you like it or not
Feds: You have a BYOD program whether you like it or not
 
What Is Spyware?
What Is Spyware?What Is Spyware?
What Is Spyware?
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are Asking
 
2015 Cybersecurity Predictions
2015 Cybersecurity Predictions2015 Cybersecurity Predictions
2015 Cybersecurity Predictions
 
The New NotCompatible
The New NotCompatibleThe New NotCompatible
The New NotCompatible
 
Relentless Mobile Threats to Avoid
Relentless Mobile Threats to AvoidRelentless Mobile Threats to Avoid
Relentless Mobile Threats to Avoid
 
When Android Apps Go Evil
When Android Apps Go EvilWhen Android Apps Go Evil
When Android Apps Go Evil
 
Scaling Mobile Development
Scaling Mobile DevelopmentScaling Mobile Development
Scaling Mobile Development
 
Visualizing Privacy
Visualizing PrivacyVisualizing Privacy
Visualizing Privacy
 
Hiring Hackers
Hiring HackersHiring Hackers
Hiring Hackers
 
How to (Safely) Cut the Cord With Your Old iPhone
How to (Safely) Cut the Cord With Your Old iPhoneHow to (Safely) Cut the Cord With Your Old iPhone
How to (Safely) Cut the Cord With Your Old iPhone
 
3 Ways to Protect the Data in Your Google Account
3 Ways to Protect the Data in Your Google Account3 Ways to Protect the Data in Your Google Account
3 Ways to Protect the Data in Your Google Account
 
3 Ways to Protect the Data in Your Apple Account
3 Ways to Protect the Data in Your Apple Account3 Ways to Protect the Data in Your Apple Account
3 Ways to Protect the Data in Your Apple Account
 
The Back to School Smartphone Guide
The Back to School Smartphone GuideThe Back to School Smartphone Guide
The Back to School Smartphone Guide
 
Mobile Security at the World Cup
Mobile Security at the World CupMobile Security at the World Cup
Mobile Security at the World Cup
 
Spring Cleaning for Your Smartphone
Spring Cleaning for Your SmartphoneSpring Cleaning for Your Smartphone
Spring Cleaning for Your Smartphone
 
Mobile Threats, Made to Measure
Mobile Threats, Made to MeasureMobile Threats, Made to Measure
Mobile Threats, Made to Measure
 

Recently uploaded

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 

Recently uploaded (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 

Dragon lady

  • 1. DRAGON LADY AN INVESTIGATION OF RUSSIAN SMS FRAUD RYAN W SMITH & TIM STRAZZERE Lookout, Inc. Read the report
  • 2. WHO ARE WE - RYAN W SMITH • Senior Research and Response Engineer @ Lookout • Contributing member of the Honeynet Project for more than 10 years • Worked on automated x86/Windows shellcode deobfuscation and malware sandboxing and before starting Android reversing • Previously spoke about scalable Android reversing @ AppSec USA and IEEE HICSS Read the report
  • 3. WHO ARE WE - “DIFF” @TIMSTRAZZ • Lead Research & Response Engineer @ Lookout • Reversed the Android Market/Google Play Protocol • Junkie for reversing mobile malware, creating write ups and teaching other to help raise the bar • Spoke previously about anti-/analysis/ decompilation/emulation at BH’11/12, EICAR’12, HiTCON13, SySCAN ’13 etc. Read the report
  • 4. WHY DEEP DIVE? • Stats are extremely misleading; but get headlines! • Did it just go from 100 samples to 163? 163 / 100 == 1.63 == 163% • Different (zip) hash? Different (unique) sample? • Correlation by SENDS_SMS is not good enough! Read the report
  • 5. WHY DEEP DIVE? • New hash != new “sample” -- need context! • Impressive... “server-side polymorphism” bebop:alphasms tstrazzere$ shasum *apk e780f49dd81fec4df1496cb4bc1577aac92ade65 mwlqythh.rwbkulojmti-1.apk 8263d3aa255fe75f4d02d08e928a3113fa2f9e17 mwlqythh.rwbkulojmti-2.apk 521d3734e927f47af62e15e9880017609c018373 mwlqythh.rwbkulojmti-3.apk bebop:alphasms tstrazzere$ shasum *.dex* 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-1 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-2 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-3 Read the report
  • 6. FAMILY INTEL. Threat Sends SMS Downloads Apps Exfiltrates PII Obfuscation (non-commercial) ALPHASMS     BADNEWS   CONNECTSMS    DEPOSITMOBI  FAKEBROWS    SMSACTOR   NOTCOMPATIBLE Read the report
  • 7. FAMILY INTEL. Threat Sends SMS Downloads Apps Exfiltrates PII Obfuscation (non-commercial) ALPHASMS     BADNEWS   CONNECTSMS    DEPOSITMOBI  FAKEBROWS    SMSACTOR   NOTCOMPATIBLE FakeInst / SMSSend / Other generic name Read the report
  • 8. SAMPLE EVOLUTION IS IMPORTANT e6d823... Packaged: 07-30-12 No obfuscation / crypto Debug information available ConnectSMS.a 00f35f... Packaged: 12-13-12 SMS Endpoints / URL crypted Debug info stripped Added contact exfiltration ConnectSMS.f 355d6f... Packaged: 01-11-13 SMS Endpoints / URL crypted Debug info stripped Removed contact exfiltration ConnectSMS.p 383069... Packaged: 04-03-13 SMS / URL remotely pull & decrypted Debug info re-added ConnectSMS.s Same Crypto Read the report
  • 9. • Underlying code still similar • “Polymorphism” easily confused with “omg sky is falling” • Trends across different distributing organizations DECIPHERING OBFUSCATION AlphaSMS Read the report
  • 11. BEYOND SMS FRAUD - NOTCOMPATIBLE • Interesting exercise in malware component commoditization • Relates directly to PC malware • Used mass compromised web sites, compromised swaths of accounts (AOL, Yahoo, etc.) for distribution (likely purchased?) • Actively used for evading fraud detection   DRAG + DROP IMAGE HERE   Attacker in Europe Purchasing Service, inside US Block by fraud detection Infected proxy device, inside US Read the report
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 49.
  • 50. CONCLUSIONS • Top 10 Russian SMS fraud organizations account for over 30% of worldwide malware detections • SMS Fraud is a diverse threat, and requires careful categorization • SMS Fraud has effectively been commoditized in Russia and has a thriving support system • By taking a “full-stack” approach to tracking these threats we avoid the typical “whack-a- mole” AV strategy Read the report
  • 51. THE GIANTS ON WHICH WE STAND • Thanks to: • The entire R&R and security team at Lookout • The Honeynet Project • Mila @ Contagio Dump • @jduck @pof @osxreverser @thomas_cannon @adesnos @Gunther_AR @TeamAndIRC @cryptax Read the report
  • 52. Keep in touch with @lookout /mylookout blog.lookout.com contact@lookout.com http://bit.ly/dragon-lady