Android Malware Analysis : Dissecting Hydra Dropper
Includes GDB debugging of its native library
https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/
Android Analysis: Solving Flaggy Bird mobile challenge (Google CTF 2019)
https://blog.nviso.be/2019/07/18/solving-flaggy-bird-google-ctf-2019/
NVISO Labs
Solving Flaggy Bird (Google CTF 2019)
A few weekends ago we participated in the Google CTF. While we didn’t make it to the top 10, we did manage to solve quite a few challenges. This is my writeup of FlaggyBird, the only mobile c…
DEXCALIBUR: AUTOMATE YOUR ANDROID APP REVERSE
or hooking for dummies
https://2019.pass-the-salt.org/files/slides/02-Dexcalibur.pdf
QR code app requests €104,99 per year - subscription scam
https://twitter.com/jag_chandra/status/1152146311778635777?s=19
Twitter
jagchandra
This QR code reader with 1M+ installs deducts $95 after a 3-day trial, wants payment details upfront at installation, also has request install packages, https://t.co/I9nDEsztuF
FaceApp PRO apps from YouTube gets you in trouble
Two scams:
1) Fake websites (iOS & Android): deliver ads, surveys, subscriptions, PPI, unrelated browser notifications.
2) Fake apps: from YouTube videos with links to adware
In one case with 95,000+ link clicks
https://www.welivesecurity.com/2019/07/19/faceapp-spotlight-scams-emerge/
WeLiveSecurity
With FaceApp in the spotlight, new scams emerge | WeLiveSecurity
ESET research shows how the hype around FaceApp has also attracted scammers, who launch fraudulent schemes piggybacking on the app's popularity.
Android KicoBotnet malware
https://twitter.com/virqdroid/status/1152216041830981633
Twitter
Nikolaos Chrysaidos
🆕 Android #KicoBotnet malware, it seems to be in active development. Features: - Exfiltration of the full call log, contacts, SMS - Crypto-ransomware / AES - appends .xdrop to the encrypted files (hardcoded key🤦♂️)
Tinder is another app to bypass the Play Store to avoid Google’s 30 percent cut
TINDER WILL NOW TAKE YOUR PAYMENT INFO DIRECTLY, INSTEAD OF LETTING GOOGLE PROCESS THE TRANSACTION
https://www.theverge.com/2019/7/19/20701256/tinder-google-play-store-android-bypass-30-percent-cut-avoid-self-install
The Verge
Tinder is now bypassing the Play Store on Android to avoid Google’s 30 percent cut
Match Group joins Fortnite maker Epic Games
Gaza Cybergang's attack on Arabic-speaking regions via the Android platform #chinese
http://blog.avlsec.com/2019/07/5455/gaza-cybergang%e5%9c%a8%e7%a7%bb%e5%8a%a8%e7%ab%af%e5%af%b9%e9%98%bf%e6%8b%89%e4%bc%af%e8%af%ad%e5%9c%b0%e5%8c%ba%e7%9a%84%e6%94%bb%e5%87%bb%e4%ba%8b%e4%bb%b6/
HiddenAd Trojan found on Google Play
Info: https://twitter.com/Maler360/status/1153260314902708225?s=19
Analyzing iOS Stalkerware Applications
https://ivrodriguez.com/analyzing-ios-stalkerware-apps/amp/?__twitter_impression=true
Ivan R Blog
Analyzing iOS Stalkerware Applications
Stalkerware (a.k.a. Spouseware) applications are invasive applications that an
individual installs on a target's device (usually their partner) to spy on them,
snooping in as much data as they can. They aim to collect phone call history,
private messages…
Looks like someone has successfully created a PoC for the Android CVE-2019-2107 RCE
PoC: the device can be compromised by viewing a video carrying the payload. Should work on Android 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9.
https://github.com/marcinguy/CVE-2019-2107
Story wrap-up about the CVE-2019-2107 PoC with comments from the PoC author and Google.
▪️ Google - the vulnerability hasn't been exploited in the wild yet
▪️ PoC author - the exploit wouldn't work if the video is shared via Facebook, YouTube, Instagram... because of the encoding those platforms apply
https://thenextweb.com/security/2019/07/24/google-android-vulnerability-malicious-video/
TNW
Android vulnerability lets hackers hijack your phone with malicious videos
A vulnerability in Android (found in versions between 7.0 and 9.0) enables hackers to hijack your phone by tricking you into watching malicious videos.
Monokle
The Mobile Surveillance Tooling of the Special Technology Center
https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf
Monokle - Mobile Surveillance Tool
Highlights
▪️ on rooted devices can install its own certificate to MitM TLS traffic
▪️ steals user-defined words used for predictive text input
▪️ records the user unlocking the device to get the PIN
▪️ spread as trojanized versions of Signal, ES Explorer, Pornhub...
▪️ via an Xposed module can create hooks and hide its presence in the process list
▪️ via accessibility services can capture data from: Microsoft Word, Google Docs, Facebook Messenger, WhatsApp, imo, Viber, Skype, WeChat, VK, Line, and Snapchat
▪️ developed by Special Technology Center (STC) - a Russian defense contractor
▪️ there is also an iOS version
▪️ can execute 33 commands on infected devices
jnitrace
A Frida module to trace usage of the JNI API in Android apps.
https://github.com/chame1eon/jnitrace
GitHub
GitHub - chame1eon/jnitrace: A Frida based tool that traces usage of the JNI API in Android apps.
A Frida based tool that traces usage of the JNI API in Android apps. - chame1eon/jnitrace
Mobile banking malware: over 50% increase in attacks compared to 2018 - via Check Point
https://www.checkpoint.com/press/2019/check-point-research-from-supply-chain-to-email-mobile-and-the-cloud-no-environment-is-immune-to-cyber-attacks/
Android Pentesting/Bug Hunting 101
- set up Burp
- brute-force OTP
- ADB leaks
- IDOR vulnerability
- list of static & dynamic vulnerabilities you should always check
https://link.medium.com/Ohrs3M1eFY
Medium
Android Pen-testing/Hunting 101
Currently I’m Pen-testing on private projects so if you have any project to test kindly reach me on Twitter @hst_kishan
Scareware YouTube ads ("Your Phone has Virus ⚠️" techniques) are misused to promote a lousy Android antivirus app.
BTW, this app has 100K+ installs and has been available on Google Play only since Jul 5, 2019 without any reference or website.
https://t.co/efC3Rh30NX
Twitter
Lukas Stefanko
Scareware YouTube ads "Your Phone has Virus ⚠️" techniques are misused to promote a lousy Android antivirus app. BTW, this app has 100K+ installs and has been available on Google Play only since Jul 5, 2019 without any reference or website. P.S. So, my phone…
SQL Injection found in NextCloud Android App Content Provider
https://hackerone.com/reports/291764
HackerOne
Nextcloud disclosed on HackerOne: SQL Injection found in NextCloud...
Using Drozer, we identified that com.nextcloud.client is vulnerable to SQL injection
here is output from drozer:
dz> run scanner.provider.injection -a com.nextcloud.client
Scanning...
Bypassing lock protection in Nextcloud Android app
https://hackerone.com/reports/490946
HackerOne
Nextcloud disclosed on HackerOne: Bypassing lock protection
Nextcloud allows multiple accounts within the Android client app and relies on a single lock
Based on the (exposed) intent nc://login, it is possible to add a new account under attacker domain and...