Android App: Keyboard or Malware
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
1
Android App: Keyboard or Malware
Andrew Pannell, Pentest Limited
------------------------------------------------------------ ------------------------------------------------------------
1 INTRODUCTION
A N DROID is the m ost popu lar m obile operating system .
Over 1.5 m illion new And roid d evices are activated d aily
[1], w ith over 2 m illion app s available for d ow nload from
Prior to And roid 6.0 (Marshm allow ) w hen an application w as
the official Google Play Store [2]. This rapid grow th has m eant
installed , perm issions w ere accepted or d enied in fu ll, i.e. if an
a rapid release of ap plications as d evelopers try to cash in on
ap plication requ ests access to the cam era and cont act
the latest technology. And roid has been a target for m alw are
inform ation u pon the p oint of install, the u ser w ou ld either
d u e to its w id e ad option across a large u ser base (over 1.4 billion
agree to both of these and therefore the ap plication w ou ld be
active d evices w orld w id e).
granted these perm issions and the application w ou ld install. Or
This p aper w ill look at an ap plication w ith over 50 m illion the u ser d enied these perm issions to the application and the
d ow nload s, and exam ines how the application is abu sing ap plication w ou ld fail and not be installed .
And roid perm issions in ord er to harvest personal p rivate u ser
d ata and insert ad verts m aliciou sly.
4 ANDROID APPLICATIONS
And roid app lications are w ritten in Java, and becau se of the
2 PREVIOUS WORK vast form factors of And roid d evices the ap plications are
Previou s w ork relating to the And roid operating system by the d ow nload ed to the d evice in Java cod e form at. When the
au thor of this paper inclu d es; ap plication is installed And roid u ses its And roid Ru ntim e to
fu lly com pile the application from its cod e, to generate a
Wireless backu p ap plications, netw ork and d ata secu rity test, com piled ap p execu table specific for the d evice. Therefore it is
2014 trivial to take the ap plication and reverse it into the Java classes
it cam e from . Althou gh d ecom pilation of And roid applications
And roid Operating System : A Forensic Exam iners Per spective, is a com m only d iscu ssed top ic, it is w orthw hile d escribing the
2012 process in this p aper for the sake of clarity.
And roid Operating System : Vu lnerabilities, exploits and The And roid ap plication is d ow nload ed onto the d evice in a file
m aliciou s cod e, 2012 w ith an apk extension, for exam ple FlashKeyboard .apk. This
apk file is a zip ped d irectory containing the resou rces requ ired
for the ap plication . These resou rces inclu d e im ages, the
previou sly m entioned And roid Manifest.xm l file and a
3 ANDROID SECURITY
classes.d ex file. The d ex (Dalvik execu table) file contains the
Part of the And roid secu rity architectu re is d eveloped arou nd com piled Java cod e that w e’re interested in reverse engineering.
an ap plication ‘‘perm ission’’ m od el. An application starts w ith To convert the classes.d ex file to a read able form at is a tw o-step
zero perm issions, w hich m eans that by d efau lt it shou ld not be process. Firstly, it need s to be converted to a jar file u sing the
able to d o anything to impact any d ata on the d evice. An tool d ex2jar [3]. Second ly, the jar file can read u sing a Java
ap plication w ill have an And roid Manifest.xm l file w hich Decom piler su ch as JD-GUI.
presents inform ation to the And roid operating system abou t
the application. The Manifest file w ill inclu d e:
Details of application com ponents 5 FLASH KEYBOARD
The m inim u m version of the And roid API requ ired At the tim e that this research began (25th Febru ary 2016) the
Details of the system perm issions requ ired ap plication Flash Keyboard d eveloped by DotC United w as the
11th m ost popu lar d ow nload ed And roid application available
on the Google Play Store. Th e ap plication had at that tim e been
The requ est for perm issions are d eclared in the m anifest file as:
installed betw een 50 m illion and 100 m illion tim es. The
, for exam ple if an ap plication requ ests
ap plication is so popu lar it had been d ow nload ed m ore tim es
access to the d evices storage (either internal or external su ch as
that other w ell recognized ap plications su ch as WhatsApp , this
a m icro SD card ) the m anifest d eclaration w ou ld be:
PENTEST LIMITED © 2016
2
is show n in Figu re 1, w hich show s the top 20 d ow nload s for the Figure 2. Flash Keyboard
Am erican Play Store for April 2016. Flash keyboard is 11th .
Figure 1. Top 20 Downloaded applications
Ad d itionally, a p ost w as also m ad e on the Flash Keyboard
Facebook p age on 16th Febru ary 2016 w hich states:
‘‘Flash keyboard valu es you r privacy. The w arning that ou r
keyboard m ay collect ' all the text you type, inclu d ing personal
d ata like passw ord s and cred it card nu m bers' is p art of And roid
notification that ap pears w hen you install AN Y third -party
keyboard . We are ju st a keyboard not 007 and you r tru st m eans
a lot to u s. Don't give u s 1-star ju st becau se of that w arning,
please~~~’’
This show s that the d evelopers of Flash Keyboard present
them selves as taking the privacy of their u sers’ d ata seriou sly.
6 PERMISSIONS
When an ap plication is installed on And roid , the u ser is
presented w ith a list of perm ission the ap plication requ ires, so
they can m ake an inform ed choice before installing . Table 1
show s the perm issions requ ired by the Flash Keyboard
This paper w as w ritten against version 1.0.27 of the And roid ap plication.
ap plication. The ap plication is intend ed to be u sed as a
replacem ent to the stock keyboard and can be seen in Figu re 2. Google have d eveloped And roid ’s perm ission system to allow
non-technical u sers to m ake inform ed d ecisions w hen installing
The id ea of a 3rd party keyboard ap plication is to im prove the an ap plication. H ow ever, it is evid ent from the nu m ber of
stock keyboard in som e w ay, w hether that’s extra installations of Flash Keyboard that m any u sers d o not read the
cu stom isation, im proved au to-correct or otherw ise. requ ested perm ission or d o not u nd erstand the risk related to
them . Maybe becau se the application is listed in the top 20
The d evelopers m ake a nu m ber of statem ents regard ing ap plications or the statem ents of privacy from the d evelopers
Privacy. First, on the application’s Play Store d escription the reassu res the u sers to overrid e their concerns.
d eveloper m ake the follow ing statem ent:
‘‘Privacy. Flash keyboard valu es you r privacy. We d on’t collect
any personal d ata w ithou t you r explicit perm ission. ‘‘
PENTEST LIMITED © 2016
3
Table 1. List of permissions shown on Play Store 6.1 Excessive Permissions
Pentest consid er a nu m ber of the requ ested perm issions to be
particu larly ‘‘d angerou s’’. These are perm issions that are in
excess of w hat w ou ld be requ ired for the norm al operation of a
keyboard ap plication. Fu rther explanation is provid ed below of
the requ ested perm ission s of particu lar concern .
6.1.1 Bluetooth
BLUETOOTH & BLUETOOTH_ADMIN These perm issions allow the
Flash Keyboard application to ‘‘connect to paired Blu etooth
d evices as w ell as d iscover and p air Blu etooth d evices’’. It is not
clear w hy Flash Keyboard requ ests these perm issions.
6.1.2 Camera
CAMERA This is a strange perm ission for a keyboard ap plication
to requ est, there isn't a com m on u se case w here a keyboard
ap plication w ou ld regu larly requ ire access to the hard w are
cam era. Fu rther analysis of the ap plications cod e show s this
perm ission is u sed for a cu stom ‘‘sticker’’ generator.
6.1.3 Contacts
READ_CONTACTS This perm ission is u sed to allow the
ap plication to read the u ser's contacts d ata. It is u nd erstood this
is so that Flash Keyboard can ad d the u ser ’s contacts to the
d ictionary for pred ictive text.
6.1.4 Device Admin
BIND_DEVICE_ADMIN This perm ission is u sed to grant
ad m inistrator access to the application. Device ad m in is
d eveloped in m ind for enterprise environm ents in ord er to
place certain restrictions on the d evice. Figure 3a and Figu re 3b
show the d etails of w hich parts of the d evice ad m in API is u sed
by Flash Keyboard . These are ‘‘allow shortcu t fu nctions’’, w hich
isn’t d ocu m ented or cu rrently u sed in the ap plication and ,
‘‘prevent u nexpected u ninstallations’’, w hich m akes it d ifficu lt
for u sers to u ninstall the ap plication. Lastly, ‘‘lock the screen’’,
w hich controls how the lock screen w orks.
PENTEST LIMITED © 20164
Figure 3. (a) and (b) Device Admin This perm ission in conju nction w ith the DEVICE_ADMIN
perm ission, allow s Flash Keyboard to replace the stand ard
And roid lock screen w ith its ow n cu stom lock screen. This
cu stom lock screen allow s the d evelopers to m onitise the
ap plication by d isplaying paid for ad vertisem ents on the
lockscreen. Figu re 5a show s the And roid lock screen on the
d evice prior to installation of Flash Keyboard . Figu re 5Error!
Reference source not found.b show s the lock screen after the
ap plication has been installed .
Figure 5. (a) and (b) Lockscreen
Figu re 4 show s the m essage received w hen attem pting to
u ninstall the ap plication. The u ninstall process fails becau se the
ap plication has been granted d evice ad m inistrator privilege.
Figure 4. Uninstallation
6.1.6 Location
ACCESS_COARSE_LOCATION & ACCESS_FINE_LOCATION These
perm issions allow approxim ate location and precise location
respectively. These leverage Wi-Fi triangu lation, Cell tow ers,
and GPS in ord er to provid e accu racy. The fine location
perm ission has been know n to provid e betw een 1 and 3 m eters
of accu racy d epend ing on the hard w are im plem ented in the
d evice. Location is consid ered sensitive inform ation.
6.1.7 Logs
READ_LOGS Allow s an ap plication to read the low -level system
Althou gh only a lim ited su bset of d evice ad m in API featu re are log files. The And roid d eveloper ’s site m akes the
im plem ented . Ad d itional d evice ad m in API fu nctions cou ld be recom m end ation that this p erm issions is not for u se by third -
ad d ed in fu tu re u pd ates w ithou t notification to the u ser, as the party ap plications, becau se Log entries can contain the u ser ’s
u ser has granted the application the overall d evice ad m in private inform ation. For exam ple, research has show n that it is
perm ission. For exam ple the d evelopers cou ld u p d ate the not u nheard of to find d evelopers w riting u ser cred entials to the
ap plication to rem otely lock the d evice im m ed iately, set a log file.
screen u nlock p assw ord essentially hold ing the u ser to ransom ,
d isable the d evice’s cam era, and rem otely w ipe the d evice.
6.1.8 Network/Wi-Fi State
ACCESS_NETWORK_STATE & ACCESS_WIFI_STATE &
6.1.5 Keyguard CHANGE_NETWORK_STATE & CHANGE_WIFI_STATE These
DISABLE_KEYGUARD Allow s the application to d isable the perm issions allow the application to toggle Wi-Fi on and off, as
keygu ard , this in And roid m eans the lock screen. w ell as toggling m obile d ata. It is not clear w hy Flash Keyboard
PENTEST LIMITED © 20165
requ ests these perm issions. 6.1.12 Download Notification
DOWNLOAD_WITHOUT_NOTIFICATION This perm ission allow s an
6.1.9 Processes ap plication to rem ove the notification to the u ser that the
ap plication is d ow nload ing external files. Facebook and
KILL_BACKGROUND_PROCESSES allow s an application to call
WhatsAp p have previou sly u sed this perm ission to silently
killBackgroundProcesses(String) This m eans that the
u pd ate applications w ithou t u pd ating the application via the
ap plication cou ld m ake calls to kill other processes. For
Play Store. This is a violation of the term s and cond itions
exam ple, this cou ld be abu sed for d isabling other ap plications
provid ed by the Play Store and these ap ps have since rem oved
su ch as anti-viru s.
this perm ission.
6.1.10 SMS 6.1.13 Keypresses
READ_SMS Allow s the application to read SMS m essages stored
BIND_INPUT_METHOD This perm ission allow s the ap plication to
on the d evice and SIM card . This perm ission is u sed by Flash
act as a keyboard , connecting to the inpu t m ethod ed itor. This
Keyboard to ad d term s to the d ictionary for pred ictive text.
allow s keypresses to be sent to the Flash Keyboard ap plication
Figu re 6 show s an exam ple of the cod e u sed . The application
be to be processed . By its very d efinition and u se case, a
read s the contents of text m essages, and ad d s each w ord into
keyboard requ ires access to keypresses, therefore having
the u ser ’s d ictionary.
interaction w ith everything the u ser types. And roid brings this
Figure 6. uv.class to u ser ’s attention by presenting a w arning w hen enabling the
keyboard as show n in Figu re 7.
public class uv
implements SharedPreferences.OnSharedPreference Figure 7. Warning
ChangeListener
{
static final String PREF = "sms";
static final String PREF_KEY_MAX_ID = "max_id";
static final Logger jdField_a_of_type_OrgSlf4jL
ogger = LoggerFactory.getLogger("SmsDictionaryLoa
der");
private final Context jdField_a_of_type_Android
ContentContext = MainApp.a();
private final SharedPreferences jdField_a_of_ty
pe_AndroidContentSharedPreferences;
private final ContentObserver jdField_a_of_type
_AndroidDatabaseContentObserver = new ContentObse
rver(null)
{
jdField_a_of_type_OrgSlf4jLogger.debug("id: " + p
aramLong + " addWordsToDictionary success: " + a(
localuq.a) + str);
At this point there is no evid ence to su ggest Flash keyboard is
6.1.11 System Overlay logging keys entered by the u ser.
SYSTEM_ALERT_WINDOW This perm ission allow s an ap plication
to create w ind ow s u sing the TYPE_SYSTEM_ALERT, show n on
top of all other ap p s. The And roid d eveloper ’s site d irectly 6.2 Internet Access
states ‘‘Very few ap ps shou ld u se this perm ission; these From Ju ne 2015 Google enabled Internet access by d efau lt for
w ind ow s are intend ed for system -level interaction w ith the ap plications from And roid 6.0 [4]. Prior to this point
u ser.’’ ap plication has to requ est Internet access. The ap plication still
need s to d eclare the android.permission.INTERNET in the
It is not clear w hy Flash Keyboard requ ests th is perm ission. m anifest, bu t this is option is no longer presented to the u ser. To
This perm ission can be abu sed in a sim ilar w ay to Clickjacking confirm ; the INTERNET perm ission is d eclared in Flash
in Web Applications. Keyboard ’s m anifest file, and is therefore the granted access to
the Internet.
PENTEST LIMITED © 20166
7 TRANSMITTED DATA Analysis of the d ecod ed GZIP d ata reveals that the follow ing
inform ation w as being sent:
Analysis of the ap plication m ad e it clear it w as com m u nicating
ou t to servers in variou s cou ntries. This inclu d ed the United Device m anu factu rer
States, the N etherland s and China. The d ata going to China is
Device m od el nu m ber
possibly for the u se of analytics. Figu re 8Error! N ot a valid
bookmark self-reference. show s an exam ple a H TTP POST Device IMEI
requ est m ad e by the application w hich send encod ed d ata to And roid version
the ad d ress td cv3.talkingd ata.net. TalkingData is China’s Ow ners em ail ad d ress
largest ind epend ent Big Data service platform w ith focu s on the Wi-Fi SSID
m obile Internet. Wi-Fi MAC
Figure 8. Example of transmitted data Mobile N etw ork (e.g. Vod afone)
GPS co-ord inates accu rate to 1-3 m eters
POST /g/d HTTP/1.1 Inform ation abou t nearby Blu etooth d evices
Content-Length: 2305
Host: tdcv3.talkingdata.net Details of any proxies u sed by the d evice
Connection: close
U&?¯3õp¢cFø=k×·X3hÊiÍ•ÇzÕ±Á׆acÚ0•møÀð•‘XìäÉ•Ï•bŸ–
It is w orth noting that the Wi-Fi SSID and MAC inclu d ed all
ÄÀtpÂA:KI"£B nearby Wi-Fi access p oint not ju st the access point that d evice
---SNIP--- w as connected to.
Evid ently the application send s personal inform ation su ch as
By d ecom piling application and analysing the cod e for the em ail ad d ress and location to this Chinese analytical server
relevant class, it w as id entified that the d ata w as being encod ed w ithou t the know led ge of the u ser.
u sing GZIP. Figu re 9 show s the d ecom piled class w hich m akes
reference to GZIPOu tpu tStream and the Talking Data URL.
Figure 9. com.tendcloud.tenddata.s 8 DECEPTIVE BEHAVIOUR
Google forbid s d eceptive behaviou r and the And roid
package com.tendcloud.tenddata;
Developer Policy Center states:
import android.os.SystemClock;
import android.util.Log; ‘‘We d on’t allow ap ps that attem pt to d eceive u sers. Ap ps m u st
import java.io.ByteArrayOutputStream; provid e accu rate d isclosu re of their fu nctionality and shou ld
import java.util.Map;
import java.util.TreeMap;
perform as reasonably expected by the u ser. Apps m u st not
import java.util.zip.GZIPOutputStream; attem pt to m im ic fu nctionality or w arnings from the operating
system or other ap ps. Any changes to d evice settings m u st be
public final class s m ad e w ith the u ser ’s know led ge and consent and be easily
{
private static final di a = new di("", "tdcv3.t reversible by the u ser.’’
alkingdata.net", b, 443);
public static final String a = "tdcv3.talkingda Pentest believe that the Flash keyboard is in breaches this p olicy
ta.net"; for the follow ing reasons:
private static String b = "211.151.164.164";
private static final String c = "http://tdcv3.t
alkingdata.net/g/d"; Mim ics operating system fu nctionality by replacing
the bu ilt-in lock screen w ith its ow n.
public static boolean a(du paramdu)
{
Does not d isclose that it replaces the lock screen to
TreeMap localTreeMap = new TreeMap(); d isplay ad vertisem ents.
try Allow s ap plication u pd ates and intentionally hid es
{
ByteArrayOutputStream localByteArrayOutputS operating system notifications that w ou ld alert the
tream = new ByteArrayOutputStream(1024); u ser to the u pd ate.
GZIPOutputStream localGZIPOutputStream = ne
w GZIPOutputStream(localByteArrayOutputStream); Makes it d ifficu lt for the average u ser to u ninstall.
new co(localGZIPOutputStream).a(paramdu); Send s personal inform ation to a 3 rd party site w ithou t
localGZIPOutputStream.finish();
localGZIPOutputStream.close(); the u ser ’s know led ge.
PENTEST LIMITED © 20167
9 CONCLUSION REFERENCES
It is Pentest’s opinion that this ap plication w as not w ritten by
the d evelopers to be intentionally m aliciou s. H ow ever throu gh
d isregard for And roid ’s d evelopm ent policy and a d esire to [1 "1.5m And roid d evices activated d aily," [Online]. Available:
m onitise a free ap plication, have created an ap plication that ] http:/ / w w w.pocket-lint.com / new s/ 122459-1-5m -
d eceives u sers, gathers personal inform ation and obstru cts and roid -d evices-activated -d aily-1-billion -total-d evices-on-
u ninstallation. horizon.
In m ore sinister hand s, this ap plication cou ld covertly [2 "N u m ber of available ap plications in the Google Play
d ow nload u p d ates that w eaponises the ap plication; to exploit ] Store," [Online]. Available:
the granted privileges for m ass or even targeted su rveillance. http:/ / w w w.statista.com / statistics/ 266210/ nu m ber-of-
available-applications-in-the-google-play-store/ .
Pentest Lim ited attem pted to m ake contact w ith the d evelopers
of Flash Keyboard in ord er to m ake them aw are of this research, [3 "GitH u b - Dex2Jar," [Online]. Available:
the find ings, and to offer an explanation bu t received no ] https:/ / githu b.com / pxb1988/ d ex2jar.
resp onse.
[4 "N orm al Perm issions," [Online]. Available:
Pentest also notified Google on the 22 nd Ap ril 2016. Althou gh no ] https:/ / d eveloper.and roid .com / gu id e/ topics/ secu rity/ n
official response has been received , as of 6 th Ju ne 2016 Flash orm al-perm issions.htm l.
Keyboard appears to be rem oved from the Google Pla y Store.
Follow ing its rem oval, another ap plication called ‘‘Flash
Keyboard Lite’’ by a d eveloper called ‘‘Flash Keyboard team ’’
has since ap peared on the Google Play store. An initial
inspection this ‘‘new ’’ application ap pears to be bu ilt from the
sam e original cod ebase as Flash Keyboard .
10 TECHNICAL SPECIFICS
This section p rovid es the d etails abou t the equ ipm ent u sed
d u ring testing.
H ard w are d evice: Motorola G (3rd Generation), And roid
version 5.1.1, Bu ild N u m ber LPI23.72-47.
Ap plication: Flash Keyboard , Version: 1.0.27, MD5 H ash:
e5e2323a48959b12113206f83a094220
ABOUT PENTEST
Established in 2001, Pentest Lim ited is a lead ing international
provid er of IT secu rity, specialising in Web Ap plication Secu rity
and Penetration Testing services. Pentest consu ltants offer
expertise, flexibility, clear com m u nication and extensive
su pp ort before, d u ring and after any assessm ent. Pentest is an
ISO 27001 & 9001 accred ited organisation, com m itted to
provid ing an u np aralleled service in the Inform ation Secu rity
ind u stry. For m ore inform ation, or for fu rther d etails abou t
Pentest's services, please visit w w w.pentest.co.u k or call +44 (0)
161 233 0100.
PENTEST LIMITED © 2016You can also read
