Mobile Security - TV interview and demo
In one of the TV programs I was interviewed on a few years ago, an active internet user was invited to participate in a test to assess her awareness of security when using her mobile phone. She was asked to join an interview about all the things she would do online, and during the few minutes of the interview I was tasked with taking over her PayPal account. As a matter of fact, she was quite vigilant about protecting herself online. To avoid any liability issue, both mobile devices, the one used by her and the one used by the TV program host, were prepared by me ahead of time, and new PayPal accounts, owned by the TV program producer and host, were created on-site during the test. She was asked to open a PayPal account and set up a password during the interview, and the host immediately transferred HKD 10,000 to her account. After a few minutes, I signalled to the host that I was done, and the participant was asked to check her account balance; naturally, she failed to log back in to her account. She suspected her password had been changed and proceeded to reset it to log in again, only to find that all her money was gone. I don't have a copy of the TV show, but luckily someone made a cut and posted it here - https://www.youtube.com/watch?v=WNbxkzN2irY&t=8s
This illustrates the problem of mobile malware. On the device used by the host to transfer money to the participant's account, I had patched a popular keyboard app by modifying the Java bytecode of the software, inserting instructions to capture all keystrokes and send them to my computer. On the participant's device I had patched the SMS app to intercept her SMS OTP when I requested a password reset on PayPal for her account using the "Forgot Password" flow; at the same time the SMS OTP was removed from her phone. I had also patched the TV app to inject a Meterpreter payload, which I could command and control, and as a result the entire interview was recorded through the phone's microphone as well as the camera without the users' knowledge, even though the phone had been put into standby mode.
Modifying Java bytecode may not be as hard as many people think, though it requires a certain level of technical skill. Here is a simple illustration from my YouTube channel of patching a desktop Java application - https://www.youtube.com/watch?v=bRQP1yhKu5c&t=6s The major difference is that the desktop JVM is a stack machine (instructions push and pop operands on an operand stack), whereas Android's Dalvik bytecode is register-based (instructions name virtual registers such as v0 and p1), but the principles are the same. Apktool is my favourite tool when working with Android apps. It decodes an APK into editable smali files and rebuilds the APK after patching.
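As an added illustration (not the patched apps from the show, and not code from the original post), the block below shows the kind of edit Apktool makes possible, using the register-based smali that Apktool produces. It assumes a hypothetical keyboard class com.example.keyboard.KeyHandler whose onKey(String) method passes each committed string to a TextSink field, and a hypothetical Hook class added to the decoded APK; the patch inserts a single invoke-static that hands the same string to the hook before the original code runs. The hook shown only writes to logcat, not to the network, and the javap-style JVM listing in the leading comment is written by hand for comparison. Two smali files are shown together, separated by comments naming them.

```smali
# Added example, not from the original post. Hypothetical classes:
# com.example.keyboard.KeyHandler (the method being patched) and
# com.example.keyboard.Hook (the new class added to the decoded APK).
#
# For comparison, the same method on a desktop JVM (javap -c style) is
# stack-based, and the hook would be two instructions inserted at offset 0:
#     aload_1                 // push the String argument onto the operand stack
#     invokestatic  Hook.capture:(Ljava/lang/String;)V
#     aload_0 / getfield sink / aload_1 / invokevirtual commit / return
#
# --- smali/com/example/keyboard/KeyHandler.smali (patched method) ---
.method public onKey(Ljava/lang/String;)V
    # 3 registers: v0 is a local, p0 (= v1) is 'this', p1 (= v2) is 'text'.
    # Dalvik names operands by register instead of pushing them on a stack.
    .registers 3
    .param p1, "text"

    # Inserted by the patch: forward the committed text to the hook.
    # p1 is only read, so the original code below is unaffected.
    invoke-static {p1}, Lcom/example/keyboard/Hook;->capture(Ljava/lang/String;)V

    # Original body: this.sink.commit(text)
    iget-object v0, p0, Lcom/example/keyboard/KeyHandler;->sink:Lcom/example/keyboard/TextSink;
    invoke-virtual {v0, p1}, Lcom/example/keyboard/TextSink;->commit(Ljava/lang/String;)V

    return-void
.end method

# --- smali/com/example/keyboard/Hook.smali (new file added to the decoded APK) ---
.class public Lcom/example/keyboard/Hook;
.super Ljava/lang/Object;

.method public static capture(Ljava/lang/String;)V
    # 2 registers: v0 is a local, p0 (= v1) is the String parameter.
    .registers 2
    .param p0, "text"

    # android.util.Log.d(String tag, String msg) returns an int, left unused here.
    const-string v0, "KeyHook"
    invoke-static {v0, p0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    return-void
.end method
```

The workflow is apktool d on the original APK, editing the smali as above, apktool b to rebuild, then zipalign and apksigner sign. The rebuilt APK has to be signed with the patcher's own key, so its signing certificate no longer matches the publisher's; `apksigner verify --print-certs app.apk` shows that certificate and is the quickest check that a sideloaded build is a repackaged one.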
Then the final question is, how does the malicious app get onto the victim's device in the first place? Well, there are many means, especially for Android. Of course there are chances to slip through the vetting process and get the app published, and an unsuspecting user may install an untrusted app, but there are other ways as well. In future posts I will demonstrate infecting a device using a rogue charger, and in another example fileless malware is used to first infect the victim's computer, which is often trusted, so that the compromised computer can then be used as a stepping stone to plant malware on the victim's mobile device. Stay tuned.
My YouTube channel - https://www.youtube.com/channel/UCXSZyDvr7tpT62t3XvdCc3w