[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN
1 like1,339 views
The document analyzes Android bootkit malware, focusing on the Oldboot bootkit, which infects the boot partition of Android devices. It highlights the stealth techniques employed by bootkits to bypass kernel-level security, making them difficult to detect. The analysis includes details about the infection process, components, and the functionality of the malware, demonstrating a new method of attack on Android systems.
[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN
- 1. Android Bootkit Malware Analysis Kim, Hobin [email protected] www.CodeEngn.com 2014 CodeEngn Conference 11
- 2. What is Bootkit? • Bootkit = Rootkit + Boot capability • Boot sector of a disk is infecting the host when introduced at the boot process. • Ex) Windows MBR Rootkit
- 3. Android Boot Partition • Android devices’ boot partition uses RAM disk file system • Consist of Linux kernel(zImage) & root file system ramdisk(initrd; initial ramdisk)
- 4. Android Boot Process Bootloader Kernel(Linux) init(init.rc) • init process is first process on Android
- 5. Stealth Technic of Android Bootkit • Modifying devices’ boot partition and booting script during early stage of system’s booting for hiding and protecting itself • Launching system service as root and extracting malware app as system app
- 6. Characteristics of Android Bootkit • Bypass built-in kernel-level security restrictions • Difficult to detect and cure by AV
- 7. Oldboot; The First Android Bootkit • Oldboot • Reported by Qihoo360 in China • The first bootkit officially found on Android in the wild • More than 500,000 Android devices infected in China • Proof that the boot partition of Android could be infected easily
- 8. How Android Can Be Infected? • The attacker has a chance to physically touch the devices, and flash a malcious boot.img image files to the boot partition of the disk
- 9. How Android Can Be Infected? (cont) • Qihoo360 found the infected device in big IT mall in Beijing • the recovery partition has been replaced by a custom recovery ROM. and the timestamp of all files in the boot partition are the same.
- 10. How Android Can Be Infected? (cont) • based on Qihoo’s cloud security technology, they figured out almost infected devices are only well-known device such as the Galaxy Note II
- 11. Oldboot Bootkit’s Components • Oldboot.a • init.rc (modified) • imei_chk (located at /sbin) • libgooglekernel.so (located at /system/lib) • GoogleKernel.apk (located at /system/app)
- 12. Analyzing init process(init.rc) • Content of the modified init.rc • Adding imei_chk service as root
- 13. Analyzing imei_chk • Extract so files
- 14. Analyzing imei_chk (cont) • Extract apk files
- 15. Analyzing imei_chk (cont) • Socket listening & read
- 16. Analyzing imei_chk (cont) • executes received commands
- 17. Analyzing GoogleKernel.apk • GoogleKernel.apk’s AndroidManifest.xml
- 18. Analyzing GoogleKernel.apk (cont) • GoogleKernel.apk’s AndroidManifest.xml
- 19. Analyzing GoogleKernel.apk (cont) • BootRecv service
- 20. Analyzing GoogleKernel.apk (cont) • EventsRecv service
- 21. Analyzing GoogleKernel.apk (cont) • Dalvik service
- 22. Analyzing GoogleKernel.apk (cont) • Incomplete malicious function
- 23. Analyzing GoogleKernel.apk (cont) • Communicate with libgooglekernel.so by JNI
- 24. Analyzing libgooglekernel.so • Connecting to its C&C Servers to download configuration files
- 25. Analyzing libgooglekernel.so (cont) • Location of C&C Server
- 26. Analyzing libgooglekernel.so (cont) • Location of C&C Server
- 27. Analyzing libgooglekernel.so (cont) • Downloading APK file
- 28. Analyzing libgooglekernel.so (cont) • Downloading APK file
- 29. Analyzing libgooglekernel.so (cont) • Installing downloaded APK as system application
- 30. Analyzing libgooglekernel.so (cont) • Deleting system application
- 31. Oldboot.a Running Flow Chart init process init.rc system server imei_chk GoogleKernel.apk libgooglekernel.so JNI socket
- 32. Preview point of Android Bootkit Malware • Totally new malware attack method on Android • Not only apk can be infected
- 33. References • Oldboot: the first bootkit on Android, Zihang Xiao, Qing Dong, Hao Zhang & Xuxian Jiang, Qihoo 360 • Advanced Bootkit Techniques on Android, Zhangqi Chen & Di Shen @SyScan360 • Android Hacker’s handbook, Drake, Oliva Fora, Lanier Mulliner, Ridley, Wicherski, Wiley • 인사이드 안드로이드, 송형주, 김태연, 박지훈, 이백, 임기영, 위키북스 • 안드로이드의 모든 것 분석과 포팅, 고현철, 유형목, 한빛미디어 • http://contagiominidump.blogspot.kr/
- 34. Q & A Any question so far? www.CodeEngn.com 2014 CodeEngn Conference 11