Many Android talks on the 2nd day of VB2013! Actually, the importance of mobile threats is something everybody has observed here, and Helen Martin even started the conference mentioning the fact. What a difference compared to conferences 2 or 3 years ago!
In America or Europe, people often tend to think that malware are only "important" if found in Google Play. Rowland however stated an important fact: in China, there are over 400 popular stores, it's not just Google Play or Amazon's store. He continued with explanation & video of how Android/GinMaster works (Fortinet's description is here).
He also presented the economic model of the malware. The malware author has agreements to promote some legitimate applications and gets revenue from their installation. He also gets revenue by generating ad traffic. Rowland estimates he makes up to 160,000 $ per month...
The paper is really worth reading too!
Samir went into several obfuscation techniques for Dalvik executables. - building the app in debug mode to include useless debug information - encrypt strings and have them decrypted at runtime (e.g Android.Obad.A) - use proguard (free, and promoted by Android) - obfuscate Dalvik byte-code with several goto instruction to jump here and there in the code - split a constant in two - obfuscate byte code via JNI Once again, the paper is really worth reading too, far more detailed and well organized.
Ross presented how they managed to sinkhole ~500,000 bots of the ZeroAccess P2P botnet (more than half). Each bot has a small list of other peers to contact (16 exactly) and whenever they communicate with another peer they exchange lists and keep the most recent entries. So, they sinkholed bots by sending them invalid peer entries with recent timestamps. End of June 2013, a second version of the botnet was however released, and much more resilient to sink holing. You can read more about this in this white paper.
Robert presented Hesperbot, a new botnet, whose peek activity was reported between July and September 2013. The implementation appears to have been written from scratch (it is not just a new instance of ZeuS). Hesperbot starts with some phishing emails (in UK and CZ, the emails come from fake postal services) which trick the victims into installing a dropper (W32/Hesperbot). The dropper downloads malware that performs man in the browser attacks (web injection) and several other functionalities: keystroke logging, screenshots, video capture, socket proxying and a hidden VNC server. That's for the component on Windows. Like ZeuS or SpyEye, there is a mobile component - that we actually have written a description for.
Hesperbot kits are not (yet?) found on the underground market. They are however already stealing real money from banks, and banks have been receiving complaints from customers who lose money.
-- the Crypto Girl
Come back for Part 3 on Monday! VB 2013 Day 3