Join the phishing dots to detect suspicious mobile apps
Carlos Díaz presents a study showing how, with the help of Tacyt and Sinfonier, it is easy to find apps on Google Play that reference other apps hosted in alternative locations, which are potential “downloaders” or “adware”. The goal is to visually present the relationships between these “embedded” programs, the Google Play apps that reference them and their developers. By analyzing the shape of these graphs, an analyst can identify patterns of embedded apps that could be malicious.
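The following is an added example, not code from the talk, from Tacyt or from Sinfonier. It assumes that a query has already produced, for each store app, its package name, its developer and the APK download URLs found inside it (the records below are constructed). It builds the three-way relationship graph the abstract describes, emits it in Graphviz DOT for visual review, and flags the pattern an analyst would look at first: a single external APK referenced by many store apps that belong to only one or two developers.

```python
"""
Relationship graph between Google Play apps, the external APKs they reference
("embedded" programs) and their developers, with a simple pattern check.
Example code; the input format and the thresholds are assumptions.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records (invented values, not real apps or hosts).
SAMPLE_APPS = [
    {"package": "com.example.flashlight", "developer": "dev-a",
     "refs": ["http://cdn.example.net/ads/bundle.apk"]},
    {"package": "com.example.wallpaper", "developer": "dev-a",
     "refs": ["http://cdn.example.net/ads/bundle.apk"]},
    {"package": "com.example.ringtones", "developer": "dev-b",
     "refs": ["http://cdn.example.net/ads/bundle.apk",
              "http://mirror.example.org/market.apk"]},
    {"package": "com.example.cleaner", "developer": "dev-b",
     "refs": ["http://cdn.example.net/ads/bundle.apk"]},
    {"package": "com.example.notes", "developer": "dev-c",
     "refs": []},
]


def build_graph(apps):
    """Return three adjacency maps:
    embedded URL -> store packages referencing it,
    embedded URL -> developers of those packages,
    developer    -> store packages they publish."""
    embedded_to_apps = defaultdict(set)
    embedded_to_devs = defaultdict(set)
    dev_to_apps = defaultdict(set)
    for app in apps:
        dev_to_apps[app["developer"]].add(app["package"])
        for ref in app["refs"]:
            embedded_to_apps[ref].add(app["package"])
            embedded_to_devs[ref].add(app["developer"])
    return embedded_to_apps, embedded_to_devs, dev_to_apps


def suspicious_embedded(apps, min_apps=3, max_devs=2):
    """Flag embedded programs referenced by at least `min_apps` store apps
    that are published by at most `max_devs` developers. Many apps funnelling
    users to one APK from a small developer cluster is the downloader/adware
    shape described in the abstract; the thresholds are assumed, not from the talk."""
    embedded_to_apps, embedded_to_devs, _ = build_graph(apps)
    flagged = []
    for ref, pkgs in embedded_to_apps.items():
        devs = embedded_to_devs[ref]
        if len(pkgs) >= min_apps and len(devs) <= max_devs:
            flagged.append({
                "embedded": ref,
                "host": urlparse(ref).hostname,
                "apps": sorted(pkgs),
                "developers": sorted(devs),
            })
    # Most-referenced embedded program first.
    return sorted(flagged, key=lambda f: -len(f["apps"]))


def to_dot(apps):
    """Render developer -> app -> embedded edges as Graphviz DOT so the
    graph can be inspected visually (e.g. with `dot -Tpng`)."""
    embedded_to_apps, _, dev_to_apps = build_graph(apps)
    lines = ["digraph apps {"]
    for dev, pkgs in sorted(dev_to_apps.items()):
        for pkg in sorted(pkgs):
            lines.append(f'  "{dev}" -> "{pkg}" [label="publishes"];')
    for ref, pkgs in sorted(embedded_to_apps.items()):
        for pkg in sorted(pkgs):
            lines.append(f'  "{pkg}" -> "{ref}" [label="references"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in suspicious_embedded(SAMPLE_APPS):
        print(f"{hit['embedded']} <- {len(hit['apps'])} apps "
              f"from {len(hit['developers'])} developer(s)")
    print(to_dot(SAMPLE_APPS))
```

On the sample data only `bundle.apk` is flagged (four store apps, two developers); `market.apk` is referenced by a single app and stays below the threshold. Real analysis would feed the DOT output to a graph tool and let the analyst judge the shape, as the abstract describes; the threshold check is just a first filter.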
Oh! the BIOS
David Barroso, CTO of ElevenPaths, will be talking about the BIOS, that component we have all heard of but whose operation we know nothing about. In theory, it is the ideal place for running malicious code, since it is the first thing that runs when we turn on a computer: the perfect place for storing malicious code, because (almost) nobody is going to look for something unusual there… Although there have been public investigations of BIOS infections for nearly 10 years, the topic became really popular with the #BadBIOS controversy and later with Snowden’s documents, giving rise to much concern on this issue. For many years, research groups in several countries have been investigating how to take control of the BIOS (or UEFI in the latest computers), and Snowden has shown that some countries are actively using this research in CNE operations.
Chasing Shuabang in App Stores
We will also present in detail the investigation we carried out in the lab in late 2014, which discovered a completely new malware model hosted on Google Play: Shuabang. ElevenPaths detected dozens of malicious apps hosted on Google Play that were intended for Shuabang, or BlackASO (Black Hat App Store Optimization). The malicious apps linked false accounts with the victim’s actual device, thus achieving very credible accounts. With these accounts, the attacker would send tasks to the victims so they would download new apps. The user’s account remained safe, but not their personal data on the phone. The attacker needed a database of more than 12,000 Gmail accounts to complete the attack, which represented a real novelty in the world of malware for Android.