Last-minute paper: We know what you did this summer: Android banking trojan exposing its sins in the cloud

Thursday 1 October 09:00 - 09:30, Green room

Stephan Huber (Fraunhofer SIT)
Siegfried Rasthofer (TU Darmstadt / CASED)
Carlos Castillo (Intel Security)
Eric Bodden (TU Darmstadt / Fraunhofer SIT)
Alex Hinchliffe (Intel Security)


Backend-as-a-Service (BaaS) solutions are a convenient way for developers to connect their apps to cloud storage. Several BaaS offerings are on the market from vendors such as Amazon, Google and Facebook, and all of them provide simple APIs for common tasks such as managing database records or files. Adding a few library classes and writing three or four lines of code is enough to integrate cloud storage into an app.

Such solutions are usually built for well-intentioned developers, but we have recently spotted two Android malware families that use a BaaS solution as well, in this case Facebook's. The malware uses it to store stolen data, to receive commands that are then executed on the infected device, and to carry out SMS-based banking fraud.

The malware authors, however, were apparently unaware of how to configure a BaaS backend securely, which made it easy for us to gain access to all the data they stored there. This gave us insight into their C&C protocol and into all the sensitive data they had stolen, including balance inquiries for the credit cards associated with the device and attempts to make payments and fraudulently transfer funds via SMS messages during June and July 2015. To extract the required data from malicious apps automatically, we developed an automatic exploit generator that recovers the credentials embedded in an app, even when they are obfuscated, and uses them to access the corresponding BaaS backend.
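To make the extraction step concrete, here is an added example (not the authors' tool and not code from the paper): a small Python extractor over apktool-style output that harvests string constants from resources and smali and peels off the trivial obfuscation layers (base64, single-byte XOR) that such apps often hide keys behind. The sample strings.xml and smali, the key values, the helper class names and the 40-hex-character key shape are all constructed assumptions for this example; a real app's decoder routine would have to be reimplemented or executed instead of brute-forced.

```python
"""Added example: recover BaaS credentials from a decoded Android app.

Assumptions (this example's, not the paper's): keys are 40 hex characters
and are stored either in plaintext or behind base64 / base64-over-XOR.
All sample data below is constructed; the key values are fake.
"""
import base64
import re

# Assumed key shape; adjust KEY_RE for the SDK actually targeted.
KEY_RE = re.compile(r"^[0-9a-f]{40}$")

# The two places a decoded app keeps string constants: res/values/strings.xml
# and `const-string` instructions in smali.
STRINGS_XML_RE = re.compile(r'<string name="([^"]+)">([^<]*)</string>')
SMALI_CONST_RE = re.compile(r'const-string(?:/jumbo)? [vp]\d+, "((?:[^"\\]|\\.)*)"')


def _xor_b64(secret, key):
    """Trivial obfuscation, used only to build the constructed sample below."""
    return base64.b64encode(bytes(b ^ key for b in secret.encode())).decode()


# Constructed sample data (fake values, fake class names).
FAKE_APP_ID = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"
FAKE_CLIENT_KEY = "0f1e2d3c4b5a69788796a5b4c3d2e1f001020304"

SAMPLE_STRINGS_XML = f"""<resources>
    <string name="app_name">Helper</string>
    <string name="baas_app_id">{FAKE_APP_ID}</string>
</resources>
"""

# The client key is stored XOR-0x5A'd and base64-encoded, then passed through
# a helper that the app's own code decodes at class initialisation.
SAMPLE_SMALI = f"""
.method static constructor <clinit>()V
    const-string v0, "{_xor_b64(FAKE_CLIENT_KEY, 0x5A)}"
    invoke-static {{v0}}, Lcom/example/Obf;->d(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    sput-object v0, Lcom/example/Cfg;->clientKey:Ljava/lang/String;
    const-string v1, "https://api.example.invalid/1/classes/"
    return-void
.end method
"""


def string_constants(strings_xml, smali):
    """Collect every string literal the decoded app exposes (resources + code)."""
    found = [value for _, value in STRINGS_XML_RE.findall(strings_xml)]
    found += SMALI_CONST_RE.findall(smali)
    return found


def deobfuscation_candidates(literal):
    """Yield (plaintext, layer) for the literal itself and for the simple
    reversible encodings this example understands: base64, and base64 over a
    single-byte XOR (all 256 keys tried)."""
    yield literal, "plain"
    try:
        raw = base64.b64decode(literal, validate=True)
    except ValueError:  # binascii.Error: not base64 / bad padding
        return
    for key in range(256):
        try:
            text = bytes(b ^ key for b in raw).decode("ascii")
        except UnicodeDecodeError:
            continue
        yield text, "base64" if key == 0 else f"base64+xor(0x{key:02x})"


def find_credentials(strings_xml, smali):
    """Map each recovered key-shaped value to the layer it was found under."""
    creds = {}
    for literal in string_constants(strings_xml, smali):
        for text, layer in deobfuscation_candidates(literal):
            if KEY_RE.match(text) and text not in creds:
                creds[text] = layer
    return creds


if __name__ == "__main__":
    for value, layer in find_credentials(SAMPLE_STRINGS_XML, SAMPLE_SMALI).items():
        print(f"{layer:>18}: {value}")
```

Recovering the credentials is only the first step. A BaaS client key is expected to ship inside the app, so the data exposure the paper describes comes from the backend side: if the backend's classes grant read or write access to any client presenting the application id and client key, rather than to authenticated users under per-object ACLs, then whoever extracts those constants can enumerate everything the malware stored. Checking those class-level permissions with the recovered credentials is what turns the extracted strings into the data access described above.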
