Beware! Zombies are Coming

Wednesday 5 October 12:00 - 12:30, Red room

Zhi Xu (Palo Alto Networks)
Tongbo Luo (Palo Alto Networks)
Cong Zheng (Palo Alto Networks)

It is common for a third-party mobile SDK to maintain a communication and control (C&C) channel between the app installed with the SDK and its remote master server. For example, most mobile ad SDKs and analytics SDKs allow the SDK company's master server to collect device/user/app information, deliver content to the device, and even control certain behaviours of the app remotely.

Should the master server or the C&C channel fall into the hands of attackers, it would bring great security risks to all apps installed with the SDK (e.g. the BadNews attack in 2013). Benign apps may even turn malicious under the control of a compromised C&C channel.

Unfortunately, since the launch of the Google Android OS in 2008, a great number of mobile SDK companies have failed, leaving their SDKs and C&C channels unmaintained, and the domain names of many of these SDK companies are now available to register at a cheap price. We call those unmaintained SDKs 'zombie SDKs'.

If an attacker takes over the C&C channel of a zombie SDK, he will have control of every APK file that embeds this SDK. Furthermore, the attacker can intentionally send existing APK files containing the compromised zombie SDK to targeted victims. Since the zombie SDKs and the APK files are usually legitimate and have been published for a long time, they will easily pass an anti-virus whitelist check.

In this presentation, we will present our study of zombie SDKs:

First, we will present a survey of observed zombie SDKs, detailing the status of their master servers/domains, the capabilities gained once installed, and the security impact if an attacker takes over the domain. We will show that these ignored zombie SDKs have great potential for attackers and pose serious security risks to users.

Then, we will demonstrate two approaches that an attacker can use to launch attacks through a zombie SDK. One approach is to take control of the domain and build a malicious master server that controls the C&C channel. In this way, the attacker inherits all the capabilities of the zombie SDK's previous owner.

The other approach targets zombie SDKs that dynamically load web content (e.g. PhoneGap apps). By serving a crafted web page with malicious JavaScript code, an attacker could take advantage of the bridge between WebView and the mobile app to invoke any registered Java function, with the same permissions as the APK file.
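As an added app-side mitigation for the two risks above (example code written for this page, not code from the talk or from Palo Alto Networks), the wrapper below loads SDK web content only over HTTPS from an allow-listed host and exposes a single read-only bridge method, so a re-registered domain or an injected page cannot reach arbitrary Java methods. The class, the host `cdn.example-sdk.invalid` and the bridge name `sdkBridge` are assumed, constructed values.

```java
import android.annotation.SuppressLint;
import android.content.Context;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Set;

/** Hardened WebView wrapper for SDK-delivered content (hypothetical example). */
public final class HardenedSdkWebView {
    // Assumed: the only host the SDK may load content from (constructed value).
    private static final Set<String> ALLOWED_HOSTS = Collections.singleton("cdn.example-sdk.invalid");

    /** Accept only HTTPS URLs on the allow-listed host; everything else is blocked. */
    static boolean isAllowedUrl(String url) {
        Uri uri = Uri.parse(url);
        return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    /** Minimal bridge: only @JavascriptInterface methods are reachable from page JS
     *  (enforced by Android when targetSdkVersion >= 17). Expose no reflection, file,
     *  Intent or shell helpers here; page JS would otherwise run with the app's permissions. */
    public static final class Bridge {
        @JavascriptInterface
        public String sdkVersion() { return "1.0"; }   // harmless, read-only
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static WebView create(Context ctx) {
        WebView wv = new WebView(ctx);
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false);                       // no file:// reads from page JS
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        wv.removeJavascriptInterface("searchBoxJavaBridge_"); // legacy default interface on old releases
        wv.addJavascriptInterface(new Bridge(), "sdkBridge");
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowedUrl(url);                 // true = block the navigation
            }
        });
        return wv;
    }

    /** Apply the same check to the initial load, which does not pass through the client. */
    public static void load(WebView wv, String url) { if (isAllowedUrl(url)) wv.loadUrl(url); }
}
```

Note that shouldOverrideUrlLoading only sees top-level navigations; subresources such as scripts need shouldInterceptRequest, and since an expired domain can be re-registered with a valid certificate, certificate pinning or removing the dead SDK is the stronger control.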



Zhi Xu

Zhi Xu is a researcher in the Security Research Group of Palo Alto Networks. He works on mobile security, mobile malware analysis, automatic app analysis, etc. Prior to joining the company, he received a Ph.D. degree in computer science from Pennsylvania State University in 2012. 


Tongbo Luo

Tongbo Luo is a security researcher at Palo Alto Networks. His current research interests include cybersecurity, mobile security and security data analysis. He obtained his M.S. and Ph.D. in computer science from Syracuse University in 2014.


Cong Zheng

Cong Zheng is a mobile security researcher at Palo Alto Networks. His research mainly focuses on Android malware analysis and detection, program analysis, and system security. He has developed several Android security systems/tools including the SmartDroid, ARTDroid and APKInspector.

