Last-minute paper: Webview is far more than a 'view'

Thursday 5 October 09:30 - 10:00, Green room

Rowland Yu (Sophos)



Android's Webview, as described by Google, is a view that enables Android apps to display web content. Today, it is far more than just a 'view': using a Webview allows developers to utilize advanced web technologies such as CSS, iframe and JavaScript to build apps. In this way, Webview not only changes the landscape of the web but also weakens the web's security infrastructure.

The recently discovered WireX botnet used up to 100 Webview instances at a time to launch DDoS attacks. In May 2017, 'Judy', possibly the largest Android adware, employed an invisible Webview on top of a game to load a malicious JavaScript payload capable of locating and clicking on Google Ads banners. This advanced adware, disclosed on Google Play, might have infected upwards of 36.5 million users to date. Two months later, another 300 apps were uncovered on Google Play which can also generate fraudulent advert clicks by randomly selecting links in a Webview. Apart from click fraud, traditional and browser-based phishing attacks have taken advantage of Webview to support dozens of apps on Google Play targeting online payment companies. Furthermore, over the last few years Webview has been found working in collusion with other malicious technologies to perform clickjacking and activity hijacking attacks.

By exploiting Webview with a dynamic URL, malicious apps are able to bypass the Google Bouncer scanner as well as AV detection. A dynamic URL also enables attackers to load different pages without having to update the apps. Moreover, JavaScript code injected into a Webview allows malicious apps to steal sensitive and confidential information and to control apps without user interaction. This presentation will take a closer look at Webview.

 

Rowland Yu

Rowland Yu is a Senior Threat Researcher Level 2 at Sophos, where he is the primary researcher leading the Android team for malware analysis and emerging threats. He has over 10 years of experience and knowledge in advanced threat research, reverse engineering and remediation, vulnerability assessment, spam and DLP (data leakage protection). Rowland is also a regular speaker at the RSA, Virus Bulletin and AVAR conferences.




Other VB2017 papers

Keynote address: Inside Cloudbleed

John Graham-Cumming (Cloudflare)

In February 2017, Cloudflare was revealed to have been leaking private information including HTTP headers, cookies and POST data…

The state of cybersecurity in Africa: Kenya

Tyrus Kamau (Euclid Consultancy)

The cyber threats Kenya faces range from basic hacking such as website defacements, financial fraud, social media account…

XAgent: APT28 cyber espionage on macOS

Tiberius Axinte (Bitdefender)

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…