It’s always tough to get a ticket for Washington D.C.’s ShmooCon hacker conference. Just over 1,200 tickets were available in three rounds of ticket sales for the January 28-30 event. It’s a sign of the conference’s popularity that each round sold out in under 10 seconds. At about a third of the size of a larger conference like Black Hat, it’s much easier to talk to the speakers without fighting with a crowd. Past years have had good presentations on mobile phone security and this year is no exception.
Starting off the batch is a presentation on Android security by researchers Jon Oberheide and Zach Lanier. They’ve previously had success with social-engineering users into downloading malicious proof of concept (PoC) apps. Their last app pretended to be an update for the Android version of the Angry Birds game. The timing was fortunate as it was after the release of the game, but before the official game update. Instead of offering new levels of bird launching fun, the app exploited a security flaw that allowed it to download additional malicious programs without the user’s permission. The talk promises similar fun with the OS and an extension to third-party apps.
Anti-malware researchers Axelle Apvrille and Kyle Yang will do a detailed teardown of Symbos/Zitmo.A. Zitmo.A was the mobile phone spyware used by the criminals behind the Zeus botnet to steal mTANs/TACs (Mobile Transaction Authorization Numbers/Codes). Your bank will send an mTAN to your mobile phone by SMS. An attacker would need to steal both your banking login and password (using the Zeus Trojan) and the SMS containing the currently active mTAN (with SymbOS/Zitmo.A or other spyware). The researchers will show how it works and a bit of how it may have been designed by the malware authors.
Recent threats like Android/Geinimi.A have generated a lot of interest in Android reverse engineering. Security Researcher Scott Dunlop’s talk will cover methods using the Android SDK and emulator and other open-source tools for tearing apart, instrumenting, and modifying Android apps. The talk will include a practical example showcasing the reverse-engineering process on a mobile antivirus app. Dunlop will go over how it updates its signatures, how its SMS scanning functions, and the security of its network communication–essentially a case study on how not to write security software.
Mobile apps have access to a lot of personal information. We’ve already seen the type and quantity of personal information available from iOS to an attacker using PoC spyware. Using an app to access your favorite social network might seem safe, especially since our personal data and that of our friends and contacts is stored in the cloud. Computer forensics investigator Sarah Edwards will enlighten us, in detail, on how that might not be entirely accurate.
Mobile botnets are a growing area of research, with investigators looking into various smartphone platforms and methods for command and control (C&C). Security researcher Georgia Weidman will look into botnets evading detection on Android phones. The presentation will include a demo with a live Android botnet controlled via SMS messages. Weidman extends Collin Mulliner and Charlie Miller’s research on fuzzing SMS to help hide the C&C channel and messages from the user. The talk will also cover issues relating to securing the botnet from takeover by other attackers.
Mobile phones aren’t the only things under attack; the mobile networks are also at risk. Although attacks against GSM networks are becoming common and easier to perform, attacks against new 3G and 4G networks are still rare or unknown. Researchers Enno Rey and Daniel Mende will attempt to change that with their presentation on the security architecture of new mobile networks. The researchers will provide tales from their experience in testing real-world networks, and not just discuss theoretical attacks.
This year there are nearly twice as many smartphone-related talks as at last year’s Shmoocon. It looks like the start of an interesting year in smartphone and mobile threat research.