SlideShare a Scribd company logo
1 of 34
Download to read offline
TLP:WHITE
From FakeSpy to Guerilla
Understanding Android Malware Crime Gangs
Fyodor Yarochkin (with help of Paul Pajeres, Vladimir Kropotov, Ecular Xu,
Zhengyu Dong)
Trend Micro Research
Copyright 2021 Trend Micro Inc.
2 TLP:WHITE
Introduction
Copyright 2021 Trend Micro Inc.
3 TLP:WHITE
Why Mobile phones are targets?
• Mobile often phones ~= ATM cards with
Antennas
• Telecom carriers ~= Banking Institutions
• Less regulated, more connected, easier to break,
compromise and remotely control
Copyright 2021 Trend Micro Inc.
4 TLP:WHITE
Reasons for Android Phones being targetd
1. Money theft
2. Cyber espionage
3. Data breaches
4. Ransomware (targeted)
5. Crypto currencies
Copyright 2019 Trend Micro Inc.
5 TLP:WHITE
Geographical specifics
• Many online IDs are bound to a phone in
China
• Mobile Phones allow balance transfers in a
number of countries including china, india
• Verified phone numbers in some countries
allow caller impersonation
Copyright 2021 Trend Micro Inc.
6 TLP:WHITE
Criminals interest in android platforms?
• Money (banking)
• Virtual currencies
• Access to other apps and accounts in bulk
• Access to phone numbers
Copyright 2021 Trend Micro Inc.
7 TLP:WHITE
Numbers are valuable commodity
Copyright 2021 Trend Micro Inc.
8 TLP:WHITE
Lets take a look at some examples
• Fakespy
• Anubis
• Guerilla
Copyright 2021 Trend Micro Inc.
9 TLP:WHITE
A good illustration what hackers want from a
phone
• Mail
• Storage
• Finance
• Online accounts
• Crypto currencies
Copyright 2021 Trend Micro Inc.
10 TLP:WHITE
Fakespy
Copyright 2021 Trend Micro Inc.
11 TLP:WHITE
How It Works
SMS with malicious link
Poses as courier service,
Chrome update, others.
Prompt to install
malicious iOS profile
to configure Wifi, email
accounts, etc
Prompts to install
malicious Android
app
Display Apple phishing
or illegal Casino site
Monitor device activity
like SMS, device info,
router, mobile transactions
Connect to SNS account
Decrypt content and reveal
real C2 server
Send and receive information
Spread SMS to contacts
Copyright 2021 Trend Micro Inc.
12 TLP:WHITE
Lifecycle of Fakespy Apps
Oct 2017
Dec 2017 Jun 2018
Korean banks
(NH Capital,
KB Kookmin,
Nonghyup Bank)
Apr 2019
Oct
2019
2,000+ fake apps
up to Nov
Label: 日本郵便
Aug
2019
5,400+
fake apps
up to Nov
Label: DHL
Paket 4 fake apps
Label: Die Post
Jul
2019
1,400+ fake apps
up to Nov
Label: 智能宅急
便
Started Feb 2016
around 800+ fake
apps until Aug 2019
1200+ fake apps
in Sep 2019 to Nov
Label: CJ 대한통운
Sep
2019
20,000+ fake apps
since 2015
Label: Chrome
600+ fake apps
since 2017
Label: Facebook
21,600+ fake apps
since 2017
Label: 佐川急便
Xloader started Jun 2018
Fakespy started Dec 2017
70+ fake apps
Oct & Nov 2019
Label: ヤマト運輸
50+ fake apps
Mar to Sep 2019
Label: SEX kr porn
2 fake app MyDocomo
800+ fake apps
Mar to Oct 2019
Label: Anshin Scan
Copyright 2019 Trend Micro Inc.
13 TLP:WHITE
Use of social networks as covert channel
Copyright 2021 Trend Micro Inc.
14 TLP:WHITE
Fakespy
• Fakespy does not target banks but
• collects contact information, intercepts SMS
• and propagates via SMS. Common lures are
• Japan Post, Sagawa Express and Chrome
Copyright 2021 Trend Micro Inc.
15 TLP:WHITE
Fakespy derrivatives
• FakeOps: targets europe (appeared during Covid)
• Xloader: banks in Japan
Copyright 2021 Trend Micro Inc.
16 TLP:WHITE
Fakespy vs Xloader
0
50,000
100,000
150,000
200,000
250,000
300,000
350,000
Jan-19
Feb-19
Mar-19
Apr-19
May-19
Jun-19
Jul-19
Aug-19
Sep-19
Oct-19
Nov-19
Dec-19
Jan-20
Feb-20
Mar-20
Apr-20
May-20
Jun-20
Jul-20
Aug-20
FakeSpy Xloader
Copyright 2021 Trend Micro Inc.
17 TLP:WHITE
Victims and Infrastrcture
• Asia: Korea, Japan, Singapore
• Some countries in Europe
• Infrastructure: geographically diverse
Copyright 2021 Trend Micro Inc.
18 TLP:WHITE
Anubis
Copyright 2019 Trend Micro Inc.
19 TLP:WHITE
What is Anubis?!
Copyright 2019 Trend Micro Inc.
20 TLP:WHITE
Anubis backend
Copyright 2019 Trend Micro Inc.
21 TLP:WHITE
Anubis communications
Copyright 2019 Trend Micro Inc.
22 TLP:WHITE
Objective of Anubis actions: $$$
MONEY!
Copyright 2019 Trend Micro Inc.
23 TLP:WHITE
Copyright 2021 Trend Micro Inc.
24 TLP:WHITE
Guerilla
Copyright 2019 Trend Micro Inc.
25 TLP:WHITE
Copyright 2019 Trend Micro Inc.
26 TLP:WHITE
Copyright 2019 Trend Micro Inc.
27 TLP:WHITE
Guerilla app testing lifecycle
Copyright 2019 Trend Micro Inc.
28 TLP:WHITE
Debugging statements in some modules
Copyright 2019 Trend Micro Inc.
29 TLP:WHITE
Lots of other functionality
Copyright 2019 Trend Micro Inc.
30 TLP:WHITE
functionality (2)
paramBundle = c.b("{n "birthday": {n "year":
1966,n "month": 6,n "day": 25n },n
"gender": "female",n "username":
"biukabiuka88" + new Random().nextInt(1000) + "",n
"passwd": "d0b22405db",n "key":
Copyright 2019 Trend Micro Inc.
31 TLP:WHITE
Many victims, globally
Copyright 2019 Trend Micro Inc.
32 TLP:WHITE
ConclusionJ
Trust your phone?
Verify your phone?
Protect phone?
Copyright 2019 Trend Micro Inc.
33 TLP:WHITE
Protect your phone :p
my phone – my
bastion J
Questions? ;-)
Iphone J
Copyright 2021 Trend Micro Inc.
34 TLP:WHITE
Thank You!
QUESTIONS => FYODOR_YAROCHKIN@TRENDMICRO.COM

More Related Content

What's hot

10 of the Top Data Breaches of the Decade
10 of the Top Data Breaches of the Decade10 of the Top Data Breaches of the Decade
10 of the Top Data Breaches of the Decadestudentinternetdeals33
 
What is sim swipe fraud
What is sim swipe fraudWhat is sim swipe fraud
What is sim swipe fraudCyberSangam
 
Mobile Payments Overview
Mobile Payments OverviewMobile Payments Overview
Mobile Payments OverviewToveri
 
Payment Week - Andrew Barnes, Managing Director___Gemalto
Payment Week - Andrew Barnes, Managing Director___GemaltoPayment Week - Andrew Barnes, Managing Director___Gemalto
Payment Week - Andrew Barnes, Managing Director___GemaltoAndrew Barnes
 
Keep your office secure
Keep your office secureKeep your office secure
Keep your office secureKonica Minolta
 
Driving Payment Innovation - Know Your Enemy
Driving Payment Innovation - Know Your EnemyDriving Payment Innovation - Know Your Enemy
Driving Payment Innovation - Know Your EnemyFirst Atlantic Commerce
 
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
 Business Fraud and Cybersecurity Best Practices in the Office or While Worki... Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...ArielMcCurdy
 
Issues and ethics in finance (fin 657) - How hackers steal $81 million in Ban...
Issues and ethics in finance (fin 657) - How hackers steal $81 million in Ban...Issues and ethics in finance (fin 657) - How hackers steal $81 million in Ban...
Issues and ethics in finance (fin 657) - How hackers steal $81 million in Ban...Hafizah Jupri
 
Kin (Bright Policy)
Kin (Bright Policy)Kin (Bright Policy)
Kin (Bright Policy)Daniel Rosen
 
Online payment gateway service providers testware informatics
Online payment gateway service providers testware informaticsOnline payment gateway service providers testware informatics
Online payment gateway service providers testware informaticsyathishbesant
 
Ready.estate pitchdeck
Ready.estate pitchdeckReady.estate pitchdeck
Ready.estate pitchdeckChris Hamby
 
Law enforcement agencies grappling with spike in multi-million-dollar cyber s...
Law enforcement agencies grappling with spike in multi-million-dollar cyber s...Law enforcement agencies grappling with spike in multi-million-dollar cyber s...
Law enforcement agencies grappling with spike in multi-million-dollar cyber s...Bigger Price
 
Cybercrime and Business Process Hacking
Cybercrime and Business Process HackingCybercrime and Business Process Hacking
Cybercrime and Business Process HackingRichard Stiennon
 
ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019- Mark - Fullbright
 
The Cost Of Hacking
The Cost Of HackingThe Cost Of Hacking
The Cost Of Hackingbluecoatss
 
30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teachin...
30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teachin...30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teachin...
30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teachin...Jonathan Care
 

What's hot (18)

10 of the Top Data Breaches of the Decade
10 of the Top Data Breaches of the Decade10 of the Top Data Breaches of the Decade
10 of the Top Data Breaches of the Decade
 
What is sim swipe fraud
What is sim swipe fraudWhat is sim swipe fraud
What is sim swipe fraud
 
Mobile Payments Overview
Mobile Payments OverviewMobile Payments Overview
Mobile Payments Overview
 
Payment Week - Andrew Barnes, Managing Director___Gemalto
Payment Week - Andrew Barnes, Managing Director___GemaltoPayment Week - Andrew Barnes, Managing Director___Gemalto
Payment Week - Andrew Barnes, Managing Director___Gemalto
 
Keep your office secure
Keep your office secureKeep your office secure
Keep your office secure
 
National Mobile Device Registration
National Mobile Device RegistrationNational Mobile Device Registration
National Mobile Device Registration
 
Driving Payment Innovation - Know Your Enemy
Driving Payment Innovation - Know Your EnemyDriving Payment Innovation - Know Your Enemy
Driving Payment Innovation - Know Your Enemy
 
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
 Business Fraud and Cybersecurity Best Practices in the Office or While Worki... Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
 
Issues and ethics in finance (fin 657) - How hackers steal $81 million in Ban...
Issues and ethics in finance (fin 657) - How hackers steal $81 million in Ban...Issues and ethics in finance (fin 657) - How hackers steal $81 million in Ban...
Issues and ethics in finance (fin 657) - How hackers steal $81 million in Ban...
 
Kin (Bright Policy)
Kin (Bright Policy)Kin (Bright Policy)
Kin (Bright Policy)
 
Online payment gateway service providers testware informatics
Online payment gateway service providers testware informaticsOnline payment gateway service providers testware informatics
Online payment gateway service providers testware informatics
 
Cybercriminality
CybercriminalityCybercriminality
Cybercriminality
 
Ready.estate pitchdeck
Ready.estate pitchdeckReady.estate pitchdeck
Ready.estate pitchdeck
 
Law enforcement agencies grappling with spike in multi-million-dollar cyber s...
Law enforcement agencies grappling with spike in multi-million-dollar cyber s...Law enforcement agencies grappling with spike in multi-million-dollar cyber s...
Law enforcement agencies grappling with spike in multi-million-dollar cyber s...
 
Cybercrime and Business Process Hacking
Cybercrime and Business Process HackingCybercrime and Business Process Hacking
Cybercrime and Business Process Hacking
 
ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019
 
The Cost Of Hacking
The Cost Of HackingThe Cost Of Hacking
The Cost Of Hacking
 
30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teachin...
30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teachin...30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teachin...
30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teachin...
 

Similar to 【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malware crime gangs】

The Current State of Cybercrime 2014
The Current State of Cybercrime 2014The Current State of Cybercrime 2014
The Current State of Cybercrime 2014EMC
 
The Current State of Cybercrime 2013
The Current State of Cybercrime 2013The Current State of Cybercrime 2013
The Current State of Cybercrime 2013EMC
 
RSA Online Fraud Report - August 2014
RSA Online Fraud Report - August 2014RSA Online Fraud Report - August 2014
RSA Online Fraud Report - August 2014EMC
 
Identity as easy asLMNOP
Identity as easy asLMNOPIdentity as easy asLMNOP
Identity as easy asLMNOPEric Sachs
 
Identity as easy as LMNOP
Identity as easy as LMNOPIdentity as easy as LMNOP
Identity as easy as LMNOPEric Sachs
 
Utilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationUtilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationGoutama Bachtiar
 
phishingattackseminarpresentation-211230055252.pdf
phishingattackseminarpresentation-211230055252.pdfphishingattackseminarpresentation-211230055252.pdf
phishingattackseminarpresentation-211230055252.pdfchauhan323234
 
Phishing attack seminar presentation
Phishing attack seminar presentation Phishing attack seminar presentation
Phishing attack seminar presentation AniketPandit18
 
IQPC Mobile Payments Presentation
IQPC Mobile Payments PresentationIQPC Mobile Payments Presentation
IQPC Mobile Payments PresentationBrennan Hayden
 
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...Tech and Law Center
 
Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs
 
Family office elite magazine Spring 15
Family office elite magazine Spring 15Family office elite magazine Spring 15
Family office elite magazine Spring 15Ty Murphy
 
001-MAVIS - Criminal acts in the telecom field
001-MAVIS - Criminal acts in the telecom field001-MAVIS - Criminal acts in the telecom field
001-MAVIS - Criminal acts in the telecom fieldMichalis Mavis, MSc, MSc
 
Future of Cyber-security Economy
Future of Cyber-security EconomyFuture of Cyber-security Economy
Future of Cyber-security EconomyBehnaz Aria
 
Finch Capital FinTech Prediction 2019
Finch Capital FinTech Prediction 2019Finch Capital FinTech Prediction 2019
Finch Capital FinTech Prediction 2019Aman Ghei
 
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...Alisha Deboer
 

Similar to 【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malware crime gangs】 (20)

The Current State of Cybercrime 2014
The Current State of Cybercrime 2014The Current State of Cybercrime 2014
The Current State of Cybercrime 2014
 
The Current State of Cybercrime 2013
The Current State of Cybercrime 2013The Current State of Cybercrime 2013
The Current State of Cybercrime 2013
 
RSA Online Fraud Report - August 2014
RSA Online Fraud Report - August 2014RSA Online Fraud Report - August 2014
RSA Online Fraud Report - August 2014
 
Identity as easy asLMNOP
Identity as easy asLMNOPIdentity as easy asLMNOP
Identity as easy asLMNOP
 
Identity as easy as LMNOP
Identity as easy as LMNOPIdentity as easy as LMNOP
Identity as easy as LMNOP
 
Databreach forecast
Databreach forecastDatabreach forecast
Databreach forecast
 
Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013
 
Utilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationUtilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and Investigation
 
phishingattackseminarpresentation-211230055252.pdf
phishingattackseminarpresentation-211230055252.pdfphishingattackseminarpresentation-211230055252.pdf
phishingattackseminarpresentation-211230055252.pdf
 
Phishing attack seminar presentation
Phishing attack seminar presentation Phishing attack seminar presentation
Phishing attack seminar presentation
 
IQPC Mobile Payments Presentation
IQPC Mobile Payments PresentationIQPC Mobile Payments Presentation
IQPC Mobile Payments Presentation
 
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
 
Qrator Labs annual report 2017
Qrator Labs annual report 2017Qrator Labs annual report 2017
Qrator Labs annual report 2017
 
Family office elite magazine Spring 15
Family office elite magazine Spring 15Family office elite magazine Spring 15
Family office elite magazine Spring 15
 
001-MAVIS - Criminal acts in the telecom field
001-MAVIS - Criminal acts in the telecom field001-MAVIS - Criminal acts in the telecom field
001-MAVIS - Criminal acts in the telecom field
 
Cyber crime-in-bangladesh
Cyber crime-in-bangladesh Cyber crime-in-bangladesh
Cyber crime-in-bangladesh
 
Future of Cyber-security Economy
Future of Cyber-security EconomyFuture of Cyber-security Economy
Future of Cyber-security Economy
 
Finch Capital FinTech Prediction 2019
Finch Capital FinTech Prediction 2019Finch Capital FinTech Prediction 2019
Finch Capital FinTech Prediction 2019
 
Top 10 ICO News
Top 10  ICO NewsTop 10  ICO News
Top 10 ICO News
 
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
 

More from Hacks in Taiwan (HITCON)

HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享Hacks in Taiwan (HITCON)
 
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
 HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記  HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記 Hacks in Taiwan (HITCON)
 
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】Hacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 -  SolarWinds 供應鏈攻擊事件分析】【HITCON FreeTalk 2021 -  SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】Hacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】Hacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】Hacks in Taiwan (HITCON)
 
【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹Hacks in Taiwan (HITCON)
 
【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro Datasets【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro DatasetsHacks in Taiwan (HITCON)
 
HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊 HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊 Hacks in Taiwan (HITCON)
 
HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介Hacks in Taiwan (HITCON)
 
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果Hacks in Taiwan (HITCON)
 
2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生Hacks in Taiwan (HITCON)
 

More from Hacks in Taiwan (HITCON) (20)

HITCON CISO Summit 2023 - Closing
HITCON CISO Summit 2023 - ClosingHITCON CISO Summit 2023 - Closing
HITCON CISO Summit 2023 - Closing
 
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
 
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
 HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記  HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
 
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
 
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 -  SolarWinds 供應鏈攻擊事件分析】【HITCON FreeTalk 2021 -  SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
 
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
 
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】
【HITCON FreeTalk 2018 - 從晶片設計角度看硬體安全】
 
【HITCON FreeTalk】Supply Chain Attack
【HITCON FreeTalk】Supply Chain Attack【HITCON FreeTalk】Supply Chain Attack
【HITCON FreeTalk】Supply Chain Attack
 
【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹
 
【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro Datasets【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro Datasets
 
HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊 HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊
 
HITCON TALK ATM 金融攻擊事件解析
HITCON TALK ATM 金融攻擊事件解析HITCON TALK ATM 金融攻擊事件解析
HITCON TALK ATM 金融攻擊事件解析
 
HITCON TALK 產業視野下的 InfoSec
HITCON TALK 產業視野下的 InfoSecHITCON TALK 產業視野下的 InfoSec
HITCON TALK 產業視野下的 InfoSec
 
HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介
 
HITCON CTF 導覽
HITCON CTF 導覽HITCON CTF 導覽
HITCON CTF 導覽
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
 
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
 
2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生
 
CTF 經驗分享
CTF 經驗分享CTF 經驗分享
CTF 經驗分享
 

Recently uploaded

Dynamics of Professional Presentationpdf
Dynamics of Professional PresentationpdfDynamics of Professional Presentationpdf
Dynamics of Professional Presentationpdfravleel42
 
Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Gokulks007
 
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8Access Innovations, Inc.
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxkb31670
 
Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024eCommerce Institute
 
The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!Loay Mohamed Ibrahim Aly
 
Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54ZhazgulNurdinova
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxkb31670
 

Recently uploaded (8)

Dynamics of Professional Presentationpdf
Dynamics of Professional PresentationpdfDynamics of Professional Presentationpdf
Dynamics of Professional Presentationpdf
 
Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024
 
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptx
 
Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024
 
The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!
 
Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptx
 

【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malware crime gangs】

  • 1. TLP:WHITE From FakeSpy to Guerilla Understanding Android Malware Crime Gangs Fyodor Yarochkin (with help of Paul Pajeres, Vladimir Kropotov, Ecular Xu, Zhengyu Dong) Trend Micro Research
  • 2. Copyright 2021 Trend Micro Inc. 2 TLP:WHITE Introduction
  • 3. Copyright 2021 Trend Micro Inc. 3 TLP:WHITE Why Mobile phones are targets? • Mobile often phones ~= ATM cards with Antennas • Telecom carriers ~= Banking Institutions • Less regulated, more connected, easier to break, compromise and remotely control
  • 4. Copyright 2021 Trend Micro Inc. 4 TLP:WHITE Reasons for Android Phones being targetd 1. Money theft 2. Cyber espionage 3. Data breaches 4. Ransomware (targeted) 5. Crypto currencies
  • 5. Copyright 2019 Trend Micro Inc. 5 TLP:WHITE Geographical specifics • Many online IDs are bound to a phone in China • Mobile Phones allow balance transfers in a number of countries including china, india • Verified phone numbers in some countries allow caller impersonation
  • 6. Copyright 2021 Trend Micro Inc. 6 TLP:WHITE Criminals interest in android platforms? • Money (banking) • Virtual currencies • Access to other apps and accounts in bulk • Access to phone numbers
  • 7. Copyright 2021 Trend Micro Inc. 7 TLP:WHITE Numbers are valuable commodity
  • 8. Copyright 2021 Trend Micro Inc. 8 TLP:WHITE Lets take a look at some examples • Fakespy • Anubis • Guerilla
  • 9. Copyright 2021 Trend Micro Inc. 9 TLP:WHITE A good illustration what hackers want from a phone • Mail • Storage • Finance • Online accounts • Crypto currencies
  • 10. Copyright 2021 Trend Micro Inc. 10 TLP:WHITE Fakespy
  • 11. Copyright 2021 Trend Micro Inc. 11 TLP:WHITE How It Works SMS with malicious link Poses as courier service, Chrome update, others. Prompt to install malicious iOS profile to configure Wifi, email accounts, etc Prompts to install malicious Android app Display Apple phishing or illegal Casino site Monitor device activity like SMS, device info, router, mobile transactions Connect to SNS account Decrypt content and reveal real C2 server Send and receive information Spread SMS to contacts
  • 12. Copyright 2021 Trend Micro Inc. 12 TLP:WHITE Lifecycle of Fakespy Apps Oct 2017 Dec 2017 Jun 2018 Korean banks (NH Capital, KB Kookmin, Nonghyup Bank) Apr 2019 Oct 2019 2,000+ fake apps up to Nov Label: 日本郵便 Aug 2019 5,400+ fake apps up to Nov Label: DHL Paket 4 fake apps Label: Die Post Jul 2019 1,400+ fake apps up to Nov Label: 智能宅急 便 Started Feb 2016 around 800+ fake apps until Aug 2019 1200+ fake apps in Sep 2019 to Nov Label: CJ 대한통운 Sep 2019 20,000+ fake apps since 2015 Label: Chrome 600+ fake apps since 2017 Label: Facebook 21,600+ fake apps since 2017 Label: 佐川急便 Xloader started Jun 2018 Fakespy started Dec 2017 70+ fake apps Oct & Nov 2019 Label: ヤマト運輸 50+ fake apps Mar to Sep 2019 Label: SEX kr porn 2 fake app MyDocomo 800+ fake apps Mar to Oct 2019 Label: Anshin Scan
  • 13. Copyright 2019 Trend Micro Inc. 13 TLP:WHITE Use of social networks as covert channel
  • 14. Copyright 2021 Trend Micro Inc. 14 TLP:WHITE Fakespy • Fakespy does not target banks but • collects contact information, intercepts SMS • and propagates via SMS. Common lures are • Japan Post, Sagawa Express and Chrome
  • 15. Copyright 2021 Trend Micro Inc. 15 TLP:WHITE Fakespy derrivatives • FakeOps: targets europe (appeared during Covid) • Xloader: banks in Japan
  • 16. Copyright 2021 Trend Micro Inc. 16 TLP:WHITE Fakespy vs Xloader 0 50,000 100,000 150,000 200,000 250,000 300,000 350,000 Jan-19 Feb-19 Mar-19 Apr-19 May-19 Jun-19 Jul-19 Aug-19 Sep-19 Oct-19 Nov-19 Dec-19 Jan-20 Feb-20 Mar-20 Apr-20 May-20 Jun-20 Jul-20 Aug-20 FakeSpy Xloader
  • 17. Copyright 2021 Trend Micro Inc. 17 TLP:WHITE Victims and Infrastrcture • Asia: Korea, Japan, Singapore • Some countries in Europe • Infrastructure: geographically diverse
  • 18. Copyright 2021 Trend Micro Inc. 18 TLP:WHITE Anubis
  • 19. Copyright 2019 Trend Micro Inc. 19 TLP:WHITE What is Anubis?!
  • 20. Copyright 2019 Trend Micro Inc. 20 TLP:WHITE Anubis backend
  • 21. Copyright 2019 Trend Micro Inc. 21 TLP:WHITE Anubis communications
  • 22. Copyright 2019 Trend Micro Inc. 22 TLP:WHITE Objective of Anubis actions: $$$ MONEY!
  • 23. Copyright 2019 Trend Micro Inc. 23 TLP:WHITE
  • 24. Copyright 2021 Trend Micro Inc. 24 TLP:WHITE Guerilla
  • 25. Copyright 2019 Trend Micro Inc. 25 TLP:WHITE
  • 26. Copyright 2019 Trend Micro Inc. 26 TLP:WHITE
  • 27. Copyright 2019 Trend Micro Inc. 27 TLP:WHITE Guerilla app testing lifecycle
  • 28. Copyright 2019 Trend Micro Inc. 28 TLP:WHITE Debugging statements in some modules
  • 29. Copyright 2019 Trend Micro Inc. 29 TLP:WHITE Lots of other functionality
  • 30. Copyright 2019 Trend Micro Inc. 30 TLP:WHITE functionality (2) paramBundle = c.b("{n "birthday": {n "year": 1966,n "month": 6,n "day": 25n },n "gender": "female",n "username": "biukabiuka88" + new Random().nextInt(1000) + "",n "passwd": "d0b22405db",n "key":
  • 31. Copyright 2019 Trend Micro Inc. 31 TLP:WHITE Many victims, globally
  • 32. Copyright 2019 Trend Micro Inc. 32 TLP:WHITE ConclusionJ Trust your phone? Verify your phone? Protect phone?
  • 33. Copyright 2019 Trend Micro Inc. 33 TLP:WHITE Protect your phone :p my phone – my bastion J Questions? ;-) Iphone J
  • 34. Copyright 2021 Trend Micro Inc. 34 TLP:WHITE Thank You! QUESTIONS => FYODOR_YAROCHKIN@TRENDMICRO.COM