Sunday, March 20, 2016

Continued saga with SeraphimDroid


I sent the issue and Nikola & team fixed it, awesome :)
https://github.com/nikolamilosevic86/owasp-seraphimdroid/issues/33#issuecomment-198543264

I was now able to install it on an older Android version, but in the meantime I also decided to download an emulator on a Windows VM and test one nasty Trojan I found on scumware.org.

An emulator does not contain any SMS features; the only thing I was able to observe is that 3 services were started after I downloaded the Trojan.



The trojan is of low category and attempts to send unauthorised SMS. Now, from what I understood from Nikola in his last email, the app won't prevent this on non-rooted devices, which will probably be my case since the device I'm using is SIM-locked by the service provider and I would have to kind of 'jailbreak' it; however, you can block the services as a preventive measure.
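One way to check the two things this paragraph cares about (whether an installed app can send SMS at all, and which of its services are running so they can be stopped without root), as an added example that is neither SeraphimDroid's code nor part of the original post: the script below parses the text that `adb shell dumpsys package <pkg>` and `adb shell dumpsys activity services <pkg>` print. The package name com.update.sys and both dumpsys excerpts are constructed samples for illustration, not output from the trojan in the post.

```python
"""Triage an Android package for premium-SMS behaviour from adb dumpsys output.

Added example (not SeraphimDroid's code). Parses the text printed by
`adb shell dumpsys package <pkg>` and `adb shell dumpsys activity services <pkg>`
to answer: can this app send SMS at all, and which of its services are running.
"""
import re
from dataclasses import dataclass, field

# SEND_SMS is what a premium-SMS trojan needs; RECEIVE/READ_SMS let it hide replies.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# "  android.permission.SEND_SMS" (requested) or "...SEND_SMS: granted=true" (held)
PERM_LINE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)(?::\s+granted=(true|false).*)?$")
# "* ServiceRecord{21d3e4a u0 com.example/.Svc}" as printed by dumpsys activity services
SERVICE_LINE = re.compile(r"ServiceRecord\{[0-9a-f]+ u\d+ ([\w.]+)/([\w.$]+)\}")


@dataclass
class PackageTriage:
    package: str
    requested: set = field(default_factory=set)   # permissions declared in the manifest
    granted: set = field(default_factory=set)     # permissions actually held
    services: list = field(default_factory=list)  # running services, as pkg/Class

    def can_send_sms(self) -> bool:
        return "android.permission.SEND_SMS" in self.granted

    def sms_permissions(self) -> list:
        return sorted(self.requested & SMS_PERMISSIONS)


def parse_dumpsys_package(pkg: str, text: str) -> PackageTriage:
    """Collect requested and granted permissions from `dumpsys package` text."""
    triage = PackageTriage(package=pkg)
    section = None
    for line in text.splitlines():
        header = line.strip()
        if header == "requested permissions:":
            section = "requested"
            continue
        if header in ("install permissions:", "runtime permissions:"):
            section = "granted"
            continue
        m = PERM_LINE.match(line)
        if m is None:
            section = None  # any other line ends the current permission list
            continue
        perm, granted = m.group(1), m.group(2)
        if section == "requested":
            triage.requested.add(perm)
        elif section == "granted" and granted == "true":
            triage.granted.add(perm)
    return triage


def parse_running_services(pkg: str, text: str) -> list:
    """Return pkg/Class for every ServiceRecord owned by pkg in `dumpsys activity services`."""
    return [f"{owner}/{cls}" for owner, cls in SERVICE_LINE.findall(text) if owner == pkg]


def triage_package(pkg: str, package_dump: str, services_dump: str) -> PackageTriage:
    triage = parse_dumpsys_package(pkg, package_dump)
    triage.services = parse_running_services(pkg, services_dump)
    return triage


def containment_commands(triage: PackageTriage) -> list:
    """adb commands usable from the unprivileged shell user (no root): kill the
    process now, then remove the package so nothing restarts its services."""
    return [f"adb shell am force-stop {triage.package}",
            f"adb uninstall {triage.package}"]


# Constructed sample output (hypothetical package com.update.sys), not a real capture.
SAMPLE_DUMPSYS_PACKAGE = """\
Packages:
  Package [com.update.sys] (3f2a9c1):
    userId=10077
    versionCode=3 targetSdk=17
    requested permissions:
      android.permission.SEND_SMS
      android.permission.RECEIVE_SMS
      android.permission.INTERNET
    install permissions:
      android.permission.SEND_SMS: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.INTERNET: granted=true
    User 0:  installed=true hidden=false stopped=false
"""

SAMPLE_DUMPSYS_SERVICES = """\
ACTIVITY MANAGER SERVICES (dumpsys activity services)
  User 0 active services:
  * ServiceRecord{21d3e4a u0 com.update.sys/.SmsSenderService}
    intent={cmp=com.update.sys/.SmsSenderService}
  * ServiceRecord{21d3e4b u0 com.update.sys/.UpdateCheckService}
    intent={cmp=com.update.sys/.UpdateCheckService}
  * ServiceRecord{21d3e4c u0 com.android.systemui/.ImageWallpaper}
"""

if __name__ == "__main__":
    t = triage_package("com.update.sys", SAMPLE_DUMPSYS_PACKAGE, SAMPLE_DUMPSYS_SERVICES)
    print(f"{t.package}: can send SMS = {t.can_send_sms()}, SMS perms = {t.sms_permissions()}")
    print("running services:", t.services)
    print("containment:", *containment_commands(t), sep="\n  ")
```

On a real phone, feed the output of the two dumpsys commands to the parsers instead of the samples. `am force-stop` only kills the process until a boot, alarm or broadcast starts the service again, which is why the uninstall follows it; on an older Android the "install permissions:" block is where a manifest-declared SEND_SMS shows up as granted at install time.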

Nikola also mentioned that the app will provide warnings on this part if it's rooted. I'll have to ask where I can see those warnings.

Without being too technical, my experiment is simple. The phone has some balance, and as SMS are sent I'll probably see this on the phone and in the logs; if this is the case, my balance will go from USD 20 to 0 ;-P, if the trojan succeeds.

The first experiment will involve infecting the phone with locking on, and afterwards I'll unlock (OMG release the Kraken!). Many things can happen, as I'm not sure how the application reacts...


With Lock


The first step is to visit the webpage identified by scumware.org as containing drive-by download malware.
After the download, I installed and ran the 'malware' update.

Then I waited...

Whether the malware update was actually able to do something or not is not clear from a user perspective. The balance was the same; no changes, warnings or logs.

Without Lock

This was the scary part, as I was thinking I would lose the balance on the phone ;-P. But then I checked, left the phone for an entire day and... nothing. Let me clarify that at this point I unlocked all the applications on the phone, just to make sure the virus had a 'free for all' without the chance of being blocked on any activity.
No signal of SMS, fake messages, warnings, lower balance, logs. Nothing.

So, at the end of this first battle against the Trojan type, I cannot conclude anything specific.
It is unclear if the malware was able to actually do something or if it was properly blocked.
For that part, I decided to do one more test and download an antivirus for Android phones.
Once I did, the antivirus confirmed I was infected after I ran a scan. The scan was specific about potentially affected SMS sending on my system.

So... I'm not sure what happened, but given the circumstances of the experiment I can conclude that:

  • SeraphimDroid did not provide any warnings since the phone is non-rooted
  • The phone was infected but the virus did not do anything to affect the phone
  • The fact that the phone is non-rooted could have affected the behaviour of the trojan
Some questions I'll have for Nikola & Team:

  • How are warnings shown by SeraphimDroid?
  • Where can I see any possible logs?
The next experiment will involve another Android phone at my disposal (don't ask me why I'm not using it, let's say it's Blue), but this other one is rooted, so I will definitely expect a different behavior.
