Google Confirms Tapjacking Attack – Likely All Versions Are Affected!

Stephan Huber and I found a dangerous tapjacking vulnerability in the Android Open Source Project (AOSP) which causes serious security issues. Tapjacking, which is similar to clickjacking for web applications, is an attack where the user clicks/taps on seemingly benign objects in applications, triggering unintended actions not actually intended by the victim[1]. This results to dangerous security issues. Unfortunately, we already found malware samples in the wild that include our attack. To the best of our knowledge, the attack seems to apply to all currently available Android versions back til version 2.3. The attack, together with a patch, has already been submitted to the Android Security team who confirmed our vulnerability and add our patch to the next major release of the AOSP. More details on the attack will follow as soon as the AOSP is patched. The contribution is nominated for Google’s Patch Award.

[1] Marcus Niemietz and Jörg Schwenk, UI Redressing Attacks on Android Devices, BlackHat Asia 2014

Combating Dormant Malware Apps with Harvester

Over the past few days, the news has been full of a report of “dormant” malware that infected millions of Android devices. (German article here on The malware previously went unnoticed by laying dormant for several hours, sometimes multiple days, after installation, in some cases even requiring a reboot of the device to become active. Dynamic-analysis procedures usually only run for minutes and for efficiency reasons do not simulate situations like reboot Contrary to the current perception, though, this problem had long been identified, and in fact today with this article we are revealing Harvester, a new tool to address exactly this problem.

Harvester* uses a unique novel combination of static and dynamic analysis and code transformation to (1) identify and eliminate emulator and timeout checks from apps, and (2) that way allows for the extraction of interesting runtime values such as reflective method calls, target numbers of calls to the SMS APIs, account-data hard-wired in the malware, etc. In addition, Harvester is resilient against virtually all current cases of code obfuscation.

Continue reading

First International Workshop on Agile Secure Software Development

We are co-organizing the First International Workshop on Agile Secure Software Development (ASSD’15) with Prof. Röning from University of Oulu, Finland. The workshop is organized in conjunction with ARES 2015, which will be hosted in Toulouse, France from 24th to 28th August, 2015. We are looking for papers related to applying the agile approach and methods to develop secure software. We encourage you to submit your paper to the workshop.

Time for new challenges: DroidBench 2.0 available

Our micro-benchmark suite DroidBench (published with FlowDroid at PLDI’14) aims at testing the precision and recall of static taint tracking tools for Android. It provides categorized, tested, and well-documented test cases for the various hard challenges in program analysis. The ground truth is provides makes it easy to check and compare the results of the various information-flow analysis tools proposed both in research and available commercially.

The suite has been used by various research groups all over the world and we have seen tools greatly improve on the precision and recall they achieve on DroidBench. With many tools now achieving very good results, it is time for new challenges.

We are thus happy to announce that DroidBench 2.0 is now available from Github. It features 120 test cases in 13 categories including aliasing, implicit data flows, Android lifecycle handling, inter-component communication, and reflective method calls. We would like to thank all the researchers world wide that have contributed to DroidBench and would like to extend this call: Feel free to propose and/or submit new test cases to extend the suite even further so that it can continue to serve as a standardized benchmark suite for research in the field of static taint tracking.

All kinds of contributions are welcome. We have started to also add test cases challenging dynamic analysis tools, for instance emulator-detection mechanisms. In the future, we also plan to add test cases that leverage native code to hide data flows.

DroidSearch accepted at SAI Conference

We are happy to announce that our paper “DroidSearch: A Tool for Scaling Android App Triage to Real-World App Stores” has been accepted for publication at the IEEE Technically Co-Sponsored “Science and Information Conference 2015″ (SAI) in London, UK.

While many precise analysis tools for detecting malware and finding vulnerabilities in Android applications exist, they usually do not scale to the large number of applications in today’s real-world markets such as Google Play. We therefore present DroidSearch, a search engine that aids a multi-staged analysis in which fast pre-filtering techniques allow security experts to quickly retrieve candidate applications that should be subjected to further automated and/or manual analysis. DROIDSEARCH is supported by DROIDBASE, a middleware and back-end database which associates apps with metadata and the results of lightweight analyses on bytecode and configuration files that DROIDBASE automatically manages and executes.

Continue reading

SSE Group together with McAfee Research Lab has identified a new threat campaign currently underway in South Korea

With the help of our new CodeInspect tool, we – together with the McAfee Research Lab – have identified a new threat campaign currently underway in South Korea;
attempting to exploit the huge media frenzy surrounding the release of the movie ‘The Interview’. Continue reading

Yes, banking apps are as secure as other apps, but is it really the banks who are to blame?

Malicious appsAt 31C3 this year, Eric Filiol and Paul Irolla from Laboratoire de Cryptologie et Virologie Opérationnelles presented on (In)security of mobile banking app security. While I appreciate the effort to draw more attention to the insecurity of mobile applications in general, I am afraid that the talk itself was based on quite a few misconceptions, and thus gave a very wrong impression of how app development actually works and about why the code we see is as insecure as it is. Unfortunately, these misconceptions were readily amplified through the mass media (the Zeit, for instance), which is why I think someone with more experience in the field should probably clarify a few things in this respect. Continue reading