Android Applications and Security Preview

Dear readers,

In this edition we wanted to present the articles focused on Android system and applications. We have plenty of tutorials and interesting approaches to this topic, and as always we also have publications from different areas. Let’s see what’s inside!

Mobile payments have increased significantly over the past few years, most of us have, at least once, used this method, as it is quick and effective. In the first article our authors decided to focus on the scan-and-pay option and its risks. Authors implemented Malview, a proof-of-concept malicious application to show you how dangerous this payment technique can be. 

In another article, you will read how to use the clustering method to improve the detection accuracy of malicious Android applications. 

There are two more articles about Android, in the first one you will read about a method based on Android permissions and Convolutional Neural Networks (CNNs) to classify botnets and benign Android applications. The second one is focused on augmented reality, and you will learn more about mobile AR sensor (MARS) logger for two of the most popular mobile operating systems, Android and iOS.

For those of you who are less interested in mobile topics, we prepared other articles, which we hope will catch your interest. Among them is the second part of Advanced Web Attacks. We will continue our journey into Burp Suite capabilities, and this time we get into the practical approach. Next is Ansible, which is the simplest way to automate apps and IT infrastructure. The article will guide you how to use it, step by step,, and give you tips to make it more effective. For bug Bounty Hunters we have articles about various tools, there is an article dedicated to Internet of Things Penetration Testing OS tool, and Agent-based (BDI) modeling for automation of penetration testing is another publication that’s worth your attention. 

We hope that you will enjoy this edition. Feel free to leave us a comment or send us a message! As always, special thanks to all the contributors, reviewers, and proofreaders involved in the process of creating this issue.

Enjoy the reading,

Hakin9 Editorial Team

>>If you want to buy this magazine click here <<

>>If you are a subscriber, download your magazine here<<

TABLE OF CONTENTS

Scan-and-Pay on Android is Dangerous

Enis Ulqinaku , Julinda Stefa, Alessandro Mei

Mobile payments have increased significantly in recent years and one-to-one money transfers are offered by a wide variety of smartphone applications. We implement Malview, a proof-of-concept malicious application that runs in the background on the payee’s smartphone and shows that it succeeds in redirecting payments to a malicious wallet. We analyze the weaknesses of the current defense mechanisms and discuss possible countermeasures against the attack.

Internet of Things Penetration Testing OS

Veerababu Penugonda

I would like to share an OVA Operating System environment for Pentesting IoT devices in an easy way. Most of the questions that I get from the Telegram group,  are about how to start IoT Security and any good resources. I have made my 3^rd open source learning gift from my side to learners and enthusiasts - IoT-PT Virtual OS.

Agent-based (BDI) modeling for automation of penetration testing

Ge Chu

Penetration testing (or pentesting) is one of the widely used and important methodologies to assess the security of computer systems and networks. Traditional pentesting relies on the domain expert knowledge and requires considerable human effort, all of which incurs a high cost. Automation can significantly improve the efficiency, availability and lower the cost of penetration testing. Existing approaches to automation include those which map vulnerability scanner results to the corresponding exploit tools, and those addressing the pentesting as a planning problem expressed in terms of attack graphs. Due to mainly non-interactive processing, such solutions can deal effectively only with static and simple targets. In this article, I propose an automated penetration testing approach based on the belief-desire-intention (BDI) agent model, which is central in the research on agent-based processing in that it deals interactively with dynamic, uncertain and complex environments.

Android Malicious Application Classification Using Clustering

Hemant Rathore

Android malware has been growing at an exponential pace and is a serious threat to mobile users. It appears that most anti-malware still relies on the signature-based detection system, which is generally slow and often not able to detect advanced obfuscated malware. Hence, from time-to-time, various authors have proposed different machine learning solutions to identify sophisticated malware. However, it appears that detection accuracy can be improved by using the clustering method. Therefore, in this article, I propose a novel scalable and effective clustering method to improve the detection accuracy of the malicious Android application and obtained a better overall accuracy (98.34%) by random forest classifier compared to regular method, i.e., taking the data altogether to detect the malware.

Extending the Metasploit Framework to Implement an Evasive Attack Infrastructure

Aubrey Alston

Given a desired goal of testing the capabilities of mainstream antivirus software against evasive malicious payloads delivered via drive-by download, the work of this project was to extend the functionality of Metasploit {the penetration testing suite of choice} in a three-fold manner: (1) to allow it to dynamically generate evasive forms of Metasploit-packaged malicious binaries, (2) to provide an evasive means of delivering said executables through a drive-by download-derived attack vector, and (3) coordinate the previous two functionalities in a manner that can be used to produce reproducible tests within the SPICE framework.

Building Ansible AWX (Ansible Tower) with Docker and Docker Compose

Braier Alves

The huge success of Ansible and how this tool has become indispensable in the lives of technology professionals is not new to anyone, DevOps, SysAdmins or Programmers (here in the "oldest" definition of the word). It no longer makes sense to work in a data center, for example, as a tangle of devices that need manual intervention. Automation and agility in tasks is increasingly necessary. And Ansible is one of the leading solutions for provisioning, managing and deploying mass configurations.

A Look into Bug Bounty Programs and Responsible Disclosure

Aaron Yi Ding, Gianluca Limon De Jesus, Marijn Janssen

We focus on Bug Bounty Programs (BBP) and Responsible Disclosure (RD), which stimulate hackers to report vulnerability in exchange for monetary rewards. We carried out a qualitative investigation supported by literature survey and expert interviews to explore how BBP and RD can facilitate the practice of identifying, classifying, prioritizing, remediating, and mitigating IoT vulnerabilities in an effective and cost-efficient manner. Besides deriving tangible guidelines for IoT stakeholders, our study also sheds light on a systematic integration path to combine BBP and RD with existing security practices (e.g., penetration test) to further boost overall IoT security.

Web Attacks: Discovering new recipes for advanced attacks part 2

Joas Antonio, João Paulo de Andrade, Felipe Gomes, Thiago Vieira

In this article, our goal is not to present a recipe to make these attacks, but take you on a journey that will make you think outside the box. If you are reading this magazine, you have probably been faced with or encountered concepts and practice of some attacks, right? But do you know how to go further? First of all, we will strengthen some concepts. Even if they are concepts that a quick Google search can help, we aim to write for both Seniors and for the Script Kiddies.

Android Botnet Detection using Convolutional Neural Networks

Sina Hojjatinia, Sajad Hamzenejadi, Hadis Mohseni

Today, Android devices are able to provide various services. They support applications for different purposes such as entertainment, business, health, education, and banking services. Because of the functionality and popularity of Android devices as well as the open-source policy of Android OS, they have become a suitable target for attackers. Android Botnet is one of the most dangerous malwares because an attacker called Botmaster can control that remotely to perform destructive attacks. A number of researchers have used different well-known Machine Learning (ML) methods to recognize Android Botnets from benign applications.

The Mobile AR Sensor Logger for Android and iOS Devices

Jianzhu Huai, Yujia Zhang

In recent years, commodity mobile devices equipped with cameras and inertial measurement units (IMUs) have attracted much research and design effort for augmented reality (AR) and robotics applications. Based on such sensors, many commercial AR toolkits and public benchmark datasets have been made available to accelerate hatching and validating new ideas. To lower the difficulty and enhance the flexibility in accessing the rich raw data of typical AR sensors on mobile devices, this paper presents the mobile AR sensor (MARS) logger for two of the most popular mobile operating systems, Android and iOS.