
Abstract

Wednesday 5 October 12:00 - 12:30, Red room

Zhi Xu (Palo Alto Networks)
Tongbo Luo (Palo Alto Networks)
Cong Zheng (Palo Alto Networks)

It is common for a third-party mobile SDK to maintain a command and control (C&C) channel between the app that bundles the SDK and the SDK vendor's remote master server. For example, most mobile ad SDKs and analytics SDKs allow the vendor's master server to collect device, user and app information, deliver content to the device, and even control certain behaviours of the app remotely.

Should the master server or the C&C channel fall into the hands of attackers, every app bundling the SDK is put at risk (e.g. the BadNews attack in 2013). Benign apps may even turn malicious under the control of a compromised C&C channel.

Unfortunately, since the launch of Google's Android OS in 2008 a great number of mobile SDK companies have failed, leaving their SDKs and C&C channels unmaintained, and the domain names of many of those companies are now available to register at a low price. We call these unmaintained SDKs 'zombie SDKs'.

If an attacker takes over the C&C channel of a zombie SDK, they gain control of every APK that bundles this SDK. Furthermore, the attacker can deliberately send existing APK files containing the compromised zombie SDK to targeted victims. Since the zombie SDKs and the APK files are usually legitimate and have been published for a long time, they easily pass an anti-virus whitelist check.

In this presentation, we will present our study of zombie SDKs:

First, we will present a survey of observed zombie SDKs, detailing the status of their master servers and domains, the capabilities the SDK gains once installed, and the security impact if an attacker takes over the domain. We will show that these overlooked zombie SDKs have great potential for attackers and pose serious security risks to users.

Then, we will demonstrate two approaches that an attacker can use to launch attacks through a zombie SDK.
One approach is through taking control of the domain and building a malicious master server to control the C&C channel. In this way, the attacker inherits all the capabilities of the zombie SDK's previous owner.
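A defender-side triage script for the domain-takeover approach described above, added here as an example and not part of the presentation or the authors' tooling. It pulls http(s) endpoints out of strings recovered from an APK (the strings and hostnames below are constructed for the example; `.test` is a reserved TLD that never resolves), groups them by the domain an attacker would have to register, and flags domains that no longer resolve as takeover candidates. Cleartext endpoints are flagged separately, because a hijacked master server then needs no certificate at all. The resolver is injectable so the logic can be exercised offline, and the small suffix table is a stand-in for the Public Suffix List.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed sample input: strings as they might be pulled from a decompiled
# APK (e.g. `strings classes.dex`). All hostnames are invented for this example.
SAMPLE_STRINGS = [
    "http://api.adsdk-example.test/v1/config?app=%s&imei=%s",
    "http://cdn.adsdk-example.test/creatives/%s.zip",
    "https://collect.analytics-example.test/track",
    "https://www.example.com/privacy",
    "content://com.android.contacts/data",
    "Lcom/example/adsdk/RemoteConfig;",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Tiny stand-in for the Public Suffix List; a real tool should load the full list.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br", "co.in"}


def registrable_domain(host):
    """Collapse a hostname to the domain an attacker would have to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_endpoints(strings):
    """Return (url, host, scheme) for every http(s) URL found in the strings."""
    found = []
    for s in strings:
        for url in URL_RE.findall(s):
            parsed = urlparse(url)
            if parsed.hostname:
                found.append((url, parsed.hostname, parsed.scheme))
    return found


def domain_resolves(domain, resolver=socket.gethostbyname):
    """True if the domain resolves to an address.

    A non-resolving domain is only a takeover *candidate*: it may still be
    registered (parked, lapsed DNS, in redemption), so confirm availability
    with the registrar before treating it as a zombie. socket.gaierror is a
    subclass of OSError, which is what we catch here.
    """
    try:
        resolver(domain)
        return True
    except OSError:
        return False


def triage(strings, resolver=socket.gethostbyname):
    """Group SDK endpoints by registrable domain and flag zombie candidates."""
    report = {}
    for url, host, scheme in extract_endpoints(strings):
        domain = registrable_domain(host)
        entry = report.setdefault(domain, {"urls": [], "cleartext": False})
        entry["urls"].append(url)
        if scheme == "http":
            entry["cleartext"] = True  # no TLS: a hijacked host needs no certificate
    for domain, entry in report.items():
        entry["resolves"] = domain_resolves(domain, resolver)
        # The SDK still phones home to this domain, but nobody answers for it.
        entry["zombie_candidate"] = not entry["resolves"]
    return report


if __name__ == "__main__":
    for domain, entry in triage(SAMPLE_STRINGS).items():
        flag = "ZOMBIE?" if entry["zombie_candidate"] else "alive"
        print(f"{domain:28} {flag:8} cleartext={entry['cleartext']} "
              f"urls={len(entry['urls'])}")
```

Two caveats when running this against real APKs: a domain that does resolve can still be a takeover risk if it lapsed and was re-registered by someone other than the original vendor, so the registrant history matters as much as the DNS answer; and some SDKs obtain their master-server address from a fetched configuration rather than a hard-coded string, in which case the string scan will miss it and the config endpoint itself is the one to check.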