Android安全技術周報 11.03 - 11.09

02-28

Malware

1. GooglePlay 應用市場上一款假 WhatsAPP 下載量達到了100 萬，而這款假 WhatsAPP的作者與真實作者只差一個 Unicode 空格，安裝之後會有推廣其他app的廣告

https://thehackernews.com/2017/11/fake-whatsapp-android.html https://www.reddit.com/r/Android/comments/7ahujw/psa_two_different_developers_under_the_same_name/

2. 包含挖礦代碼的app出現在Google Play（點擊按鈕之後會在後台運行一個WebView載入CoinHive的JS挖礦代碼）

https://blog.avast.com/cryptocurrency-mining-malware-sneaks-onto-google-play

3. 在Google Play Store 中發現幾款加密貨幣挖礦APP：

https://www.ixiacom.com/company/blog/everythings-better-blockchain

4. Clicking Bot Applications：

https://blog.zimperium.com/clicking-bot-applications/

5. The Strange Case of Play Policy for Copyright and Security

http://blog.fortinet.com/2017/11/08/the-strange-case-of-play-policy-for-copyright-and-security

6. Evil-Droid is a framework that create & generate & embed apk payload to penetrate android platforms

https://github.com/M4sc3r4n0/Evil-Droid

7. 如何構造Android平台的勒索軟體

https://0x00sec.org/t/creating-ransomware-for-android/4063

https://blog.underc0de.org/creando-ransomware-para-android/

8. 記一次網路詐騙追蹤過程：

http://www.freebuf.com/articles/others-articles/153079.html

9. 深淵背後的真相之薅羊毛產業報告：

http://www.freebuf.com/news/152525.html

10. 網路犯罪活動猖獗的當下，互聯網用戶該如何保護自己？

http://www.freebuf.com/articles/neopoints/153040.html

Tech

1. 對Android平台的Telegram Messager的取證分析，發現Telegram在其協議上有嚴重的問題。

http://people.unipmn.it/sguazt/pubs/Anglano-2017-Telegram.pdf

2. Bypassing Android』s Network Security Configuration

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/bypassing-androids-network-security-configuration/

3. 深入理解虛擬內存，實現對內存越界寫的檢測、實現無碎片內存分配等等需求：

http://ourmachinery.com/post/virtual-memory-tricks/

4. 軟體基因技術及應用：

https://mp.weixin.qq.com/s/mF_KTr7Z30g3EwfDDcA6Rw

5. 使用 Radare 進行 Android 惡意軟體分析：

https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/

6. 域名關聯模型：讓惡意軟體自我暴露：

https://zhuanlan.zhihu.com/p/30780842

7. 代碼安全保障技術趨勢前瞻

http://bobao.360.cn/learning/detail/4667.html

8. BalCCon2k17 videos&Slides

https://2k17.balccon.org/speakers.html

9. Linux平台如何感染運行的進程

https://0x00sec.org/t/linux-infecting-running-processes/1097

https://github.com/0x00pf/0x00sec_code/tree/master/mem_inject

https://www.real0day.com/hacking-tutorials/2017/11/6/injecting-a-running-process-linux

10. 阿里巴巴在移動端生物識別技術實踐分享

http://www.freebuf.com/articles/terminal/151619.html

11. 機器學習在安全攻防場景的應用與分析

http://www.freebuf.com/articles/neopoints/152457.html

12. 工具黨是如何破解遊戲反修改功能的

http://www.freebuf.com/articles/terminal/152963.html

13. 爬蟲兇猛：爬支付寶、爬微信、竊取現金貸放貸數據

https://mp.weixin.qq.com/s?__biz=MzIxNjM3MDc4Mg==&mid=2247485673&idx=1&sn=15071ae472d0681c2064a2dd8f8876bc&chksm=978b53d8a0fcdace2309ce7f4214227d7a7dcffc83074e769e1d84091ca2e8fafca371c2309c&mpshare=1&scene=1&srcid=1108IvCsHI74EdaV4iTcQEiu&pass_ticket=3ITnF6r7x99s%2FA7oyhkhMkfDrQl13jY5XQxDgHYT7lDT5fJuAJo2I8byDhO7ehHo#rd

14. Data Theorem 團隊研究員在微軟 BlueHat 2017 會議關於手機平台

SSL 劫持的研究報告

https://datatheorem.github.io/documents/bluehat-2017.pdf

15. How STACKLEAK improves Linux kernel security

https://it-events.com/system/attachments/files/000/001/376/original/Alexander_Popov_LinuxPiter2017.pdf

16. VUSEC的在nucleus將被移植到 Binary Ninja 二進位分析框架中，關於這種二進位文件中檢測函數的方法參考論文《Compiler-Agnostic Function Detection in Binaries》

https://www.vusec.net/2017/11/nucleus-picked-binary-ninja/

17. 重構ROCA

https://blog.cr.yp.to/20171105-infineon.html

18. 構建一個神經網路，從原始位元組序列的角度檢測惡意軟體

https://arxiv.org/abs/1710.09435

19. iOS vs. Android：物理數據提取與數據保護的對比：

https://blog.elcomsoft.com/2017/10/ios-vs-android-physical-data-extraction-and-data-protection-compared/

Tool

1. ARM exploitation for IoT - 基於增強版 GDB 調試工具 GEF 調試 ARM Exploit

https://quequero.org/2017/11/arm-exploitation-iot-episode-3/

2. FAME：友好的惡意軟體分析框架

https://www.virusbulletin.com/blog/2017/11/paper-fame-friendly-malware-analysis-framework/

https://certsocietegenerale.github.io/fame/

3. fridump：基於Frida的通用內存dump工具

http://pentestcorner.com/introduction-to-fridump/

https://github.com/Nightbringer21/fridump

Android平台示例：

http://pentestcorner.com/fridump-android-examples/

iOS平台示例：

http://pentestcorner.com/fridump-ios-examples/

4. Trape is a recognition tool that allows you to track people, the information you can get is very detailed.

https://github.com/boxug/trape

5. Ti_Collector：收集網上公開來源的威脅情報，主要關注信譽類威脅情報（如IP/域名等），以及事件類威脅情報

https://github.com/scu-igroup/Ti_Collector

6. LIEF - QuarksLab 開源的一個跨平台可執行文件格式（PE/ELF/MachO）的解析、修改、抽象庫

https://github.com/lief-project/LIEF

https://blog.quarkslab.com/have-fun-with-lief-and-executable-formats.html

Vulnerability

1. Android 11 月安全公告

https://source.android.com/security/bulletin/2017-11-01

2. 現在漏洞發現者都希望給漏洞命名。這篇Blog 作者介紹了 6 個之前沒有名字的內核漏洞，影響 Android 和一些路由器設備，作者表示："Please Stop Naming Vulnerabilities"（CVE-2017-11013/CVE-2017-9714/CVE-2017-11014/CVE-2017-11015/）

https://pleasestopnamingvulnerabilities.com/

3. 關於Rowhammer 攻擊技術的又一篇 Paper《Another Flip in the Wall of Rowhammer Defenses》，這篇 Paper 中作者提出了一種新的攻擊技術- one-location hammering，可以不再依賴之前觸發 Row Hammer Bug 的苛刻條件：

https://github.com/IAIK/flipfloyd

https://arxiv.org/abs/1710.00551

4. kernelpop - Linux 內核提權漏洞枚舉與利用框架：

http://www.kitploit.com/2017/11/kernelpop-kernel-privilege-escalation.html

https://github.com/spencerdodd/kernelpop

5. Designing New Operating Primitives to Improve Fuzzing Performance

https://acmccs.github.io/papers/p2313-xuA.pdf

6. afl-unicorn - 將 Unicorn 的模擬執行能力集成進 AFL Fuzz 中，Fuzz 無源碼的二進位代碼：

https://medium.com/@njvoss299/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf

7. Linux內核Waitid系統調用本地提權漏洞（CVE-2017-5123）的分析與利用：

http://www.freebuf.com/vuls/152412.html

https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/