Android Security Technology Weekly, 12.01 - 12.07
Malware
1. DoubleHidden malware hidden in the Google Play store
https://www.symantec.com/blogs/threat-intelligence/doublehidden-android-malware-google-play
2. Revealing four new trends in the 2017 cybercrime underground: threats arriving from every direction
http://www.freebuf.com/news/155425.html
3. Palo Alto Networks publishes its 2018 cybersecurity predictions
https://researchcenter.paloaltonetworks.com/2017/12/2018-predictions-recommendations-cloud-security-adoption-will-disrupt-automotive-industry/
4. Kaspersky publishes its review of 2017 security events
https://securelist.com/ksb-review-of-the-year-2017/83338
5. The Google Safe Browsing team will extend its Unwanted Software Policy protections to the Android platform
https://security.googleblog.com/2017/12/additional-protections-by-safe-browsing.html
Tech
1. Dissecting the LLVM obfuscator, Part 1
https://blog.rpis.ec/2017/12/dissection-llvm-obfuscator-p1.html
2. Anti-disassembly tricks against IDA Pro's ARM disassembler
https://kbdsmoke.me/anti-disassembly-on-arm-ida-specifically/
3. Research on malware spreading techniques (file-based, e-mail-based, domain-controller-based, and more) and a deception-based detection framework
https://zh.scribd.com/document/366244507/Spreading-Techniques-and-Deception-based-Detection-Acalvio-Technical-White-Paper
4. Malware detection with neural networks
https://devblogs.nvidia.com/parallelforall/malware-detection-neural-networks/
5. A collection of malware analysis resources
https://malwareanalysisforums.com/topic/7/malware-analysis-resources-noobs-read-first
6. Installing and configuring Badintent
http://blog.obscuritylabs.com/badintent-setup/
7. Setting up and running Radare2 on an Android phone
http://www.blackstormsecurity.com/docs/radare2_arm.pdf
8. An example of writing a simple Linux kernel module
https://blog.sourcerer.io/writing-a-simple-linux-kernel-module-d9dc3762c234
9. See how I hide files with a Linux rootkit
https://0x00sec.org/t/hiding-with-a-linux-rootkit/4532
https://www.anquanke.com/post/id/89215
https://github.com/jordan9001/superhide
10. Selected briefing materials from the BlackHat Europe 2017 conference
https://www.blackhat.com/eu-17/briefings.html
11. XLearning - a scheduling system supporting multiple machine learning and deep learning frameworks
https://github.com/Qihoo360/XLearning/blob/master/README_CN.md
12. Dissecting virtual memory: the stack, registers and assembly code
https://blog.holbertonschool.com/hack-virtual-memory-stack-registers-assembly-code/
13. Materials from the "Security Intelligence, Intelligence-Driven" cybersecurity analysis and intelligence conference, available for download
https://threatbook.cn/event/#agenda
14. Unofficial Mimikatz guide and command reference
https://adsecurity.org/?page_id=1821
15. White papers from the Aura Information Security team on security, policy and related topics
http://research.aurainfosec.io/whitepapers/
16. A partial analysis of the SLAB_FREELIST_HARDENED hardening implementation in Linux Kernel 4.14.0
https://hardenedlinux.github.io/system-security/2017/12/02/linux_kernel_4.14%E7%9A%84SLAB_FREELIST_HARDENED%E7%9A%84%E7%AE%80%E8%A6%81%E5%88%86%E6%9E%90.html?nsukey=D3MRM%2BIaOSiup9lNI9JP8vslv3UWopP%2FkD%2BvrANn5a49VgnvYhVMPCMv6sBTsi1cTxQCLjcIcd2GvrqZISJxA3LINp%2Bhlh%2FD2sG6l3iWqFRcDdcN70P6EGDL7bbaenz77CaiCKoTyjXrZPkTkTjnEga70OfZ4YO%2BESIvEfC33PfcRTcnPOdRLOnz8stw6HW4Z5OXsPUmAnDV3aEEIkxFJw%3D%3D&from=timeline&isappinstalled=0
17. ARM mode and Thumb mode on Android
https://userpc.net/2017/12/04/arm-mode-thumb-mode-classification-android/
Tool
1. Duo Labs open-sourced two IDAPython scripts to assist with ARM Cortex-M firmware reversing and ARM Thumb instruction searching
https://github.com/duo-labs/idapython
2. A Qt and C++ GUI for the radare2 reverse engineering framework
https://github.com/radareorg/cutter
3. FruityWifi - a wireless network security auditing tool
https://github.com/xtr4nge/FruityWifi
4. Mailsploit - an exploit toolkit for e-mail clients, bundling vulnerabilities in 30 mainstream e-mail clients (Apple Mail, Thunderbird, Yahoo! Mail, ProtonMail and others)
https://www.mailsploit.com/index
5. findcrypt-yara - IDA Pro plugin to find crypto constants (and more)
https://github.com/polymorf/findcrypt-yara
6. java-asm-obfuscator (jasmo) - obfuscates compiled Java code to make it harder to reverse engineer
https://github.com/CalebWhiting/java-asm-obfuscator
7. Linux Expl0rer - easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
https://github.com/intezer/linux-explorer
8. IDA Batch Decompile is a plugin for Hex-Rays IDA Pro that adds the ability to batch decompile multiple files and their imports with additional annotations (xref, stack var size) to the pseudocode .c file
https://github.com/tintinweb/ida-batch_decompile
9. V3SPA is a tool for visualizing and analyzing SELinux and SEAndroid security policies.
https://github.com/twosixlabs/V3SPA
10. Microsoft open-sourced a Linux version of the ProcDump tool, which can capture memory dumps of applications
https://github.com/Microsoft/ProcDump-for-Linux
11. rematch - a binary diffing tool
https://github.com/nirizr/rematch
Vulnerability
1. The Android December security bulletin is out
https://source.android.com/security/bulletin/2017-12-01
https://source.android.com/security/bulletin/pixel/2017-12-01
2. 360 Vulpecker analysis report on a privilege-bypass vulnerability in the Umeng SDK
https://www.anquanke.com/post/id/89222
3. Analysis of Huge Dirty COW (CVE-2017-1000405)
http://ne2der.com/2017/HugeDirtyCOW-CVE-2017%E2%80%931000405/
https://www.anquanke.com/post/id/88063
https://www.anquanke.com/post/id/89096
https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0
4. Killing many birds with one stone: defeating browsers across all mobile platforms
https://mp.weixin.qq.com/s/MiIG-AZDYzU20WPNl-kOkQ
5. ParseDroid - researchers from Check Point present a new attack surface in the Android ecosystem: developer tools. Taking APKTool as an example, they found an XXE in the third-party XML library APKTool uses, so developers and researchers who download and use APKTool could be attacked
https://threatpost.com/developers-targets-in-parsedroid-poc-attack/129088/
https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/
https://www.anquanke.com/post/id/89557
6. Using a bootloader exploit to flash locked Motorola devices
https://articles.forensicfocus.com/2017/12/05/imaging-locked-motorola-devices-via-bootloader-exploit/
7. Attacks against GSMA's M2M Remote Provisioning, from the BlackHat Europe 2017 conference
https://www.blackhat.com/docs/eu-17/materials/eu-17-Meyer-Attacks-Against-GSMAS-M2M-Remote-Provisioning.pdf
8. A bug in the Keybase app on Android may have caused users' private keys to be backed up automatically to Google's servers
https://www.bleepingcomputer.com/news/security/keybase-bug-might-have-backed-up-your-private-encryption-key-on-googles-servers/
9. An in-depth look at the Maginot Line of smartphone fingerprint security
https://mp.weixin.qq.com/s/0VJPz4ckWO11aD1sft2emA
10. Improving Function Coverage with Munch: A Hybrid Fuzzing and Directed Symbolic Execution Approach
https://arxiv.org/pdf/1711.09362.pdf
11. Info Leak in the Linux Kernel via Bluetooth
http://seclists.org/oss-sec/2017/q4/357
12. Linux privilege escalation via dynamically linked shared object libraries
https://www.contextis.com/blog/linux-privilege-escalation-via-dynamically-linked-shared-object-library
13. A summary of XML vulnerabilities and attacks
https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870
14. difuze - a Linux kernel driver fuzzing tool
https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers.pdf
https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers-wp.pdf
https://github.com/ucsb-seclab/difuze