Open Source Android Forensics Threat Index

The Threat Index lists all of the applications that have been analyzed using the Open Source Android Forensics framework. The framework includes not only the OSAF-Toolkit but also the documentation and processes that have been developed alongside it. These applications are categorized by their level of maliciousness. Please refer to the Threat Index Metric below to understand the color coding for each level of risk.

  • Severe
    Elevated + malicious code present, modification of the Android ecosystem, exfiltration of user data found
  • Elevated
    Guarded + ability to hijack login sessions
  • Guarded
    No malicious code found, backend databases unencrypted, personal data at risk of theft
  • Low
    No malicious code found, misuse of Android permissions

Trusteer Rapport - Threat Level Severe

Description:

This application was advertised as a two-factor authentication application that could be used to secure a personal banking account.

Full case report can be found here.


The first step in analyzing the Trusteer Rapport application was static analysis. During static analysis we used a few tools to gain insight into what this application was trying to do. The first tool we used was APK inspector, which we used to see what permissions the application was attempting to access on the phone. The application was requesting the receive SMS, full internet access, and phone state and ID permissions. With this knowledge, we then opened the application in the Java Decompiler, which let us analyze the actual code of the application. Through that analysis, we were able to determine that the application was in fact attempting to receive SMS messages and send them off to a remote location. Further dynamic analysis is required to confirm this.
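The permission check described above, written out as an added example (not the OSAF-Toolkit's own code): it parses a constructed manifest and flags the read-plus-egress combination that the report found. The manifest, package name and finding labels are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups behind the exfiltration pattern the report describes:
# something to read (SMS), somewhere to send it (INTERNET), and identifiers
# that let a remote server tell infected devices apart.
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NETWORK_EGRESS = {"android.permission.INTERNET"}
DEVICE_IDENTITY = {"android.permission.READ_PHONE_STATE"}

# Constructed manifest (not the real application's) carrying the three
# permissions named in the case report; in practice it comes from apktool/aapt.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="sample"/>
</manifest>
"""


def manifest_permissions(xml_text):
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(xml_text)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def triage(perms):
    """Map a permission set to the findings an analyst would record.

    The exfiltration capability is flagged only when both halves of the path
    are present; SMS access alone is noted but is not the same finding.
    """
    findings = []
    can_read_sms = bool(perms & SMS_READ)
    can_egress = bool(perms & NETWORK_EGRESS)
    if can_read_sms and can_egress:
        findings.append("sms-exfiltration-capable")
    elif can_read_sms:
        findings.append("sms-access-without-network")
    if perms & DEVICE_IDENTITY:
        findings.append("device-identifier-access")
    return findings


if __name__ == "__main__":
    found = manifest_permissions(SAMPLE_MANIFEST)
    print(sorted(found), triage(found))
```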


After performing the static analysis we had a general idea of what to look for when performing the dynamic analysis. The bulk of the dynamic analysis consisted of creating two virtual Android devices within the toolkit. With the two Android VMs running, we installed the application onto one of them. From our findings in the code analysis, we knew that the application would attempt to steal the content of text messages. After sending a text message from one device to the other, with the infected device intercepting the message, we checked for any related network traffic. Looking into our Wireshark captures, we were able to see distinct packets leaving the device containing the text message content in plain text.
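The two-emulator test above, automated as an added example (not part of the OSAF-Toolkit): the test SMS carries a known token, and the outbound payloads are searched for it in raw, URL-decoded and base64-decoded form. The payloads, addresses and token are constructed.

```python
import base64
import re
import urllib.parse

# Constructed token placed in the body of the SMS sent between the emulators.
CANARY = "OSAF CANARY 7f3a9c"
# Constructed outbound payloads (src, dst, bytes) standing in for the TCP
# stream contents an analyst would pull out of the Wireshark capture.
CAPTURED = [
    ("10.0.2.15", "203.0.113.10", b"GET /ping HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.2.15", "203.0.113.10",
     b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"from=%2B15555215556&body=Your+code+is+OSAF+CANARY+7f3a9c"),
    ("10.0.2.15", "203.0.113.10",
     b"POST /s HTTP/1.1\r\nHost: example.test\r\n\r\nm="
     + base64.b64encode(b"Your code is " + CANARY.encode())),
    # TLS record: opaque to this check, the limit of judging from captures alone.
    ("10.0.2.15", "203.0.113.10", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]


def _base64_runs(text):
    """Yield decoded bytes for every base64-looking run of 16+ characters."""
    for m in re.finditer(r"[A-Za-z0-9+/]{16,}", text):
        chunk = m.group(0)
        chunk += "=" * (-len(chunk) % 4)  # restore padding the regex dropped
        try:
            yield base64.b64decode(chunk, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def payload_views(payload):
    """Return (kind, text) views of a payload in which the canary may surface."""
    text = payload.decode("utf-8", errors="replace")
    views = [("raw", text), ("url-decoded", urllib.parse.unquote_plus(text))]
    views += [("base64", d.decode("utf-8", errors="replace"))
              for d in _base64_runs(text)]
    return views


def find_leaks(captured, canary=CANARY):
    """Return (index, dst, kind) for each payload that carries the canary."""
    leaks = []
    for i, (_src, dst, payload) in enumerate(captured):
        for kind, view in payload_views(payload):
            if canary in view:
                leaks.append((i, dst, kind))
                break
    return leaks
```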


Other Comments and Conclusion

The Trusteer Rapport two-factor banking authentication application contains malicious code that is designed to gain access to many different permissions on a device. At first glance, the permissions of the application show that it accesses receive SMS, full internet access, and phone state and ID. These permissions give the application access to the personal information of the user without their consent; therefore the application is deemed Severe. Beyond the permissions of the application, its behavior also deems it Severe. Once the application is opened for the first time, it runs in the background without the user's knowledge. It intercepts all received SMS messages and attempts to send them to a remote server. This background interception of messages makes this application extremely malicious, and that is why we have assigned the threat level Severe.

Facebook - Threat Level Elevated

Description:

Share and stay connected with your friends with the Facebook for Android app. Facebook for Android helps you connect with your friends and share on the go. Upload a photo, keep up with friends' photos and status updates, look up a phone number, and more right from your Android device.

Full case report can be found here.


The main reason this application was awarded a threat level of Elevated was the findings made during the static analysis. After installing the application and dumping the databases it created to store data, we noticed that the application was storing a lot of personally identifiable data that seemed out of place. Some of the data within the databases include chatmessages, chatconversations, notifications and friends_data. The DB also holds session cookie information that can be reconstructed and loaded into a browser to allow unauthorized access to a logged-in user's account.
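An added example (not the project's or Facebook's code) of the database check described above: it confirms the file is not encrypted at the file level and lists columns whose names suggest session or credential material, with one readable value each. The schema, table contents and column-name pattern are constructed assumptions.

```python
import os
import re
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"
SENSITIVE_COL = re.compile(r"cookie|session|token|auth|passw", re.I)


def is_plain_sqlite_header(header):
    """True if the first 16 bytes are the standard SQLite header, i.e. the file is
    not encrypted at the file level (SQLCipher-style encryption overwrites it)."""
    return header[:16] == SQLITE_MAGIC


def audit_db(path):
    """Return (table, column, sample) for sensitive-looking columns with readable values."""
    with open(path, "rb") as fh:
        if not is_plain_sqlite_header(fh.read(16)):
            return []  # opaque file: nothing to read without the key
    findings = []
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]:
                if SENSITIVE_COL.search(col):
                    row = conn.execute(f'SELECT "{col}" FROM "{table}" LIMIT 1').fetchone()
                    findings.append((table, col, row[0] if row else None))
    finally:
        conn.close()
    return findings


def build_sample_db(path):
    """Constructed stand-in for an app data-folder DB (not the real Facebook schema)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE chatmessages (id INTEGER, sender TEXT, body TEXT);
        CREATE TABLE friends_data (user_id INTEGER, name TEXT, phone TEXT);
        CREATE TABLE web_session (domain TEXT, cookie_value TEXT, expires INTEGER);
        INSERT INTO chatmessages VALUES (1, 'alice', 'see you at 9');
        INSERT INTO friends_data VALUES (42, 'Bob Example', '+15555550100');
        INSERT INTO web_session VALUES ('example.test', 'sessionid=EXAMPLE-TOKEN', 0);
    """)
    conn.commit()
    conn.close()


def run_demo():
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    build_sample_db(path)
    return audit_db(path)
```

Values stored inside a plain SQLite file can still be encrypted by the app itself, which is why the sample value is reported alongside the column name.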


No applicable dynamic analysis for discussion.


Other Comments and Conclusion

The Facebook application contains a vulnerability that can allow unauthorized users access to a person's account. This application also raises privacy concerns due to the fact that information is both stored on and uploaded from the user's device. Remediation to prevent future data leak/loss includes encrypting the contents of the com.facebook.katana data folder, more specifically the databases contained in the application's data folder. Database encryption will prevent session cookie hijacks and will also protect the identities, and personally identifiable information, of Facebook users.