The Ease Of Adding Trojans To Major Financial Android Apps

This was both an amusing and frightening talk. [Sam Bowne] presented How to Trojan Financial Android Apps on Saturday afternoon at the LayerOne Conference. [Sam] calculates that 80-90% of the apps provided by major financial institutions like banks and investment companies are vulnerable and the ease with which trojans can be rolled into them is incredible.

Some Background

[Sam] did a great job of concisely describing the circumstances that make Android particularly vulnerable to the attacks which are the subject of the talk. Android programs are packaged as APK files which are easy to unpack. The “compiled” code itself is called smali and is readable in a similar way as Java. It’s super easy to unpack and search this byte code using grep. Once the interesting parts are located, the smali code can be altered and the entire thing can be repackaged. The app will need to be resigned but Google doesn’t control the signing keys so an attacker can simply generate a new key and use that to sign the app. The user still needs to install the file, but Android allows app installation from webpages, email, etc. so this isn’t a problem for the bad guys either.

The Attack

So what can be done? This is about information harvesting. [Sam’s] proof of concept uses a python script to insert logging for every local variable. The script looks at the start of every module in the smali code, grabs the number of local variables, increments it by one and uses this extra variable to write out the values through logcat.

bank-of-america-logcat
ADB Log shows the Credit Card Number

He demonstrated live on the Bank of America app. From the user side of things it looks exactly like the official app, because it is the official app. However, when you register your account the log reports the card number as you can see here. Obviously this information could easily be phoned-home using a number of techniques.

As mentioned, the vast majority of banking and financial apps are vulnerable to this, but some have made an attempt to make it more difficult. He found the Bancorp app never exposes this information in local variables so it can’t just be logged out. However, the same trojan technique works as a keylogger since he found the same function kept getting called every time a key is pressed. The same was true of the Capital One app, but it echos out Google’s Android keymap values rather than ascii; easy enough to translate back into readable data though.

The Inability to Report Vulnerabilities

bowne-schwab-twitter-security-reportWhat is the most troubling is that none of these companies have a means of reporting security vulnerabilities. It was amusing to hear [Sam] recount his struggle to report these issues to Charles Schwab. Online contact forms were broken and wouldn’t post data and several publicly posted email addresses bounced email. When he finally got one to accept the email he later discovered another user reporting on a forum that nobody ever answers back on any of the Schwab accounts. He resorted to a trick he has used many times in the past… Tweeting to the CEO of Charles Schwab to start up a direct-message conversation. This itself is a security problem as @SwiftOnSecurity proves by pointing out that whenever @SamBowne Tweets a CEO it’s because he found a vulnerability in that company’s platform and can’t find a reasonable way to contact the company.

There is Hope

Although very rare, sometimes these apps do get patched. The Trade King app was updated after his report and when [Sam] tried the exploit again it crashes at start-up. The log reports a verification failure. This indicates that the injected code is being noticed, but [Sam] wonders if the verification is included in the app itself. If it is, then it will be possible to track it down and disable it.

This may sound like all of us Android users should despair but that’s not the case. Adding verification, even if it’s possible to defeat it, does make the apps safer; attackers may not want to invest the extra time to try to defeat it. Also, there are obsfucators available for a few thousand dollars that will make these attacks much more difficult by making variable names unreadable. The free obsfucator available now with the Android development suites doesn’t change names of everything… local variables are left unaltered and programmers have a habit of using descriptive names for variables. For instance, BofA used “CARDNUM” in the example above.

The Slides

[Sam Bowne’s] slides and testing results for the entire talk are available under the “Upcoming Events” part of his website.

Reading Resistors With OpenCV

Here’s a tip from a wizened engineer I’ve heard several times. If you’re poking around a circuit that has failed, look at the resistor color codes. Sometimes, if a resistor overheats, the color code bands will change color – orange to brown, blue to black, and so forth. If you know your preferred numbers for resistors, you might find a resistor with a value that isn’t made. This is where the circuit was overheating, and you’re probably very close to discovering the problem.

The problem with this technique is that you have to look at and decode all the resistors. If automation and computer vision is more your thing, [Parth] made an Android app that will automatically tell you the value of a resistor by pointing a camera at it.

The code uses OpenCV to scan a small line of pixels in the middle of the screen. Colors are extracted from this, and the value of the resistor is displayed on the screen. It’s perfect for scanning through a few hundred through hole resistors, if you don’t want to learn the politically correct mnemonic they’re teaching these days.

Video below, and the app is available for free on the Google Play store.

Continue reading “Reading Resistors With OpenCV”

Your Body Is Your PIN With Bodyprint

[Christian Holz, Senaka Buthpitiya, and Marius Knaust] are researchers at Yahoo that have created a biometric solution for those unlucky folks that always forget their smartphone PIN codes. Bodyprint is an authentication system that allows a variety of body parts to act as the password.  These range from ears to fists.

Bodyprint uses the phone’s touchscreen as an image scanner. In order to do so, the researchers rooted an LG Nexus 5 and modified the touchscreen module. When a user sets up Bodyprint, they hold the desired body part to the touchscreen. A series of images are taken, sorted into various intensity categories. These files are stored in a database that identifies them by body type and associates the user authentication with them. When the user wants to access their phone, they simply hold that body part on the touchscreen, and Bodyprint will do the rest. There is an interesting security option: the two person authentication process. In the example shown in the video below, two users can restrict file access on a phone. Both users must be present to unlock the files on the phone.

How does Bodyprint compare to capacitive fingerprint scanners? These scanners are available on the more expensive phone models, as they require a higher touchscreen resolution and quality sensor. Bodyprint makes do with a much lower resolution of approximately 6dpi while increasing the false rejection rate to help compensate.  In a 12 participant study using the ears to authenticate, accuracy was over 99% with a false rejection rate of 1 out of 13.

Continue reading “Your Body Is Your PIN With Bodyprint”

The Wisest Wizard Doesn’t Drink From Cans

“Wizard Staff” or “Wisest Wizard” is a drinking game played at parties where the attendees participate by taping the empty cans of the drinks they’ve consumed on top of one another to form a staff of inebriated power. A person with a longer staff is considered to be at a higher level and can therefore command lesser wizards to pound their current beverage to a point they see fit. Not everyone at a party necessarily drinks their tasty libation of choice from a can however. So, [Ahmed] and his group came up with a solution for those of us who might alternately prefer to wield a pint glass of power instead.

In their hardware project for Hack Illinois 2015, [Brady Salz], [Ahmed Suhyl], [Dario Aranguiz], and [Kashev Dalmia] decided to add a zest of tech to the game. For their updated rendition, glasses are equipped with battery packs for mobility, a Spark micro-controller, and different colored LEDs as indicators. A couple of wires reach into the bottom of each glass to measure conductivity and keep track of the number of times it is filled and then emptied. In leu of towers of aluminum husks and duct-tape, the group developed a simple Android app for participants to log into which will track and visualize the standings of each player registered to one of the glasses. They even created a pebble version of the app that will display all the same information in case you don’t want to risk handling your phone while drinking… heh.

For an added level of fun, once a player reaches a certain level above someone else, they unlock the option to “challenge” the lesser adversary. By selecting that person’s user name in the app, the LED and buzzer on their glass will spring to life, letting them know they’ve been chosen to chug the rest of their drink. If you’re curious how they made it work, you can check out the team’s code on Github and maybe take a stab at giving the game a makeover of your own.

Continue reading “The Wisest Wizard Doesn’t Drink From Cans”

OK Google, Open Sesame

There are a myriad of modern ways to lock and unlock doors. Keypads, Fingerprint scanners, smart card readers, to name just a few. Quite often, adding any of these methods to an old door may require replacing the existing locking mechanism. Donning his Bollé sunglasses allowed [Dheera] to come up with a slightly novel idea to unlock doors without having to change his door latch. Using simple, off the shelf hardware, a Smartwatch, some code crunching and a Google Now app, he was able to yell “OK Google, Open Sesame” at his Android Wear smartwatch to get his apartment  door to open up.

The hardware, in his own words, is trivial. An Arduino, an HC-05 bluetooth module and a servo. The servo is attached to his door latch using simple hardware that looks sourced from the closest hardware store. The code is split in to two parts. The HC-05 listens for a trigger signal, and informs the Arduino over serial. The Arduino in turn activates the servo to open the door. The other part is the Google Now app. Do note that the code, as he clearly points out, is “barebones”. If you really want to implement this technique, it would be wise to add in authentication to prevent all and sundry from opening up your apartment door and stealing your precious funky Sunglasses. Watch a video of how he put it all together after the break. And if you’re interested, here are a few other door lock hacks we’ve featured in the past.

Continue reading “OK Google, Open Sesame”

An Adventure Into Android Makes The VIC-20 Speak

History and [Bil Herd] teaches us that Commodore begged, borrowed, or stole the engineers responsible for the Speak & Spell to add voice synthesis to a few of the computers that came after the C64. This didn’t quite work out in practice, but speech synthesis was something that was part of the Commodore scene for a long time. The Votrax Type ‘n Talk was a stand-alone speech synthesizer that plugged into the expansion port of the VIC-20. It was expensive, rare, but a few games supported it. [Jan] realized the state of speech synthesis has improved tremendously over the last 30 years, and decided to give his VIC a voice with the help of a cheap Android phone.

A few VIC-20 games, including [Scott Adams] adventure games, worked with the Votrax speech synthesizer by sending phonemes as text over the expansion port. From there, the Votrax would take care of assembling everything into something intelligible, requiring no overhead on the VIC-20. [Jan] realized since the VIC is just spitting out characters for each phoneme, he could redirect those words to a better, more modern voice synthesizer.

A small Bluetooth module was wired up to the user port on the VIC, and this module was paired with a cheap Android smartphone. The smartphone receives the serial stream from an adventure game, and speaks the descriptions of all the scenes in these classic adventure games.

It’s a unique experience judging from the video, but the same hardware and software can also be added to any program that will run on the VIC-20, C64, and C128. Video below.

Continue reading “An Adventure Into Android Makes The VIC-20 Speak”

AlarmLamp

Prefix Your Phone Alarm With A Desk Lamp

If you are like [Gbola], then you have a hard time waking up during the winter months. Something about the fact that it’s still dark outside just makes it that much more difficult to get out of bed. [Gbola] decided to build his own solution to this problem, by gradually waking himself up with an electric light. He was able to do this using all off-the-shelf components and a bit of playing around with the Tasker Android application.

[Gbola] started out with a standard desk lamp. He replaced the light bulb with a larger bulb that simulates the color temperature of natural daylight. He then switched the lamp on and plugged it into a WeMo power switch module. A WeMo is a commercial product that attempts to make home automation accessible for consumers. This particular module allows [Gbola] to control the power to his desk lamp using his smart phone.

[Gbola] mentions that the official WeMo Android application is slow and includes no integration with Tasker. He instead decided to use the third-party WeMoWay application, which does include Tasker support. Tasker is a separate Android application that allows you to configure your device to perform a set task or series of tasks based on a context. For example you might turn your phone to silent mode when your GPS signal shows you are at work. WeMoWay allows [Gbola] to interact with his WeMo device based on any parameter he configures.

On top of all of that, [Gbola] also had to install three Tasker plugins. These were AutoAlarm, Taskkill, and WiFi Connect. He then got to work with Tasker. He configured a custom task to identify when the next alarm was configured on the phone. It then sets two custom variables, one for 20 minutes before the alarm (turn on the lamp) and one for 10 minutes after (turn it off).

[Gbola] then built a second task to actually control the lamp. This task first disconnects and reconnects to the WiFi network. [Gbola] found that the WeMoWay application is buggy and this “WiFi reset” helps to make it more reliable. It then kills the WeMoWay app and restarts it. Finally, it executes the command to toggle the state of the lamp. The project page has detailed instructions in case anyone wants to duplicate this. It seems like a relatively painless way to build your own solution for less than the cost of a specialized alarm clock lamp.