h@kin9 & vulnerability assessment in android

H@kin9 & vulnerability assessment in android By, J@$h. 13501A1908

Upload: jh-301-evil-mter

Post on 28-Jul-2015



Contents

- What is hacking
- Who are hackers
- Hacker types
- Practical attacks
- Phishing attacks
- DoS attacks
- Clickjacking attacks
- Mobile hacking

What is computer hacking & who are hackers

Computer hacking: Hacking is simply gaining unauthorized access to data in a system or computer.
Hacker: The person who hacks.
Cracker: System intruder/destroyer.

Who are hackers

Someone who bypasses the system’s access controls by taking advantage of security weaknesses left in the system by developers

Hacker means cracker nowadays

Hacker types

- White hat hackers
- Black hat hackers
- Grey hat hackers

Phishing attacks

Phishing is the illegal attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Types: Deceptive, malware

Clickjacking attacks

It is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on in a web page.

Exploit process

A Simple example

The simple example source code

Advanced clickjacking techniques

Exploit process for Facebook

Likejacking in the wild
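A defender's check for the clickjacking technique defined above, added here as an example and not part of the original slides: it classifies a response's anti-framing headers. The header names (X-Frame-Options, CSP frame-ancestors) are standard; the function names and sample header sets are assumptions constructed for illustration.

```javascript
// Added example: decide whether a page can be embedded in a hostile frame,
// based only on its response headers.

// Extract the frame-ancestors source list from a CSP header value, or null.
function frameAncestors(csp) {
  for (const directive of String(csp || '').split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Returns 'deny', 'same-origin', 'allowlist' or 'frameable'.
function framingPolicy(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // When an enforced CSP carries frame-ancestors, browsers ignore X-Frame-Options.
  const fa = frameAncestors(h['content-security-policy']);
  if (fa !== null) {
    // An empty source list matches nothing, the same as 'none'.
    if (fa.length === 0 || (fa.length === 1 && fa[0] === "'none'")) return 'deny';
    if (fa.length === 1 && fa[0] === "'self'") return 'same-origin';
    // A wildcard or bare scheme lets any site frame the page.
    if (fa.some((s) => s === '*' || s === 'http:' || s === 'https:')) return 'frameable';
    return 'allowlist';
  }

  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return 'deny';
  if (xfo === 'sameorigin') return 'same-origin';
  // ALLOW-FROM is obsolete and ignored by current browsers; treat it as no protection.
  return 'frameable';
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  { name: 'no headers', headers: {} },
  { name: 'legacy XFO', headers: { 'X-Frame-Options': 'SAMEORIGIN' } },
  { name: 'CSP none', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" } },
  { name: 'CSP wildcard beats XFO', headers: { 'Content-Security-Policy': 'frame-ancestors *', 'X-Frame-Options': 'DENY' } },
];
for (const s of SAMPLES) console.log(`${s.name}: ${framingPolicy(s.headers)}`);
```

A result of 'frameable' means an overlay page on another origin can load the target in an invisible frame, which is the precondition for the attack the slides describe.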

Mobile hacking

- Bypassing android lockscreen
- Modifying apk data
- WhatsApp hacking
- Modifying apks

Bypassing android lockscreen

Modifying apk data


WhatsApp cracking

Modifying apks

Making of the apk

Modifying apks

Reversing the apk

Getting our hands dirty

It's demo time!!!

Android malware

Memories of the past

Some famous android malware …

- Trojan-SMS.Fakeplayer.a
- Geinimi
- Snake
- DreamDroid
- GGtracker

Trojan-SMS.Fakeplayer.a

Simplest malware to date

Sends SMS to premium members

Mainly distributed through porn/media apps

Stop watching porn? :0

Geinimi

Most sophisticated malware to date

Botnet-like capabilities

Mainly distributed through porn/media apps

Suggests infected legitimate apps

Geinimi (continued)

Botnet command capabilities…

- Call: call a number
- Email: send an email
- Sms record: sends all the SMSes to the server
- Install: install an app
- Shell: get a shell

Suggests infected legitimate apps

Creating our own android malware

Expected time < 5 min

Exploit process

The game is over :’(


The game isn't over :)

Can create malware not detected by the antivirus

Disable the antivirus

Use your own black hat creativity

Stored passwords

Browser passwords are stored in a database called webview.db

Got r00t ?

Insecure data storage