How to Unpack Baidu Protect through Memory Dumping

Trustlook Mobile Security has analyzed an app (MD5: 67257EA2E9EC6B35C9E5245927980EEA) that is packed/encrypted by Baidu Protect, an app-hardening service provided by Baidu. Developers upload their APKs to Baidu's developer portal and receive a hardened build back.

The app detects emulators and terminates itself when run on several versions of the Android emulator.

It runs on a Moto G phone with Android version 4.4.3. The app has the following structure:

[screenshot: file listing of the packed APK]

The file “libbaiduprotect.so” under the lib/armeabi folder shows that the app is packed by Baidu Protect.

Some popular unpacking tools do not work on this app. ZjDroid, for example, which runs as a module of the Xposed framework, makes the app crash, and DexExtractor does not produce any DEX file.

The app also implements anti-debugging techniques. For example, the following code prevents a debugger from attaching to the process:

[screenshot: anti-debugging code in the native library]

Most app packers use JNI native code to replace or patch the Dalvik bytecode in memory at runtime. Because the Dalvik VM can only execute plaintext bytecode, the packer has to unpack/decrypt the real DEX file in memory at some point, and that is what gives us a chance to dump it.

Connected to the phone over ADB, we ran the "ps" command, which gave the following result:

[screenshot: ps output showing the app's process]

The app has the process ID 28953. We then examined the regions of the process's virtual memory as listed in /proc/28953/maps.

The first field of each line gives the starting and ending address of the region in the process's address space, and the last field gives the name of the file mapped there. We used the "dd" command, reading from /proc/28953/mem, to dump the region associated with the last file in the list.

[screenshot: memory map lines and the dd command used to dump the region]

The "dd" command only accepts decimal values, so the hexadecimal addresses from the map have to be converted. With a block size of one byte (bs=1), the "skip" parameter is the starting address of the region and the "count" parameter is its length, i.e. the ending address minus the starting address.

After the region has been dumped, we pull the file off the phone with adb pull and examine it:

[screenshot: hex view of the dumped file]

The dump is an ODEX file whose magic bytes at the start of the header have been stripped. After writing the ODEX magic back, we have the following file:

[screenshot: the dumped file with its magic restored]
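The dump-and-repair steps above, written out as shell helpers. This is an added example and not the post's own commands: the pid, file names and the maps line are placeholders constructed for illustration, and the helper that restores the magic assumes the packer zeroed the first eight bytes in place rather than removing them. The dump itself has to run as root on the device (adb shell, then su); the inspection helpers can be run on the workstation after adb pull.

```sh
#!/bin/sh
# Added example, not code from the original post.

# Turn one /proc/<pid>/maps line ("start-end perms offset dev inode path")
# into the decimal "skip count" pair that dd needs with bs=1.
maps_to_dd_args() {
    range=${1%% *}                          # first field: start-end
    start=$(printf '%d' "0x${range%-*}")    # hex -> decimal
    end=$(printf '%d' "0x${range#*-}")
    printf '%s %s\n' "$start" "$((end - start))"
}

# Dump the region described by a maps line from /proc/<pid>/mem.
# Regions are page aligned, so bs=4096 with skip/count divided by 4096
# would be much faster; bs=1 keeps the numbers identical to the map.
dump_region() {
    pid=$1; line=$2; out=$3
    set -- $(maps_to_dd_args "$line")       # $1 = skip, $2 = count
    dd if="/proc/$pid/mem" of="$out" bs=1 skip="$1" count="$2"
}

# Classify the first four bytes of a dump: "dex\n" (DEX) or "dey\n" (ODEX).
dex_magic() {
    case "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" in
        6465780a) echo dex ;;
        6465790a) echo odex ;;
        *)        echo unknown ;;
    esac
}

# Write the ODEX magic "dey\n036\0" over the first 8 bytes, in place.
# Assumption: the bytes were zeroed, not removed, so nothing shifts.
restore_odex_magic() {
    printf 'dey\n036\0' | dd of="$1" bs=1 count=8 conv=notrunc
}

# Constructed maps line in the format the post describes; the path is a
# placeholder, not a value from the post.
SAMPLE_MAP_LINE='a0000000-a0100000 r--p 00000000 b3:19 12345      /data/data/com.example.packed/.cache/classes.odex'

# Typical use on the rooted phone (pid 28953 as in the post; the grep
# pattern is an assumption since the post does not name the file):
#   line=$(grep odex /proc/28953/maps | tail -n 1)
#   dump_region 28953 "$line" /data/local/tmp/dump.bin
# and on the workstation after "adb pull /data/local/tmp/dump.bin":
#   dex_magic dump.bin            # "unknown" while the magic is missing
#   restore_odex_magic dump.bin
#   dex_magic dump.bin            # "odex"
```

If dex_magic reports "dex" rather than "odex", the region holds a plain DEX file and no header repair is needed before running it through the usual DEX tools.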

Unpack the file:

[screenshots: converting the repaired ODEX back to DEX and then to a JAR]

The resulting JAR file, with the app's real classes:

[screenshot: contents of the recovered JAR file]

Note that the method above does not carry over directly to apps that split their work across multiple processes: the decrypted DEX only exists in the process that loaded it, so a memory-dumping tool that scans a single process for the DEX magic will not find it in such apps.

BadKernel Vulnerability Technical Details

Researchers from 360 (Alpha Team) have recently uncovered a vulnerability that affects millions of Android phones. Since it is especially widespread in China and can cause significant damage, it has been assigned CNNVD-201608-414 in the Chinese National Vulnerability Database of Information Security. CNNVD is the Chinese counterpart of the Common Vulnerabilities and Exposures (CVE) system.

The vulnerability lies in V8, the JavaScript engine used by Chrome. It allows an attacker to take control of the phone and remotely execute malicious code, which could be used to invade the user's privacy by accessing the camera and microphone and to steal sensitive information such as credit card numbers and passwords.

The flaw exists in versions 3.20 through 4.2 of the V8 engine. The exception type observe_accept_invalid was misspelled as observe_invalid_accept in the source, and the resulting failed lookup exposes the kMessages key object, which an attacker can build on to download and execute malicious code.

Versions of Tencent's X5 SDK that embed V8 3.20 through 4.2 are also affected. The X5 SDK is used by many popular apps in China, such as mobile QQ, Qzone (QQ Space), JD.com (Jingdong), 58.com (58 City), Sohu and Sina News, so the versions of those apps built on it are vulnerable to the attack.

Any app that uses the WebView component on Android 4.4.4 through 5.1 is also vulnerable.

The exploit is delivered primarily through social engineering, such as an email containing a link shared by an already infected friend, or an IM phishing message claiming to come from a well-known source. Once the user opens the link, the malicious page compromises the device, often without leaving any visible sign.

To check if a phone is infected

What to do if you are infected?

    • Update the phone's system software to the latest version available
    • Update any browsers you have installed
    • Be wary of emails and messages containing links, even from people or organizations you know. Rather than clicking an unfamiliar URL, type the address into the browser's address bar yourself.
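A quick way to see whether the updatable Chromium-based components on a device are old enough to fall in the affected range, as an added example that is not part of the original post. The package names, and the assumption that V8 4.2 shipped with Chrome/WebView major version 42, are mine and not statements from the post; a version in the flagged range means "possibly affected" and should prompt an update, not that the device has been exploited.

```sh
#!/bin/sh
# Added example, not code from the original post.

PACKAGES="com.google.android.webview com.android.chrome"   # assumption: the two usual Chromium packages
MAX_FLAGGED_MAJOR=42   # assumption: last Chrome/WebView major that shipped V8 4.2

# Pull the versionName out of "dumpsys package <pkg>" output read from stdin.
version_name() {
    sed -n 's/^[[:space:]]*versionName=\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Succeed if the major part of a Chromium version is in the flagged range.
is_flagged_version() {
    major=${1%%.*}
    [ -n "$major" ] && [ "$major" -le "$MAX_FLAGGED_MAJOR" ]
}

# Check each package on the device attached via adb and print a verdict.
check_device() {
    for pkg in $PACKAGES; do
        v=$(adb shell dumpsys package "$pkg" | tr -d '\r' | version_name)
        if [ -z "$v" ]; then
            # On Android 4.4 the WebView is part of the framework rather
            # than a package, so its Chromium version has to be judged
            # from the OS build instead.
            echo "$pkg: no versionName found (not installed, or built into the framework)"
        elif is_flagged_version "$v"; then
            echo "$pkg $v: major version <= $MAX_FLAGGED_MAJOR, update it"
        else
            echo "$pkg $v: newer than the flagged range"
        fi
    done
}

# Constructed excerpt of dumpsys output so the parsing can be run offline.
SAMPLE_DUMPSYS='Package [com.google.android.webview] (3f6a2b1):
    versionCode=2311138 minSdk=21 targetSdk=21
    versionName=42.0.2311.138
    splits=[base]'

# On a workstation with a device attached:  check_device
```

Apps that bundle their own engine (such as those built on the X5 SDK) are not covered by this check, since the embedded V8 version is not visible through the system package list.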

Google Offers $200,000 to Find Android Vulnerabilities

"Show me the money" might become the new motto of the hacking world, and with good reason. Google has announced that it will offer up to $200,000 to the first team that finds a bug chain giving remote access to multiple Android devices with nothing more than their phone numbers and email addresses.

Announced by Google's Project Zero research team, the contest began on 9/14/2016 and is scheduled to run through March 14 of next year. Researchers are invited to find critical bugs in Android, specifically on Nexus 6P and Nexus 5X devices running the current build for each device.

The offer appears to be largely a response to QuadRooter, the widespread set of Android vulnerabilities disclosed in August 2016 that was reported to affect 900 million devices.

Google is banking on the prize money motivating researchers to find flaws in the ecosystem. The first prize is $200,000, the second $100,000 and the third $50,000, with additional awards for other winning entries that find flaws in Google's operating system.

800,000 Identities Stolen From Adult Porn Site Brazzers

Passwords, usernames and email addresses for some 800,000 users have been exposed in the latest big-name data leak, this time from the porn network Brazzers. That is the number of email addresses retrieved by the breach-monitoring service Vigilante, and the leaked data is also said to contain the plain-text passwords and usernames associated with those addresses.

Although Brazzers says the data comes from an old breach, it is not taking any chances and has temporarily shut down its forum while it investigates whether its security has been breached again.

There are a couple ways to check if you have been part of this data breach. Use the Identity Check feature in the Trustlook Mobile Security app, or use the Have I Been Pwned website.

Beyond that, affected users are encouraged to change their password, and, because the passwords leaked in plain text, to change it on any other site where the same password was reused.

Trustlook Sentinel Whitepaper Now Available!

Are you interested in learning more about one of the most groundbreaking technologies in mobile security?

Trustlook Sentinel is the first 100% behavior-based malware detection engine built into the operating system of a mobile device. It provides real-time zero-day detection of malware. Download the whitepaper here and discover why Sentinel is considered a game changer in security.

Oops! BadKernel Now Affects 100 Million, Not 30 Million

We reported last week that BadKernel, a flaw in the Chromium browser framework used on Android that is exploited when users open malicious links, affects 30 million Android users. From our internal reporting over the past few days, it is clear that the actual number is much higher. Our new estimate is that BadKernel impacts 100 million Android users, about 7% of the total Android user base.

Trustlook has released a new feature in its Trustlook Mobile Security  app that detects BadKernel. You are encouraged to scan your phone today and see if you are impacted.

Trustlook Releases BadKernel Vulnerability Detector

An Updated Version (Version 3.5.10) of the Trustlook Mobile Security App Identifies the BadKernel Issue Affecting 30 Million Android Users

Trustlook has released a new feature in its Trustlook Mobile Security app that detects BadKernel, the widespread vulnerability affecting millions of Android devices.

First disclosed in August 2016, BadKernel is a flaw in the Chromium browser framework used on Android that is exploited when users open malicious links. Users of older Chromium-based mobile browsers, as well as applications with an embedded WebView (such as the massively popular WeChat app), may be vulnerable. On a compromised device, the user's contacts and text messages could be exposed, as well as any payment passwords.

To determine whether your device is vulnerable to this threat, open the Trustlook Mobile Security app, navigate to the BadKernel Vulnerability detector on the main screen, and tap "Check it Now." If you are exposed, update your browser software.

[screenshots of the BadKernel detector in the app, taken 2016-08-26]
The BadKernel vulnerability impacts an estimated 30 million Android smartphones and tablets. The flaw involves a bug in the source code of Google’s V8 JavaScript Engine, which is a component of the open-source Chromium. An attacker can exploit this flaw to cause key object information leakage.

Since many phones are not running the most current browser software, this attack could be used widely. Trustlook encourages users to run a quick scan of their phone and to update their browser if they are affected. In addition, Trustlook suggests that users not open random or suspicious-looking links, keep their apps and OS updated, and continually monitor their device for any potential issues.

To check if your Android device is affected by the BadKernel vulnerability, please download the Trustlook Mobile Security app.