Cyber in Bretagne: solutions

Exercise 1: Observing the Mobidash adware under cover

Step 1: connect your device:

Tap Storage, tap the top-right menu, then USB… Switch to PTP.
% adb devices
    List of devices attached
    0a9dd409f1646022	device
% adb reboot recovery

Step 2: connect the phone to internet

Step 3: clean your Nexus

Step 4: install MobiDash and configure Androblare

Step 5: launch the malware

Step 6: extraction, conversion, visualization

Step 7: trigger the malicious behavior

Step 8: visualization

Exercise 2: Preparing an antidote for a ransomware

Step 1-2-3-4:

Step 5: reverse a simple .apk

Step 6: reverse the SimpleLocker malware .apk

Step 7: convert, edit the classes and repackage

Step 8: deploy the antidote

Conclusion

:thumbsup:

Exercise 3: Capturing the data leaked by a Spyware

The captured data are the following:

android-7031c46da1524f5f - - [30/Jun/2016 21:06:32] "POST /android/googlefinal/install.php HTTP/1.1" 200 -
{'teli': ['UNKNOWN'], 'counta': [''], 'mac': ['24:da:9b:05:b6:eb'], 'carrie': [''], 'timea': ['2016-06-30 09:06:31']}
android-7032c46da1524f5f - - [30/Jun/2016 21:06:33] "POST /android/googlefinal/holla.php HTTP/1.1" 200 -
{'checkif': ['yes'], 'carrie': [''], 'CGF': ['MCLA'], 'mac': ['24:da:9b:05:b6:eb'], 'ADGF': ['ACSIR'], 'CSGF': ['SCNAH'], 'SEGF': ['SESFK'], 'timea': ['2016-06-30 09:06:32'], 'SGF': ['SSTLAH']}
android-7032c46da1524f5f - - [30/Jun/2016 21:06:34] "POST /android/googlefinal/senddata.php HTTP/1.1" 200 -
{'EXCL': ['000000000001'], 'EXTS': ['000000000000'], 'mac': ['24:da:9b:05:b6:eb'], 'carrie': [''], 'TSS': ['TEST']}
android-7032c46da1524f5f - - [30/Jun/2016 21:06:35] "POST /android/googlefinal/bingo.php HTTP/1.1" 200 -
{'mac': ['24:da:9b:05:b6:eb']}

We can observe that the malware captures the MAC address, the name of the operator (carrie), the telephone number (teli), etc.
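To turn a capture like the one above into a triage summary (which server-side scripts were contacted and which identifiers were sent to each), the following parser is an added example for this solutions page, not part of the original exercise material. It assumes the capture format shown above: a request line in the style of Python's BaseHTTPServer log followed by the POST body as a `parse_qs`-style dict; the meaning of `carrie` and `teli` is taken from the sentence above, and the sample input is the capture reproduced on this page.

```python
import ast
import re
from collections import defaultdict

# Sample input: the capture lines reproduced in Exercise 3 (request line in
# BaseHTTPServer log format, followed by the parsed POST body as a dict).
CAPTURE = """\
android-7031c46da1524f5f - - [30/Jun/2016 21:06:32] "POST /android/googlefinal/install.php HTTP/1.1" 200 -
{'teli': ['UNKNOWN'], 'counta': [''], 'mac': ['24:da:9b:05:b6:eb'], 'carrie': [''], 'timea': ['2016-06-30 09:06:31']}
android-7032c46da1524f5f - - [30/Jun/2016 21:06:33] "POST /android/googlefinal/holla.php HTTP/1.1" 200 -
{'checkif': ['yes'], 'carrie': [''], 'CGF': ['MCLA'], 'mac': ['24:da:9b:05:b6:eb'], 'ADGF': ['ACSIR'], 'CSGF': ['SCNAH'], 'SEGF': ['SESFK'], 'timea': ['2016-06-30 09:06:32'], 'SGF': ['SSTLAH']}
android-7032c46da1524f5f - - [30/Jun/2016 21:06:34] "POST /android/googlefinal/senddata.php HTTP/1.1" 200 -
{'EXCL': ['000000000001'], 'EXTS': ['000000000000'], 'mac': ['24:da:9b:05:b6:eb'], 'carrie': [''], 'TSS': ['TEST']}
android-7032c46da1524f5f - - [30/Jun/2016 21:06:35] "POST /android/googlefinal/bingo.php HTTP/1.1" 200 -
{'mac': ['24:da:9b:05:b6:eb']}
"""

# Assumed request-line layout: "<host> - - [<timestamp>] "<METHOD> <path> HTTP/x.y" <status> -"
REQUEST_RE = re.compile(
    r'^(?P<host>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Form fields that carry device or subscriber identifiers. The reading of the
# short names (carrie = operator, teli = phone number) follows the page's own
# sentence; 'mac' and 'timea' are taken at face value.
IDENTIFIER_FIELDS = {"mac", "teli", "carrie", "timea"}


def parse_capture(text):
    """Pair each request line with the body dict that follows it."""
    events = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        if line.startswith("{") and pending is not None:
            # parse_qs output looks like {'key': ['value', ...]}; use
            # literal_eval rather than eval on untrusted capture text.
            body = ast.literal_eval(line)
            fields = {k: (v[0] if v else "") for k, v in body.items()}
            events.append({**pending, "fields": fields})
            pending = None
    return events


def leaked_identifiers(events):
    """Map each identifier field to the set of non-empty values observed."""
    leaked = defaultdict(set)
    for ev in events:
        for k, v in ev["fields"].items():
            if k in IDENTIFIER_FIELDS and v:
                leaked[k].add(v)
    return dict(leaked)


def endpoints(events):
    """Server-side scripts contacted, in order, with the field names sent to each."""
    return [(ev["path"].rsplit("/", 1)[-1], sorted(ev["fields"])) for ev in events]


if __name__ == "__main__":
    evs = parse_capture(CAPTURE)
    for script, names in endpoints(evs):
        print(f"{script:14s} <- {', '.join(names)}")
    for field, values in sorted(leaked_identifiers(evs).items()):
        print(f"leaked {field}: {', '.join(sorted(values))}")
```

Running it on the capture above lists the four scripts in call order (`install.php`, `holla.php`, `senddata.php`, `bingo.php`) and shows that the MAC address is sent on every request while the operator field was empty on this device, which is the kind of per-field view that helps decide what was actually exposed.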