Hiding Behind Android Runtime (ART)

[Youtube Data] Public Data - [ART]

2022년 NHN Cloud 무료 교육일정 : https://doc.skill.or.kr/2022-NHN-Cloud-Education

제목 : Hiding Behind Android Runtime (ART)

주의 : 테스트 이외의 목적으로 발생 되는 문제점에 대해서는 프로그램을 사용하는 사용자가 책임을 지셔야 한다는 것을 알려 드립니다.

Disclaimer: I am not responsible for any damage done using this tool. This tool should only be used for educational purposes and for penetration testing.

내용 :

Android 루트 킷 연구에 대한 논의부터 시작하여 이러한 기술이 현대 Android 시스템에서 사용하기가 점점 어려워지고 있습니다.
ART 내부로 들어가서 루트킷 생성과 관련된 파일 형식과 메커니즘을 논의합니다. 우리가 관련된 메커니즘을 이해하고 나면, 루트 킷 (rootkit)을 만드는 방법, 즉 무엇을 변경해야하는지, 어디에서 찾을 지, 어떻게 바꾸는 지, 그리고 시스템에서 끈기를 얻는 방법 등에 대해 논의 할 것입니다.

Description :

The introduction of the new Android Runtime (ART) brings several improvements in Android. But, as with any new technology, it also brings new ways to conduct or enhance malicious activities. In this presentation, we will detail one of those ways.
Once an attacker or malware has gained access to the Android device, the next step is to find ways to hide itself and gain persistence, and this is usually achieved by installing a rootkit. The majority of these rootkits are kernel mode rootkits and the common way of achieving persistence is by modifying files in the system partition. However, recent advancements in Android security, such as verified boot, have made this increasingly difficult. This presentation will demonstrate how to go around this difficulty by taking the game out of kernel mode and out of the system partition. We will show you how to take advantage of the mechanisms of ART to create a user mode rootkit.
We will start with a discussion of past Android rootkit research and how these techniques have become increasingly difficult to use in modern Android systems. Then we will go deep into ART internals where we will discuss the file formats and mechanisms relevant to rootkit creation. After we have understood the mechanisms involved, we will then discuss methods of crafting the rootkit i.e. what to change, where to find them, and how to change them, and techniques on gaining persistence on the system. We will also examine the limitations of this approach and possible future work in this area.
The talk will conclude with a live demonstration of an ART rootkit.

2022년 NHN Cloud 무료 교육일정 : https://doc.skill.or.kr/2022-NHN-Cloud-Education

PreviousKali Linux - BeEF & Linode NextHacking a Professional Drone

Last updated 2 years ago

제목 : Hiding Behind Android Runtime (ART)

주의 : 테스트 이외의 목적으로 발생 되는 문제점에 대해서는 프로그램을 사용하는 사용자가 책임을 지셔야 한다는 것을 알려 드립니다.

Disclaimer: I am not responsible for any damage done using this tool. This tool should only be used for educational purposes and for penetration testing.

내용 :

Android 루트 킷 연구에 대한 논의부터 시작하여 이러한 기술이 현대 Android 시스템에서 사용하기가 점점 어려워지고 있습니다.

ART 내부로 들어가서 루트킷 생성과 관련된 파일 형식과 메커니즘을 논의합니다. 우리가 관련된 메커니즘을 이해하고 나면, 루트 킷 (rootkit)을 만드는 방법, 즉 무엇을 변경해야하는지, 어디에서 찾을 지, 어떻게 바꾸는 지, 그리고 시스템에서 끈기를 얻는 방법 등에 대해 논의 할 것입니다.

Description :

The introduction of the new Android Runtime (ART) brings several improvements in Android. But, as with any new technology, it also brings new ways to conduct or enhance malicious activities. In this presentation, we will detail one of those ways.

Once an attacker or malware has gained access to the Android device, the next step is to find ways to hide itself and gain persistence, and this is usually achieved by installing a rootkit. The majority of these rootkits are kernel mode rootkits and the common way of achieving persistence is by modifying files in the system partition. However, recent advancements in Android security, such as verified boot, have made this increasingly difficult. This presentation will demonstrate how to go around this difficulty by taking the game out of kernel mode and out of the system partition. We will show you how to take advantage of the mechanisms of ART to create a user mode rootkit.

We will start with a discussion of past Android rootkit research and how these techniques have become increasingly difficult to use in modern Android systems. Then we will go deep into ART internals where we will discuss the file formats and mechanisms relevant to rootkit creation. After we have understood the mechanisms involved, we will then discuss methods of crafting the rootkit i.e. what to change, where to find them, and how to change them, and techniques on gaining persistence on the system. We will also examine the limitations of this approach and possible future work in this area.

The talk will conclude with a live demonstration of an ART rootkit.