Are you a malware developer for Android devices? We have very bad news for you: the Android SDK packager (aapt) is leaking your time zone! We have found a bug in this Android SDK component that consists in not properly setting the value of a variable used as an argument to the localtime() function when setting the "Last Modified" field of the Android app's files. Because of this, the time zone of anyone using the Android SDK packager to generate their APKs is leaked. The curious thing is that, despite this bug inside aapt, the problem goes even beyond aapt itself: its roots go deep into incorrect error handling in the operating system functions localtime() (Windows) and localtime_r() (UNIX).
Because in the world of Threat Intelligence the attacker's geographical location is one of the most valuable pieces of data for attribution techniques, we focused our research on taking advantage of this bug to track Android malware developers. In addition, we have discovered another very effective way to find out the developer's time zone, based on a time calculation that extracts the GMT timestamp from the Android app's files and the UTC timestamp of the self-signed, "disposable" certificate added to the application (the most common case among malware developers). This is what we call: Rock appround the clock! Using these two different techniques, we have crunched some numbers with our 10 million apps database to determine how these leaked time zones (obtained with one technique or the other) are related to malware, which countries generate more Android malicious applications, and what the possible relation is between time zone and "malware likelihood", among other interesting numbers.
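As an added illustration of the "Rock appround the clock" calculation (example code written for this page, not the authors' scripts): it reads the local "Last Modified" stamps from the APK's ZIP entries, compares the latest one with the UTC notBefore of the self-signed certificate, and rounds the difference to a plausible time zone offset. The APK and the certificate timestamp are constructed; in practice the notBefore would be read from the META-INF certificate with a separate tool.

```python
import io
import zipfile
from datetime import datetime, timedelta, timezone


def apk_entry_times(apk_bytes: bytes) -> dict:
    """Map each entry to its "Last Modified" stamp as a naive datetime.
    ZIP stores it as DOS date/time from the builder's local clock, with no
    zone marker; that is what makes the offset recoverable."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: datetime(*i.date_time) for i in zf.infolist()}


def estimate_utc_offset(entry_local: datetime, cert_not_before: datetime,
                        step_minutes: int = 15) -> timedelta:
    """Builder's UTC offset from one local ZIP stamp and the UTC notBefore
    of the signing certificate (assumed extracted separately, e.g. openssl).
    Packaging and self-signing happen seconds apart, so their difference is
    the zone offset plus a small delay; rounding to the 15-minute grid that
    real time zones use discards that delay."""
    utc_naive = cert_not_before.astimezone(timezone.utc).replace(tzinfo=None)
    step = timedelta(minutes=step_minutes)
    return round((entry_local - utc_naive) / step) * step


def format_offset(offset: timedelta) -> str:
    """Render a timedelta as 'UTC+hh:mm' or 'UTC-hh:mm'."""
    total = int(offset.total_seconds())
    sign = "+" if total >= 0 else "-"
    hours, rem = divmod(abs(total), 3600)
    return f"UTC{sign}{hours:02d}:{rem // 60:02d}"


def build_sample_apk() -> bytes:
    """Constructed stand-in for a packaged APK: entries stamped with the
    developer's wall clock (18:42:10 on a machine set to UTC-03:00)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("AndroidManifest.xml", "classes.dex", "resources.arsc"):
            info = zipfile.ZipInfo(name, date_time=(2018, 7, 3, 18, 42, 10))
            zf.writestr(info, b"placeholder")
    return buf.getvalue()


# Constructed notBefore of the throwaway signing cert, 25 s after packaging.
SAMPLE_CERT_NOT_BEFORE = datetime(2018, 7, 3, 21, 42, 35, tzinfo=timezone.utc)

def sample_offset() -> str:
    """Run the calculation on the constructed sample; returns 'UTC-03:00'."""
    latest = max(apk_entry_times(build_sample_apk()).values())
    return format_offset(estimate_utc_offset(latest, SAMPLE_CERT_NOT_BEFORE))
```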
But that's not all; we have more bad news for malware developers: no IDE (not even Android Studio) removes metadata from the files added to the Android app. We will show examples with real cases in which, after analyzing the metadata of files inside the .apk, we got to know the country, language, or even more specific geographical location of the developer and, in some cases, the name of the supposed-to-be-anonymous developer! Finally, we will share the scripts we have built to get all this information with just a simple click.
Sheila Ayelen Berta is an Information Security Specialist and Developer who started on her own at 12 years old. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, she has discovered lots of vulnerabilities in popular web applications and software, and has given courses on Hacking Techniques at universities and private institutes. Sheila currently works at Eleven Paths as a Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers, x32/x64), C/C++ and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat EU 2017, DEF CON 25 CHV, HITBSecConf, Ekoparty Security Conference, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others. @UnaPibaGeek
Sergio De Los Santos is currently head of innovation and labs at Eleven Paths, responsible for research and for creating new projects, tools and prototypes. In the past (2005-2013), he was a technical consultant at Hispasec (where VirusTotal was developed for 10 years), responsible for antifraud, vulnerability alerts and other services, mostly oriented to the banking industry. Sergio is responsible for the most veteran security newsletter in Spanish. Since 2000 he has worked as an auditor and technical coordinator, and has written three technical security books and one about the history of security. He holds a degree in informatics and a master's in software engineering and artificial intelligence, and was awarded the Microsoft MVP Consumer Security title in 2013-2017. He is a teacher and director of different courses, master's programs and lectures at universities and private companies. @ssantosv