In this section, we provide an overview of the general threat landscape throughout 2022 and major trends based on telemetry sets gathered across Talos.

Tuesday, January 24, 2023 09:01

While our ongoing support to Ukraine and response to the Log4j vulnerabilities were two of our most comprehensive and impactful efforts in 2022, we also dealt with a multitude of other threats as the security community faced an expanding set of adversaries and malware. In January, we identified several emerging trends that we expected would affect or dominate the threat landscape in 2022, many of which ultimately played out as significant events this year. In this section, we provide an overview of the general threat landscape throughout 2022 and major trends based on telemetry sets gathered across Talos, including:

*   Behavioral indicators from Secure Malware Analytics.
*   Snort and ClamAV alerts .
*   Behavioral Protections (BPs) from Cisco Secure Endpoint.
*   Case studies from CTIR engagements.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Threat Landscape Topic Summary Report: Cisco Talos Year in Review 2022

As 2023 begins I wanted to look forward on the future of state sponsored aggression and how we can see it change and evolve over the next year and beyond.

Tuesday, January 24, 2023 07:01

As we begin 2023 I wanted to take some time and look at the state sponsored threat landscape. Over the last few decades we've seen seismic shifts in how state sponsored actors attack, starting with traditional espionage with attacks like Moonlight Maze and Project Gunman and evolving into more intellectual property theft and dissident targeting with attacks like Operation Aurora. Now activity is moving into increasingly destructive or destabilizing attacks we've seen used in both Ukraine and the Middle East with information warfare emerging as one of the key battlefields. One thing to note is espionage never left the landscape. It is a constant and significant force driving state sponsored hacking and always will be.

Throughout 2022 we faced one of the more unique landscapes that we have seen in cyberspace due to the ongoing war in Ukraine and associated attacks. Interestingly we saw the war leveraged in different ways by other state sponsored groups, not just those originating from Russia. As we discovered this past year, groups like Mustang Panda were launching malicious campaigns with documents related to the Ukrainian war as a lure. Demonstrating how this war is having far reaching impacts on the threat landscape, far beyond the actual war zone.

The war provided us with one of the first real life demonstrations of how much of a role cyber activities would play in kinetic warfare. Unfortunately, the answer is clouded by doubt of whether it played a surprisingly small role or if the Russians underestimated the capabilities and perseverance of Ukrainian people, neglecting the full scope of cyber capabilities. The question now is: where do state sponsored attacks move in the future? The retreat from globalization is going to shift the landscape and change the ways nation states are operating in cyberspace. As countries move to manufacture and build internally, their targeting will change accordingly. Instead of just attacking for espionage purposes, economic considerations will play a significant role. For the first time we will see how nation states will leverage cyber when facing the economic strain of this move away from globalization coupled with high inflation and interest rates that we haven't seen in decades.

**Retreat from globalization could usher in another era of IP theft**

The post pandemic push against globalization could drive a new era in cyber-based intellectual property theft in the months and years ahead. The pandemic has changed the world in a staggering number of ways, but most crucially it could precipitate the end to the decades long march to globalization. Countries around the world were met with supply chain bottlenecks and the realization that just-in-time (JIT) shipping only works when your suppliers are available, and the push to bring jobs back stateside has already begun. Whether it's Apple announcing chip manufacturing will begin in the United States or the CHIPS act being passed in the United States pushing hundreds of billions of dollars into semiconductor research, both enterprises and nation states are revisiting manufacturing.

This shift will have many downstream impacts, but the largest impacts will be felt in those countries where manufacturing dominates their GDP. This is also going to result in more autocratic nations spinning up domestic versions of products and technologies. Developing these new capabilities isn't a simple process and typically requires significant investment into research and development to achieve the technological breakthroughs required for some manufacturing.

However, there is another avenue for those nations willing to take it –theft. More specifically cyber theft of intellectual property. This isn't a new behavior, in fact back in 2012 General Keith Alexander famously said, cyber theft was the "greatest transfer of wealth in history" but since then the activity has cooled slightly. China and the US agreed to scale back their offensive operations and we haven't had a barrage of high profile breaches at defense contractors and other high value targets in some time.

The playing field has grown considerably for state-sponsored actors. What used to be dominated by a handful of well-resourced countries is now seeing more nations turn to offensive capabilities to support their missions. As such the likelihood that other countries take a similar path seems likely. History has shown that the fastest way to come up to speed is to steal the intellectual property instead of developing it yourself. It's also plausible that you could start to see criminal organizations take increasing interest in the intellectual property of their ransom and extortion victims as that data could be worth many times the ransom demand to a nation state trying to make up critical ground in technology or manufacturing.

**Destructive attacks will increase as the retreat from globalization hastens**

Over the last decade state-sponsored actors have increased their use of destructive attacks. They have historically been largely associated with Russian aggression: NotPetya, OlympicDestroyer, WhisperGate, CaddyWiper, etc. However, we have seen examples of other groups launching destructive attacks, most notably against Saudi Aramco and other Shamoon\-associated targets. The use of destructive malware is poised to increase in the months and years ahead. These actors have learned that wipers are an effective means to destabilize a region or impact vital services. This was demonstrated most clearly in the Colonial Pipeline attack where a ransomware attack against its enterprise systems resulted in pipelines being stopped. This attack demonstrated how nations don't need to attack critical infrastructure directly to disrupt it. There is little reason for these actors to avoid critical infrastructure as, to this point, cyberspace based aggression has seen little or no response.

Critical infrastructure has always been a red line, albeit one that's already been crossed several times. Russia has attacked Ukraine’s power system multiple times, resulting in a loss of service and in some cases black outs. However, I'd argue that all of Russia's attacks could be associated with the war against Ukraine, a war that started in 2014 with Russia's invasion of Crimea. Looking at the conflict as it stands now, it appears that, in regional wars, kinetic attacks against critical infrastructure seem far more efficient with bombs being able to inflict more lasting damage. This may not be the case for more long distance opponents where kinetic attacks are more costly and difficult. The only reason to use exclusively digital attacks would be the desire to keep the facilities functioning, although there is no guarantee that a cyber attack couldn't be destructive, as demonstrated by Stuxnet.

Today state-sponsored actors are looking for ways to disrupt critical infrastructure without attacking it directly, for fear of reprisal. The colonial pipeline attack gave them the playbook they needed and in all likelihood we'll see it play out again. The only way to prevent critical infrastructure from being a target is to establish rules of engagement for cyberspace which is unlikely to happen anytime soon, barring a calamitous cyber event. The reason is that the big players aren't willing to give up their own capabilities for times of war, at least not yet. Critical infrastructure isn't the only place where these groups attempt to destabilize their adversaries. The information battlefield has only grown from the days of pamphlet drops and forgeries. With the advent of social media, information can be used in powerful and unexpected ways.

Information moves impossibly fast today. Viral news spreads like wildfire across the globe and in a matter of hours has traversed it many times over. The issue is, how do we know it's true? The line between true and false has been blurred repeatedly by leaders both elected and otherwise around the world. As such an opportunity has been created for state-sponsored groups to leverage this as a wedge. We've seen it in the US elections in 2016, we saw it again in the French election-related hacking, and we saw it countless times in the COVID era. Misinformation and disinformation are now powerful tools that can be wielded to effect change on a scale previously thought to require physical involvement, and those with the capacity to abuse it have noticed.

One of the interesting aspects of social media is that each user's experience is largely unique to them. Meaning that it's based on aspects of your life, for instance your location, profession, and social circle. This provides avenues for targeted misinformation and disinformation to hit specific groups. We've already seen this done in the election interference where things were targeted at certain demographics or groups.

For most nation states this is an incredibly attractive avenue as it's easy to conduct, relatively cheap, and easy to plausibly deny. Worst case scenario they get exposed, fold up the current campaign and spin up new companies or organizations to start the next one armed with the lessons learned from the previous failures. The activities on social media for nation states hardly ends with misinformation and disinformation.

**Targeting of citizens will continue as mobile spyware market grows**

The last five years has seen an explosion in the mobile spyware market. NSO Group is the most well known but there are new startups flooding the market, all promising the same level of zero-day support and repeatable in-memory access. These tools are marketed as the ultimate spy tool to expose criminals and terrorists around the globe but it is often being found used against dissidents, activists, and journalists. Today everyone's life exists on their devices from email to documents to private communications. It's all right there and if you have millions of dollars to spend it's easily accessible. The truth is that if someone deems your information valuable enough, they can get it, they just have to be willing to spend the money to accomplish it. For most of us that means we're in the clear. Unfortunately, the risks are quite high for the few that choose to challenge those in positions of power or aid those in doing so. To be clear this isn't something an average person or even company would be able to purchase, but for intelligence apparatuses around the globe it's all too easy to achieve.

  
In many countries around the world there are rules and protections in place to prevent domestic abuse or targeting overreach. The problem is that there are lots of countries with access and willingness to skirt the typical rules of engagement. Governments are starting to take action against these mobile spyware companies, but for every company they knock down another one will rise up. There are no easy solutions for the small minority of people that fall into this targeting, but technology companies are beginning to work on it.

The world is shifting away from globalization in the post pandemic era. Interest rates are exploding and borrowing just got a lot more expensive. State-sponsored groups are going to be squeezed just as we all are. Cyber operations are cheap both financially and politically. Rarely do you need to put boots on the ground and you can launch the attack from the other side of the planet without a single physical asset at risk of being discovered. Additionally, cyber campaigns carry a much higher level of deniability and rarely have political repercussions. The appetite to expend scarce resources in espionage activities will always exist, but if an agency can conduct five or six cyber operations for every non-cyber campaign, then the value is in cyber. Maximizing value will be increasingly important as budgets around the world tighten to counter the increased cost of borrowing. Additionally, the push away from globalization likely increased the non-governmental targets for state-sponsored groups going forward.

State Sponsored Attacks in 2023 and Beyond

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 13 and Jan. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for January 13 to January 20

Talent retention and institutional knowledge go hand in hand. Both are critical to ensuring the security of your network environment.

Thursday, January 19, 2023 16:01

Welcome to this week’s edition of the Threat Source newsletter.

Talent retention and institutional knowledge go hand in hand. Both are critical to ensuring the security of your network environment. To that end, I want to talk briefly about why talent retention isn’t just about money. So I am going to speak directly to the people managers from the team leads in the SOC to the C-Level execs. When you examine what you do on a day-to-day basis are you telling your team members what they can and can’t do? How often do the things you say and the goals you provide fall between those two things? Now, ask yourself what you’ve done to enable them to grow today, both technically and as people. One of the easiest ways to very quickly identify quality leadership is to find out if the mindset and actions of the people managers is that the employees work for and reflect on them, or if they understand that they work for the team and that the team is a reflection of their leadership. Yes, there are plenty of employees that will leave simply based on pay, and we all have budgets to work within – but there is no cost to show respect and fighting to find budget for pet projects, training, or even niche learning for your employees is your job. When you can’t find budget find other ways to show the employees that you respect them and are actively working to ensure their growth. In the end your efforts will be rewarded with a stronger team and a more secure environment.

**The one big thing**

Focus on the basics. As we run headlong into the impending brick wall of 2023 take a moment to look at your environment and simply relearn it.

**Why do I care?**

Without knowing your baseline environment there is absolutely no way that you can expect to protect it.

**So now what?**

Learn your network. Observe and reevaluate your physical security standards in this crazy post pandemic world. Ensure that your patch management strategy is sound and that you have good cross-team collaboration to get those change windows handled. Ensure dead accounts are handled correctly. On and on – you know the steps. Take a beat and follow them.

**Top security headlines of the week**

Yum Brands, the parent company of fast-food chains KFC, Pizza Hut and Taco Bell, has confirmed that company data was stolen in a ransomware attack.

Yum Brands said a ransomware attack impacted “certain information technology systems,” prompting the chain to take some of its systems offline. The incident also led to the closure of roughly 300 restaurants in the United Kingdom for 24 hours, the company said. Although the ransomware attack largely affected the company’s U.K. operations, Yum Brands said it notified U.S. federal law enforcement as its investigation continues. (Tech Crunch and Yum)

Initial Access Broker market is booming, posing growing threat to enterprises. Research shows a sharp year-over-year growth in the number of IABs operating in underground forums and markets. For ransomware operators and other cybercriminals that are looking for quick access to enterprise networks, these brokers are the answer. (Dark Reading and GroupIB)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
*   https://blog.talosintelligence.com/talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos
*   https://talostakes.talosintelligence.com/2018149/12016411-year-in-review-apt-summary-edition

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)  
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA 256:

125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

Threat Source newsletter (Jan. 19, 2023): Talent retention and institutional knowledge

Dave McDaniel of Cisco Talos discovered this vulnerability.
Cisco Talos recently discovered a cross-site scripting (XSS) vulnerability in Ghost CMS.
Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with

Thursday, January 19, 2023 15:01

_Dave McDaniel of Cisco Talos discovered this vulnerability._

Cisco Talos recently discovered a cross-site scripting (XSS) vulnerability in Ghost CMS.

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

The TALOS-2022-1686 (CVE-2022-47194-CVE-2022-47197) shows that several XSS vulnerabilities could lead to privilege escalation.

Ghost CMS separates users into four groups (five, if including the site owner) of increasing privilege: Contributor, Author, Editor and Administrator. Contributor users have the least privilege and are allowed to create but not publish posts. All users have the ability to include social media links, as well as a few other pieces of information that will be included on their posts and author pages. A stored XSS vulnerability exists in a number of these fields, and it can be leveraged from basic user attacks to full privilege escalation. As with any XSS, it does require a target user with the correct access level to access affected resources while logged in to trigger the injected Javascript. The vulnerabilities listed here can be triggered when a higher-level user simply previews or visits any post by the malicious user, as these social links seem to be included in all of a user's posts. We have confirmed that a full privilege escalation to administrator can be achieved with the correct Javascript payload.

Separating the admin domain as documented at https://ghost.org/docs/config/#admin-url will prevent this type of vulnerability from being exploited to perform privileged API calls, such as modifying a user group, adding users, etc. However, in default installations, these vulnerabilities can be used for privilege escalation via XSS. Essentially this means that, in default installations of Ghost CMS, users that can author pages and administrator users have the same privileges.

Ghost responded to notification of this advisory with: “Ghost is designed to be used by trusted users, and we are not interested in hypothetical attack vectors involving staff users attacking each other. This is not how the product is used. For any people who are using Ghost in an untrusted environment, we have clearly documented steps to add further separation of concerns between staff users... We do not consider this to be a valid report."

Cisco Talos believes these are potential security issues due to the fact that it is trivial to escalate privileges in default installations. Talos notified Ghost in adherence to Cisco’s vulnerability disclosure policy.

Talos tested and confirmed this version of Ghost could be exploited by this vulnerability: Ghost Foundation Ghost 5.9.4.

The following Snort rules will detect exploitation attempts against this vulnerability: 60764-60765. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: XSS vulnerability in Ghost CMS

While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads. A closer look at the LNK files illustrates how their metadata could be used to identify and track new campaigns.

Following the LNK metadata trail

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 6 and Jan. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for January 6 to January 13

Emma Reuter and Theo Morales of ASIG and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.
Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML.
Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all

Friday, January 13, 2023 11:01

_Emma Reuter and Theo Morales of ASIG and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities._

Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML.

Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all aim to enable cross-platform application development with a unified programming API.

QT has responded to vulnerability notifications with this statement: “We have analyzed your report, and our evaluation is that this is not a security issue, even though it is a real bug. Qt’s QML and JavaScript support is explicitly not designed for untrusted content... Each application that is passing untrusted input to QtQml needs to have an advisory instead and must thoroughly check their inputs.”

This advisory concerns:

TALOS-2022-1617 (CVE-2022-40983), in which Javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. A target application would need to access a malicious web page to trigger this vulnerability.

Secondarily, TALOS-2022-1650 (CVE-2022-43591) can involve an out-of-bounds memory access, leading to arbitrary code execution.

Cisco Talos believes these are potential security issues and notified QT of the issues all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: Qt Project Qt 6.3.2. Talos tested and confirmed this version of QT could be exploited by this vulnerability.

The following Snort rules will detect exploitation attempts against this vulnerability: 60690-60691 and 60912-60913. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML

We tried to get ChatGPT to write this week’s newsletter but it was at capacity, so you’ll have to stick with us for another week. Or maybe that’s just what the robots want you to think, you be the judge

Thursday, January 12, 2023 14:01

Welcome to this week’s edition of the Threat Source newsletter.

We tried to get ChatGPT to write this week’s newsletter but it was at capacity, so you’ll have to stick with us for another week. Or maybe that’s just what the robots want you to think, you be the judge.

**The one big thing**

This week Talos hosted a 2022 Year in Review: APTs livestream. On the livestream we brought together subject matter experts to deep dive into the Advanced Persistent Threats section of our 2022 Year in Review. During the livestream the panel covered section findings but also gave further insights to the trends we saw over the 2022 year.

**Why do I care?**

Over the next few weeks we’ll continue to host livestreams with our SMEs and report contributors to give further insights into our report and its findings. If you’re not one for larger reports or extended reading, our Topic Summary reports provide a one-pager to quickly digest the information of corresponding sections. Read the newly released APT Topic Summary Report here.

**So now what?**

Join us for our final two livestreams, on LinkedIn and Twitter, on January 24th and February 7th as we continue to discuss the general threat landscape and conclude our report coverage with a panel discussion on ransomware and commodity loaders.

**Top security headlines of the week**

Microsoft released its monthly security update on Tuesday, disclosing 98 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 87 are classified as “Important”, no vulnerabilities were classified as “Moderate.” (DarkReading) See Talos’ Patch Tuesday coverage for Snort rules and prominent vulnerabilities.

We’re only the second week into 2023 and ransomware isn’t taking any breaks this year. Maternal & Family Health Services, a Pennsylvania based nonprofit health provider, confirmed the ransomware attack had exposed almost half a billion individuals’ personal data. Impacted were current and former patients along with employees and vendors.  (TechCrunch)

Suffering from a previous breach earlier this month CircleCI is in the news yet again as researchers warn the breach may have an impact on other third-party applications. Given CircleCI integration with SaaS and Cloud providers and it’s authentication process researchers urge users to rotate all secrets stored in CircleCI and hunt for malicious behavior on SaaS and cloud platforms. (SC Media)

**Can’t get enough Talos?**

APT Topic Summary Report

2022 Year in Review: APTs Livestream Replay

2022 Year in Review Report

Beers with Talos

Talos Takes

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)

Mesa, AZ  

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d

MD5:  26f927fb7560c11e509f0b8a7e787f79

Typical Filename: Iris QuickLinks.exe

Claimed Product: Iris QuickLinks

Detection Name: W32.DFC.MalParent

SHA 256:   9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5:  2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Simple\_Custom\_Detection

SHA 256:   d5dc790f6f220cf7e42c6c1c9f5bc6e4443cb52d07bcdef24a6bf457153c1d86

MD5:  69fbf6849d935432bac8b04bdb00fd68

Typical Filename: kmsauto++.exe

Claimed Product: N/A

Detection Name: W32.File.MalParent

SHA 256:  e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5:  93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:   d00977521dba67111876729e4b8ed09455b85c653bef2fd0c23e9e8a09f0a9b6

MD5:  d00977521dba67111876729e4b8ed09455b85c653bef2fd0c23e9e8a09f0a9b6

Typical Filename: KMSAuto x64 dv.exe

Claimed Product: N/A

Detection Name: W32.File.MalParent

Threat Source newsletter (Jan. 12, 2023): Did ChatGPT write our newsletter?

By Vitor Ventura

This post is the result of research presented at Recon Montreal 2022. Two slide decks are provided along with this research . One is the presentation showing the whole process and how to do it on Google Play Protect services. The other one is a workshop on how

_By_ _Vitor Ventura_  

This post is the result of research presented at Recon Montreal 2022. Two slide decks are provided along with this research . One is the presentation showing the whole process and how to do it on Google Play Protect services. The other one is a workshop on how to do it on an emulator targeting MtpService.

**Motivation**

Performing reverse engineering on Android applications and/or malware is often about doing static analysis that is complemented by dynamic analysis. This is an approach that works perfectly with applications that run at the user level and have a user interface. However, the Android security model allows for the existence of system applications, which can be operating system applications, operator applications or vendor applications. This does not mean that the applications require special permissions. They may be regular applications or service provider applications that are pre-installed either by a vendor or by the telecom service provider.

One of the features associated with these applications is that they are uninstalable by the user - The best the user can do is uninstall the latest updates and suspend or deactivate the applications, but never uninstall them.

There are also system applications that are part of the Android framework which, are closed source, thus require reverse engineering to be analyzed.

A popular tool to perform dynamic analysis is the Frida Framework. To use it a researcher needs to inject the Frida library into the target application’s address space. This can be done either by running the Frida daemon with root level access on the device or by patching the target application and making it load the shared library version of Frida. If the target application is headless, i.e. without a user interface, the instrumentation can only be done by forcing the load of the shared library and patching the target application code.  

Doing such analysis should be easy by using an OEM version of the Android operating system; however, these images may not contain the target of our research which created the need to  enable the instrumentation of system applications on Android stock images.

This, however, presented a bigger challenge than originally expected due to the protection mechanisms in place in the Android Operating system. Maddie Stone’s presentation at BlackHat 2019 describes both the limitations and vulnerabilities found on some system applications.

**Obstacles**

There are several limitations imposed by the Android security architecture, but also limitations imposed by the very nature of the availability of the target applications. This section will enumerate the limitations and solutions to those limitations.

**Operating system limitations**

It would be easy to obtain root level access on the operating system if one was to reflash the device with an open operating system like GrapheneOS however this presents two challenges:

1) Applications that are installed by vendors would not be present. Even though it is possible to install them, they may have checks regarding the operating system version they are running on. Eventually a static analysis along with patching could bypass such checks. But at this point the analysis environment would be tainted which could lead to biased results. Additionally there is also the risk of missing some checks.

2) Some vendors add protections to the kernel which won’t be present on this different operating system which tend to be more generic. As an example, Samsung ships most of their kernels with the SELinux permissions set to restricted without the possibility of change from user level.

**Headless applications**

System applications are often headless, meaning that they don’t have a launch activity or a user interface. Without it, tools like Frida or the debugger provided by the Android studio, are not able to start the application and debug it. Effectively the researcher doesn’t have the means to start the application or even to know, in a deterministic way, when the application will be executed.

One option could be the patching of the manifest and adding the launch activity. This poses its own problems, like deciding which existent activity would handle the request, and even checking if the code would be able to handle it. This leads to increased tampering with the application’s way of working, eventually creating unpredictable problems.

**Enabling dynamic analysis on the application**

On Android when doing dynamic analysis on a regular application the analyst can either activate the debug option on the application manifest or use an instrumentation toolkit like Frida.  To activate the debugging the researcher needs to change the debuggable attribute (android:debuggable="true") in the Application section of the application manifest to true, and repackage the application.

To use Frida, assuming there is no root level or the target application is headless, the analyst would need to patch the application, make it load the Frida Gadget and give it the Internet permission. These changes, like the previous, also need a  repackaging of the application.

Android requires that all application packages are digitally signed. In regular applications and in an open environment, the certificate that signs the application has little importance and a researcher can simply use a freshly generated self-signed certificate . However this is not the case if the target application is a system application. The sections ahead explain why.

**Android security architecture**

This section will describe the obstacles that a researcher must overcome to reach the point where it is possible to perform the dynamic analysis.

**Digital certificate collision**

As described above, in order to install an application its package needs to be digitally signed, which shouldn’t be a problem. However, there are a few situations where the certificate that signs the package actually matters. One of these cases, and for good security reasons, is when a user tries to upgrade an application. Imagine the following scenario;

An attacker is able to trick the victim into downloading and installing a fake Instagram application, posing it (to the system) as an upgrade to the original application. If there weren’t checks on the package signatures the malicious application would get access to all the data and configuration from the legitimate application. To avoid this, Android checks if the two applications are signed by the same certificate. If they are not, it won’t allow the installation of the fake upgrade. There are other ways to perform such an attack, but that is beyond the scope of this research.

This means that when the changes needed for dynamic analysis are made and the application is repacked, the patched application will not be able to be installed because the signatures will not match.

**Replace the original application**

Since the patched application cannot be installed on top of the original application, the obvious solution would be to simply uninstall the original one and replace it with the patched one. However this presents another barrier in this specific use case. As it was explained in the first section, these applications cannot be uninstalled. At best they can be deactivated but not uninstalled, making this a huge limitation to overcome in order to dynamically analyze these applications.

**Shared UIDs**

The fact that it's not possible to upgrade applications with different digital signatures is not the only limitation imposed. On the Android operating system, applications may share user IDs (UIDs). This is particularly useful if a developer wants to share information between applications using simple mechanisms provided by Linux without having to use mechanisms provided by the framework. However the security architecture imposes, and rightfully so, that applications that share the user ID must all be signed by the same certificate. Unfortunately, there are several system applications that share the same user ID, so it is likely that a researcher will bump into this limitation throughout their research.

**Solution**

The method to be able to dynamically analyze system applications on Android requires several actions.

**Step-by-step  
**

As it was shown in the previous sections there are several obstacles that need to be overcome in order to dynamically analyze system applications on the Android platform.  

Not necessarily in this order, but first the original target application needs to be uninstalled and removed, then identify if there are shared user ID applications. If these applications exist they need to be either uninstalled or re-signed with the same certificate used to sign the patched version of the target application. The image below illustrates the necessary steps.

Since system applications are often headless for the sake of this document, instrumenting target system application is the best way to perform non-interactive dynamic analysis.

This means that the application needs to be patched, and the instructions for it to load Frida library (gadget) into its address space must be added.

Before jumping into the details of the method it's important to explain the target and the environment. This research was conducted on the standard Android emulator using the Pixel 4 XL skin, an x86 image with API 30. For demonstration purposes the selected target application was the MtpService which is responsible for handling the MediaTransferProtocol setup when a new USB device is connected to the device. This is an open sourced application which was perfect for testing as the reversed code and behavior could always be compared  with the original code.

**Patching and re-signing target application  
**

The first step to patch the target is to unpack it using apktool which can be found here along with the instructions to pack and unpack applications.

The place to actually perform the patching will be highly dependent on the target application, there is not “_one spot fits all_”. As a rule of thumb the library should be  loaded as early as possible in the target application. A good way to do that is to load the library inside the method that handles the “BOOT\_COMPLETED” action as this will be the first one to be executed upon device reboot.  

The manifest will have the class that handles that action named on the receiver section. In the target application the class is called “com.android.mtp.MtpReceiver”. In this class look for the “onReceive()” method as that will be the method that will be executed once the action is broadcasted.

Using the apktool one can decompile the classes.dex and edit the smali code to load the library. The smali code should look like the image below.

Line 151 declares a variable string object referred to as v0 and stores the word “gadget” inside of it. Line 153 invokes the static method “loadLibrary()” which resides inside the System package. With a single String object as argument, the v0 object was previously declared. These two instructions are enough to load a static library into the application address space. The image below illustrates how the code looks like in Java.

Now before repacking the whole application the Frida library needs to be added into the package. In the root of the package (created by apktool after extraction) create a directory called “lib/” inside it and create a directory with the architecture of the library, in this case it's “x86” since this is the emulator. Inside this directory place the library file.

Now, because of the Android installer there are a few tweaks that need to be done. First the library file must start with the prefix “lib” and end with the extension “.so”. So even though the instructions make the system load a library called “gadget”, the file name must be “libgadget.so”. Frida gadget needs a configuration file, whose details will be addressed in the next section. This file also needs to be inside the package so that it is made available upon the loading of the library. Frida gadget will look for a configuration file with the same name as the library itself but with an extension “.config”. So as per Android requirements this file must be called “libgadget.config.so”.

Conforming to these  naming criteria will ensure that upon installation the patched version of the target application will load the Frida gadget once the device is rebooted. Once all the files are in place, the application needs to be repacked into an APK file using apktool.

**Signing the target application  
**

Now the package needs to be re-signed. The certificate can be generated with a simple command such as :

keytool -genkey -v -keystore release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias

Keep in mind that this same certificate may be needed to sign applications that share the user ID (UID) with your target application. Before the package can be signed the zip file needs to be aligned which is done with the command below.

zipalign -v -p 4 <package\_file> <output>

Afterwards the package should be signed using the apksigner with the command line below:

apksigner sign --ks <path to java keystore> --out <package name> <output  from zipalign>

**Searching for shared ID applications**

As It happens, the MtpService application installation still fails with the error below.

This means that there are applications that share the same userid but are signed with a different certificate. This can be confirmed by checking the manifest snippet below.

There is a property called “android:sharedUserId” which is defined and set to “android.media”, meaning that there are other applications that use the same userid. Any application using this shared userid must be a system application. A not very elegant but effective method to find all the applications is to download all the system applications, extract and convert the manifest into a text format and search for the shared id property.

Once all of these are known, they can either be removed, using the same technique described in the previous section; OR they can be replaced with a version signed with the same certificate. The latter is the preferred action because there may be unforeseen dependencies between the applications.

**Uninstall/replace the original target application package  
**

_This is a crucial step in this method_, without which Android security architecture will never allow the installation of the patched version of the target application. So in order to do this a tool called Magisk, will have to be installed. Magisk is a “rooting” tool that will allow users to obtain root level access on their devices without changing the whole operating system image. The tool provides a method for users to patch the kernel which can then be re-flashed into the device.

This method is the least intrusive possible, while allowing root access. Because these are system applications analysis, the root access is not that relevant (keep in mind that the application must be patched to have the Frida library in its own code) since there is no need to run Frida server as a daemon with high privileges.

Magisk has another crucial feature: It allows a user to define a virtual filesystem which will be laid on top of the actual file system at boot time. This allows any folder or file to be remapped to the version replacing the original ones flashed into the partitions upon system creation.

The first step is to install Magisk on the system that will be used for the analysis. The installation itself is beyond the scope of this article, but once installed you should be able to see the home screen of the Magisk Application, and should look something like the image below.

The application being  targeted here is stored at “/system/priv-app/MtpService/” and the image below shows that's where the application package is located at.

If one tries to delete the package manually, one can see that “/system” directory is mounted on a read-only filesystem which, as seen below, doesn’t allow the file to be deleted, even though the files are owned as root.

So the way to address this is to use what Magisk calls “modules”, where in reality a user can define a filesystem path to be overlaid by Magisk on top of the real path. Thus changing the contents of the real path. The overlay can simply delete a full path or replace it with one’s own contents.

The Magisk modules configuration is stored in “/data/adb/modules”, the full module documentation can be found here, and in this case one just needs to create a directory with the name desired for the module to have and recreate the path to overlay. By adding the file “.replace” on the last directory, one simply replaces that directory by an empty one.

The image above shows the empty directory after the module has been created.

Now that all the obstacles have been overcome, the patched application can simply be installed and the device rebooted. This should start the patched application with the instrumentation toolkit embedded in it and ready to use.