Botconf Author Listing

Łukasz Siewierski


Last known affiliation: Google
Bio: Łukasz is a Reverse Engineer on the Android Security team at Google, where he takes apart malware and figures out how to stop it from working. Previously he was taking apart security incidents at the .pl domain registry, figuring out how to prevent them from happening in the future. Siewierski likes sharing his knowledge by presenting at conferences, such as RSA Conference, Virus Bulletin or Botconf.
Date: 2023-04-12
You OTA Know: Combating Malicious Android System Updaters
Łukasz Siewierski 🗣 | Alec Guertin 🗣

Abstract

Over-the-air (OTA) updates are a crucial part of the Android operating system. The updates are signed and applied by the operating system, but the process of checking for new updates, downloading the files and handling the user interactions is done by a preinstalled application – an OTA provider. For the operating system update itself, the OTA application cannot interfere with the contents of the update in any way, which is what keeps the OTA system image update secure.

However, to provide lightweight updates to preloaded applications, OTA applications are often also able to download and install specific applications. Access to these privileges makes OTA applications a potentially interesting target for abuse.

We have identified several cases in which third-party OTA solutions contained code used to secretly download additional apps without user consent during the device’s lifetime. This talk covers examples of the problematic additions, the downloaded applications, the steps we have taken to combat the problem by pre-scanning system images, and the future of the Android OTA ecosystem.
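One concrete check a reviewer of a system image can run on the question raised above (which preinstalled apps are allowed to install or remove packages on their own) is to read the privileged-permission allowlists. This is an added example written for this page, not Google's pre-scanning tooling: it parses the AOSP privapp-permissions XML format (the privapp-permissions-*.xml files under /etc/permissions on a system image) and reports every package allowed android.permission.INSTALL_PACKAGES or android.permission.DELETE_PACKAGES. The allowlist below is constructed and the package names are hypothetical.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Privileged permissions that let a preinstalled app add or remove packages
# without going through the user-visible package installer.
INSTALL_PERMS = {
    "android.permission.INSTALL_PACKAGES",
    "android.permission.DELETE_PACKAGES",
}

# Constructed allowlist in the AOSP privapp-permissions format; the package
# names are hypothetical.
SAMPLE_ALLOWLIST = """<permissions>
    <privapp-permissions package="com.example.otaclient">
        <permission name="android.permission.INSTALL_PACKAGES"/>
        <permission name="android.permission.REBOOT"/>
    </privapp-permissions>
    <privapp-permissions package="com.example.wallpapers">
        <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
    </privapp-permissions>
    <privapp-permissions package="com.example.fota">
        <permission name="android.permission.DELETE_PACKAGES"/>
        <permission name="android.permission.INSTALL_PACKAGES"/>
        <deny-permission name="android.permission.INSTALL_PACKAGES"/>
    </privapp-permissions>
</permissions>
"""


def parse_privapp_allowlist(xml_text: str) -> Dict[str, Set[str]]:
    """Map package name -> privileged permissions it is allowed by one file.

    <deny-permission> entries override <permission> grants for the same
    package regardless of their order in the file, which is how the
    platform treats them.
    """
    root = ET.fromstring(xml_text)
    grants: Dict[str, Set[str]] = {}
    denies: Dict[str, Set[str]] = {}
    for entry in root.iter("privapp-permissions"):
        pkg = entry.get("package")
        if not pkg:
            continue
        for child in entry:
            name = child.get("name")
            if not name:
                continue
            if child.tag == "permission":
                grants.setdefault(pkg, set()).add(name)
            elif child.tag == "deny-permission":
                denies.setdefault(pkg, set()).add(name)
    return {pkg: perms - denies.get(pkg, set()) for pkg, perms in grants.items()}


def find_installers(allowlist: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return only the packages allowed to install or delete packages,
    together with which of the two permissions each one holds."""
    return {
        pkg: perms & INSTALL_PERMS
        for pkg, perms in allowlist.items()
        if perms & INSTALL_PERMS
    }


if __name__ == "__main__":
    found = find_installers(parse_privapp_allowlist(SAMPLE_ALLOWLIST))
    for pkg, perms in sorted(found.items()):
        print(pkg, sorted(perms))
```

On a real image, run this over every privapp-permissions-*.xml on the system, vendor, product and system_ext partitions and merge the results. The allowlist only says which apps may be granted the permission; to confirm an app actually has it, also check that its APK sits in a priv-app directory and declares the permission in its manifest.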

Slides (PDF)
Video
Date: 2019-12-06
Zen: a Complex Campaign of Harmful Android Apps
Łukasz Siewierski 🗣

Abstract

Android malware authors go to great lengths to come up with increasingly clever ways to monetise their apps. The author (or group) presented in my talk shows quite a range, from simply repackaging apps with a bespoke advertising SDK to writing a sophisticated rooting trojan with new techniques never seen in other harmful apps. Their most complex creation is called “Zen”. Zen bundles exploits to gain privileged root access. It then uses this access to create fake Google accounts on devices. These accounts are created by abusing the accessibility service, with additional help from code injection.

Date: 2020-12-02
The fall of Domino – a preinstalled hostile downloader
Łukasz Siewierski 🗣

Abstract

Android is an open-source operating system which allows OEMs and their subcontractors certain flexibility in adding components to the system. These add-ons may contain new and exciting features, but sometimes they also hide complex malware. This talk will deal with a malware family called ‘Domino’.

Domino was discovered preinstalled on certain Android devices and distributed as a new operating system component on a small fraction of different phone brands, all of them low-cost devices running Android 7 or lower. On these devices, the malware author added additional code to many Android components – such as the default browser, the Settings app and the Android framework – which allows Domino to use system privileges to download additional applications later on and prevent their uninstallation by the user.

Different versions of Domino implement different behaviour, from displaying advertisements to overwriting visited URLs in order to change the default search engine or advertisement campaign referral IDs. The changes introduced by Domino also made it possible to ensure that Domino’s browser was exclusively used to display all links clicked by the user.

Rather unusually, we were able to obtain a compressed archive with Domino’s source code, including code comments and notes for manufacturers on how to embed Domino on their devices. Additionally, this archive includes SELinux policies crafted to allow Domino to persist and run with elevated privileges. We also obtained a test application which tried to interact with the Google Play store in order to test referral substitution and seems to have been written by the Domino author to test some coding ideas.

Slides (PDF)
Video
Date: 2018-12-07
Triada: the Past, the Present, the (Hopefully not Existing) Future
Łukasz Siewierski 🗣

Abstract

Triada is an Android threat that has been known within the malware research field for a couple of years. Despite that, it still remains a very interesting threat, as its authors did something very rarely seen in any malicious software – instead of evading detection, they embraced it. Triada was first detected preinstalled on the system image of some low-end Android devices in mid-2017.

As soon as we detected these applications, we reached out to OEM partners to address this threat and we gained a unique insight into Triada’s evolution and tactics. This presentation will cover Google Play Protect’s findings and present previously unrevealed aspects of Triada and the extent to which it backdoored OEM system images. We will also cover how our unprecedented coordination with OEMs led us to update system images across the Android ecosystem.

Date: 2017-12-08
Thinking Outside of the (Sand)box
Łukasz Siewierski 🗣

Abstract

During my talk, I will outline the current state of apps that try to break the Android sandbox model, either by directly exploiting the Android device or by trying to circumvent the protections in place. In the past, there have been mentions of malware families that try to interfere with the Android system the same way Windows malware frequently does – by implementing function hooks or code injection. My talk will also show the difficulties faced by malicious authors, their creativity and goals, and the ways in which Android system security features prevent such behaviour.

Date: 2016-11-30
Hunting Droids from the Inside
Łukasz Siewierski 🗣

Abstract

This talk will be a survey of the different potentially harmful applications (PHAs), botnets and malware campaigns on Android that we encountered in 2016. I’ll walk through a variety of malicious apps, explain the malware authors’ objectives and the techniques they use to achieve those objectives. In addition to detecting and analyzing PHAs, we also actively shield users from them through platform enhancements. For example, by changing Android APIs to make them less prone to abuse, we render some potentially harmful APKs unusable and benign for users. In some cases, we’ve deprecated APIs or introduced new features, resulting in a significant drop in affected users. This is not limited to providing protection from PHAs in the Google Play store, but extends to any apps that users install on their phones. I will highlight a series of anti-abuse measures and present the positive impact they have had on the ecosystem at large.

Date: 2015-12-02
(Mostly) Polish threat landscape: not only VBKlip
Łukasz Siewierski 🗣

Abstract

Last year, I presented a talk about Polish malware authors. Since then, we have acquired even more knowledge and the Polish malware market has evolved slightly. Of course, there still are “hacker” forums, which use simple, leaked and cracked keyloggers and sell their services to anyone with enough money. However, this is probably the case in any other country as well.
On the other hand, major players are starting to emerge. VBKlip and Banatrix, which were used to replace the bank account number in the Windows clipboard, have evolved into more sophisticated, webinject-based malware. This means that Polish authors are constantly learning from other malware families. This evolution mimics what was happening in the banking trojan market during the last couple of years – starting with simple, one-off attacks and moving to a more structured way of stealing money.

Video
Date: 2014-04-12
Middle Income Malware Actors in Poland: VBKlip and Beyond
Łukasz Siewierski 🗣

Abstract

In the past year we have closely observed a new malware family attacking Polish online banking users. It utilized a simple observation: users tend not to check whether the text they copied is the one they pasted, especially when that text is a 26-digit bank account number. This malware started as a simple Visual Basic 6 application and then evolved into more complex banking malware. While it still has a long way to go to become the next ZeuS or Citadel, it does impact users and we are still getting signals that this is a problem.

This novel way to infect users was also attractive for copycats – aspiring malware authors who were building small applications based on the same idea. These applications were at first not detected by any of the antivirus solutions, according to the VirusTotal service. This can be attributed to the absence of network traffic or registry presence.

While these examples may not be mainstream banking malware, they provide some insight into what new and upcoming low-end banking trojans may do. What is also interesting is how these malware authors evolve – what their tactics are and what they are looking for. It also sheds some light on what can still be done with a small (or even no) budget.
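The clipboard-substitution trick described in this abstract (and in the 2015 abstract above, where VBKlip and Banatrix are named) leaves a narrow but usable trace: the clipboard briefly holds one valid 26-digit account number and then, before the user pastes, a different one. The example below is added for this page and is not tooling from the talk; it shows how a clipboard monitor could flag that pattern. It validates a Polish account number (NRB) with the standard IBAN mod-97 check on "PL" + NRB, then scans a clipboard event log for one valid number being replaced by another valid number within a few seconds. The event log, the process names and both account numbers are constructed (the numbers carry correct check digits but belong to no real account).

```python
import re
from typing import List, NamedTuple, Optional

_SEPARATORS = re.compile(r"[\s-]")


def normalize(text: str) -> str:
    """Drop the spaces and dashes that usually come along when an account number is copied."""
    return _SEPARATORS.sub("", text)


def is_valid_nrb(text: str) -> bool:
    """True if text is a 26-digit Polish account number (NRB) whose IBAN form,
    "PL" + NRB, passes the ISO 13616 mod-97 check.

    A substituted number has to pass this check too, otherwise the bank would
    reject the transfer, so validity is a useful filter for the monitor.
    """
    s = normalize(text)
    if len(s) != 26 or not s.isdigit():
        return False
    iban = "PL" + s
    rearranged = iban[4:] + iban[:4]  # move country code and check digits to the end
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


class ClipEvent(NamedTuple):
    t: float       # seconds since the monitor started
    owner: str     # process that wrote the clipboard (hypothetical names in the sample log)
    text: str


class Alert(NamedTuple):
    t: float
    original: str
    replacement: str
    original_owner: str
    replacement_owner: str


def detect_substitutions(events: List[ClipEvent], window: float = 5.0) -> List[Alert]:
    """Flag a clipboard write that replaces one valid NRB with a different valid
    NRB within `window` seconds of the previous write. The rewrite has to land
    before the user pastes, which is why a short window is enough.
    """
    alerts: List[Alert] = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        if prev is not None and is_valid_nrb(prev.text) and is_valid_nrb(ev.text):
            before, after = normalize(prev.text), normalize(ev.text)
            if before != after and ev.t - prev.t <= window:
                alerts.append(Alert(ev.t, before, after, prev.owner, ev.owner))
        prev = ev
    return alerts


# Constructed clipboard log; process names are hypothetical. Both account
# numbers are synthetic but carry correct check digits.
SAMPLE_LOG = [
    ClipEvent(0.0, "browser.exe", "12 1020 1023 0000 0000 0000 0001"),  # user copies the payee from an invoice
    ClipEvent(0.3, "updater.exe", "50 1050 1445 1000 0090 1234 5678"),  # another process rewrites it
    ClipEvent(42.0, "browser.exe", "Faktura 17/2014"),                   # unrelated copy
    ClipEvent(60.0, "notepad.exe", "12102010230000000000000001"),      # same number copied twice: no alert
    ClipEvent(61.0, "notepad.exe", "12 1020 1023 0000 0000 0000 0001"),
]


if __name__ == "__main__":
    for a in detect_substitutions(SAMPLE_LOG):
        print(f"t={a.t}s: {a.original_owner} wrote {a.original}, "
              f"{a.replacement_owner} replaced it with {a.replacement}")
```

A live monitor on Windows would feed this from clipboard-update notifications and attribute each write through the clipboard owner window, rather than from a prepared log. The heuristic will also fire when a user deliberately copies two different account numbers within the window, so the owner process on the alert is what lets an analyst separate that from a hostile rewrite.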

Slides (PDF)
Date: 2013-12-05
Malware Calling
Maciej Kotowicz 🗣 | Tomasz Bukowski | Łukasz Siewierski

Abstract

Zitmo (ZeuS in the MObile) is a mutation of ZeuS that appeared for the first time in early 2011, targeting bank customers in Poland and Spain and infecting an unknown number of users. Zitmo consists of two parts: spyware installed on the PC and an application installed on the mobile device. At the time, the PC part was capable of running on all modern Windows systems (2000-8), both 32- and 64-bit, while the mobile part runs on Android (although it is prepared for Symbian and BlackBerry as well).

We have recently discovered that the banker used in the malware is a strange mixture of ZeuS and SpyEye, served as a module, and is only one of the functionalities offered by the malware. It also incorporates a sophisticated communication scheme used to transport stolen data from mobile phones, which we are still investigating. We will show how the malware operates on both PCs and mobiles to steal money. In addition, we will release tools that aid analysis.

External link: GitHub
Slides (PDF)
Video