Thursday 5 October 09:30 - 10:00, Green room
Rowland Yu (Sophos)
Android's Webview, as described by Google, is a view that enables Android apps to display web content. Today, it is far more than just a 'view': using a Webview allows developers to utilize advanced web technologies such as CSS, iframe and JavaScript to build apps. In this way, Webview not only changes the landscape of the web but also weakens the web's security infrastructure.
The recently discovered WireX botnet used up to 100 Webview instances each time to launch DDoS attacks. In May 2017, possibly the largest Android adware, 'Judy', employed an invisible Webview on top of a game to load a malicious JavaScript payload with the capability of locating and clicking on Google Ads banners. This advanced adware, disclosed on Google Play, might have infected upwards of 36.5 million users to date. Two months later, another 300 apps were uncovered on Google Play that can also generate fraudulent advert clicks by randomly selecting links in a Webview. Apart from click fraud, traditional and browser-based phishing attacks have taken advantage of Webview to support dozens of apps on Google Play targeting online payment companies. Furthermore, Webview has been discovered in collusion with other malicious technologies to perform clickjacking and activity hijacking attacks over the last few years.
By exploiting Webview with a dynamic URL, malicious apps are able to bypass the Google Bouncer scanner as well as AV detection. A dynamic URL also enables attackers to load different pages without having to update the apps. Moreover, JavaScript code injected into a Webview allows malicious apps to steal sensitive and confidential information and to control apps without user interaction. This presentation will take a closer look at Webview.
Rowland Yu is a Senior Threat Researcher Level 2 at Sophos, where he is the primary researcher leading the Android team for malware analysis and emerging threats. He has over 10 years of experience and knowledge in advanced threat research, reverse engineering and remediation, vulnerability assessment, spam and DLP (data leakage protection). Rowland is also a regular speaker at the RSA, Virus Bulletin and AVAR conferences.