Our goal was to find Windows kernel bugs using a fuzzer.

We started by exploring the fuzzer landscape for the Windows kernel. Since we had experience with AFL-style fuzzers, we looked for one that performs similarly and found kAFL.

We looked at kAFL and searched for attack surfaces in the Windows kernel, but we quickly found that a syscall fuzzer can reach many more attack surfaces.

We searched for syscall fuzzers and found Syzkaller.

At this point, we started porting it to WSL, as it is the most similar to the Linux kernel and we could gain some experience with Syzkaller on Windows. We implemented coverage instrumentation for the Windows kernel using Intel PT. We shared a crash detection mechanism and our crash symbolizer approach, which was used for bug de-duplication. We found a few coverage stability issues and shared our solution for them.

After we found some DoS bugs, we decided to move to a real PE target – win32k – but we had to implement missing parts in Syzkaller. We then did a sanity check and a stress test to make sure the fuzzer was not wasting CPU time. After that, we invested a lot of time in writing grammar, reading about our target and eventually adding support for newly learned parts of Win32k back into the fuzzer.

Overall, our research led us to find 8 vulnerabilities, DoS bugs and deadlocks in the Windows 10 kernel.
Source: https://research.checkpoint.com/2020/bugs-on-the-windshield-fuzzing-the-windows-kernel/

Google Play Store Played Again – Tekya Clicker Hides in 24 Children’s Games and 32 Utility Apps

Research by Israel Wernik, Danil Golubenko, Aviran Hazum (published 24 March 2020)
Although Google has taken steps to secure its Play store and stop malicious activity, hackers are still finding ways to infiltrate the app store and access users’ devices. Millions of mobile phone users have unintentionally downloaded malicious apps that have the ability to compromise their data, credentials, emails, text messages, and geographical location. For example, in February 2020, the Haken malware family was installed on over 50,000 Android devices by eight different malicious apps, all of which initially appeared to be safe.

Recently, Check Point’s researchers identified a new malware family that was operating in 56 applications and was downloaded almost 1 million times worldwide. With the goal of committing mobile ad fraud, the malware – dubbed ‘Tekya’ – imitates the user’s actions in order to click ads and banners from agencies like Google’s AdMob, AppLovin’, Facebook, and Unity.

Twenty-four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on).

The Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android (introduced in 2019) to imitate the user’s actions and generate clicks.

During this research, the Tekya malware family went undetected by VirusTotal and Google Play Protect. Ultimately, it was available for download in 56 applications on Google Play.

This campaign cloned legitimate popular applications to gain an audience, mostly with children, as most application covers for the Tekya malware are children’s games. The good news is that these infected applications have all been removed from Google Play.

However, this highlights once again that the Google Play Store can still host malicious apps. There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily – making it difficult to check that every single app is safe. Thus, users cannot rely on Google Play’s security measures alone to ensure their devices are protected.

The full list of infected apps is listed below.
Figure 1 – Google Play pages for some of the ‘Tekya’ applications
Upon installation of this application from Google Play, a receiver (‘us.pyumo.TekyaReceiver’) is registered for multiple actions:

Figure 2 – TekyaReceiver registration

This receiver has one purpose — to load the native library ‘libtekya.so’ in the ‘libraries’ folder inside the .apk file.

Figure 3 – TekyaReceiver’s code

Inside the constructor of the ‘Tekya’ library, a list of “Validator” objects (which don’t validate anything) is created.

Figure 4 – Part of the ‘Tekya’ constructor

Inside each “Validator”, another method runs an internal function from the native library ‘libtekya.so’.

In the case of the ‘AdmobValidator’, the function calls the ‘c’ function, which then runs the ‘z’ function, which in turn calls the ‘zzdtxq’ function from the native library.

Figure 5 – AdmobValidator’s overridden function and the call into the internal native function

Inside the ‘libtekya.so’ native library, this function, which is called from the “Validator”s, is responsible for multiple actions:

Figure 6 – Tekya’s ‘zzdtxq’ native code

Lastly, the sub-function ‘sub_AB2C’ creates and dispatches touch events, imitating a click via the ‘MotionEvent’ mechanism.

Figure 7 – VirusTotal output for ‘Tekya’ applications
If you suspect you may have one of these infected apps on your device, here’s what you should do:

Furthermore, enterprises need to ensure their employees’ corporate devices can be secured against sophisticated mobile cyberattacks like Tekya or Haken (or any other malware) with SandBlast Mobile. To protect personal devices against attacks, Check Point offers ZoneAlarm Mobile Security.
| Package name | Removed by Google/Developer | GP installs | Developer | C&C | SHA256 |
| --- | --- | --- | --- | --- | --- |
| caracal.raceinspace.astronaut | | 100000 | Caracal Entertainment | https://api.lulquid.xyz | f1d32c17a169574369088a87f2df9e56df2abeeeda0b7f4c826da5f4f69d11e4 |
| com.caracal.cooking | | 100000 | Caracal Entertainment | https://api.namekitchen9.xyz/api/subscription | 46e41ef7673e34ef72fb3a971859aed5baaea8ea4a193fc6e74fc9fcbe033d67 |
| com.leo.letmego | | 100000 | Leopardus Studio | https://api.leopardus.xyz/api/subscription | b21cb5ebfb692a2db1c5cbbc20e00d90a4e04ca1c2c3f7b25cb0bbc13b43f5eb |
| com.caculator.biscuitent | | 50000 | Biscuit Ent | https://api.lulquid.xyz | 734418efafd312e9b3e96adaac6f86cc1a4565f69baf831945788399bc9d1c5f |
| com.pantanal.aquawar | | 50000 | Pantanal Entertainment | https://api.pantanal.xyz | 8fec77c47421222cc754b32c60794e54409a55ac5a002b300b5b35c4718fd0b0 |
| com.pantanal.dressup | | 50000 | Pantanal Entertainment | https://api.pantanal.xyz | 64e2c905bcef400e861469e114bf4eaf2b00b11c4d002f902b8d02c4074efb22 |
| inferno.me.translator | | 50000 | World TravelX | https://api.molatecta.icu | ebe3546208fd32d3f6a9e5daf21a724089febb1f61978bfd51f0edb520ae4348 |
| translate.travel.map | | 50000 | Lynx StudioX | https://api.nhudomainuong.xyz | f805e128b9d686170f51b1add35e45ea939d166b5ada4b6e900511518655f243 |
| travel.withu.translate | | 50000 | World TravelX | https://api.molatecta.icu | b7670b5d9a6643a54b800b4cb344f43b7826b2504cab949a96dd42e8c3fc5bc5 |
| allday.a24h.translate | Developer | 10000 | Royal Chow Studio | https://api.royalchowstudio.xyz | 29f2fd6ccf0f632e45dd1f15ec72985cfab56b0b4a07cb0b11b6011d1f7ebe32 |
| banz.stickman.runner.parkour | | 10000 | Biaz Inc | https://api.lulquid.xyz/api/subscription | e1027b6681e93d9763f19ea7e5ab2522362ebc27e29863e11822ca1e3b203fae |
| best.translate.tool | | 10000 | Megapelagios | https://api.megapelagios.site | 043e15b8b9799723649141f60f68cfad8d2d4fabc0a348d0087118c7b5047020 |
| com.banzinc.littiefarm | | 10000 | Biaz Inc | https://api.banzinc.xyz | 5fab614ff6510b20a9579de940b88810d0c6fec220e202feef221d7d5c7aba3e |
| com.bestcalculate.multifunction | | 10000 | Titanyan Entertainment | https://api.lulquid.xyz | 7b2670f7c8550aafcfbdb279446648073a9d099499c863a1380518b8edab435f |
| com.folding.blocks.origami.mandala | | 10000 | Slardar Studio | https://app.slardar.icu/api/subscription | 2d6df88bd0ad7d442b731e5755df55be2febb0d57118b9b01edeabd5c5db4439 |
| com.goldencat.hillracing | Developer | 10000 | Golden Cat | | 94e256a3ce62564e1e61b612375c6be4d90c99849edcadfe05bf13863a1029e3 |
| com.hexa.puzzle.hexadom | | 10000 | MajorStudioX | https://api.chauxincaidomainnua.icu | 3eeae3f56011aa7b858d38fc7f60a580d3b90bdfe194a7d6ad67bea1680002c2 |
| com.ichinyan.fashion | | 10000 | Titanyan Entertainment | | f4b3143ec3091bc07cfb443efb6b076becad719438aeaf58cf1da65136aab74a |
| com.maijor.cookingstar | | 10000 | MajorStudioX | | 57260286c49599a9b65851888b8f30ffe497c1f013bc6d760943789cbceb16fe |
| com.major.zombie | | 10000 | MajorStudioX | | ffb5d8d7e8bc16c8664fb67a680e3aa2b7f4dae4f50e7bce9352edd51ff3e4fc |
| com.mimochicho.fastdownloader | | 10000 | MochiMicho | | 41d8d9c910511a914b584f4a40cd12042abc69a83b8d70e92f66c870e6b34c45 |
| com.nyanrev.carstiny | | 10000 | Titanyan Entertainment | | |
| com.pantanal.stickman.warrior | | 10000 | Pantanal Entertainment | https://api.pantanal.xyz/api/subscription | 45527951a533674be836f9efbc40ba207b6abac36bd05b065af79e4f2aa696cd |
| com.pdfreader.biscuit | | 10000 | Biscuit Ent | | 215ff546710b96c69130cfef9b4d719a9866ceffd3c9cc2ba113e731a23309a6 |
| com.splashio.mvm | | 10000 | Biscuit Ent | | 74d7a572aa84b5deeed7fedf9eb1873a4bb38c4acd7a9c93992b61b07dcc7cdd |
| com.yeyey.translate | | 10000 | World TravelX | | 967f136cb2824e8c49b3bde8e910ac7a93a64339a3e2a060a15fb745b1211487 |
| leo.unblockcar.puzzle | | 10000 | Biaz Inc | | 9ee67b541335b88b6649afe184ba75cac084e20bbc465d998bac05cc85d59cff |
| mcmc.delicious.recipes | | 10000 | MochiMicho | | 6de03bf38e462fc9205e2a7cb49b7ed48d52bf84ec4f3aebdd84e31374832042 |
| mcmc.delicious.recipes | | 10000 | MochiMicho | | f33f5d7fd3909380582d821394c59dc78aa06113932143662d69733542ad571b |
| multi.translate.threeinone | | 10000 | White Whale Studio | | 72f924b6c597a5eb68e4c35843ad6b3ffa7b71396abb2a4c8dafd39b9832a4c4 |
| pro.infi.translator | | 10000 | World TravelX | | 5d1ec6427f7f6fe49ac95687257818ef0a0890159cc14a9e866ddeabd1c2568b |
| rapid.snap.translate | Developer | 10000 | Royal Chow Studio | https://api.royalchowstudio.xyz | 0045e2dc65a236fa05b18cbef767715cca4720ec3d3c8fb522264b8339669527 |
| smart.language.translate | | 10000 | Megapelagios | | 44b99da080701c14dd833f9f6c8f2fbc260299448dd5db701fc5b9e625db2556 |
| sundaclouded.best.translate | | 10000 | Sunda Clouded | | 30c9278c4907cf8fd13cbfa4bdbd47db8cce594871e08867a1f4282833e31e48 |
| biaz.jewel.block.puzzle2019 | | 5000 | Biaz Inc | | 93ce6082a22a56ae98c6381572d25356b00f65256d71f188687bdae03cff0ab4 |
| biaz.magic.cuble.blast.puzzle | | 5000 | Biaz Inc | | c75c5720befc162671f270b12891799cd4d9fd6f8d6ac0d586ef4109db6a6417 |
| biscuitent.imgdownloader | | 5000 | Biscuit Ent | | 3c943adc94489cc6c75bd5b6354c0af0f75f9d5710379e8cda02370352570156 |
| biscuitent.instant.translate | | 5000 | Biscuit Ent | | ce0161ca7702713251e21497ab2105fa4bf07e4f58f4622b64c4cbf2d86dd2fb |
| com.besttranslate.biscuit | | 5000 | Biscuit Ent | | 0c3aa1e07366fe37a693bae4833ce713de6eab2874a480f054c8442589ba71e0 |
| com.inunyan.breaktower | | 5000 | Titanyan Entertainment | | a0ca0dfd9f0fc59b2f6f13ede6eb1585f5185431926beaae9d87d147fc7de445 |
| com.leo.spaceship | | 5000 | Leopardus Studio | https://api.leopardus.xyz | 31f7d64db00a1c3e93f8fa09d623df385d3d5a096f5abc6d00900f643239f073 |
| com.michimocho.video.downloader | | 5000 | MochiMicho | | 3aadee8c06edb4e3dddd4477943812dd08a922d50d2e4fa816a3a7a72db72768 |
| fortuneteller.tarotreading.horo | Developer | 5000 | Sunda Clouded | https://api.sundaclouded.host | 9475507507a46e377a05f2667b2551649d8ab9ccc4f8fa8c31abf1b34aaf0ea5 |
| ket.titan.block.flip | | 5000 | Titanyan Entertainment | | a6d7cb20d11557199ca8ceabff7c489743678c0851317f237f5e581dcb201782 |
| mcmc.ebook.reader | | 5000 | MochiMicho | | c18d820fef9f2e01c7e73e8576a931d74f6630554a95f04a3ef01ce5bcf6b816 |
| swift.jungle.translate | | 5000 | White Whale Studio | https://api.whitewhalestudio.host | a78bb13218c7f528d62df3b71e2033ec618f933f0f046e6f332e8ef6bac4559f |
| com.leopardus.happycooking | | 1000 | Leopardus Studio | | 027385e60d35229a2c4357484b55485058804f09369305fe6ad69f0b30ff3076 |
| com.mcmccalculator.free | | 1000 | MochiMicho | | 3f537802dc5275e50c8e41ac464431731d01726b59538649453518f0619ac7bc |
| com.tapsmore.challenge | | 1000 | Biscuit Ent | | 48135e74fe912dbaff83989ca85894826afcd98ea80dde61793d72c11073dddd |
| com.yummily.healthy.recipes | | 1000 | MochiMicho | | 5a9ddb23df77fc305ffb66d2bf6570a3f7789846f17541eb7dfea40899724018 |
| com.hexamaster.anim | | 500 | Leopardus Studio | | faad1e3ea694e15f8817387d3409c5cad871c5953e2ef57df0573719f4fe20ee |
| com.twmedia.downloader | | 100 | MochiMicho | | 5a87a8e648af47368c2cfd0fc2b4b75f04ddff76ab9266d2b3fa1ff928b31857 |
| com.caracal.burningman | | 50 | Caracal Entertainment | | bee86d3b154aed3ca7665ea5d7d6c2fc49e8454126e39b9887604cbb5f5a0474 |
| com.cuvier.amazingkitchen | | 50 | MajorStudioX | | a08253d1a857354c3f21238012b2e2db6036f64eff1d20978ff820f985afdb84 |
| bis.wego.translate | | 0 | | | 3767f7dd5cadf7b725dbbbf70a0e9ae61addf59a17a3c6ea91399461a4f8e702 |
| com.arplanner.sketchplan | | 0 | | https://api.maygaiproduct.icu/api/subscription | 81947007337ed148665ae7ec6af26db36a9d9694fbdf8a4f41255dc0052a6b38 |
| com.arsketch.quickplan | | 0 | | https://waws-prod-dm1-033.cloudapp.net/api/subscription | 38edf2876f545329fd0694af182e431afb49fabc08439162567743b35daa02f2 |
| com.livetranslate.best | | 0 | MochiMicho | | 54361b941969577d83491a4f4b01cffb65399fa5c427575e7b45681cbf260997 |
| com.lulquid.calculatepro | | 0 | | | 1c5ea6523bca5c85febde29f49e92fdbfbadd80078ef42d1e1efa800a008e072 |
| com.smart.tools.pro | | 0 | | | 6fcfd045ca7dda7bb98eb912d554bb0bebcb0ebfacb5f26cbf09d6e9aa4bfb33 |
| com.titanyan.igsaver | | 0 | | | 34b6a6fcf84883a2f3ec52531cdd1b84e21b41b7d146169fa04f07ca179095f3 |
| hvt.ros.digiv.weather.radar | | 0 | | https://api.mantaalfredi.icu | 22e4e534279ffa86ad5d543c71b4a678700758d0f8958c6dd1529807fd24c84a |
| md.titan.translator | | 0 | | | fea92e6b30899b1d2733bb28758635edbf3916e1b8acd6b8b163d19bb33f4141 |
| scanner.ar.measure | | 0 | | https://api.felinae.icu | 1f864b9251eeff470529364fd48ad7d3e8a6a520f2088f6552aefcf53f4dfacd |
| toolbox.artech.helpful | | 0 | | https://api.kaluga.xyz/api/subscription | 2ff57056dd17b8a43d46f342a440d3f04eb59f27074a39f6e47f3d70c03393ff |
| toolkit.armeasure.translate | | 0 | | https://api.somniosus.xyz | 3eb62e52f0b361d60436bec366cfad64e180d9a4acb5f573476c32b11e1ee541 |
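One practical use of the table above is to sweep a device or a fleet for the listed packages. The script below is an added example written for this page, not Check Point's tooling: it loads the package-name and SHA256 columns (three rows are copied inline; the full table can be pasted in the same CSV shape), parses the output of `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per app), hashes each APK and reports matches. The `read_apk` callback, the sample inventory lines and the fake APK bytes are assumptions constructed for the demonstration. It goes slightly beyond the table by also reporting name-only matches: a later build of a listed app hashes differently, so a name hit without a hash hit still deserves a look.

```python
"""Match an Android device's installed packages against the Tekya IoC table.

Added example, not Check Point's code. Assumes the inventory comes from
`adb shell pm list packages -f` and that the caller supplies a way to read
each APK (e.g. after `adb pull`).
"""
import csv
import hashlib
import io
from typing import Callable, Dict, Iterable, List, Tuple

# Three rows copied from the post's IoC table; extend with the full table as needed.
TEKYA_IOCS_CSV = """package_name,sha256
caracal.raceinspace.astronaut,f1d32c17a169574369088a87f2df9e56df2abeeeda0b7f4c826da5f4f69d11e4
com.caracal.cooking,46e41ef7673e34ef72fb3a971859aed5baaea8ea4a193fc6e74fc9fcbe033d67
com.leo.letmego,b21cb5ebfb692a2db1c5cbbc20e00d90a4e04ca1c2c3f7b25cb0bbc13b43f5eb
"""


def load_iocs(csv_text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build (package -> sha256, sha256 -> package) lookups from the CSV text."""
    by_pkg: Dict[str, str] = {}
    by_hash: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pkg = row["package_name"].strip()
        digest = row["sha256"].strip().lower()
        by_pkg[pkg] = digest
        if digest:  # some rows in the published table have no hash
            by_hash[digest] = pkg
    return by_pkg, by_hash


def parse_pm_list(output: str) -> List[Tuple[str, str]]:
    """Parse `pm list packages -f` lines into (package, apk_path) pairs.

    The package name is everything after the last '=', because newer Android
    versions put base64-looking directory names (which contain '=') in the path.
    """
    result: List[Tuple[str, str]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep and path and pkg:
            result.append((pkg, path))
    return result


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of an APK's bytes, the form used in the IoC table."""
    return hashlib.sha256(data).hexdigest()


def check_inventory(pm_output: str, read_apk: Callable[[str], bytes],
                    by_pkg: Dict[str, str], by_hash: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, reason, sha256) for each installed app that matches an IoC.

    A hash match is the strong signal. A name-only match is still reported
    because the table was built from specific samples; a newer build of the
    same app would hash differently.
    """
    findings: List[Tuple[str, str, str]] = []
    for pkg, path in parse_pm_list(pm_output):
        digest = sha256_hex(read_apk(path))
        if digest in by_hash:
            findings.append((pkg, "sha256 match", digest))
        elif pkg in by_pkg:
            findings.append((pkg, "package name match, hash differs", digest))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory and fake APK contents (real APKs are zip files).
    sample_output = (
        "package:/data/app/com.caracal.cooking-1/base.apk=com.caracal.cooking\n"
        "package:/data/app/com.example.benign-1/base.apk=com.example.benign\n"
    )
    fake_fs = {
        "/data/app/com.caracal.cooking-1/base.apk": b"constructed apk bytes",
        "/data/app/com.example.benign-1/base.apk": b"another constructed apk",
    }
    pkgs, hashes = load_iocs(TEKYA_IOCS_CSV)
    for finding in check_inventory(sample_output, fake_fs.__getitem__, pkgs, hashes):
        print(*finding)
```

On a real device, feed the script the captured `pm list packages -f` output and a `read_apk` that opens the files pulled with `adb pull`; for an MDM fleet, the same matching logic applies to whatever package inventory the management platform exports.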
Source: https://research.checkpoint.com/2020/google-play-store-played-again-tekya-clicker-hides-in-24-childrens-games-and-32-utility-apps/