Rock appround the clock: Tracking malware developers by Android "AAPT" timezone disclosure bug

Conference:  Defcon 26



The presentation discusses techniques for identifying malware in Android applications through analyzing creation times and language metadata.
  • Using the Android SDK tool apt, creation times of files within an APK can be analyzed to identify potential malware
  • Language metadata within RTF documents can also be used to identify the default language of the developer, potentially indicating the country of origin of the malware
  • A bug in the apt tool causes it to use the wrong time zone when adding files to an APK, but this can be fixed by manually inputting the correct time stamp
The presenter describes a malware that preloaded usernames and passwords from an infected mobile device and used them to download fake applications and give them high ratings in the Google Play Store. By analyzing the creation times and language metadata of the APK, the researchers were able to identify the country of origin of the malware and alert Google to remove it.


Are you a malware developer for Android devices? We have very bad news for you: the Android-SDK packager (aapt) is leaking your time zone! We have found a bug inside this Android-SDK's component that relies in not properly setting the value of a variable used as an argument for localtime() function, when setting the "Last Modified" field for the Android App's files. Because of this, the time zone of anyone using the Android-SDK packager to generate their APKs is leaked. The curious thing is that, despite of this bug inside aapt, the problem goes even beyond aapt itself: its roots goes deep into an incorrect handling errors in the operative system functions localtime() (Windows) and localtime_r() (UNIX). Because of in the world of Threat Intelligence determining the attacker's geographical location of is one of the most valuable data for attribution techniques, we focused our research in taking advantage of this bug for tracking Android malware developers. In addition to this, we have discovered another very effective way to find out the developer's time zone, based on a calculation of times extracting the GMT timestamp from the Android's app files and the UTC timestamp of the self-signed,"disposable" certificate added to the application (most common cases in malware developers). This is what we call: Rock appround the clock! Using these two different techniques, we have crunched some numbers with our 10 million apps database to determine how these leaked time zones (with one or another technique) are related with malware and which are the countries that generate more Android malicious applications, what is the possible relation between time zone and"malware likelihood" among other interesting numbers. But that's not all, we have another bad news for malware developers: no IDE (even Android Studio) removes metadata from the files added to the Android app. We will show examples with real cases in which, after analyzing the metadata of files inside the .apk, we got to know country, language, or even more specific geographical location of the developer and -in some cases- the name of the suppose-to-be-anonymous developer! Finally, we will share the scripts we have built to get all this information with just a simple click.