tldr - powered by Generative AI

• Using the Android SDK tool apt, creation times of files within an APK can be analyzed to identify potential malware
• Language metadata within RTF documents can also be used to identify the default language of the developer, potentially indicating the country of origin of the malware
• A bug in the apt tool causes it to use the wrong time zone when adding files to an APK, but this can be fixed by manually inputting the correct time stamp

tldr - powered by Generative AI

• IPC in client-server architecture may be vulnerable to various types of attacks
• Standalone password managers are particularly vulnerable due to lack of authentication between the browser extension and the app
• RoboForm is an example of a password manager with no authentication between the browser extension and the app
• OnePassword is an example of a password manager with attempted protection of IPC channel, but with an insecure protocol and lack of server verification
• Native messaging is a more secure alternative to IPC, but still has limitations

tldr - powered by Generative AI

• The attack involves a route process and a drone process
• The drone process launches and throws back a specific return code based on whether or not it has the desired base address
• The route process maps the file in a loop until it finds the desired base address
• The attack can be embedded in any PE and is position agnostic
• The attack cannot obfuscate imports and can be slow
• The presenter discovered a method of invalidating base addresses by copying and launching the file repeatedly
• The attack can be used to bypass ASLR on Windows 10 by tweaking ASLR configuration or invalidating base addresses

tldr - powered by Generative AI

• Synthetic events are a powerful capability that can be used to bypass security mechanisms and perform actions invisibly.
• AppleScript and Core Graphics Framework are commonly used to interact with UI prompts programmatically and generate synthetic events.
• Apple's security mechanisms have vulnerabilities that can be exploited using synthetic events, such as the unsecured privacy alerts and the flaw in the kernel loading extension security mechanism.
• The presentation also announces a new Mac security conference called Objective by the Sea.
• In Mohave, Apple has taken a more drastic approach to block and disallow a ton of actions, which is good from a security point of view but may block legitimate applications.

tldr - powered by Generative AI

• Malicious drivers often use techniques such as hooking, encryption, and random driver selection to evade detection and compromise systems
• Patchguard can be used to protect against some of these techniques, but malicious drivers may also try to avoid touching protected areas
• Advanced malware may use techniques such as altering the MBR or hiding sectors to bypass security measures
• It is important for security professionals to be aware of these techniques and to analyze and protect against them

tldr - powered by Generative AI

• Reverse engineering of Microsoft Defender ATP
• AV instrumentation throughout the engine
• Vulnerabilities discovered by Google Project Zero
• Abuse of API call instruction by malware
• Importance of reverse engineering and vulnerability research

tldr - powered by Generative AI

• Gadget chains are important to understand in deserialization vulnerabilities
• Existing applications with clients make updating IPC mechanisms difficult
• Tools like Y so serial and Marshal SEC can help identify known gadget chains
• Jugal is a tool for programmatically querying data types on a class path
• The speaker introduces a tool for automatically finding gadget chains
• The tool was able to find a sophisticated gadget chain in a proof of concept
• Better tools are needed to understand risk profiles in applications

tldr - powered by Generative AI

• Commercial Android emulators are popular and often shipped with root permission, making them vulnerable to cheating tools.
• Cheating on emulators is often done through touch simulation, which requires root privilege or shell access.
• A native hooking framework can be used to prevent cheating on mixed-mode emulators.
• The presentation includes a demo of using the hooking framework to cheat a game on an emulator.
• The future of mobile game cheating may be impacted by the development of such frameworks.

tldr - powered by Generative AI

• Tumble RF is a software framework for fuzzing arbitrary RF protocols
• It abstracts out the radio API, test case generation, and harness
• Allows for easy changing of RF interfaces
• Flexible test case generation
• Comprehensive fuzzing of both layer two and the file layer

tldr - powered by Generative AI

• Mobile money applications are widely used in developing countries where access to banks is limited
• ThinSIMs are small SIM card add-ons that provide alternative mobile money implementations without operating their own mobile networks
• The security implications of ThinSIMs are not well understood
• Attackers can use ThinSIMs to steal money from mobile money platforms by intercepting, modifying, and creating toolkit commands
• The attacks take place in two phases: stealing credentials and making fraudulent payments
• Mobile money platforms offer different interfaces such as USSD, smartphone apps, SIM toolkit apps, and IVR
• ThinSIM-based attacks can be triggered through various means, and defense is difficult