Can someone explain what the java based SSH client "Jcraft" is used for in the Trendmicro Android mobile app?

I am curious what function an SSH client is used for in a mobile app.

sloshnmosh1


Posted 1 year ago


TM_Malik

Hi, sloshnmosh1 

Welcome and thank you for posting here in the community!

I understand that you have an inquiry regarding the Trend Micro Mobile Security app for Android. May I ask how you were able to come up with the idea that Jcraft is being used?

You may provide screenshots or any documents necessary.

Thanks for your time and have a lovely day!

TrendMicro Home Users Community

sloshnmosh1

I saw the app in question broken down on a site that tests Android apps for malware and I just Googled the package names that were listed in the tree.

sloshnmosh1

I am a follower of your excellent blog that exposes malicious Android applications.
The most recent one I read was this one: http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-android-malware-finds-successor...
Extremely informative!

A Better Version of DressCode?

The malicious code runs a process called android.process.s, disguised as an Android system package in order to draw attention away from it when running. Upon the Trojanized app’s installation, MilkyDoor requests a third-party server, which we’ve tracked as freegeoip[.]net, to obtain the device’s local IP address, including the country, city, and its coordinates (longitude/latitude). It then uploads information to its command and control (C&C) server, which replies with data in JavaScript Object Notation (JSON) format that contains an SSH server’s user, password, and host. The malware’s operators leverage Java Secure Channel (JSch), a common library that is a pure Java implementation of SSH2, to establish the SSH tunnel between the infected device and the attacker.

To use its port forwarding feature, MilkyDoor smuggles various types of Internet traffic into or out of a network. This can be employed to avoid network monitoring or sniffers, or even bypass firewalls on the Internet. In this case, the attacker’s server, as an SSH server, lets the infected apps connect while the server also listens to local ports. Through this tunnel, all traffic traversing this port will then be forwarded to the client host’s internal network.

DressCode was noted for building a proxy using the Socket Secure (SOCKS) protocol on Android devices in order to access internal networks. MilkyDoor leverages the SOCKS protocol and remote port forwarding via SSH to achieve dynamic port forwarding, which in turn allows data to traverse to all remote destinations and ports. Because the SSH tunnel uses Port 22, firewalls usually do not block traffic that goes through this port; this enables data encryption of payloads transmitted over a network connection. In a nutshell, MilkyDoor’s routines resemble anonymizing and Internet censorship-bypassing services.


sloshnmosh1

Hence my question.

TM_JustineM, Employee

Hello sloshnmosh1,

Thank you for the information and apologies for the late reply.

Upon checking the blog that you posted in your reply, SSH or Secure Shell tunnel uses port 22, which is commonly found on computers since computers use ports for transmitting and receiving data. Now since Java is found in more or less 3 billion devices worldwide, it also uses SSH or Secure Shell tunnel similar to a computer; the SSH on Android devices is pure Java, which attackers can use to attack the infected device. Now to prevent this kind of infection, the Trend Micro Mobile Security for Android checks the Java based SSH to block MilkyDoor since it uses normal network traffic and masquerades itself as a normal application. Trend Micro has been working with Google to check and block applications that pose any threats to users.

I hope this answers your question, please feel free to comment or post in this community.

Thank you!

Trend Micro Home Users Community

sloshnmosh1

Thanks for your reply!

I'm having a little difficulty wrapping my head around this.

If I wanted to have my Android to be able to tunnel data out to my laptop through a SOCKS proxy over SSH I would have to install an app that includes the Java based SSH client.

http://www.devineloper.com/2013/08/28/setup-socks-proxy-android-without-root/

Or if I had installed a "malicious" app (such as the one mentioned in the blog) it too would need the Jcraft/JSch included inside the application.

Android OS does not have JSch "built in" it must be added.
 

As per your explanation:

The Trend Micro Mobile Security for Android checks the Java based SSH to block MilkyDoor since it uses normal network traffic and masquerades itself as a normal application.

Tell me if I'm understanding this correctly...The Trendmicro mobile security app has ADDED the Jcraft/JSch SSH package to see if a "malicious" app has ALSO added the same package?

Or is all the "normal network traffic" being tunneled over SSH through Trendmicro's Jcraft/JSch package to a Trendmicro and/or Google server to be "examined" for "malicious" traffic?

Trend Micro has been working with Google to check and block applications that pose any threats to users.

It just seems to me that by ADDING an SSH package where there wasn't one before just broadens "attack" vectors.

Why not just create a rule in the IPtables firewall to block port 22?

IPtables is native to the Android OS and doesn't need to be exported in.

Or just include detection "signatures" in the Trendmicro app that look for instances of the Jcraft/JSch package and send an alert notification to the user that an app that has been installed has the Jcraft/JSch package installed in it, to warn users?

I'm more confused than ever!
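The "detection signatures" idea in the post above can be illustrated with a small static check. The following Python script is an added example written for this thread, not code from Trend Micro or from the JSch project: it opens an APK (a zip archive), reads every classes*.dex entry, and looks for Dalvik type descriptors of the com.jcraft.jsch package. The build_sample_apk helper and the byte blob it writes as classes.dex are constructed for the demonstration and are not a real dex file. Bundling JSch is not proof of malice (legitimate SSH clients ship it too), so the result is a triage signal, not a verdict.

```python
import io
import re
import zipfile

# Any class descriptor in the com.jcraft.jsch package, as it appears in the
# string table of a dex file (e.g. "Lcom/jcraft/jsch/Session;").
JSCH_PATTERN = re.compile(rb"Lcom/jcraft/jsch/[A-Za-z0-9_$]+;")


def find_jsch_references(apk_bytes: bytes) -> dict:
    """Scan every classes*.dex entry inside an APK for JSch class descriptors.

    Returns a dict mapping the dex entry name to the sorted list of distinct
    descriptors found in it; an empty dict means no JSch reference was seen.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Multidex apps carry classes.dex, classes2.dex, classes3.dex, ...
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue
            data = apk.read(name)
            found = sorted({m.group(0).decode() for m in JSCH_PATTERN.finditer(data)})
            if found:
                hits[name] = found
    return hits


def assess(apk_bytes: bytes) -> str:
    """Turn the raw hits into a short triage label for the reviewer."""
    hits = find_jsch_references(apk_bytes)
    if not hits:
        return "no JSch references"
    count = sum(len(v) for v in hits.values())
    return f"review: bundles JSch SSH client ({count} descriptors)"


def build_sample_apk(embed_jsch: bool) -> bytes:
    """Constructed sample: a zip shaped like an APK with a fake classes.dex.

    The dex payload is only a byte blob containing the kind of strings a real
    dex string table would hold; it is enough to exercise the scanner offline.
    """
    dex = b"dex\n035\x00" + b"Lcom/example/app/MainActivity;\x00"
    if embed_jsch:
        dex += b"Lcom/jcraft/jsch/JSch;\x00Lcom/jcraft/jsch/Session;\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("plain app", False), ("app bundling JSch", True)):
        print(f"{label}: {assess(build_sample_apk(flag))}")
```

On a real APK the same scanner runs on the file's bytes (open it in binary mode and pass the contents); obfuscators that rename packages will defeat a descriptor match, which is one reason the behaviour-based detection mentioned later in the thread is a useful complement.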

sloshnmosh1

OK, since Trendmicro just left me hangin' here, I believe I have figured out what the JSch in the mobile app IS actually used for.

A simple answer was all I asked for, not a "story" about checking for instances of "Milkydoor".

Unless of course you have NO IDEA about how your product actually works?

"Have a lovely day"

TM_Ian, Employee

Hi @sloshnmosh1,

We sincerely apologize for not being able to get back to you immediately, as we have consulted our Technical Team on this case. Thank you so much for your patience.

You need not worry about your protection, as Trend Micro Mobile Security detects applications installed on the mobile device based on the app's behavior. This detection feature runs on a real-time basis and will delete the file as soon as it gets detected.

It also has a feature which could allow you to prevent installing malicious applications on your device, which is the Pre-Installation Scan, an extra layer of protection from Trend Micro on the Google Play Store. This engine runs before you install an application from the Google Play Store.

Safe Install can also help prevent installation of applications from outside the Google Play Store. If the application does get installed on your device, as soon as Mobile Security detects that it is doing malicious activities on your device, regardless of whether you have allowed all the permissions for that specific app on the device, Mobile Security will prompt you to delete this app and you will be informed about the malicious activities it does on your mobile device.

We also have the Mobile Application Reputation Service or MARS which is a cloud-based service that automatically identifies mobile threats based on app behaviors. If you wish to check a specific app installation file, you may visit our MARS website at https://mars.trendmicro.com.

(Note: Please do not click the link but copy the entire link and paste it in the address bar of your Internet browser, then press Enter on your keyboard.)

Lastly, though Trend Micro does not have a JSch to filter out SSH yet, we assure you that all the protection you need for your device is available from our Trend Micro Mobile Security app.

We hope this helps you with your concern. Should you have further inquiries, please do not hesitate to post here.

Again, thank you for your patience and you have a lovely day!

Trend Micro Home Users Community