User Activities Leakage with Free App

The android free app is transferring the device conditions and user activities without the user agreement. An adware included the free app is collecting the internet access data and launched app history on the installed device.

Free app: National Call Taxi – 전국 콜텍시(Korean)
Google Play:

The name of launched app and accessed URL list were sent to the outside server when user execute an app or connect to web with a mobile browser during the ‘National Call Taxi’ app launched or  in background. The malicious code is NOT a part of main source of the app, but it was included the adware module of app for profit.

The malicious data includes internet access URL, access time, applied rooting, WiFi status and device serial number (Not a real UUID, randomly generated).

[Sending Packet(URL Access)]

POST /servlet/Navvy.mawrite3 HTTP/1.1Content-Type: application/x-www-form-urlencodedContent-Length: 208User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; SHV-E210S Build/JZO54K)Host:

Connection: Keep-Alive

Accept-Encoding: gzip


[Sending Packet(App Execution)]

POST /servlet/Navvy.mawrite3 HTTP/1.1Content-Type: application/x-www-form-urlencodedContent-Length: 233User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; SHV-E210S Build/JZO54K)Host:

Connection: Keep-Alive

Accept-Encoding: gzip


[Sending Information]

–  Malicious App Version and Name
–  Serial Number(Generated random UUID)
–  Type : app(app execution) or web(web access)
–  Wifi and Rooting status
–  Executed App Name or Access URL

I have decompiled the malicious app and reviews the code of malicious functions.

[UUID Generation]

private String w(){

String str = "";



str = <b>UUID.randomUUID().toString();</b>

new StringBuilder("CreateSerial : ").append(str).toString();


label33: return str;


catch (Exception localException)


break label33;



[Browser History Access]

unregisterReceiver(this.s);stopSelf();Intent localIntent = new Intent(this, revRankey.class);

localIntent.putExtra("appwebCollect", 4500);


PendingIntent localPendingIntent = PendingIntent.getBroadcast(this, 0, localIntent, 0);

g.g.set(2, 10000L, localPendingIntent);

if (localObject4 == null)




<b>Cursor localCursor1 = g.e.query(Browser.BOOKMARKS_URI, Browser.HISTORY_PROJECTION, "date > " + g.i, null, "date");</b>

localObject4 = localCursor1;




localObject5 = "";

if (!((Cursor)localObject4).isBeforeFirst())


if (localObject1 == null)


boolean bool1 = localObject1.contentEquals("0");

if (!bool1)

break label509;

if (localObject4 == null)

Some adware are collecting the user behavior and internet access history data. And the advertising companies extract the worth from the data for their marketing. I guess that the web accessing and app launching data of the malicious app would be used for the similar purpose. But, WiFi status and Rooting conditions are able to use breaking into the device. I already posted the issue with Facebook, warning the another app include the adware could be exposed same security issue

Mobile Banking integrate with Apple Touch ID

Large scale banks like Bank of America, Chase made a connection with Apple Pay. But, banks in several countries were not worked with Apple Pay directly; they integrated with Apple Touch ID, St George Bank(Australia), Tangerine(Canada), Turkiye Bankasi(Turkey).

They only added the function, authenticated by fingerprint via Touch ID. So, customers can login into mobile banking with their fingerprint instead of the traditional identification, password and PIN.

Banks can develop the fingerprint authentication using Apple’s API. And the biometric data is stored into the customer’s device.

123          234

Video :

Security Expert Hack to Drone

My friend Dongcheol Hong( made a presentation about Drone Hacking at Code Blue Conference in Japan. He showed the interaction hijacking between Drone and control app, also he explained about how drone could be infected with malware.

Link :

Make a secure mobile payment – HITCON 2014

I made a presentation at HITCON 2014 in Taiwan, the title is “Make a secure mobile payment”.

File : E2_06_Yongjun Park – Make a secure mobile payment


Recently, many kinds of mobile payment have launched, and it has got a large share of payment transactions in the world. As we know that, a breach of payment is highly dangerous because it could be exploited to steal real money, directly.

I have found diverse flows and vulnerabilities during security testing. Some of them could be used to acquire payment data and to change transactions. I will talk about threats of mobile payment and cases of vulnerability. Also, I am going to share how to test the security of mobile payment.

[Google Authenticator] Account and Key plaintexts stored in a file

[Google Authenticator] Account and Key plaintexts are stored in a file (May 22, 2012)

I found out a security issue at the Google authenticator in May, 2012. I sent a paper about the details of issue to Google security team, but, I didn’t get a response from them. The authenticator was applied upgrade last year, however, I have no idea whether or not the issue was changed. Anyway I post it before dumping it a behind of memory.

Google provides the 2-step verification to make their service more secure. A user can install and use the Google’s OTP(One Time Passwords) app on their Smartphone. But, I have analyzed a authenticator on Android, I figure out a security issue that can be used to make a clone authenticator on another Smartphone.

When a user try to register their Smartphone to use the authenticator, a user have to input their account and, key or scan QR code. And then, the authenticator it starting to create one time password. Now a user can authenticate with Google services through a one time credential.


< Add account >

The authenticator provides two selections to be initialized, ‘Scan bar-code’ and ‘Manually add account’. But if you choose anything, account and key are stored in a file. But the problem is that the user account and key are stored in a file as a plaintext

Stored file is sqlite and the file path is


As you can see the below, the email  field is a user account and the secret field is a key for the authenticator. The secret are looks encrypted, but it’s not a matter to make a clone authenticator.


< An example of stored key and secret >

If the file is copied or secrets and keys are duplicated into the another Smartphone’ authenticator, now we have a clone authenticator. The duplicated authenticators are creating a same one time password at the same time, and it can be used to authenticate the Google’s services.

I checked that the authenticator is verifying the device with phone number, Serial or IMEI, but device verification were not applied and it’s not affected the authenticator.


< The clone OTP >

The suggestions for this issue

  1. Encrypt account and key files
  2. Verify a device when the app executed to check it is a valid device or not or include a device serial into the one time password creation process
  3. Using more secure space like SIM, Turst Zone to prevent from the malicious access(In Korea, OTP apps for banks and financial sector are stored and executed in the SIM card)

South Korea Cyberterror on March 20th – News –

***Updated on march 26th***


South Korean Attack & Malware Analysis

South Korean Banks, Media Companies Targeted by Destructive Malware


Wowhacker Report

NProtect Report


Each report are continuingly updating, Korean reports have more detail and correct information. I’ll keep updating.

Advice for CIA(Certificated Internal Auditor)

Last yest, I got the CIA(Certificated Internal Auditor) certification. Actually, it is not an IT security certification, it concerns internal auditing activities. When I was performing an IT security auditing to financial institutions as an external expert of government, I think that if I can make a big picture of the company, it might be led me to high quality auditing even security auditing. So, I was preparing it and certificated.

As you know that, CISA is another auditing certification, the difference between CISA and CIA, CISA is specialized in IT auditing, but, CIA handles whole audit activity include an IT auditing. It include accounting, business, audit activity and team management. CIA is not directly connecting with IT security, but if you want to understand company’s attributes to perform more efficient and effective security audit, It will help you.

Blows might help to gonna be a certificated internal auditor.

IIA(Organization of CIA Certification) :, in Korea :
Gleim CIA review(books) :
Official – Certified Internal Auditor (CIA) at Linkedin (many IIA executives belong this group, if you ask a question directly, they will answer you)

If you have a plan to get CIA certification or have a question, please leave a comment.