[owasp_seraphimdroid_project] Questions regarding warnings and logs, location

Nikola Milosevic nikola.milosevic at owasp.org
Mon Mar 21 22:54:40 UTC 2016


Hello Johanna,

If you are happy starting transferring and rewriting (where needed) things
for a better user guide, I will be very happy. Probably something like that
will be necessary to be added into the app. I received some feedback where
users did not realize some features existed or did not know how to use them.

I might try as well to find someone who will be able to give a couple of
pieces of advice on UX and UI in the near future.



Pozdrav/Best regards,

Nikola Milošević
OWASP Seraphimdroid project leader
nikola.milosevic at owasp.org
OWASP - Open Web Application Security Project
<https://www.owasp.org/index.php/Main_Page>
OWASP Seraphimdroid Project
<https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>

On Sun, Mar 20, 2016 at 4:44 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> I checked the document indeed but stopped reading at page 2 as I thought
> it was more of a technical than a user guide.
> Do you have a specific user guide alone? If you want, now that I'm getting
> involved in how SeraphimDroid works, I can write one on GitBook.
>
> The malware seems to be quiet, not sending any SMS, with who knows which
> reason (maybe it waits certain amount of days in order to better hide or
> something else). I'll keep observing the behaviour
>
> Given the information you provided, I believe this is the case. I also
> checked the logs you mentioned but there was nothing there, therefore I
> think that the trojan hasn't been doing anything yet or won't do (maybe it
> depends on my region? who knows)
>
> Thank you for clarifying the part of non-rooted. I also think that this
> should not be the case or interfere in case of malware.
>
> This malware is classified as 'low'. I'll be escalating using a medium to
> high type of malware but also do some tests with rooted devices and
> emulators.
>
> I'm hoping to set up an environment where I'll be actually debugging the
> phone and the app, by reverse engineering and checking
> network communications
>
> Thank you for the explanation. I'll incorporate this too.
>
> Cheers
>
> On Sun, Mar 20, 2016 at 10:50 AM, Nikola Milosevic <
> nikola.milosevic at owasp.org> wrote:
>
>> One more thing, I would like to clarify. In your post you said:
>>
>>
>>    - SeraphimDroid did not provide any warnings since the phone is
>>    non-rooted
>>
>> SeraphimDroid is designed to work with non-rooted devices only. The idea
>> was that the majority of users have normal, non-rooted phones, as they buy
>> them, and they need some sort of protection. When you do root the device you
>> get access to many more features and you can provide heavier protection,
>> but usually users who rooted their device are technically more savvy and
>> know what they are doing.
>>
>> So the device being not rooted is not a problem for us, as it should work
>> with these devices, so it is great you are testing it on one. I don't
>> believe there could be any issue for malware if the phone is not rooted, since
>> it would be a bit weird to design malware that works only with rooted
>> devices as they are few. However, to conclude, if the app does not work, I
>> would take responsibility to say that the feature did not work in that case.
>> However, here the malware seems to be quiet, not sending any SMS, for who
>> knows which reason (maybe it waits a certain amount of days in order to
>> better hide, or something else). You should check what the permission scanner
>> says about the installed app and let us know. However, that is a bit harder to
>> update and we are aware that it will provide some degree of protection
>> (hopefully!), but not a perfect one, since it uses only the requested
>> permissions to determine whether something is or is not malware and is
>> trained on a relatively small dataset (400 apps, 200 malware, 200 benign).
>>
>>
>>
>> Pozdrav/Best regards,
>>
>> Nikola Milošević
>> OWASP Seraphimdroid project leader
>> nikola.milosevic at owasp.org
>> OWASP - Open Web Application Security Project
>> <https://www.owasp.org/index.php/Main_Page>
>> OWASP Seraphimdroid Project
>> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>>
>> On Sun, Mar 20, 2016 at 3:36 PM, Nikola Milosevic <
>> nikola.milosevic at owasp.org> wrote:
>>
>>> Hello Johanna,
>>>
>>> I am not sure whether you are aware, but there is some kind of user guide at
>>> http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf
>>> and it starts on the 11th page of the document (in the beginning is some
>>> architecture overview, which may be better off in a separate document;
>>> however, this is the current state of affairs).
>>>
>>> Regarding your question, please make sure you entered the app at least
>>> once after installing it. There are SMS logs. You can find them under the menu
>>> and blocker logs. There are 3 tabs, for blocked SMS, USSD and calls.
>>> However, if an SMS is sent you should see a notification with the OWASP logo
>>> saying that there is a potentially malicious SMS sent from the device, or
>>> something similar. The same should happen when you install a malicious app, if
>>> Seraphimdroid recognizes it. What should happen is that the app is run through
>>> the classifier and if it is classified as potentially malicious it should
>>> fire a notification. However, you can check as well how your apps are
>>> classified when you open the permission scanner (again from the app menu). If
>>> there is a green square next to the app name, the classifier thought it is ok; if it
>>> is red, it thinks it is malicious.
>>>
>>> Also you may want to have a look at the settings menu. There are some
>>> options regarding which calls/SMS/USSD codes should be let through, which should
>>> be stopped, some settings for blacklists and remote control features.
>>>
>>>
>>>
>>> Pozdrav/Best regards,
>>>
>>> Nikola Milošević
>>> OWASP Seraphimdroid project leader
>>> nikola.milosevic at owasp.org
>>> OWASP - Open Web Application Security Project
>>> <https://www.owasp.org/index.php/Main_Page>
>>> OWASP Seraphimdroid Project
>>> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>>>
>>> On Sun, Mar 20, 2016 at 2:33 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi All
>>>>
>>>> I finalised a first round of testing with SeraphimDroid; you can see my
>>>> experience here:
>>>>
>>>> http://cybersecuritywarrior.blogspot.com/2016/03/continued-saga-with-seraphimdroid.html
>>>>
>>>> Based on it, I have some questions:
>>>> Where are warnings shown?
>>>> In case of infection, where can I confirm that information (any form of
>>>> logs, reports)?
>>>>
>>>> Cheers
>>>>
>>>> Johanna Curiel
>>>>
>>>> _______________________________________________
>>>> Owasp_seraphimdroid_project mailing list
>>>> Owasp_seraphimdroid_project at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project
>>>>
>>>>
>>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>