One of our officers had an incident in his family. His son got a powerbank from a school friend (later we found out it was from his father). The boy used the accessory normally. Once, his father (our officer), in need of juice, took the powerbank and connected it to charge.
Here it comes PowerBank to Kill
We later found that the device (Android 7.0) got infected by the powerbank, which had a modified and extended battery controller with a directly on-soldered microSD with malware onboard. The banking trojan tried to phone home over the mobile's internet connection to the P.R.C.
Don't plug in every powerbank.
There are isolating USB adapters that only pass +5V and ground, made specially for this purpose.
One of our officers had an incident in his family. His son became a powerbank of a school friend (later we found out it was from his father). The boy used the accessory normally. Once, his father (our officer), in need of juice, took the powerbank and connected it to charge.
Here it comes PowerBank to Kill
We later found that the device (Android 7.0) got infected by the powerbank, which had a modified and extended battery controller with a directly on-soldered microSD with malware onboard. The banking trojan tried to phone home over the mobile's internet connection to the P.R.C.
Don't plug in every powerbank.
… became a powerbank? 😯
Soldering the microSD on the poor kid must have been the difficult (and I have to presume very painful) part…
jaclaz
We later found that the device (Android 7.0) got infected by the powerbank, which had a modified and extended battery controller with a directly on-soldered microSD with malware onboard.
What mechanism allows the malicious code on that kind of device to execute? Is there some kind of 'autoexec' mechanism that Android uses? Or does it rely on the curious user starting the hostile code manually in some way? (Added: I was thinking along the lines of an external disk for this scenario.)
'Extended battery controller'… extended how? Enough for it to act as a host computer?
… became a powerbank? 😯
Lost in translation 'Er bekommte ein Powerbank' … or something on those lines.
… became a powerbank? 😯
Lost in translation 'Er bekommte ein Powerbank' … or something on those lines.
Sure :), I know, but when you title something "Powerbank to Kill" with the evident intent to catch people's attention (it should have been "Powerbank to Steal Data" or "Powerbank with banking trojan"; from the title I expected that somehow the device contained supercapacitors or *whatever* capable of generating peaks of voltage/current that could "kill" a device or a human), you also need to double check that what you write makes sense (translation or not).
jaclaz
… I expected that somehow the device contained supercapacitors or *whatever* capable of generating peaks of voltage/current that could "kill" a device or a human)
Freudian slip of the tongue, probably. The malware vector was probably terminated … permanently.
Got a powerbank from a school friend.
Sounds like your officer was hit with a very interesting Rubber Ducky USB attack.
The banking trojan tried to phone home over the mobile's internet connection to the P.R.C.
Don't plug in every powerbank.
Rolf, why don't you and your colleague make an article from this story? Write down the story, more technical details, some photos from inside the device, and publish it here on ForensicFocus. I am sure a lot of people here (and elsewhere) are very interested in more details, the manipulated firmware and the IP addresses the device connected to. Some PCAPs would be great, too.
Please get in touch with Scar and contribute this story to this audience here. I have done it twice and it was not only an interesting experience, it was a great training for myself.
Regards,
Robin