Full Report
Everyone has a mobile phone (OK, some have two), and the wealth of information people put into them is staggering. This single platform gives attackers an incredibly large attack surface to target, so it’s no surprise we *love* owning mobile devices. With this in mind, the countdown to Blackhat USA has begun, and we will be launching the latest iteration of our Mobile Hacking course to the eager and thirsty minds that find themselves at the sensory circus that is Las Vegas!
Analysis Summary
# Tool/Technique: PwnBank
## Overview
PwnBank is a fully-fledged fictitious financial banking application designed as a practical target environment for security training, specifically the "Journeyman Mobile Hacking Course" presented by SensePost at Blackhat USA. Its purpose is to allow students to learn mobile application hacking by compromising a realistic sample banking app and leveraging that access to compromise the entire associated organization and infrastructure.
## Technical Details
- Type: Tool / Demonstration Application (intentionally vulnerable training target; not malware itself)
- Platform: Mobile (Android/iOS implied by the course's general focus; deployed only within the training environment)
- Capabilities: Mimics standard banking functionality (managing payments, beneficiaries) while incorporating vulnerabilities for exploitation. It is designed to be owned and used to pivot to back-end infrastructure compromise.
- First Seen: Introduced in connection with the SensePost Mobile Hacking Course being launched around Blackhat USA 2016 (June 2016).
## MITRE ATT&CK Mapping
Since PwnBank is a training tool simulating real-world attacks against a mobile application, the mapping focuses on the techniques simulated during its exploitation and subsequent lateral movement:
- T1433 - Impact
  - T1433.002 - Data Destruction (the implied "get rich" goal suggests financial manipulation or data exfiltration)
- T1447 - Mobile Application Abuse
  - T1447.001 - Compromise Mobile Application Components
- T1490 - Inhibit System Recovery (relevant only if later ransomware analysis is incorporated)
## Functionality
### Core Capabilities
* Banking simulation (payments, beneficiary management).
* Designed to contain exploitable vulnerabilities for hands-on learning.
* Focuses on achieving complete ownership of the mobile application.
### Advanced Features
* Allows students to leverage mobile compromise to compromise the associated organization and infrastructure (lateral movement/pivoting).
* Includes vulnerable back-end services alongside the mobile interface.
* Utilized within a practical training environment involving customized bootable USBs instead of traditional VMs.
## Indicators of Compromise
* File Hashes: N/A (Application details and hashes are not provided as it is a custom training artifact).
* File Names: N/A
* Registry Keys: N/A
* Network Indicators: N/A (Focus is on attacking the back-end infrastructure, but specific indicators are not published).
* Behavioral Indicators: Application exploitation leading to unauthorized control and pivot attempts against associated enterprise systems.
## Associated Threat Actors
* SensePost Trainers/Attendees (Primary users in a controlled environment).
* The article mentions analyzing *real-life malicious ones* found in app stores (implying association with general mobile threats/ransomware).
## Detection Methods
* Detection methods are primarily instructional: analyzing the application code during development and reverse engineering ("you can’t own what you can’t build").
* Detection of successful exploitation would rely on standard application security testing tools and infrastructure monitoring for unauthorized activity originating from the compromised mobile endpoint.
## Mitigation Strategies
* Secure development practices for mobile applications.
* Rigorous testing and penetration testing prior to deployment.
* Securing associated back-end infrastructure reachable from mobile endpoints.
## Related Tools/Techniques
* Real-life malicious mobile applications (specifically mentioned for later analysis, possibly including ransomware).
* Techniques related to mobile application reverse engineering and API abuse.