WEBVTT 00:00.000 --> 00:11.200 So, hi everybody. I'm Julia. This is David. We're going to talk about Bugbane, simplified 00:11.200 --> 00:16.640 consensual forensics on Android. And we are part of an organization that's called Osservatorio 00:16.640 --> 00:22.480 Nessuno. It's an Italian nonprofit that started running Tor exit nodes, mostly 00:22.480 --> 00:26.400 because we had legal troubles doing that as individuals. And so, we associated 00:26.400 --> 00:33.600 to have a bit more rights. And we are all volunteers at the moment. And we expanded 00:33.600 --> 00:39.520 our original scope, also to helping activists; this became also surveillance, and doing 00:39.520 --> 00:46.880 general research on surveillance tools and equipment from various vendors. And we started 00:46.880 --> 00:50.960 in our clubs and in our organized spaces, and those are still our communities and the people 00:50.960 --> 00:56.720 we try to help and with whom we try to work. And this is our Tor data center. It's a beautiful 00:56.720 --> 01:02.640 basement in Italy, so it's our headquarters. And let's talk about spyware. So, when somebody 01:02.640 --> 01:07.680 thinks spyware and is not very deep into it, they generally think of all the big scandals that happened 01:07.680 --> 01:14.000 throughout Europe and not only Europe; they might think of Pegasus, of NSO Group, of Predator, 01:14.000 --> 01:22.400 and of many other Israeli companies. So, the point is that in the last five years, a lot of companies 01:22.400 --> 01:28.400 have started in Spain, in Italy, as exploit research hubs and spyware development labs, 01:28.400 --> 01:35.760 mostly because of the good climate, nice food, tax cuts, and a lot of researchers in Italy wanted 01:35.760 --> 01:43.040 to relocate somewhere that wasn't possibly Cyprus or Israel. And Barcelona is one of the main places, 01:43.040 --> 01:50.800 as most people know.
And Israel is still leading the exploit development, especially for 01:50.800 --> 01:56.160 vendors like Cellebrite and similar, and they test on Palestinians all the time. That's also why it's 01:57.200 --> 02:02.720 developed on their side. And mostly, all countries have had a spyware scandal at a point in time; 02:02.720 --> 02:07.040 Italy had it recently, but we know about Greece. We know about Spain with CatalanGate, 02:07.040 --> 02:11.600 Greece with the Pegasus committee. We know about Serbia recently, we know about Poland, Latvia; 02:11.600 --> 02:15.120 if one searches, they can probably find one, and it's very likely that for the places that are 02:15.120 --> 02:19.920 unlisted there, it's just that we don't know what they're doing. It's not like they're exempt from this. 02:21.520 --> 02:26.960 And generally doing attribution of who was infected by whom for which reason is extremely difficult, 02:26.960 --> 02:31.040 and the burden of proof is almost always on the victims. And even if you can prove that there 02:31.040 --> 02:36.560 was a spyware, finding out who sent it is extremely difficult. So, you can guess it's state 02:36.640 --> 02:42.080 surveillance, but you just almost can never confirm it unless the other party confirms it, 02:42.080 --> 02:47.040 which is kind of annoying because justice should work in a way that not everything should be on the 02:47.040 --> 02:54.800 victims. And when we talk about spyware, I start from the leftmost column, discussing the 02:54.800 --> 03:01.280 very famous, very sophisticated, very costly ones, including NSO Group, Dataflow, which is an Italian 03:01.280 --> 03:06.400 company. And mostly, when we think of this spyware, we think of zero-click exploits or one-click 03:06.400 --> 03:11.200 exploits plus a little bit of social engineering to view a link preview, or a document, 03:11.200 --> 03:16.720 or click a link.
And generally, this highly sophisticated spyware has agents that run in memory, 03:16.720 --> 03:23.360 maybe in kernel space, or live persistence. And so, they're really difficult to catch from user space, 03:23.360 --> 03:29.600 unless you try to jailbreak or root your device. While there's a plethora of, let's say, less expensive, 03:29.680 --> 03:34.720 less sophisticated spyware that is used all the time in so many more circumstances. 03:34.720 --> 03:39.760 And, really, in the lack of sophistication and in the lack of the availability of very expensive 03:39.760 --> 03:44.800 exploit chains, they have to use different tactics. And so, for instance, we've seen spyware, 03:44.800 --> 03:49.600 bar, RCS, ornamental, that generally use some type of social engineering for installation, 03:49.600 --> 03:55.360 and then maybe they use either n-day bugs or non-bugs for privilege escalation, or for maybe 03:55.360 --> 04:02.800 bypassing system prompts, or doing basic kinds of attacks, so that they require some 04:02.800 --> 04:06.320 social engineering, but also they have some technical sophistication to pass through that. 04:06.320 --> 04:11.840 But, generally, this kind of spyware is already more persistent on disk; maybe they 04:11.840 --> 04:15.760 start an application, maybe they become device admin, so they're a bit more catchable, 04:15.760 --> 04:21.360 and they're still generally used, I guess, against a significant number of activists, journalists, 04:21.360 --> 04:25.120 and this then depends on the case.
And then we have on the rightmost column 04:25.120 --> 04:30.800 the cheapest ones, where basically they just can be installed via social engineering, 04:30.800 --> 04:33.760 and while this seems very unlikely, because we're all taking care of people, they are 04:33.760 --> 04:38.800 totally very used, and they have a high degree of efficiency, because they can start, 04:38.800 --> 04:41.760 especially if you're in a position of power, you can start by doing the basics, 04:41.760 --> 04:45.600 social engineering, but then you can add extra tools. For instance, you can seize the phone, 04:45.600 --> 04:50.160 unlock it using a forensic tool like Cellebrite, then install spyware, and then return it to the victim. 04:50.240 --> 04:56.000 And clearly, that doesn't require exploits on the spyware side, and clearly still has a high degree 04:56.000 --> 05:00.560 of efficiency; that's what's been seen in Serbia and in other countries. And there's also 05:01.520 --> 05:05.840 other things that we're going to talk about, where I discuss social engineering plus infrastructure 05:05.840 --> 05:11.200 attacks that are very widely used in Italy to deploy spyware against activists. And there's also 05:11.200 --> 05:17.680 a sub-genre of all these things that are spyware that don't employ any exploit, but they're still 05:17.680 --> 05:22.880 widely used for gender violence, so for stalking purposes, for surveilling employees, and these 05:22.880 --> 05:27.600 tools are generally very cheap, like you can buy them. Maybe a while ago, you could still find 05:27.600 --> 05:31.760 these tools on the Play Store; now you probably can't anymore unless in special circumstances, 05:31.760 --> 05:36.640 but they're still very widely available and used. And as we see, there's been 05:38.880 --> 05:44.160 evidence of Cellebrite used to unlock phones, and then install spyware.
This is from another Italian 05:44.240 --> 05:48.800 collective that's been tracking low-cost spyware infection via social engineering, 05:48.800 --> 05:53.360 and what they found out is that what happens in Italy at the social engineering 05:53.360 --> 05:57.680 plus infrastructure level is the victim will have a service that they need cut off, 05:57.680 --> 06:04.880 so for instance, the data on their SIM, or their phone calls don't work anymore. And then 06:04.880 --> 06:09.200 basically what they can do is they can only call the support number of the ISP. The ISP will have 06:09.200 --> 06:13.920 a social engineering agent, who knows who that is, and then they will basically say, 06:13.920 --> 06:18.000 you need to install this special support app so that you can get your data traffic back. 06:18.400 --> 06:22.000 And that works very well, because you need the service, and like the only way to get back 06:22.000 --> 06:26.080 your service is to install the spyware, and that will guide you through disabling Play Protect, 06:26.080 --> 06:30.560 like all the security features, in the social engineering support call 06:30.560 --> 06:34.160 that they do, and people install the spyware, and it works. And it's also extremely cheap, 06:34.160 --> 06:38.640 because the cost per license of this stuff can be very low per day per user. 06:40.400 --> 06:45.200 And so, we've focused on consensual forensics on mobile. It's because, well, on desktop, 06:45.200 --> 06:49.280 we have focused for a long time on trying to do live detection of malware. Actually, 06:49.280 --> 06:55.200 we cannot really hook system calls, or we can't really, unprivileged, catch threats, like 06:55.200 --> 07:01.280 at a low privilege level. And so, from user space, we are very limited in the things we can do, 07:01.920 --> 07:07.680 and obviously there's good reason for that.
And so, most civil society has worked in two branches 07:07.680 --> 07:13.280 to catch this kind of threat. One is the forensic methodology, which we're going to talk about, 07:13.280 --> 07:17.440 and the other is network-based detection from PiRogue Tool Suite, where basically you have 07:17.440 --> 07:20.080 at least a host name and some other network indicators you see. 10:12.840 --> 10:13.840 Sorry for the interruption.
10:13.840 --> 10:16.840 And so, as I was saying, we've been focused on forensic methodology 10:16.840 --> 10:17.840 and network-based detection, 10:17.840 --> 10:19.840 but they have shortcomings, 10:19.840 --> 10:20.840 especially at the moment, 10:20.840 --> 10:22.840 where basically you can almost only catch 10:22.840 --> 10:25.840 known spyware, because you need to have already 10:25.840 --> 10:27.840 the IOCs, or not the IOCs themselves but some indicators, 10:27.840 --> 10:30.840 you know, like something has happened. 10:30.840 --> 10:32.840 And there's a bit of research on running 10:32.840 --> 10:35.840 static and dynamic analysis on the phone itself, 10:35.840 --> 10:38.840 but that's very battery consuming, it's pretty difficult to do. 10:38.840 --> 10:41.840 So there's a lot of complexity if you want to have something 10:41.840 --> 10:43.840 that respects the privacy of the user, doesn't do data collection, 10:43.840 --> 10:45.840 doesn't do data correlation, 10:45.840 --> 10:46.840 but also you want to catch things, 10:46.840 --> 10:49.840 but then you're limited only to known stuff. 10:49.840 --> 10:51.840 And as I was saying before, 10:51.840 --> 10:54.840 what we were going to focus on is the threats that, sort of, 10:54.840 --> 10:57.840 as I said, are apps, because we can't really catch 10:57.840 --> 10:59.840 from user space, or it's extremely difficult to catch 10:59.840 --> 11:02.840 from user space, the very sophisticated threats. 11:02.840 --> 11:05.840 And it's also not like our target users, 11:05.840 --> 11:09.840 just because we know that there are so many of the lower 11:09.840 --> 11:12.840 sophistication threats that affect a lot of people 11:12.840 --> 11:16.840 and generally they have also less assistance from civil society. 11:17.840 --> 11:20.840 And so what we're going to focus on is consensual 11:20.840 --> 11:21.840 forensic methodology.
11:21.840 --> 11:24.840 And what happens at the moment when an activist or a journalist 11:24.840 --> 11:27.840 is suspected to have been infected 11:27.840 --> 11:30.840 is that they have to look for a civil society organization 11:30.840 --> 11:32.840 that's likely going to help them; 11:32.840 --> 11:35.840 it depends on the case and on their organization, 11:35.840 --> 11:37.840 and also on geography, but there are so many issues. 11:37.840 --> 11:41.840 Because the first thing is that if the person who has the 11:41.840 --> 11:43.840 infection is in contact with the organization, 11:43.840 --> 11:45.840 they likely either need to have somebody come to them, 11:45.840 --> 11:48.840 bring some offline tools, do some manual analysis, 11:48.840 --> 11:51.840 check the results and explain to them what's happening, 11:51.840 --> 11:54.840 or they have to be guided through this process through 11:54.840 --> 11:56.840 multiple parties, which is again pretty difficult, 11:56.840 --> 11:59.840 or the victim actually has to ship their device 11:59.840 --> 12:00.840 to one of these support organizations, 12:00.840 --> 12:02.840 which again is across borders someplace; 12:02.840 --> 12:04.840 you basically send somebody all your data via post, 12:04.840 --> 12:06.840 like there's a bunch of complexities. 12:06.840 --> 12:09.840 And obviously we are grateful for all the organizations 12:09.840 --> 12:11.840 that have been doing this at this moment. 12:11.840 --> 12:14.840 And we also do this in Italy for people when they don't 12:14.840 --> 12:17.840 have a contact, but it's something that's really difficult 12:17.840 --> 12:19.840 to scale just because you need a person 12:19.840 --> 12:21.840 to provide the support. 12:21.840 --> 12:23.840 And some of these are volunteer based, 12:23.840 --> 12:25.840 some employ volunteers and employees, 12:25.840 --> 12:28.840 we are all volunteers so it's a bit complicated.
12:31.840 --> 12:34.840 So we have seen a consensual 12:34.840 --> 12:38.840 forensic methodology, but what do you use 12:38.840 --> 12:41.840 if you're a technician and want to analyze a phone 12:41.840 --> 12:44.840 that you think is infected by spyware 12:44.840 --> 12:47.840 and there is spyware abuse? 12:56.840 --> 13:00.840 So MVT is the de facto standard tool for consensual 13:00.840 --> 13:04.840 mobile forensics; it was developed by 13:05.840 --> 13:09.840 Amnesty Tech Lab, that is one of the civil society 13:09.840 --> 13:13.840 organizations that perform this type of analysis. 13:13.840 --> 13:16.840 And it was developed in 2021 13:16.840 --> 13:19.840 in the context of the Pegasus project investigation. 13:19.840 --> 13:21.840 And if you don't know, 13:21.840 --> 13:26.840 the Pegasus investigation was a spyware scandal 13:26.840 --> 13:30.840 that targeted the Catalan government, 13:31.840 --> 13:34.840 and all the members of the Catalan government 13:34.840 --> 13:39.840 were surveilled with the Pegasus spyware, 13:39.840 --> 13:43.840 and this sparked a lot of problems 13:43.840 --> 13:48.840 in all of Europe. 13:48.840 --> 13:54.840 And the MVT tool is developed in Python as a command line tool, 13:54.840 --> 13:57.840 so it is not really usable for an end user. 13:57.840 --> 13:59.840 You need to know what you are doing. 13:59.840 --> 14:01.840 It's difficult to install. 14:01.840 --> 14:03.840 You have to do like pip, 14:03.840 --> 14:05.840 etc., but for the end user, 14:05.840 --> 14:08.840 it's not really a common thing. 14:08.840 --> 14:11.840 And also interpreting the results 14:11.840 --> 14:13.840 requires some technical expertise; 14:13.840 --> 14:15.840 there are a lot of scary warnings 14:15.840 --> 14:18.840 that a user maybe doesn't understand. 14:18.840 --> 14:21.840 And so you need a technical person 14:21.840 --> 14:24.840 to run this type of tool.
14:24.840 --> 14:28.840 And it works by connecting the target phone via USB, 14:28.840 --> 14:31.840 enabling the developer tools on the phone, 14:31.840 --> 14:35.840 enabling ADB, Android Debug Bridge. 14:35.840 --> 14:39.840 And then you can extract the relevant artifacts 14:39.840 --> 14:44.840 from the phone and analyze them on the PC. 14:44.840 --> 14:45.840 But as I said, 14:45.840 --> 14:48.840 it is really difficult to use for an end user, 14:48.840 --> 14:51.840 so AndroidQF was developed 14:51.840 --> 14:56.840 to make the acquisition process easier for the victims. 14:56.840 --> 15:00.840 And AndroidQF is more user-friendly than MVT; 15:00.840 --> 15:03.840 it is basically written in Go and distributed 15:03.840 --> 15:06.840 as a single binary. 15:06.840 --> 15:08.840 You can download it, like a victim. 15:08.840 --> 15:11.840 You can download it, run it on your PC 15:11.840 --> 15:16.840 and then get an export that is basically MVT compatible 15:16.840 --> 15:18.840 in a single click. 15:18.840 --> 15:23.840 And these exports can then be shared 15:23.840 --> 15:25.840 with our technical team. 15:25.840 --> 15:32.840 And MVT is used to analyze it by an expert. 15:32.840 --> 15:35.840 This just streamlines the acquisition process 15:35.840 --> 15:39.840 but the analysis is still, let's say, difficult. 15:39.840 --> 15:43.840 So we came up with an idea that is Bugbane, 15:43.840 --> 15:47.840 and our goals were to first of all create 15:47.840 --> 15:51.840 a user-friendly tool that can be used by everyone, 15:51.840 --> 15:54.840 because this will improve the civil society 15:54.840 --> 15:58.840 threat intelligence by making analysis widespread. 15:58.840 --> 16:03.840 So if more people that think they had 16:03.840 --> 16:05.840 a spyware infection or abuse 16:05.840 --> 16:07.840 can analyze their phone, 16:07.840 --> 16:11.840 then we can catch abuse sooner.
16:11.840 --> 16:14.840 And this kind of acquisition can be 16:14.840 --> 16:18.840 retroactively scanned with updated indicators of compromise, 16:18.840 --> 16:21.840 because you can acquire now, 16:21.840 --> 16:23.840 keep the acquisition on the phone 16:23.840 --> 16:26.840 and then scan later if new indicators of compromise 16:26.840 --> 16:29.840 are published or released. 16:29.840 --> 16:32.840 And another goal is to remain 16:32.840 --> 16:35.840 compatible with other open source tools 16:35.840 --> 16:38.840 such as MVT and AndroidQF. 16:38.840 --> 16:41.840 But mostly perform acquisition 16:41.840 --> 16:45.840 and analysis locally on the target device. 16:45.840 --> 16:47.840 It's our main goal. 16:47.840 --> 16:50.840 How can we do it? By using wireless USB 16:50.840 --> 16:51.840 debugging. 16:51.840 --> 16:55.840 And basically it works like USB 16:55.840 --> 16:59.840 but over TCP via Wi-Fi. 16:59.840 --> 17:01.840 And basically you need to enable 17:01.840 --> 17:04.840 this option in the development tools 17:04.840 --> 17:08.840 and pair the daemon and the app 17:08.840 --> 17:12.840 with the pairing code or QR code. 17:12.840 --> 17:14.840 It is available since Android 11, 17:14.840 --> 17:17.840 this feature, so we are only targeting, 17:17.840 --> 17:19.840 let's say, newer devices. 17:19.840 --> 17:22.840 And it grants the same privileges as MVT, 17:22.840 --> 17:24.840 and so this is good news 17:24.840 --> 17:26.840 because we can do acquisitions 17:26.840 --> 17:29.840 that are one to one the same as MVT. 17:29.840 --> 17:32.840 And ironically, this is the same mechanism 17:32.840 --> 17:36.840 that low-end spyware use to escalate their privileges. 17:36.840 --> 17:40.840 So they automate this part to obtain 17:40.840 --> 17:43.840 the pairing with the ADB process 17:43.840 --> 17:48.840 and then obtain higher privileges on the phone. 17:48.840 --> 17:52.840 So this is a little schema of Bugbane 17:52.840 --> 17:53.840 on the left; on the right
17:53.840 --> 17:57.840 we can see the artifacts that get collected. 17:57.840 --> 17:59.840 So SMS, it's a big thing 17:59.840 --> 18:03.840 because most of the entry points 18:03.840 --> 18:06.840 for low-end spyware are SMS. 18:06.840 --> 18:09.840 You get an SMS saying, yeah, please download this application 18:09.840 --> 18:12.840 to get your internet connection back, 18:12.840 --> 18:18.840 and a lot of URLs are IOCs for infection. 18:18.840 --> 18:22.840 Another interesting part is that IOCs are updated. 18:22.840 --> 18:24.840 Let's say every day there is a check 18:24.840 --> 18:28.840 if there are new IOCs and, if so, they are downloaded into use. 18:28.840 --> 18:32.840 And another thing is that the user is presented 18:32.840 --> 18:35.840 with some warnings and, based on the warning level, 18:35.840 --> 18:39.840 the user can decide to encrypt their acquisition 18:39.840 --> 18:42.840 and share it with an organization 18:42.840 --> 18:44.840 that can analyze it further 18:44.840 --> 18:48.840 and understand if there was indeed a spyware or spyware abuse. 18:48.840 --> 18:51.840 Or otherwise, if there are no big warnings, 18:51.840 --> 18:54.840 they can just encrypt the acquisition 18:54.840 --> 18:57.840 and scan it at the next IOC update. 18:57.840 --> 18:59.840 And here are some screenshots 19:00.840 --> 19:05.840 of the beta version that we are starting to release. 19:05.840 --> 19:08.840 Here is an example acquisition 19:08.840 --> 19:12.840 that runs some modules to acquire artifacts. 19:12.840 --> 19:15.840 Then in the center there is an example 19:15.840 --> 19:19.840 of an acquisition's details with some findings. 19:19.840 --> 19:23.840 Here are two scans of the same acquisition, 19:23.840 --> 19:26.840 and then in the last one we have the detail 19:26.840 --> 19:31.840 of what the warnings are in that specific scan. 19:31.840 --> 19:34.840 What are the limitations of this approach?
19:34.840 --> 19:38.840 The first one is that it can only catch known threats, 19:38.840 --> 19:40.840 as we have said before. 19:40.840 --> 19:44.840 And threat actors can also scrape public IOCs 19:44.840 --> 19:46.840 and update their obfuscation 19:46.840 --> 19:48.840 to make it harder for this tool 19:48.840 --> 19:51.840 to detect such spyware. 19:51.840 --> 19:54.840 And also another big thing is that 19:54.840 --> 19:56.840 we are creating artifacts on the device 19:56.840 --> 19:59.840 that add evidence in case of seizures. 19:59.840 --> 20:02.840 So maybe you have a lot of acquisitions 20:02.840 --> 20:04.840 that you performed on your device 20:04.840 --> 20:06.840 that you want to keep to scan later, 20:06.840 --> 20:09.840 but if your phone gets seized 20:09.840 --> 20:12.840 and then they use Cellebrite for example 20:12.840 --> 20:14.840 to unlock it, then they can get 20:14.840 --> 20:18.840 all this kind of evidence from the past. 20:18.840 --> 20:20.840 What is currently under development 20:20.840 --> 20:23.840 in our application: we want to secure 20:23.840 --> 20:26.840 the app by encrypting the local data, 20:26.840 --> 20:30.840 so the local acquisition, so it is encrypted 20:30.840 --> 20:34.840 and not available at a later time 20:34.840 --> 20:40.840 for people outside of the user itself. 20:40.840 --> 20:43.840 We are building a reproducible builds 20:43.840 --> 20:46.840 infrastructure and we plan to release the app 20:46.840 --> 20:50.840 also on F-Droid so that the source code 20:50.840 --> 20:54.840 is public and everybody can vet the source code 20:54.840 --> 21:00.840 and see that the app that is downloaded is really safe.
21:00.840 --> 21:02.840 And we want to improve also 21:02.840 --> 21:04.840 false positive detection and prevention, 21:04.840 --> 21:07.840 that is a problem with MVT, 21:07.840 --> 21:10.840 because technical people can just 21:10.840 --> 21:12.840 check out what the false positives are 21:12.840 --> 21:14.840 and exclude them. 21:14.840 --> 21:16.840 Instead, if you are targeting 21:16.840 --> 21:19.840 the end user, you need to be able to provide 21:19.840 --> 21:21.840 as few false positives 21:21.840 --> 21:24.840 as possible, otherwise the user will simply just 21:24.840 --> 21:28.840 be scared by all your warnings. 21:28.840 --> 21:31.840 And finally, as I said, UX, because it is important 21:31.840 --> 21:34.840 for the end user to have an 21:34.840 --> 21:39.840 easy to use application. 21:39.840 --> 21:41.840 So clearly everything is open source; 21:41.840 --> 21:45.840 you can find a blog post on our website about this. 21:45.840 --> 21:47.840 It is not released yet, we will soon. 21:47.840 --> 21:49.840 We are thankful to all the people who helped, 21:49.840 --> 21:52.840 to Rowan and also to all the previous projects 21:52.840 --> 21:55.840 who provided the foundation to start building, 21:55.840 --> 21:58.840 to CiviCERT, the civil society organization 21:58.840 --> 22:00.840 that is an organization 22:00.840 --> 22:02.840 of organizations, and all the 22:02.840 --> 22:04.840 civil society groups that share 22:04.840 --> 22:05.840 threat intelligence.
22:05.840 --> 22:07.840 And we didn't talk about closed 22:07.840 --> 22:08.840 source tools; there are a few, 22:08.840 --> 22:10.840 and that is on purpose, because most of 22:10.840 --> 22:12.840 these tools do some kind of full 22:12.840 --> 22:14.840 data collection and then run 22:14.840 --> 22:16.840 maybe machine learning algorithms 22:16.840 --> 22:18.840 on their servers, but they first need to collect 22:18.840 --> 22:19.840 the logs and all that kind of stuff, 22:19.840 --> 22:21.840 whereas we are trying to focus on 22:21.840 --> 22:25.840 local privacy practices to 22:25.840 --> 22:27.840 respect the user's choices, so nothing 22:27.840 --> 22:29.840 from the application gets shared unless 22:29.840 --> 22:30.840 the user explicitly goes through 22:30.840 --> 22:32.840 a flow to share that information, 22:32.840 --> 22:35.840 end-to-end encrypted; it doesn't come to us. 22:35.840 --> 22:36.840 And so that was it. 22:36.840 --> 22:38.840 We are happy for questions. 22:38.840 --> 22:40.840 There are more pointers. 22:40.840 --> 22:50.840 Thank you. 22:50.840 --> 22:56.840 Just to say, does this project only look at 22:56.840 --> 23:00.840 malware that is existing 23:00.840 --> 23:03.840 on the device as an application? 23:03.840 --> 23:06.840 So in theory, like that's the easiest to 23:06.840 --> 23:07.840 catch. 23:07.840 --> 23:08.840 Sorry. 23:08.840 --> 23:10.840 The question is, does the application only 23:10.840 --> 23:12.840 try to detect malware that is installed 23:12.840 --> 23:13.840 as an application? 23:13.840 --> 23:15.840 The answer is not necessarily. 23:15.840 --> 23:17.840 In the sense that that's the easiest to catch, 23:17.840 --> 23:19.840 because it leaves the most traces, and then we can, 23:19.840 --> 23:21.840 from the application, in theory you can 23:21.840 --> 23:23.840 extract the application and then 23:23.840 --> 23:24.840 ask to share those.
23:24.840 --> 23:26.840 But with the fact that we collect the logcat 23:26.840 --> 23:28.840 and the bug report, 23:28.840 --> 23:30.840 if there are crashes and we have 23:30.840 --> 23:31.840 IOCs for the crashes, 23:31.840 --> 23:33.840 then we can basically say, well, there are 23:33.840 --> 23:35.840 crashes in your bug report; that's 23:35.840 --> 23:37.840 the easiest, and the same goes for SMS. 23:37.840 --> 23:39.840 Like if you received a URL, 23:39.840 --> 23:41.840 there was one of the known ones. 23:41.840 --> 23:54.840 So the question is about, for instance, 23:54.840 --> 23:55.840 Java Card applets. 23:55.840 --> 23:57.840 So these are regarded as: if you open 23:57.840 --> 23:59.840 us an issue, then we look if we can find 23:59.840 --> 24:02.840 this information from adb and we will add 24:02.840 --> 24:03.840 the module to do that. 24:03.840 --> 24:05.840 Because you've got this all the time. 24:05.840 --> 24:06.840 Yeah. 24:07.840 --> 24:10.840 But all the phones do this, 24:10.840 --> 24:13.840 but very low, integrated 24:13.840 --> 24:15.840 with the communication problems. 24:15.840 --> 24:17.840 And it's true. 24:17.840 --> 24:19.840 Yeah. 24:36.840 --> 24:37.840 Oh, yes. 24:40.840 --> 24:43.840 Well, happy to chat afterwards, and we'll see if 24:43.840 --> 24:45.840 we can build a module to do that. 24:45.840 --> 24:47.840 It really depends on what we can do from adb.
24:47.840 --> 24:50.840 We can't, like, some stuff is documented. 24:50.840 --> 24:51.840 Like you can do adb commands to find 24:51.840 --> 24:53.840 certain things; other stuff, just like finding 24:53.840 --> 24:55.840 applications that are device admin, means having 24:55.840 --> 24:56.840 commands that are not documented. 24:56.840 --> 24:58.840 So if you spend some time you can find a way 24:58.840 --> 24:59.840 to detect it. 24:59.840 --> 25:00.840 So maybe there's a way to also detect it. 25:00.840 --> 25:23.840 This is the, by now, yes, the last one is up in the configuration of the operator 7, or 8, and the one that's up, and to be a vector of infection, you know the basis. 25:23.840 --> 25:37.840 If there are changes on the device settings, yes, that's an artifact that we gather. 25:37.840 --> 25:51.840 If, for example, malware just lives in memory and replaces, for example, the dex Java classes of another process, for example, like it's targeting WhatsApp and then changes the code for WhatsApp, 25:51.840 --> 26:13.840 then we are not going to be able to detect that with normal artifacts, but that's not our target; our target is just low-end spyware that is not so sophisticated, because we don't have the privileges to dump and catch that.