2015 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT)

Investigation Into Google Play Security Mechanisms Via Experimental Botnet

Milan Oulehla
Faculty of Applied Informatics
Tomas Bata University in Zlín
760 05 Zlín, Czech Republic
[email protected]

Abstract—Mobile devices such as smartphones and tablets have become a common part of human society of the 21st century and their popularity is continuously growing. However, certain research papers imply that popularity and security do not reach the same level. They suggest that there are security weaknesses allowing publishing applications with malicious behavior on Google Play. For test reasons of Google Play security mechanisms, a special pair of applications has been developed. The former is a testing application containing a mobile botnet client. It has been designed to be resistant against security scans based on dynamic analysis but its malicious intentions have been presented in uncovered form in the code of the application. Such testing application has been published on Google Play. The latter is represented by a malware application with the sole purpose of being fraudulently installed on mobile devices without any security verification including Google Play. Certain interesting results have been raised by the research. Based on these results, useful future research directions to security of mobile device field have emerged.

Keywords—Android, bot, botmaster, mobile botnet, C&C server, Google Pay, mobile devices.

I. INTRODUCTION

Mobile devices such as smartphones and tablets have become a common component of the 21st century human society. This fact can be illustrated by an example of Android which has become one of the most popular mobile operating systems. It had over 1 billion active Android users in 2014 [1]. The contemporary mobile devices often contain a lot of sensitive data including personal information which can be abused for social engineering, contacts that can be collected for spam databases and subsequently sold, corporate data (know-how which can be used for unfair competition) and more. Apart from data theft, other ways of abusing mobile devices for malicious actions exist:

• misuse of hardware includes: built-in GPS module ("Roll call release for police, fire, ems, and security personnel" by FBI released on July 23, 2013 to inform about malware which is able to log users' locations [2]), camera (for example, there is a threat of face recognition by front camera of mobile device and image processing) and microphone (audio recording),

• misuse of smartphones and tablets as a whole for coordinated actions. For example a huge number of mobile devices could constitute not only a target of attacks, but also an effective resource for executing Distributed Denial-of-Service (DDoS) attacks [3]. Mobile devices are also capable of distributing email, SMS, and MMS spamming [4].

Even though there is a number of security risks on the mobile platform, security issues are usually underestimated by both companies involved in mobile devices development and users. Mobile devices are produced in short development cycles which do not provide enough time for a robust security ensuring design because from producers' point of view, profit is very often more important than security. Typical behavior of many users is characterized by ignoring security recommendations since they prefer user comfort to their safety. Combination of the above mentioned potential security risks and increasing popularity of mobile devices make the mobile platform a very promising area for malware creators. There is another argument which may tip the scales in favor of malware writers: "Four mobile anti-virus applications (AVG Anti-virus, Avast Mobile Security, Lookout Security & Anti-virus and Norton Anti-virus & Security) were installed on a smartphone prior to the execution of the prototype (client of hybrid command and control mobile botnet created by authors). All the anti-viruses were active during the execution of the prototype but failed to identify any malicious activities" [5].

As already mentioned, Android [6] is one of the most common mobile operating systems in the world. For this reason, this research has been focused on Android security issues, especially on vulnerabilities of Google Play which is a software distribution platform for Android run devices. (Apart from software, Google Play also offers digital distribution of books, films and music. Nevertheless these features are not important for the research.) There are many threats on the mobile platform such as worms, Trojan horses (also known as Trojans) and viruses. However, mobile botnets represent the biggest issue in this field [7], [8], [9]. It is probably because one mobile botnet is able to perform a whole range of varied criminal activities starting from data thefts and ending by DDoS attacks. There is no fixed predictable pattern of behavior since botnet clients (bots) are not controlled by an algorithm but by a human (a botmaster). Zitmo Botnet, a variant named Eurograbber, attacked all main mobile platforms including Android, Symbian, Windows Phone and Blackberry and stole 47 million dollars [10]. Another million-dollar loss was caused by the Android.Bmaster mobile botnet in China [11]. All these facts imply necessity of an additional research into the field of mobile botnets. This paper tries to shed light on the mobile botnets issue as well as contribute to the mobile platform security improvement.

II. CHARACTERISTICS OF MOBILE BOTNETS

A. Essential terms

In order to be able to understand mobile botnet security risks on the Android platform better, it is necessary to explain some essential terms used in this field.

1. Bot is a special kind of malware installed on a mobile device. It is a client of botnet network receiving commands typically from a C&C server. Bot, on the basis of obtained commands, tries to perform malicious actions such as firmware damage, email spamming, theft of sensitive information, SMS interception (e.g. internet banking), audio recording, click fraud and downloading additional content [8]. There are two typical kinds of bots:

   a. A regular Android application which consists of legitimate and illegitimate parts as FakePlayer [12]. While the legitimate part can perform certain useful activities such as playing music or video, the illegitimate part is able to perform criminal activities.

   b. Hidden bots consist of hidden Activity ("An Activity is an application component that provides a screen with which users can interact in order to do something, such as dial the phone, take a photo, send an email, or view a map." [13]) and BroadcastReceiver. Such application does not have a user interface and is able to run secretly in the background and processes various malicious actions or attacks using broadcasts [14]. A mobile device infected with a bot is called Zombie or "zombie" device [4] [15].

2. A command and control (C&C) server is specially designed for sending commands to bots as well as collecting stolen user data sent from the bots.

3. A botmaster is either a botnet developer or a cyber-criminal who has bought a botnet from a botnet creator at the black market. Botmaster controls bots via C&C server or peer-to-peer (P2P) network to perform aforementioned malicious activities.

4. Dynamic application analysis does not examine the source code. It is focused on behavior of applications as a whole. These applications are tested in controlled environment and every suspicious action like sending or receiving data from the well-known C&C servers, memory access violation or remote code execution are logged and evaluated.

5. Static application analysis is a process dealing with code inspection. It has usually two parts: decompilation and code analysis. In the decompilation part, tools such as Dex2Jar [7], JD-GUI [7], Apktool [16] and Virtuous Ten Studio (VTS) [16] are used. The code analysis part tries to search for harmful actions in Java/Smali/XML source codes. In contrast to the dynamic analysis, it is relatively difficult to develop accurate automatic code analyzers because code security risk evaluation is a quite complicated process with many pitfalls resulting in the fact that the static analysis methods cannot be easily transformed into the automated program form. This may be the reason why the Google Play analyzer and antivirus companies are trying to concentrate on the AndroidManifest.xml file examination described in section "A design of pair applications developed to test Google Play security mechanisms" below.

6. AndroidManifest.xml file "Every application must have an AndroidManifest.xml file. The manifest file presents essential information about a described app to the Android system; the system must have this information before it can run any of the app's code. It describes the components of the application including activities, services, broadcast receivers, and content providers. It declares which permissions the application must have in order to access protected parts of the API and interact with other applications" [17].

B. Phases of mobile botnets

A mobile botnet is relatively sophisticated malware with complex patterns of behavior, which means that each individual mobile botnet differs from the others. Nevertheless, there is one aspect common for all mobile botnets. This feature is a life cycle consisting of three phases: Infection, Propagation and Execution [9]. In the Infection phase, the botnet creator tries to develop a bot that is a botnet client. Once the bot is finished, it must be hidden in the mobile software which looks legitimate and attractive for the users. There are three ways to camouflage a botnet client on mobile devices. The first two ways are concerned with regular Android applications (see paragraph 1a in subsection Essential terms):

a. APK of a legitimate application is decompiled and then a malicious code is added to the application. Finally, the infected application is again built into the APK [16].

b. The second way to conceal a bot in a regular Android application is to develop a useful application and add the bot into it.

c. The last possibility of hiding a bot in mobile devices has been raised by a research revealing how malware creators hide installed APK applications from users on their mobile devices [26]. This way is used by special single-purpose bot applications. There is only the illegitimate part with a camouflage mechanism (see the paragraph 1b in subsection Essential terms).

Once the application includes a bot, it is ready for the next phase which is Propagation. During this phase, the infected application is distributed from various sources such as:

• Google Play store - official distribution platform,

• unofficial software markets,

• web pages with JavaScript able to detect Android web browser and subsequently offer downloading of infected APK package (a typical behavior of certain torrent-searching web pages),

• phishing, during which the victim receives either an email containing a hypertext link to a malicious web page in the body of the message or an attachment with an infected APK application.

At the time when a bot is on smartphone or tablet of victim, next phase can begin. From the point of view of botmaster, this is the most important phase because now she/he is able to perform criminal activity for which a botnet was created. There is a usual scenario of this phase. At the beginning, bot tries to connect to C&C server. It can be a POST or GET http request like this: http://address.of.candcserver.com?id=null. C&C server assigns only id for unsecured communication or login and password for secured communication. Then bot saves sent credentials to the persistent memory and from that moment server - bot communication is always with login and password or with id. Now a bot is waiting for botmaster's commands and is ready for malicious actions such as DDoS attacks, sending text messages to premium-rate numbers owned by cyber criminals without user's knowledge, stealing user's locations, keystrokes and passwords without user's knowledge etc. [2]. In addition to the above-mentioned phases (i.e. Infection, Propagation and Execution), some of the best mobile botnets have also the Cleaning phase. During this phase the bot as well as all its auxiliary files such as cache, id file (e.g. a file containing assigned login and password for communication with a C&C server), temporary files (encrypted files including stolen data for transfer to the server of cyber criminals) are deleted from the infected mobile device. Cleaning phase takes place:

• at the beginning of bot's life because it is not able to function due to proper security settings (mobile device is not rooted, is not allowed to install application from unknown sources etc.). A bot will not be operational on this particular device,

• at the end of bot's life. This is typical for bots which perform serious cyber-crime like interception of authorization text messages for mobile internet banking without user's knowledge.

III. A DESIGN OF PAIR APPLICATIONS DEVELOPED TO TEST GOOGLE PLAY SECURITY MECHANISMS

The observations which have been carried out in this research imply that Google Play store contains many suspicious applications. These applications have features enabling to perform certain malicious actions. This finding is in accordance with other items of research. For example, useful results can be seen in [18]: "We conducted an analysis of 1,632 popular applications on Google Play, each with more than one million installations, revealing that 151 (9.25%) of them are vulnerable to code injection attacks." Based on our preparatory phase of research and published papers in this field, we present a hypothesis about Google Play security process analysis of approved applications. It seems that static analysis is underestimated by Google Play, since it predominantly focuses on dynamic analysis and inspection of AndroidManifest.xml file. As mentioned earlier, dynamic analysis is concentrated on suspicious behavior of examined application such as sending/receiving data to the well-known C&C servers, multiple repetitive requests to the same server in a short period of time which can indicate DDoS attack etc. AndroidManifest.xml analysis is concentrated on suspicious permissions. There are two kinds of permissions: function permissions and actually requested permissions in the field of Android user applications. Function permissions form a set of legitimate permissions. For example if application taking pictures requests permissions as android.permission.CAMERA, android.hardware.camera or android.hardware.camera.autofocus, it seems logical. In fact camera application could ask for any Android permission. For instance camera application can request android.permission.READ_SMS, android.permission.RECORD_AUDIO or android.permission.INTERNET. It depends only on the user whether he accepts requested permissions of mostly free of charge application or not. Security analyzers try to find the contradiction between function permissions and actually requested permissions (Figure 1).

Fig. 1. Principle of detection of suspicious applications based on permissions

All the above mentioned facts have influenced a design of our applications. There are two applications:

• The first is called "testing application". It is a weather forecast application containing bot which is controlled by botmaster via C&C server.

• The second is called "malware application" and it has only one aim which is to be fraudulently installed on mobile devices without any security inspection including Google Play.

This testing application has legitimate and illegitimate parts. The legitimate part is represented by weather forecast application for Spennymoor town. It shows certain useful information such as current temperature, pressure, humidity etc. This testing application does not request any illegitimate permission. It tries to perform every malicious action solely within function permissions of legitimate part of application. The illegitimate part (a bot) is controlled by weather forecast sets of JSON (JavaScript Object Notation) which contains both weather forecast information and control commands. The testing application as such can be considered "clean" as it is silently controlled by legitimate JSON data sets. It means that weather forecast server functions at the same time as C&C server. The testing application does not perform any malicious actions as it is common for bots. The bot has to pass through Google Play security scan as inconspicuous as possible. There is another fact which should be taken into account "An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism" [19]. Thus this research has not been focused on APK replacement and subsequent using techniques like remote code execution etc. Instead, a testing application tries to install additional application according to commands from the C&C server. It will not be then scanned by Google Play security mechanisms and is intended for malicious actions. In fact such testing application is some kind of mixture of bot and Trojan horse.

A. How the created bot works

Once the JSON weather forecast is downloaded, the bot is automatically launched. First, the bot tries to find out whether the malware application is already installed, because if it is, no additional installation is needed. Assuming that the malware application is not installed on the device, the bot is ready to perform another step which looks like modification protection of the weatherengine. It consists of two components: weatherengine1020 and weatherenginesupportlibrary (see Figure 2). The weatherengine system pretends to be valuable and therefore it should be protected prior to its use but in reality it is a bot command mechanism.

Fig. 2. Weatherengine1020 and weatherenginesupportlibrary

The weatherenginesupportlibrary is an encrypted array of bytes with a sole purpose which is comparison with enginesha value from downloaded JSON (see an example of JSON below). The bot reads value of the enginesha variable and compares it to SHA256 value of weatherenginesupportlibrary. If the values of enginesha and weatherenginesupportlibrary are not equal, the bot stops running and only legitimate part of application continues. If the values of enginesha and weatherenginesupportlibrary are equal, it means that command for installation of malware application has been issued by botmaster via C&C server. The bot checks whether an installation from unknown sources is allowed. Finally, the bot verifies access to the persistent memory of the host device. If the last two requirements are met then the bot starts the installation of malware application, which looks like a legitimate update of weather engine application (see Figure 3), but in reality a separate malware application which was not inspected by Google is being installed. The weatherengine1020 from ../res/raw directory is encrypted array of bytes (Figure 2). The bot decrypts array of bytes of the weatherengine1020 using password taken from enginedata variable stored in JSON. Then it saves decrypted array to the persistent memory of the device without file extension *.apk. This is useful because manipulation with *.apk in source code could attract attention of security scans and regardless of the fact that *.apk file extension is missing, the installation will work well. The rest of installation is standard. After finishing the installation or if the installation is canceled, cleaning is performed. Cleaning process deletes decrypted installation file from the device. Now the malware application is installed on a mobile device which is controlled by botmaster.

An example of JSON including both weather forecast information and command from C&C server:

{"icon":"01d","enginedata":"bdd5a95ab68c802f81e7d7c052e83a52952b2c1abc","pressure":10223,"temp":52.54,"humidity":93,"wind":8.86,"enginesha":"aabc4436e2dc018f729061d39ada235a350be438acdc383da2525f38122ab7eba7","description":"Sky is Clear"}

Fig. 3. Fraudulent installation of malware application

IV. RESULTS

Within this research, testing application has been created, which included malicious features such as:

• finding out whether an installation from unknown sources is allowed,

• an installation will be carried out provided that an installation from unknown sources is allowed in Android security settings. It is a clear example of malicious intention,

• an installation file created from encrypted resource located inside the testing application,

• an installation from local file which does not have *.apk file extension,

• a fraud installation of application which tries to look like improvement of weather forecast application but in fact it has nothing to do with weather forecast process.

All these items represent a dangerous mix of features for which there is no legitimate reason since extensions or external supported software of legitimate applications published in Google Play store can be also distributed through it. Above mentioned malicious items could be uncovered by static analysis of code because the code of testing application does not try to conceal its goals. It has not even been obfuscated. Regardless of the fact that testing application represents security risk it has been successfully published via Google Play store and everybody has been able to install it on her/his smartphone or tablet. See Figure 4. It has been probably possible because the testing application has been designed to minimize possibility of revelation by dynamic application analysis or analysis of AndroidManifest.xml file:

• the testing application does not show a contradiction between function and requested permissions. It performs all its harmful actions using only function permissions,

• the testing application does not connect to the C&C server by itself. It waits for legitimate download of weather forecast JSON including both up-to-date weather forecast information and command for bot. Download of JSON is performed only by calling onCreate() method or by user's click on update button,

• a bot command mechanism pretends that it is a SHA256 protection against manipulation of weather engine,

• a malware application that is designed to be installed by bot is encrypted as anonymous array of bytes located in ../res/raw so it could not be tested by security scans,

• the cleaning mechanism always removes decrypted installation file from persistent memory of the device regardless of the result of the malware application installation.

V. DISCUSSION

Both applications - the testing application and the malware application - have been developed with the purpose to test Google Play security mechanisms. The malware application has been encrypted and stored inside the testing application which has been published in Google Play store (see Figure 5/1). Testing application is controlled by botmaster via C&C server (see Figure 5/2) and it has passed through Google Play security mechanism performing fraud installation of malware application which has not been checked by any security scan (see Figure 5/3). This is obviously a really dangerous behavior which indicates that the testing application should never pass through Google Play security scan. The research paper [18] represented an inspiration for our research, especially the finding that out of 1,632 popular applications published on Google Play, 151 of them represent potential security threat. However, a different approach has been employed in the presented research. It has not been focused on quantitative analysis of Google Play as it was in the previous research, but qualitative analysis has been used instead. The results of the performed research have indirectly confirmed conclusions from [18] since our results imply that it is possible to publish applications with malicious pattern of behavior on Google Play. It is feasible on condition that harmful application is designed to be able to pass through security scans based on dynamic analysis. The results as a whole also raise the possible implication that Google Play security tests are focused on dynamic application analysis and inspection of AndroidManifest.xml whilst static application analysis is underestimated. As malicious intentions of the testing application have been presented in uncovered form in the code of application, it has not even been obfuscated. Certain impressive findings have been published in [18] and it is probably due to employed methods of static analysis. Based on both results of our research and [18], a recommendation for future research has been raised: it is extremely important to develop powerful static analysis tools which will be able to perform reliable automatic tests of mobile applications.

Fig. 4. Google Play store offering application including bot

Limitation of the research: Only one aspect of Google Play security mechanisms has been tested, for this reason it will be necessary to create other testing applications checking whether it is possible to publish applications with more dangerous patterns of behavior on Google Play. For example if it is possible to publish on Google Play an application downloading from web page and subsequently installing unchecked software based on commands from C&C server. These testing applications are currently being developed as a part of further research at Tomas Bata University in Zlín, Czech Republic, Faculty of Applied Informatics. It would be also beneficial to develop testing application with opposite features. Such application would be designed to be able to pass through security scans based on static analysis and would have clear malicious behavior including remote code execution or regular single-purpose connections to C&C server.

Fig. 5. Mechanism of a botnet which has been developed for the purpose of the research

VI. ANNOUNCEMENT

During the performed research no data from users has been collected. All malicious actions were performed only on devices owned by Tomas Bata University in Zlín, Faculty of Applied Informatics. The C&C server and its botmaster interface have been developed by independent offensive security researcher Kamil Vavra (contact: @vavkamil). The botmaster interface has been designed for executing malicious actions only based on IP addresses which were explicitly added as active targets. These targets were exclusively owned by Faculty of Applied Informatics. Currently a testing application published on Google Play is clean, there is no illegitimate part. The Spennymoor weather is available and free of charge for everyone. It is our courtesy, a way to give warm thanks to users of Google Play.

ACKNOWLEDGMENT

This work was supported by Internal Grant Agency of Tomas Bata University under the project No. IGA/FAI/2015/014.

REFERENCES

[1] TROUT, Christopher. Android still the dominant mobile OS with 1 billion active users [online]. ENGADGET INTERNATIONAL EDITIONS. 2014 [Accessed 2015-09-01]. Available: http://www.engadget.com/2014/06/25/google-io-2014-by-the-numbers/.

[2] DEPARTMENT OF HOMELAND SECURITY, FEDERAL BUREAU OF INVESTIGATION, (ed.). (U//FOUO) DHS-FBI Bulletin: Threats to Mobile Devices Using the Android Operating System [online]. 2013, 1 p. [Accessed 2015-09-07]. Available: https://publicintelligence.net/dhs-fbi-android-threats/.

[3] FARINA, Paolo, Enrico CAMBIASO, Gianluca PAPALEO and Maurizio AIELLO. Mobile Botnets Development: Issues and Solutions. International Journal of Future Computer and Communication. 2014, 3(6): 385-390. DOI: 10.7763/IJFCC.2014.V3.333. ISSN 20103751.

[4] ESLAHI, Meisam, Mohammad Reza ROSTAMI, H. HASHIM, N. M. TAHIR and Maryam Var NASERI. A data collection approach for Mobile Botnet analysis and detection: Issues and Solutions. 2014 IEEE Symposium on Wireless Technology and Applications (ISWTA). IEEE, 2014, 3(6): 199-204. DOI: 10.1109/ISWTA.2014.6981187. ISBN 978-1-4799-5436-0. ISSN 20103751.

[5] PIETERSE, H. and M. OLIVIER. Design of a Hybrid Command and Control Mobile Botnet. The Journal of Information Warfare. 2013, 12(1). ISSN 1445-3347.

[6] Android History [online]. Android, 2015 [Accessed 2015-09-07]. Available: http://www.android.com/history/.

[7] ABDULLAH, Zubaile, Madihah Mohd SAUDI and Nor Badrul ANUAR. Mobile botnet detection: Proof of concept. 2014 IEEE 5th Control and System Graduate Research Colloquium. IEEE, 2014, 257-262. DOI: 10.1109/ICSGRC.2014.6908733. ISBN 978-1-4799-5692-0.

[8] LA POLLA, Mariantonietta, Fabio MARTINELLI and Daniele SGANDURRA. A Survey on Security for Mobile Devices. IEEE Communications Surveys. 2013, 15(1): 446-471. DOI: 10.1109/SURV.2012.013012.00028. ISSN 1553-877x.

[9] PIETERSE, Heloise and Martin S OLIVIER. Android botnets on the rise: Trends and characteristics. 2012 Information Security for South Africa. IEEE, 2012, 1-5. DOI: 10.1109/ISSA.2012.6320432. ISBN 978-1-4673-2159-4.

[10] ALIGE, Eran and Darrell BURKEY. A Case Study of Eurograbber: How 36 Million Euros was Stolen via Malware [online]. 2012, 18 p. [Accessed 2015-09-08]. Available: http://www.mtechpro.com/2013/mconnect/february/dyncontent/Eurograbber_White_Paper.pdf

[11] MULLANEY, Cathal. Android.Bmaster: A Million-Dollar Mobile Botnet. Symantec Official Blog [online]. 2012 [Accessed 2015-09-09]. Available: http://www.symantec.com/connect/blogs/androidbmaster-million-dollar-mobile-botnet.

[12] AndroidOS.FakePlayer. SYMANTEC. Symantec [online]. 2015 [Accessed 2015-09-09]. Available: https://www.symantec.com/security_response/writeup.jsp?docid=2010-081100-1646-99.

[13] Activities. Android [online]. Android, 2015 [Accessed 2015-09-10]. Available: http://developer.android.com/guide/components/activities.html.

[14] OULEHLA, Milan and David MALANÍK. Techniques Allowing Broadcast Receiver Malware on Android Platform. 2015. Zakynthos, 2015. Proceedings of the 19th International Conference on Systems. ISBN 978-1-61804-321-4. ISSN 1790-5117.

[15] LEAVITT, Neal. Mobile Security: Finally a Serious Problem? IEEE Computer Society [online]. 2011 [Accessed 2015-09-10]. Available: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=5875929.

[16] GUPTA, Aditya. Learning Pentesting for Android Devices. Packt Publishing, 2014. ISBN 978-1783288984.

[17] App Manifest. Android [online]. 2015. [Accessed 2015-09-10]. Available: http://developer.android.com/guide/topics/manifest/manifest-intro.html.

[18] POEPLAU, Sebastian, Yanick FRATANTONIO, Antonio BIANCHI, Christopher KRUEGEL and Giovanni VIGNA. Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. NDSS Symposium 2014. 2014, 16 p. Available: http://www.internetsociety.org/sites/default/files/10_5_0.pdf.

[19] Google Play Developer Programme Policies [online]. GOOGLE PLAY. Google Play, 2015 [Accessed 2015-09-11]. Available: https://play.google.com/about/developer-content-policy.html
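Added example (not part of the paper and not the author's code): a reviewer-side sketch of the two checks the paper contrasts, the permission contradiction test from Section III and a static look for the feature mix listed in Section IV, showing that the first stays silent on a weather-style app while the second flags it. The per-category permission sets, the 7.5 bits-per-byte entropy threshold, the decompiler symbol list and the resource bytes are assumptions constructed for illustration; only the resource name weatherengine1020 comes from the paper.

```python
import math
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed "function permission" sets per app category (illustrative only).
FUNCTION_PERMISSIONS = {
    "weather": {"android.permission.INTERNET",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "camera": {"android.permission.CAMERA",
               "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Signatures of common formats that are high-entropy for legitimate reasons.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"OggS", b"ID3")


def manifest(*permissions):
    """Build a constructed AndroidManifest.xml requesting the given permissions."""
    uses = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.sample">%s</manifest>' % uses)


# Constructed sample inputs.
WEATHER_MANIFEST = manifest("INTERNET", "WRITE_EXTERNAL_STORAGE")
CAMERA_MANIFEST = manifest("CAMERA", "READ_SMS", "RECORD_AUDIO", "INTERNET")
# Symbols and string constants as a decompiler would list them (constructed).
WEATHER_REFERENCES = [
    "android.content.res.Resources.openRawResource",
    "java.security.MessageDigest.getInstance",
    "javax.crypto.Cipher.doFinal",
    "android.provider.Settings.Secure.INSTALL_NON_MARKET_APPS",
    "application/vnd.android.package-archive",
]
# res/raw contents: a uniform byte histogram stands in for ciphertext.
WEATHER_RAW = {
    "weatherengine1020": bytes(range(256)) * 4,
    "cities": b"Spennymoor,Durham,Zlin\n" * 40,
}


def permission_contradictions(manifest_xml, category):
    """Requested permissions that fall outside the category's function set."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    requested = {n for n in names if n}
    return sorted(requested - FUNCTION_PERMISSIONS[category])


def entropy(data):
    """Shannon entropy in bits per byte (8.0 means a uniform byte histogram)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def static_findings(references, raw_resources):
    """Flag the Section IV feature mix from decompiler symbols and res/raw files."""
    refs = " ".join(references)
    findings = []
    if "INSTALL_NON_MARKET_APPS" in refs:
        findings.append("checks-unknown-sources-setting")
    if "application/vnd.android.package-archive" in refs:
        findings.append("hands-file-to-package-installer")
    if "openRawResource" in refs and "javax.crypto.Cipher" in refs:
        findings.append("decrypts-bundled-resource")
    for name, data in sorted(raw_resources.items()):
        # High entropy without a recognisable file signature: opaque payload.
        if entropy(data) > 7.5 and not data.startswith(KNOWN_MAGIC):
            findings.append("opaque-raw-resource:" + name)
    return findings


def review(manifest_xml, category, references, raw_resources):
    """Run both checks; static_flag needs an installer hand-off plus a hidden payload."""
    contradictions = permission_contradictions(manifest_xml, category)
    findings = static_findings(references, raw_resources)
    hidden_install = ("hands-file-to-package-installer" in findings and
                      any(f.startswith(("decrypts-", "opaque-")) for f in findings))
    return {"manifest_flag": bool(contradictions), "contradictions": contradictions,
            "static_flag": hidden_install, "findings": findings}


if __name__ == "__main__":
    print(permission_contradictions(CAMERA_MANIFEST, "camera"))
    print(review(WEATHER_MANIFEST, "weather", WEATHER_REFERENCES, WEATHER_RAW))
```
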