This presentation will discuss the resources available to attackers to write Android viruses, including methods of infecting executables, gaining control from the original app and avoiding detection.

1. Viruses on mobile platforms:
Why we don't/don't we have viruses on Android?
Jimmy Shah
Mobile Security Researcher

2. 2 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
• Virus
– Self-replicating program
• May inject itself into clean programs
• May have destructive or visible payload
• Worm
– Self-replicating program that doesn't infect files
– E.g. Internet, MMS or Bluetooth worms
• Trojan
– Non-replicating, program that pretends to be another
• May have destructive or visible payload
Definitions

3. Viruses on mobile platforms: Why we don't/don't we have viruses on Android?3
Viruses on Mobile Platforms
PalmOS
Windows Mobile
Symbian
Android

4. 4 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
• 2000
– Palm/Phage
• File infector
– Overwriter
• Code resource replaced with virus code
– Potentially smaller programs
Palm OS
Credit: Niels Heidenreich
Creative Commons Attribution licensed.

5. Viruses on mobile platforms: Why we don't/don't we have viruses on Android?5
Viruses on Mobile Platforms
PalmOS
Windows Mobile
Symbian
Android

6. 6 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
• 2007
– WinCE/Duts.1536
• Injected itself into all apps in current directory
– Asked for permission before running
Windows Mobile

7. 7 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
• 2009
– WinCE/PMCryptic
• Polymorphic
• Developed with and only ran within emulator
– Author didn't understand how to do self-modifying code on ARM
Windows Mobile

8. Viruses on mobile platforms: Why we don't/don't we have viruses on Android?8
Viruses on Mobile Platforms
PalmOS
Windows Mobile
Symbian
Android

9. 9 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
• 2004
– SymbOs/Cabir
• First worm/malware for Symbian
• 2005
– SymbOS/Lasco.A
• File infector
– Infected SIS installation files
Symbian

10. Viruses on mobile platforms: Why we don't/don't we have viruses on Android?10
Viruses on Mobile Platforms
PalmOS
Windows Mobile
Symbian
Android

11. 11 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
• 2010
– Android/Fakeplayer.A
• First trojan
• 20??
– Android/??????
• File infector
– Haven't seen one yet
Android

12. Viruses on mobile platforms: Why we don't/don't we have viruses on Android?12
Android:
What do attackers need to build a virus?

13. 13 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
• Ability to replicate
• Making copies of itself is easy enough
Android – What do attackers need to build a virus?
Replication Infection Evasion
Tool Useful functions
File managers Move, copy,delete files
File transfer programs Network copy,delete files

14. 14 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
Android – What do attackers need to build a virus?
Replication Infection Evasion
• Ability to inject code into clean apps
– This has been done manually in numerous trojans:
– Automating this saves them work and makes actual viruses
Android/Geinimi Android/Jmsonez
Android/PJApp Android/SteamyScr
Android/HippoSMS Android/GoldDream
Android/J.SMSHider Android/DroidKungfu

15. 15 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
Android – What do attackers need to build a virus?
Replication Infection Evasion
• Locate code
– Apps are in APKs.
• APKs are zip files
• App code is in classes.dex files.
• Modify Dex files
– Format is documented
• http://source.android.com/tech/dalvik/dex-format.html
– Multiple tools
Tool Use
Smali/baksmalil Assemnler/disassembler for DEX files.
apktool Unpack/decode APK: resources, smali code, AndroidManifest.xml

16. 16 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
• Dex files are difficult to modify?
• Disassembling easy with baksmali
– Used by Privacy Blocker to mod apps
» Memory issues
Attackers – Ability to inject code into clean apps
Replication Infection Evasion

17. 17 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
• Modifying AndroidManifest.xml can redirect execution
– Register for intents
Attackers – Ability to inject code into clean apps
Replication Infection Evasion
Intent Function
android.intent.action.BOOT_COMPLETED Start immediately after system finishes booting
android.permission.RECEIVE_SMS Run when SMS received
android.intent.action.PHONE_STATE Phone state chages; specifically ringing
android.net.wifi.WIFI_STATE_CHANGED Wifi state changes; specifically enabled

18. 18 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
• Ability to evade detection
• Encryption
– Simple obfuscations and ciphers
– Complex and well known encryption algorithms
• Pretending to be clean apps
– Infected apps
– “Legitimate” apps (e.g. Adult entertainment, IM,Web browsers,
games)
• Reduce/remove security
– Disable security checks
– Remove/disable security & anti-malware software
Android – What do attackers need to build a virus?
Replication Infection Evasion

19. 19 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
• Ability to evade detection
• Encryption
– Simple obfuscations and ciphers
– Complex and well known encryption algorithms
• Pretending to be clean apps
– Infected apps
– “Legitimate” apps (e.g. Adult entertainment, IM,Web browsers,
games)
• Reduce/remove security
– Disable security checks
– Remove/disable security & anti-malware software
Android – What do attackers need to build a virus?
Replication Infection Evasion

20. 20 Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
Questions?