SlideShare uma empresa Scribd logo

Slide Intervento Zanero Giornata del Perito 2015

L
LegolasTheElf

Le slide dell'intervento del Prof. Stefano Zanero alla Giornata del perito 2015 di Modena dal titolo "Mobile malware tra mito e realtà: quante volte possiamo gridare al lupo?"

Internet
1 de 35
Baixar para ler offline
Stefano Zanero, Politecnico di Milano Collaboration work with: - Technical University of Vienna (TUV) - FOundation for Research & Technology Hellas (FORTH) Wolf, Wolf! So much malware. So little malware.
Low infection rates? • The Core of the Matter (NDSS13) 0.0009% • The Company You Keep (WWW14) 0.28% Google: Android Security From The Ground Up (VirusBulletin 2013)
AV vendors paint a different picture… Fortinet 2014 Threat Landscape Report TrendMicro TrendLabs 1Q 2014 Security Roundup McAfee Labs Threats Report June 2014
Motivation • How are malicious apps distributed? - Official Google Play Store - Torrents, One-Click Hosters - Websites, Blogs, … - Alternative App Markets • How wide-spread are malicious apps, how often are they downloaded? • Do alternative markets employ security measures? • Collect metadata for malware analysis - Andrubis, AndroTotal
Metadata • Malware for traditional devices (desktop) - No metadata - Best case: we know the website that tried to perform a drive-by download infection • Malware for mobile devices - Internal metadata • App name, developer pseudonym • Package name • Resources (e.g., assets, images) - External metadata • App name (as on the market) • Description, comments, rating • Popularity
Market Metadata: Google Play
Market Metadata: Google Play
Outline • Market Characterization • Android Market Radar (AndRadar) • Evaluation and Case Study • Future Work and Conclusion MST Workshop 2015
Market Characterization • Alternative markets are popular because of … - Country gaps (e.g. no paid apps in Google Play China) - Promotion - Specific needs and specialization • Sometimes, too specific: check removedapps.com … • Preliminary study on 8 alternative marketplaces - Crawled them entirely between July and Nov 2013 - Downloaded 318,515 apps
(1) Distribution of Unwanted Apps Do markets distribute known, unwanted apps? • Yes, they do! • 5-8% malicious apps in whole dataset • (10+ AV detections, excluding adware) • Some markets specialize in adware/”madware”
(2) Publication of malicious apps Do markets allow the publication of malicious apps? • Yes, they do! • Ranking based on number • of published apps • Well visible and known to • market operators • Top authors publish both • benign and malicious apps andapponline camangi opera pandaapp slideme 0 50 100 150 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 Top 5 authors per market Number of apps published Malware Goodware
(3) Distinctive metadata Do malicious apps have distinctive metadata? • Yes, they do! • Malicious apps are downloaded more often •  Inflation of ranking with app rank boosting services • Malicious apps slightly larger than goodware •  Additional malicious code in repackaged apps
How are markets related to each other? • Markets share up to 47% MD5s, 75% package names (4) Market Overlap andapponline opera getjar blackmart pandaapp slideme fdroid camangi 59% 38% 15% 19% 12% 22% 12% 36% 16% 15% 13% 63% 32% 16% 31% 12% 75% 26% 41% 21% 26% 22% Intersection by MD5 Intersection by package name
Outline • Market Characterization • Android Market Radar (AndRadar) • Evaluation and Case Study • Future Work and Conclusion
AndRadar Design Goals • Discover apps in markets in real-time • Track distribution of apps across markets • Increasing space and time requirements • Meta data is dynamic: regular crawling of apps • Crawling of complete markets becomes infeasible • Plethora of alternative markets • ~ 196 in October 2011 (Vidas et al. CODASPY13) • ~ 500 in Juniper Threats Report March 2012/2013 - ~ 89 in our market study in June 2013
AndRadar Architecture Metadata  Scraper Downloader Search App Metadata Market  Specifications Tracker Seed
App Discovery • Lightweight identifier to select target apps • Package name uniquely identifies app on device • Package name identifies app in markets • Part of an app’s “Branding”
App Discover: AppChina
App Discovery: Appszoom
APP MATCHING WORKFLOW
Speed for a full market scan
Collected Metadata • Continuous monitoring of discovered apps • Harvest meta information from market listing - Upload date - Description - Screenshots - Number of downloads - User ratings - Reviews - Other apps by the same author - Delete date
Outline • Market Characterization • Android Market Radar (AndRadar) • Evaluation and Case Study • Future Work and Conclusion
Overall performance • Track tens of thousands of apps per market/day • Tracked 20,000 malicious apps perfect match + deleted = market-deleted malware weak match + non-deleted = benign app used as host (same package name)
Application Lifecycles Normal Lifecycle (90.75%): Market deletes app after it is detected by AVs
Application Lifecycles Malware Hopping: (7.89%) App republished after detection “Failover” strategy
Application Lifecycles Market Self-Defense (1.56%): Market deletes app before it is detected by AVs
Community Reaction Time Google Play others
Market Reaction Time
Outline • Market Characterization • Android Market Radar (AndRadar) • Evaluation and Case Study • Future Work and Conclusion
Future Current Work • Automated notification system for markets • Extend app discovery in markets based on - Application name - Image characteristics (icon, screenshots) - Description of functionality • Versioning of malicious apps • Identify fraud in markets (“App rank boosting”) - Inflated download numbers - Fake ratings and reviews Want to play? The system is online at: - http://admire.necst.it
ADMIRE Intelligence platform Rank marketplaces Distinguish between malicious and benign developers Evaluate goodness of applications
Data collection Seed collected: 87.115 Marketplaces crawled: 11 Apps collected: 191.851 Developers found: 25.512 Malicious sources Seed Crawler DB Search Collect APK and metadata
Conclusions • In-depth measurement on 8 alternative markets • AndRadar to discover malicious apps in real-time • Tracking of app distribution across markets • Collect metadata about apps - Branding - Updates - Download numbers - Ratings & reviews • Expose publishing patterns of malware authors - “Failover” strategies to migrate between markets
THANKS! Questions? stefano.zanero@polimi.it - @raistolo http://zanero.org

Recomendados

IMPAKT: Verdediging aangaan t.o.v. (on)bekende ransomware:
IMPAKT: Verdediging aangaan t.o.v. (on)bekende ransomware:IMPAKT: Verdediging aangaan t.o.v. (on)bekende ransomware:
IMPAKT: Verdediging aangaan t.o.v. (on)bekende ransomware:Nancy Nimmegeers
 
Android security
Android security Android security
Android security Hassan Abutair
 
Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Krisshhna Daasaarii
 
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Virtual Forge
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comIdexcel Technologies
 
FRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsFRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsNagamalleswararao Tadikonda
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 

Recomendados

IMPAKT: Verdediging aangaan t.o.v. (on)bekende ransomware:
IMPAKT: Verdediging aangaan t.o.v. (on)bekende ransomware:IMPAKT: Verdediging aangaan t.o.v. (on)bekende ransomware:
IMPAKT: Verdediging aangaan t.o.v. (on)bekende ransomware:Nancy Nimmegeers
 
Android security
Android security Android security
Android security Hassan Abutair
 
Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Krisshhna Daasaarii
 
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Virtual Forge
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comIdexcel Technologies
 
FRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsFRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsNagamalleswararao Tadikonda
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptxsundar110567
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalc0c0n - International Cyber Security and Policing Conference
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...
Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...
Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...Thanasis Petsas
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperHarsimran Walia
 
AppCoins @ Kyber event in Seoul (20 Jan 2018)
AppCoins @ Kyber event in Seoul (20 Jan 2018)AppCoins @ Kyber event in Seoul (20 Jan 2018)
AppCoins @ Kyber event in Seoul (20 Jan 2018)AppCoins
 
Assessing the Effectiveness of Antivirus Solutions
Assessing the Effectiveness of Antivirus SolutionsAssessing the Effectiveness of Antivirus Solutions
Assessing the Effectiveness of Antivirus SolutionsImperva
 
Hii assessing the_effectiveness_of_antivirus_solutions
Hii assessing the_effectiveness_of_antivirus_solutionsHii assessing the_effectiveness_of_antivirus_solutions
Hii assessing the_effectiveness_of_antivirus_solutionsAnatoliy Tkachev
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
Appstores imc13
Appstores imc13Appstores imc13
Appstores imc13Thanasis Petsas
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityLumension
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Denim Group
 
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...Lumension
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataChema Alonso
 
Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...Venkatesh Prasad Ranganath
 
Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...
Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...
Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...Papitha Velumani
 
Anti-tampering in Android and Take Look at Google SafetyNet Attestation API
Anti-tampering in Android and Take Look at Google SafetyNet Attestation APIAnti-tampering in Android and Take Look at Google SafetyNet Attestation API
Anti-tampering in Android and Take Look at Google SafetyNet Attestation APIArash Ramez
 
Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applicationsijtsrd
 
The modern-malware-review-march-2013
The modern-malware-review-march-2013 The modern-malware-review-march-2013
The modern-malware-review-march-2013 Комсс Файквэе
 
The Modern Malware Review March 2013
The Modern Malware Review March 2013The Modern Malware Review March 2013
The Modern Malware Review March 2013- Mark - Fullbright
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 

Mais conteúdo relacionado

Semelhante a Slide Intervento Zanero Giornata del Perito 2015

18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptxsundar110567
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...
Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...
Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...Thanasis Petsas
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperHarsimran Walia
 
AppCoins @ Kyber event in Seoul (20 Jan 2018)
AppCoins @ Kyber event in Seoul (20 Jan 2018)AppCoins @ Kyber event in Seoul (20 Jan 2018)
AppCoins @ Kyber event in Seoul (20 Jan 2018)AppCoins
 
Assessing the Effectiveness of Antivirus Solutions
Assessing the Effectiveness of Antivirus SolutionsAssessing the Effectiveness of Antivirus Solutions
Assessing the Effectiveness of Antivirus SolutionsImperva
 
Hii assessing the_effectiveness_of_antivirus_solutions
Hii assessing the_effectiveness_of_antivirus_solutionsHii assessing the_effectiveness_of_antivirus_solutions
Hii assessing the_effectiveness_of_antivirus_solutionsAnatoliy Tkachev
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityLumension
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Denim Group
 
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...Lumension
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataChema Alonso
 
Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...Venkatesh Prasad Ranganath
 
Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...
Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...
Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...Papitha Velumani
 
Anti-tampering in Android and Take Look at Google SafetyNet Attestation API
Anti-tampering in Android and Take Look at Google SafetyNet Attestation APIAnti-tampering in Android and Take Look at Google SafetyNet Attestation API
Anti-tampering in Android and Take Look at Google SafetyNet Attestation APIArash Ramez
 
Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applicationsijtsrd
 
The Modern Malware Review March 2013
The Modern Malware Review March 2013The Modern Malware Review March 2013
The Modern Malware Review March 2013- Mark - Fullbright
 

Semelhante a Slide Intervento Zanero Giornata del Perito 2015 (20)

18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptx
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...
Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...
Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malwa...
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaper
 
AppCoins @ Kyber event in Seoul (20 Jan 2018)
AppCoins @ Kyber event in Seoul (20 Jan 2018)AppCoins @ Kyber event in Seoul (20 Jan 2018)
AppCoins @ Kyber event in Seoul (20 Jan 2018)
 
Assessing the Effectiveness of Antivirus Solutions
Assessing the Effectiveness of Antivirus SolutionsAssessing the Effectiveness of Antivirus Solutions
Assessing the Effectiveness of Antivirus Solutions
 
Hii assessing the_effectiveness_of_antivirus_solutions
Hii assessing the_effectiveness_of_antivirus_solutionsHii assessing the_effectiveness_of_antivirus_solutions
Hii assessing the_effectiveness_of_antivirus_solutions
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
Appstores imc13
Appstores imc13Appstores imc13
Appstores imc13
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs Security
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...
 
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
 
Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...
 
Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...
Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...
Catch Me If You Can- Evaluating Android Anti-Malware Against Transformation A...
 
Anti-tampering in Android and Take Look at Google SafetyNet Attestation API
Anti-tampering in Android and Take Look at Google SafetyNet Attestation APIAnti-tampering in Android and Take Look at Google SafetyNet Attestation API
Anti-tampering in Android and Take Look at Google SafetyNet Attestation API
 
Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applications
 
The modern-malware-review-march-2013
The modern-malware-review-march-2013 The modern-malware-review-march-2013
The modern-malware-review-march-2013
 
The Modern Malware Review March 2013
The Modern Malware Review March 2013The Modern Malware Review March 2013
The Modern Malware Review March 2013
 

Último

办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 

Último (20)

办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 

Slide Intervento Zanero Giornata del Perito 2015

  • 1. Stefano Zanero, Politecnico di Milano Collaboration work with: - Technical University of Vienna (TUV) - FOundation for Research & Technology Hellas (FORTH) Wolf, Wolf! So much malware. So little malware.
  • 2. Low infection rates? • The Core of the Matter (NDSS13) 0.0009% • The Company You Keep (WWW14) 0.28% Google: Android Security From The Ground Up (VirusBulletin 2013)
  • 3. AV vendors paint a different picture… Fortinet 2014 Threat Landscape Report TrendMicro TrendLabs 1Q 2014 Security Roundup McAfee Labs Threats Report June 2014
  • 4. Motivation • How are malicious apps distributed? - Official Google Play Store - Torrents, One-Click Hosters - Websites, Blogs, … - Alternative App Markets • How wide-spread are malicious apps, how often are they downloaded? • Do alternative markets employ security measures? • Collect metadata for malware analysis - Andrubis, AndroTotal
  • 5. Metadata • Malware for traditional devices (desktop) - No metadata - Best case: we know the website that tried to perform a drive-by download infection • Malware for mobile devices - Internal metadata • App name, developer pseudonym • Package name • Resources (e.g., assets, images) - External metadata • App name (as on the market) • Description, comments, rating • Popularity
  • 8. Outline • Market Characterization • Android Market Radar (AndRadar) • Evaluation and Case Study • Future Work and Conclusion MST Workshop 2015
  • 9. Market Characterization • Alternative markets are popular because of … - Country gaps (e.g. no paid apps in Google Play China) - Promotion - Specific needs and specialization • Sometimes, too specific: check removedapps.com … • Preliminary study on 8 alternative marketplaces - Crawled them entirely between July and Nov 2013 - Downloaded 318,515 apps
  • 10. (1) Distribution of Unwanted Apps Do markets distribute known, unwanted apps? • Yes, they do! • 5-8% malicious apps in whole dataset • (10+ AV detections, excluding adware) • Some markets specialize in adware/”madware”
  • 11. (2) Publication of malicious apps Do markets allow the publication of malicious apps? • Yes, they do! • Ranking based on number • of published apps • Well visible and known to • market operators • Top authors publish both • benign and malicious apps andapponline camangi opera pandaapp slideme 0 50 100 150 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 Top 5 authors per market Number of apps published Malware Goodware
  • 12. (3) Distinctive metadata Do malicious apps have distinctive metadata? • Yes, they do! • Malicious apps are downloaded more often •  Inflation of ranking with app rank boosting services • Malicious apps slightly larger than goodware •  Additional malicious code in repackaged apps
  • 13. How are markets related to each other? • Markets share up to 47% MD5s, 75% package names (4) Market Overlap andapponline opera getjar blackmart pandaapp slideme fdroid camangi 59% 38% 15% 19% 12% 22% 12% 36% 16% 15% 13% 63% 32% 16% 31% 12% 75% 26% 41% 21% 26% 22% Intersection by MD5 Intersection by package name
  • 14. Outline • Market Characterization • Android Market Radar (AndRadar) • Evaluation and Case Study • Future Work and Conclusion
  • 15. AndRadar Design Goals • Discover apps in markets in real-time • Track distribution of apps across markets • Increasing space and time requirements • Meta data is dynamic: regular crawling of apps • Crawling of complete markets becomes infeasible • Plethora of alternative markets • ~ 196 in October 2011 (Vidas et al. CODASPY13) • ~ 500 in Juniper Threats Report March 2012/2013 - ~ 89 in our market study in June 2013
  • 17. App Discovery • Lightweight identifier to select target apps • Package name uniquely identifies app on device • Package name identifies app in markets • Part of an app’s “Branding”
  • 21. Speed for a full market scan
  • 22. Collected Metadata • Continuous monitoring of discovered apps • Harvest meta information from market listing - Upload date - Description - Screenshots - Number of downloads - User ratings - Reviews - Other apps by the same author - Delete date
  • 23. Outline • Market Characterization • Android Market Radar (AndRadar) • Evaluation and Case Study • Future Work and Conclusion
  • 24. Overall performance • Track tens of thousands of apps per market/day • Tracked 20,000 malicious apps perfect match + deleted = market-deleted malware weak match + non-deleted = benign app used as host (same package name)
  • 25. Application Lifecycles Normal Lifecycle (90.75%): Market deletes app after it is detected by AVs
  • 26. Application Lifecycles Malware Hopping: (7.89%) App republished after detection “Failover” strategy
  • 27. Application Lifecycles Market Self-Defense (1.56%): Market deletes app before it is detected by AVs
  • 30. Outline • Market Characterization • Android Market Radar (AndRadar) • Evaluation and Case Study • Future Work and Conclusion
  • 31. Future Current Work • Automated notification system for markets • Extend app discovery in markets based on - Application name - Image characteristics (icon, screenshots) - Description of functionality • Versioning of malicious apps • Identify fraud in markets (“App rank boosting”) - Inflated download numbers - Fake ratings and reviews Want to play? The system is online at: - http://admire.necst.it
  • 32. ADMIRE Intelligence platform Rank marketplaces Distinguish between malicious and benign developers Evaluate goodness of applications
  • 33. Data collection Seed collected: 87.115 Marketplaces crawled: 11 Apps collected: 191.851 Developers found: 25.512 Malicious sources Seed Crawler DB Search Collect APK and metadata
  • 34. Conclusions • In-depth measurement on 8 alternative markets • AndRadar to discover malicious apps in real-time • Tracking of app distribution across markets • Collect metadata about apps - Branding - Updates - Download numbers - Ratings & reviews • Expose publishing patterns of malware authors - “Failover” strategies to migrate between markets