2. Goal of malware
Send SMS to premium-rate numbers
Bank : steal account info and money
Adware : click fraud
Spyware : Exfiltrate personal info like location, phone info, contact list, etc.
Ransomware
Bitcoin mining
3. Installation methods
1. Repackaging : Download and decompile a popular App. Add
malicious payload. Upload to some other “app store” for download.
Upload a benign app to the Play Store, then upload a new malware version of
the same app to a third-party “app store”. Since both apps share the same
signing certificate, the app on the device gets updated with the malicious
version (Trend Micro blog).
2. Update attack : Insert only the update component in the App.
Download the actual malware payload at runtime.
3. Drive-by download : Using QR code, SMS link, Social media link,
Bluetooth, USB.
4. Malicious install of an APK
1. Root exploit
2. Misuse Android Accessibility services
3. Create confusion through popups and look-alikes
4. Prevent removal by storing in system partition
Grabos (McAfee)
https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play/
5. PC to mobile infection
Android.Claco: Runs on the Mobile device. Downloads Windows
executable and places it in the root directory of the SD card. When the
mobile device is connected to a PC, and if the AutoRun feature is
enabled, Windows will automatically execute the malicious file.
Trojan.Droidpak: Runs on Windows as a system service. Downloads a malware
APK and even “adb”. Attempts to install the APK on the connected mobile
device (if USB debugging mode is on).
6. Loopholes in Google Playstore
Innovation by Android.dvmap
“To bypass Google Play Store security checks, the malware creators
used a very interesting method: they uploaded a clean app to the store
at the end of March, 2017, and would then update it with a malicious
version for short period of time. Usually they would upload a clean
version back on Google Play the very same day. They did this at least 5
times between 18 April and 15 May.”
https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/
8. Top permissions asked by Malware
Unless you have a root exploit, you require “Permissions” in the
Manifest.
1. Internet
2. Access_network_state
3. read/write external storage
4. Read phone state
5. Access wifi state
6. Access coarse/fine location
7. Read/write contacts
9. How to create overlay windows
Bank malware needs to overlay a window which resembles the bank
login website.
Ways to achieve this overlay:
1. Use permission SYSTEM_ALERT_WINDOW.
2. Seek permission to use “Accessibility services” which allows access
to UI of other running apps, and create overlays. (Used by SvPeng)
3. Use “TOAST” notification to create full-screen window (on pre-Oreo).
See “Toast overlay attack” in Sept 2017.
10. Botnets
Evolution of Command and Control (C&C) architecture
1. First generation had single C&C server
2. Semi-distributed
3. Peer-to-peer
To avoid hard-coded URLs, the C&C domain is generated by a domain
generation algorithm (DGA) seeded with the current date. Alternatively the
C&C is a Twitter account whose name is generated dynamically (e.g. twikabot);
the bot then decrypts and executes the commands carried in tweets.
Rapidly rotate the IP address of the C&C server : “Fast flux botnet”.
11. Evade detection by anti-malware tools
1. All constant strings in APK are encrypted
2. Use of Base64 encoding
3. Network traffic is encrypted
4. Call via reflection; decrypt class and method names just before call
5. Decryption key is not hard-coded but derived at runtime
6. Hide payload inside images folder
7. Use Android Packers or Protectors
8. Alter behaviour when running inside Emulator
9. Modify the code at runtime to evade static signatures (metamorphic
malware).
12. Hide the payload inside an image
A PNG file consists of many chunks, each with its own header (type) and length.
If a chunk has an unknown type, the PNG reader skips it.
A PNG with a legitimate image (app icon) can therefore also carry an
(encrypted) malware payload.
The malware loads the payload from the chunk, decrypts it and runs it using
DexClassLoader.
Anomaly : look for a small image that has a large file size !
Axelle Apvrille. Hide Android Applications in Images. Blackhat Europe 2014
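The chunk walk and the size anomaly described above, as an added example (not code from the slides or from Apvrille's paper): it builds a constructed icon-sized PNG in memory, walks its chunks, and reports chunk types outside the PNG specification, CRC failures, and how many bytes sit outside the image-carrying chunks. The chunk type "pYLd" and the 4 KiB payload are made up for the demo.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification. A decoder skips any other
# chunk type without complaint, which is exactly what a payload-carrying
# chunk relies on.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
# Chunks that carry the picture itself; everything else is metadata or foreign.
IMAGE_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def png_chunk(ctype, payload):
    """Encode one chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(width, height, extra_chunks=()):
    """Constructed sample input: a valid 8-bit greyscale PNG, with optional
    extra chunks inserted before IEND (stands in for an app icon)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(width) for _ in range(height))  # filter byte 0 + pixels
    out = PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(rows))
    for ctype, payload in extra_chunks:
        out += png_chunk(ctype, payload)
    return out + png_chunk(b"IEND", b"")


def walk_chunks(png_bytes):
    """Yield (type, length, crc_ok) per chunk; stop at IEND or on truncation."""
    if not png_bytes.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png_bytes):
        length, ctype = struct.unpack(">I4s", png_bytes[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png_bytes):
            yield ctype, length, False  # truncated chunk: CRC cannot be verified
            return
        payload = png_bytes[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png_bytes[pos + 8 + length:end])
        yield ctype, length, (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        pos = end
        if ctype == b"IEND":
            return


def analyse_png(png_bytes):
    """Report unknown chunks, CRC failures and how much of the file is not image data."""
    chunks = list(walk_chunks(png_bytes))
    width, height = struct.unpack(">II", png_bytes[16:24])  # IHDR data starts at offset 16
    foreign = sum(n for t, n, _ in chunks if t not in IMAGE_CHUNKS)
    unknown = [(t.decode("latin-1"), n) for t, n, _ in chunks if t not in KNOWN_CHUNKS]
    return {
        "chunks": [t.decode("latin-1") for t, _, _ in chunks],
        "unknown_chunks": unknown,
        "bad_crc": [t.decode("latin-1") for t, _, ok in chunks if not ok],
        "pixels": width * height,
        "foreign_bytes": foreign,
        # The slide's heuristic: a small picture should not be a big file.
        "suspicious": bool(unknown) or foreign > len(png_bytes) // 2,
    }


if __name__ == "__main__":
    icon = build_png(16, 16)
    carrier = build_png(16, 16, [(b"pYLd", b"\x00" * 4096)])  # "pYLd": made-up chunk type
    print(analyse_png(icon))
    print(analyse_png(carrier))
```

Run it over every image under an APK's res/ directory: a real icon should have only IHDR/IDAT/IEND plus a few small ancillary chunks, so any non-specification chunk type, or foreign bytes that dominate the file, is worth pulling out for a look.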
13. Packers and Protectors
Top packers : Bangcle, APKProtect.com, Baidu, Tencent
● Encrypts the APK and stores it in assets folder
● Replaces the APK Main Activity by their own
● Inserts its own decryption library (native C)
● During run, decrypts your APK in the RAM and runs it
Packers developed to protect vendor IP, but being misused to distribute
malware.
Packed APK cannot be detected by static or dynamic analysis.
16. Emulator evasion techniques-1
Device ID, phone number, IMEI and IMSI are faked on the emulator
● TelephonyManager.getDeviceId().equals(“00000…”)
● TelephonyManager.getSimCountryIso().equals(“Android”)
● TelephonyManager.getSimOperatorName().equals(“Android”)
● TelephonyManager.getLine1Number().equals(“15555215554”)
where 1555521 is a constant prefix and 5554 is the emulator’s console port number
https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/
17. Emulator evasion techniques-2
Inside emulator, the build info is set to fake values
● Build.MODEL contains “google_sdk”, “Emulator” or “Android SDK”.
● Build.FINGERPRINT starts with “generic” or “unknown”
● Build.MANUFACTURER contains “Genymotion”
● Build.BRAND starts with “generic”
● Build.DEVICE starts with “generic”
18. Emulator evasion techniques-3
Emulator properties give it away
1. System properties “ro.bootloader”, “ro.bootmode”, “ro.hardware”,
“ro.product.model”, etc. are set to “unknown”, “generic”, “sdk”, etc.
2. Emulator-related files exist : “/dev/socket/qemud”,
“/system/lib/libc_malloc_debug_qemu.so”, “/sys/qemu_trace”,
“/system/bin/qemu-props”.
3. getInstallerPackageName() does not return “com.android.vending” (the
Play Store), i.e. the app was installed using “adb”.
4. Check if the user’s email address contains “google”, “tester”, etc.
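From the analyst's side, the three evasion slides double as a signature: an app that embeds several of these strings is probably comparing its environment against them. The scanner below is an added example (not from the slides) that takes the strings extracted from a dex file (as `strings classes.dex` or a decompiler would list them) and groups matches by the check they belong to. The sample string lists are constructed; the "ten or more zeros" rule for the truncated “00000…” device ID is an assumption made here.

```python
import re

# Indicators named on the emulator-evasion slides, grouped by check.
INDICATORS = {
    "telephony": ["15555215554"],
    "build": ["google_sdk", "Android SDK", "Emulator", "Genymotion"],
    "qemu_files": [
        "/dev/socket/qemud",
        "/system/lib/libc_malloc_debug_qemu.so",
        "/sys/qemu_trace",
        "/system/bin/qemu-props",
    ],
    # ro.product.model is the standard Android property name
    "properties": ["ro.bootloader", "ro.bootmode", "ro.hardware", "ro.product.model"],
    "installer": ["com.android.vending"],
    "account": ["tester"],
}
# The slide shows the fake device ID only as "00000..."; treat any run of ten
# or more zeros as that check (assumption for this example). "generic" and
# "unknown" are left out: as bare words they match far too much benign code.
ZERO_ID = re.compile(r"0{10,}")


def scan_strings(strings):
    """Match each extracted string against the indicator table.
    Returns {category: sorted list of matched indicators}."""
    hits = {}
    for s in strings:
        for category, needles in INDICATORS.items():
            for needle in needles:
                if needle in s:
                    hits.setdefault(category, set()).add(needle)
        if ZERO_ID.search(s):
            hits.setdefault("telephony", set()).add("zero-device-id")
    return {cat: sorted(v) for cat, v in hits.items()}


def anti_emulation_verdict(hits, min_categories=2):
    """Flag the app only when indicators from several distinct checks appear;
    one hit alone (e.g. the Play Store package name) is too weak."""
    return {
        "categories": sorted(hits),
        "indicator_count": sum(len(v) for v in hits.values()),
        "flagged": len(hits) >= min_categories,
    }


# Constructed sample string dumps for a suspect app and a benign one.
SUSPECT_STRINGS = [
    "Lcom/example/app/MainActivity;",
    "15555215554",
    "000000000000000",
    "/dev/socket/qemud",
    "ro.hardware",
    "google_sdk",
    "http://config.example.invalid/c",
]
BENIGN_STRINGS = [
    "Lcom/example/notes/NoteActivity;",
    "notes.db",
    "Untitled note",
    "https://api.example.invalid/sync",
]

if __name__ == "__main__":
    for label, strs in (("suspect", SUSPECT_STRINGS), ("benign", BENIGN_STRINGS)):
        print(label, anti_emulation_verdict(scan_strings(strs)))
```

A positive verdict does not prove malice (commercial protectors and some games also refuse to run in emulators), but it tells the sandbox operator that the sample needs the counter-measures from the "Beat the malware's emulator detection" slide before its dynamic behaviour can be trusted.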
19. Detect if running in debugger
Check Debug.isDebuggerConnected(), Debug.waitingForDebugger()
Launch multiple threads and let one thread attach to another using
ptrace(), because a process can only be attached by one process.
[Packergrind paper]
20. Delay the attack
Delay the attack by fixed time (e.g. 24 hours) which is long enough to
beat sandbox testing.
Launch the malware only when Google Play is launched, by adding the
application’s main intent to the category
“android.intent.category.APPMARKET”. (done by “Tascudap”)
21. Polymorphic and metamorphic malware
Oligomorphic :
Polymorphic
● Use of encryption for strings, payloads; Data append/prepend
Metamorphic (hard to detect using file signatures)
1. Reorder instructions or data structures
2. Add Semantic NOPs
3. Register reassignment
https://reverseengineering.stackexchange.com/questions/1696/what-are-the-differences-between-metamorphic-oligomorphic-and-polymorphic-malwa
25. Static analysis
Check
● Uses-feature in Manifest
● Permissions in Manifest
● Intents
● Use of DexClassLoader, NDK Loadlib
● Use of crypto API
● OS system calls
● Receiving broadcasts
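The manifest part of that checklist, together with the "Top permissions asked by malware" slide, as an added example (not from the slides): it parses a decoded AndroidManifest.xml (inside an APK the manifest is binary XML, so assume it has been decoded first, e.g. with apktool), lists permissions, uses-feature entries and receivers, and scores the app against the slide's ten-permission profile plus the capabilities tied to premium SMS, overlays, accessibility abuse and device admin on the earlier slides. The "flashlight" manifest is constructed for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"

# The ten permissions from the "Top permissions asked by malware" slide.
MALWARE_PROFILE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
}
# Requested permissions tied to premium SMS and overlay windows.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"


def analyse_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    features = {e.get(NAME) for e in root.iter("uses-feature")}
    # receiver name -> broadcast actions it registers for in the manifest
    receivers = {r.get(NAME): [a.get(NAME) for a in r.iter("action")]
                 for r in root.iter("receiver")}
    # Accessibility and device-admin are not requested with uses-permission;
    # they show up as the android:permission guarding a service or receiver.
    bound = {c.get(PERM) for tag in ("service", "receiver")
             for c in root.iter(tag) if c.get(PERM)}
    return {
        "permissions": sorted(perms),
        "features": sorted(features),
        "receivers": receivers,
        "profile_hits": sorted(perms & MALWARE_PROFILE),
        "high_risk": sorted(perms & HIGH_RISK),
        "sms_interception": any(SMS_RECEIVED in acts for acts in receivers.values()),
        "boot_persistence": any(BOOT_COMPLETED in acts for acts in receivers.values()),
        "accessibility_service": "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound,
        "device_admin": "android.permission.BIND_DEVICE_ADMIN" in bound,
    }


# Constructed sample: a "flashlight" app whose manifest asks for far more
# than a flashlight needs.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-feature android:name="android.hardware.camera.flash"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".OverlayHelper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in analyse_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The useful signal is the mismatch between the declared purpose (a flashlight, one uses-feature) and the capability set (SMS, contacts, location, overlays, an accessibility-bound service); a profile count alone would also flag many legitimate social or messaging apps.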
26. Dynamic Analysis
Run APK in Sandbox - e.g. DroidBox, Andrubis
Record
1. API calls
2. OS system calls
3. Network traffic
4. Battery consumption
5. CPU usage
27. Network monitoring
Malware tends to use DNS, HTTP (OkHttp), IRC, and TOR !
1. DNS query may be used to locate C&C server.
2. Why OkHttp? It can contact multiple alternative HTTP servers, and
retries silently and periodically in case of failure.
3. IRC is popular because it supports redundancy (multi-master), has
builtin login protocol, and offers full 2-way communication.
4. TOR : it is difficult to shut down a botnet using TOR, as you cannot
de-anonymize the C&C server sitting inside the TOR network.
5. An app may not request Internet permission itself, but use other apps,
such as the browser, to send/receive data over the network.
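Point 1 above and the DGA discussion on the botnet slide meet in the resolver log: a bot walking a date-seeded domain list produces long, random-looking names and a burst of NXDOMAIN answers before it finds the one domain the operator registered. The following is an added example (not from the slides) that parses a constructed resolver log, applies a crude lexical test (length, Shannon entropy, vowel ratio) to the registrable label, and counts NXDOMAIN answers per client. The log format and the thresholds are assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed resolver log: time, client, queried name, response code.
# Real resolvers log differently; adapt LINE_RE to the format in use.
SAMPLE_DNS_LOG = """\
2017-05-01T10:00:01 10.0.0.5 www.example.com NOERROR
2017-05-01T10:00:02 10.0.0.5 cdn.example.net NOERROR
2017-05-01T10:00:03 10.0.0.7 xk3jq9vz0trwlp.com NXDOMAIN
2017-05-01T10:00:03 10.0.0.7 q8zvt1mwl0nxbp.net NXDOMAIN
2017-05-01T10:00:04 10.0.0.7 r7hwy2kqz5vmfc.org NXDOMAIN
2017-05-01T10:00:04 10.0.0.7 p0lmxq4wzt8ybv.com NXDOMAIN
2017-05-01T10:00:05 10.0.0.7 m3kzvq7ywx1ltp.info NOERROR
2017-05-01T10:00:06 10.0.0.9 mail.google.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, name, rcode = m.groups()
            yield {"ts": ts, "client": client,
                   "name": name.lower().rstrip("."), "rcode": rcode}


def registrable_label(name):
    """The label just under the TLD, which is the part a DGA generates."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def vowel_ratio(s):
    letters = [c for c in s if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def looks_generated(label, min_len=10, min_entropy=3.5, max_vowels=0.25):
    """Lexical DGA test: long, high-entropy, consonant-heavy labels."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowels)


def analyse_dns(text, nx_threshold=3):
    dga_like, nxdomain = [], Counter()
    for rec in parse_log(text):
        if looks_generated(registrable_label(rec["name"])):
            dga_like.append(rec["name"])
        if rec["rcode"] == "NXDOMAIN":
            nxdomain[rec["client"]] += 1
    return {
        "dga_like": dga_like,
        "nxdomain_counts": dict(nxdomain),
        # Many NXDOMAINs from one client in a short window: it is probing a list.
        "suspect_clients": sorted(c for c, n in nxdomain.items() if n >= nx_threshold),
    }


if __name__ == "__main__":
    print(analyse_dns(SAMPLE_DNS_LOG))
```

The lexical test alone misfires on CDN and tracking hostnames, so in practice the two signals are combined: a client that both emits high-entropy names and collects NXDOMAINs is the one to pull the APK inventory from.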
28. Dynamic Analysis - Andrubis
Andrubis does “Stimulation” instead of passive wait or UI exploration.
1. Invoke all Activities (not just Main) found in the Manifest
2. Patch Android ActivityManager to start all background services
automatically.
3. Intercept calls to “registerReceiver” and use ActivityManager to
invoke them.
4. Broadcast common events such as SMS, WiFi+3G connectivity, GPS
lock, phone calls, phone state changes to trigger OS and App
behaviour.
Andrubis is now commercial - Lastline
[Weichselbaum, et al. Andrubis. Android Malware under the magnifying glass ]
29. TaintDroid
Leverages Android virtualized env. Assumes no app is trusted.
It labels (taints) data from privacy-sensitive sources
Transitively applies labels as sensitive data propagates through program
variables, files, and interprocess messages.
When tainted data are transmitted over the network, or otherwise leave
the system, TaintDroid logs the data’s labels, the application responsible
for transmitting the data, and the data’s destination.
[Enck, et al. TaintDroid - OSDI 2010]
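The label-propagation idea above, reduced to a toy model as an added example (this is not TaintDroid's code, which lives in the Dalvik interpreter, and not from the slides): every value carries a bit vector of source labels, binary operations union the labels, files and IPC messages carry them along, and the network sink logs the labels, the responsible app and the destination. The source values, app name and destination are constructed placeholders.

```python
from dataclasses import dataclass

# One bit per privacy-sensitive source, the same idea as the 32-bit taint
# tag TaintDroid attaches to every variable, file and IPC message.
LOCATION, IMEI, CONTACTS = 1 << 0, 1 << 1, 1 << 2
LABEL_NAMES = {LOCATION: "location", IMEI: "imei", CONTACTS: "contacts"}


@dataclass(frozen=True)
class Tainted:
    """A value plus the union of the labels of everything that flowed into it."""
    value: str
    taint: int = 0

    def __add__(self, other):
        # Propagation rule for a binary operation: labels are unioned.
        return Tainted(self.value + other.value, self.taint | other.taint)

    def labels(self):
        return [name for bit, name in LABEL_NAMES.items() if self.taint & bit]


def clean(value):
    return Tainted(value, 0)


class TaintTracker:
    """Toy model of TaintDroid's sources, propagation channels and sink."""

    def __init__(self):
        self.files = {}  # path -> Tainted: the label survives a trip through storage
        self.log = []

    # Sources: the label is attached where data enters the app.
    def get_location(self):
        return Tainted("37.4220,-122.0841", LOCATION)  # constructed coordinates

    def get_imei(self):
        return Tainted("IMEI-SAMPLE-0000", IMEI)       # constructed placeholder

    def read_contacts(self):
        return Tainted("alice:+15550100", CONTACTS)    # constructed contact

    # Propagation through files and IPC: the label travels with the data.
    def write_file(self, path, data):
        self.files[path] = data

    def read_file(self, path):
        return self.files[path]

    def binder_send(self, message):
        return message

    # Sink: labelled data reaching the network is logged with the
    # responsible app and the destination.
    def network_send(self, app, destination, data):
        if data.taint == 0:
            return None
        entry = {"app": app, "dest": destination, "labels": data.labels()}
        self.log.append(entry)
        return entry


def demo():
    t = TaintTracker()
    report = clean("v=1&loc=") + t.get_location()           # taint via concatenation
    t.write_file("/sdcard/.cache", report)                    # taint persists in the file
    later = t.read_file("/sdcard/.cache") + clean("&id=") + t.get_imei()
    leaked = t.network_send("com.example.weather", "203.0.113.10:443",
                            t.binder_send(later))
    silent = t.network_send("com.example.weather", "203.0.113.10:443", clean("ping"))
    return t.log, leaked, silent


if __name__ == "__main__":
    print(demo()[0])
```

The model shows why the approach is independent of what the app claims to do: the weather app never calls anything named "leak", yet the location and IMEI labels arrive at the socket together and the log names the app and the destination. It also shows the known blind spot, since a value derived only through control flow (if tainted_flag: send("1")) would reach the sink with no label.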
31. Beat the malware’s emulator detection
Make the emulator look like a real device
● Set geo-location : “adb emu geo fix longitude latitude altitude”
● Change the hard-coded IMEI and IMSI in the emulator binary
● Set emulator port to be other than 5554 or 5584.
● Use “genymotion” - which apparently has addressed all these issues
Axelle Apvrille. Android malware reverse engineering
32. How to beat the Packers
Some packers decrypt the original APK at known locations in RAM. Use
that to find and analyze the decrypted APK at runtime.
[ Strazzere talk at Defcon 14 https://github.com/strazzere/android-unpacker ]
DexHunter modifies the Android runtime (both Dalvik and ART/OAT) to trap class loading.
[ Zhang, et al. DexHunter ESORICS 2015 https://github.com/zyq8709/DexHunter ]
PackerGrind
[ Xue, et al. Adaptive Unpacking of Android Apps ]
DaBID Debugger [Blackhat Asia 2015]
33. Opcode analysis
Classify apps according to n-grams of opcodes in the APK.
Dalvik has 218 unique opcodes
Split the opcodes at class method boundaries before creating n-grams.
Strip the opcode arguments (operands)
Here, 1-gram is just a histogram of frequencies
This method works with obfuscated code !
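The n-gram procedure above, as an added example (not from the slides): it takes baksmali-style listings, keeps only the opcode of each instruction (operands, labels and directives stripped), builds n-grams that never cross a method boundary, and compares two apps' histograms with cosine similarity. The three listings are constructed; B is A with every class, method and string renamed, which is what an obfuscator does and which the opcode profile ignores.

```python
import math
from collections import Counter

# Constructed baksmali-style listings.
SMALI_A = """\
.method public onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    const/4 v0, 0x1
    if-eqz v0, :cond_0
    invoke-virtual {p0}, Lcom/example/Main;->loadConfig()V
    :cond_0
    return-void
.end method
.method private loadConfig()V
    .locals 1
    const-string v0, "config.json"
    invoke-static {v0}, Lcom/example/Main;->parse(Ljava/lang/String;)V
    return-void
.end method
"""
SMALI_B = """\
.method public onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    const/4 v0, 0x1
    if-eqz v0, :cond_0
    invoke-virtual {p0}, La/b;->a()V
    :cond_0
    return-void
.end method
.method private a()V
    .locals 1
    const-string v0, "x"
    invoke-static {v0}, La/b;->b(Ljava/lang/String;)V
    return-void
.end method
"""
SMALI_C = """\
.method public run()V
    .locals 1
    new-instance v0, Ljava/lang/Thread;
    invoke-direct {v0}, Ljava/lang/Thread;-><init>()V
    invoke-virtual {v0}, Ljava/lang/Thread;->start()V
    return-void
.end method
"""


def methods_from_smali(text):
    """One opcode list per method; operands, labels and directives are dropped."""
    methods, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(".method"):
            current = []
        elif line.startswith(".end method"):
            methods.append(current)
            current = None
        elif current is not None and line and line[0] not in ".:#":
            current.append(line.split()[0])  # the opcode is the first token
    return methods


def ngrams(seq, n):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def opcode_profile(text, n):
    """Histogram of opcode n-grams; n-grams never span a method boundary."""
    counts = Counter()
    for ops in methods_from_smali(text):
        counts.update(ngrams(ops, n))
    return counts


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, cosine(opcode_profile(SMALI_A, n), opcode_profile(SMALI_B, n)),
              cosine(opcode_profile(SMALI_A, n), opcode_profile(SMALI_C, n)))
```

With n = 1 the profile is the plain opcode histogram; raising n makes the comparison order-sensitive, which is what separates two apps that merely use the same instructions from two that share code.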
34. ML model over opcode sequences
ML : the holy grail !
Treat opcode sequence as text.
Formulate malware recognition as an NLP problem.
Feed the opcode sequence to a Neural Net.
System dynamically learns the length of the n-gram which is most
relevant.
[ McLaughlin et al. Deep Android Malware Detection. CODASPY 2017 ]
35. ML model over API or OS calls
These require first running the App in an emulator to capture dynamic
behaviour.
Malware may not exhibit all the malicious behaviour during test.
36. Baidu Appstore
Baidu has ACS which is equivalent of Google’s Bouncer
They offer an APK Protector (http://apkprotect.baidu.com)
Evolution of their anti-malware strategy
1. Signature-based rules
2. Behaviour-based rules
3. Opcode-based rules
4. As of 2016 : Deep learning model called “AlphaAv”
Thomas Wang (Baidu). AI Based Antivirus. Blackhat 2016
37. Baidu Appstore
AlphaAv ML model extracts features from APK
1. Permissions in Manifest.
2. Number of picture files in /res
3. Number of fields of type “boolean”
4. Number of methods with parameters > 20
5. Has executable file in /res ?
6. Has apk file in /assets ?
7. Registers for DEVICE_ADMIN_ENABLED broadcast and has
sendSMSmessage permission
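Features 2, 5 and 6 of that list are structural and can be read straight out of the zip container, as in this added example (not Baidu's code and not from the slides). It builds a constructed APK-like zip in memory, then counts picture files under res/ and looks for ELF binaries under res/ and nested APKs under assets/ by file content rather than by extension, since a dropper payload is usually renamed. Features 3 and 4 (boolean fields, methods with more than 20 parameters) need a dex parser and are not shown.

```python
import io
import zipfile

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".webp")
ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"


def build_sample_apk(with_dropper=False):
    """Constructed stand-in for an APK (an APK is a zip). The manifest and dex
    are placeholders; only the directory layout matters for these features."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder for binary XML>")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(32))
        for i in range(3):
            z.writestr(f"res/drawable/icon{i}.png", b"\x89PNG\r\n\x1a\n")
        if with_dropper:
            # native binary hiding under a media file name
            z.writestr("res/raw/sound.mp3", ELF_MAGIC + bytes(16))
            # nested APK, also renamed
            z.writestr("assets/data.bin", build_sample_apk(False))
    return buf.getvalue()


def is_apk(blob):
    """An APK is a zip that contains AndroidManifest.xml; check by content."""
    if not blob.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as inner:
            return "AndroidManifest.xml" in inner.namelist()
    except zipfile.BadZipFile:
        return False


def extract_features(apk_bytes):
    feats = {"images_in_res": 0, "elf_in_res": [], "apk_in_assets": [], "dex_files": 0}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.endswith(".dex"):
                feats["dex_files"] += 1
            if name.startswith("res/") and name.lower().endswith(IMAGE_EXT):
                feats["images_in_res"] += 1
            if name.startswith("res/"):
                with z.open(info) as f:
                    if f.read(4) == ELF_MAGIC:
                        feats["elf_in_res"].append(name)
            if name.startswith("assets/") and is_apk(z.read(info)):
                feats["apk_in_assets"].append(name)
    feats["suspicious"] = bool(feats["elf_in_res"] or feats["apk_in_assets"])
    return feats


if __name__ == "__main__":
    print(extract_features(build_sample_apk()))
    print(extract_features(build_sample_apk(with_dropper=True)))
```

A nested APK under assets/ is also the fingerprint of the packers from the earlier slide, so this feature by itself separates "protected" from "plain" apps rather than malicious from benign; the model has to learn it in combination with the rest.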
38. Google Playstore
Components
1. Bouncer : test submitted apps in Google Cloud
2. Verify Apps : runs on device. Warn or block installation of harmful
apps; continuously scan apps running on device; kill malware apps
remotely.
3. SafetyNet : privacy preserving IDS.
4. SafetyNet Attestation : determine if the device is CTS compatible
5. Android Device Manager : locate a stolen or lost device
6. Android Update service : deliver updates to the device through web
or OTA.
39. Google Playstore
Vertical monitoring : does the app’s runtime behaviour differ from its
upload-time (testing) behaviour?
Lateral monitoring : how does the same app behave across all the devices
that run it? A device that fails to perform the periodic “Verify Apps”
check after an app install is flagged as DOI (Dead or Insecure).
The “Verify Apps” service computes a DOI score for each app. All apps
should have DOI scores in the same range.
https://android-developers.googleblog.com/2017/01/findingmalware.html
40. Malware detection tools
Urlvoid : check if a URL is blacklisted.
VirusTotal (owned by Alphabet) : collaborative platform. Your
submitted APK is checked against large number of malware engines -
McAfee, AVG, TrendMicro.
Koodous : another collaborative platform
41. Resources
1. Conferences : Blackhat, DefCon, RSA, IEEE Security & Privacy,
USENIX Security, ACM. Also see uploaded videos of past
conferences.
2. https://github.com/ashishb/android-security-awesome
42. Malware detection
Theoretical result by Fred Cohen
The “virus detection” problem can be reduced to the “halting problem”,
hence it is undecidable in general whether a program contains a virus.
Therefore, anti-virus algorithms are essentially probabilistic.