Android Malware Survey
1
Goal of malware
Send SMS to premium-rate numbers
Bank : steal account info and money
Adware : click fraud
Spyware : Exfiltrate personal info like location, phone info, contact list,
etc.
Ransomware
Bitcoin mining
2
Installation methods
1. Repackaging : Download and decompile a popular app, add a malicious
payload, and upload it to some other “app store” for download.
A variant: upload a benign app to the Play Store, then upload a malware
version of the same app to a third-party “app store”. Since both apps
are signed with the same certificate, the device accepts the malicious
one as an update (Trend Micro blog).
2. Update attack : Insert only the update component in the App.
Download the actual malware payload at runtime.
3. Drive-by download : Using QR code, SMS link, Social media link,
Bluetooth, USB.
3
Malicious install of an APK
1. Root exploit
2. Misuse Android Accessibility services
3. Create confusion through popups and look-alikes
4. Prevent removal by storing in system partition
Grabos (McAfee)
https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play/
4
PC to mobile infection
Android.Claco: Runs on the Mobile device. Downloads Windows
executable and places it in the root directory of the SD card. When the
mobile device is connected to a PC, and if the AutoRun feature is
enabled, Windows will automatically execute the malicious file.
Trojan.Droidpak: Runs on Windows as system service. Downloads
malware APK and even “adb”. Attempts to install the APK on the
connected Mobile (if USB debugging Mode is On).
5
Loopholes in Google Playstore
Innovation by Android.dvmap
“To bypass Google Play Store security checks, the malware creators
used a very interesting method: they uploaded a clean app to the store
at the end of March, 2017, and would then update it with a malicious
version for a short period of time. Usually they would upload a clean
version back on Google Play the very same day. They did this at least 5
times between 18 April and 15 May.”
https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/
6
Activation methods
BOOT_COMPLETED broadcast, to kick off background services at boot
SMS_RECEIVED broadcast
SCREEN_OFF broadcast (screen turned off)
7
Top permissions asked by Malware
Unless you have a root exploit, you require “Permissions” in the
Manifest.
1. INTERNET
2. ACCESS_NETWORK_STATE
3. READ/WRITE_EXTERNAL_STORAGE
4. READ_PHONE_STATE
5. ACCESS_WIFI_STATE
6. ACCESS_COARSE/FINE_LOCATION
7. READ/WRITE_CONTACTS
8
How to create overlay windows
Bank malware needs to overlay a window which resembles the bank
login website.
Ways to achieve this overlay:
1. Use permission SYSTEM_ALERT_WINDOW.
2. Seek permission to use “Accessibility services” which allows access
to UI of other running apps, and create overlays. (Used by SvPeng)
3. Use “TOAST” notification to create full-screen window (on pre-Oreo).
See “Toast overlay attack” in Sept 2017.
9
Botnets
Evolution of Command and Control (C&C) architecture
1. First generation had single C&C server
2. Semi-distributed
3. Peer-to-peer
To avoid hard-coded URLs, the C&C URL is produced by a domain
generation algorithm (DGA) seeded with the current date. Or the C&C is
a Twitter account whose name is generated dynamically (e.g. Twikabot);
the bot then decrypts and executes the commands carried in the tweets.
Rapidly rotate the IP address of the C&C server : “fast-flux botnet”.
10
Evade detection by anti-malware tools
1. All constant strings in APK are encrypted
2. Use of Base64 encoding
3. Network traffic is encrypted
4. Call via reflection; decrypt class and method names just before call
5. Decryption key is not hard-coded but derived at runtime
6. Hide payload inside images folder
7. Use Android Packers or Protectors
8. Alter behaviour when running inside Emulator
9. Modify the code at runtime to evade static signatures (metamorphic
malware).
11
Hide the payload inside an image
A PNG file consists of chunks, each with a type header and a length.
If a chunk has an unknown (ancillary) type, the PNG reader skips it.
So a PNG holding a legitimate image (e.g. the app icon) can also carry an
encrypted malware payload in an extra chunk.
The malware loads the payload from that chunk, decrypts it and runs it
using DexClassLoader.
Anomaly : look for a small image (few pixels) with a large file size!
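The anomaly on this slide can be checked mechanically. The following scanner is an added example written for this survey, not code from the slides or from the cited Blackhat talk: it walks the PNG chunk list, reports chunk types outside the PNG specification, verifies chunk CRCs, and flags a file whose size is far beyond what its pixel dimensions could need. The two sample PNGs are constructed inline (a 1x1 icon, and the same icon with a private ancillary chunk named `maLw` holding 8 KiB of filler); the chunk name and the 2 KiB metadata slack are assumptions of this example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification. Anything else is a candidate
# container for smuggled data, because decoders skip unknown ancillary chunks.
KNOWN_CHUNK_TYPES = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def iter_chunks(data):
    """Yield (type, body, stored_crc) for every chunk in a PNG byte string."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        yield ctype, body, crc
        pos += 12 + length
        if ctype == b"IEND":
            break


def scan_png(data, slack_bytes=2048):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    width = height = 0
    idat_bytes = 0
    foreign_bytes = 0
    for ctype, body, crc in iter_chunks(data):
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif ctype == b"IDAT":
            idat_bytes += len(body)
        if ctype not in KNOWN_CHUNK_TYPES:
            foreign_bytes += len(body)
            findings.append("unknown chunk %s carrying %d bytes"
                            % (ctype.decode("latin-1"), len(body)))
        if len(crc) == 4 and (zlib.crc32(ctype + body) & 0xFFFFFFFF) != struct.unpack(">I", crc)[0]:
            findings.append("bad CRC on chunk %s" % ctype.decode("latin-1"))
    # The slide's anomaly: a tiny image whose file is far larger than its pixels need.
    # Uncompressed RGBA needs height * (1 + 4 * width) bytes (one filter byte per row);
    # the slack for metadata (2 KiB by default) is an assumption of this example.
    pixel_budget = height * (1 + 4 * width) + slack_bytes
    if width and len(data) > pixel_budget:
        findings.append("oversized: %d bytes for a %dx%d image (budget %d)"
                        % (len(data), width, height, pixel_budget))
    if foreign_bytes > idat_bytes:
        findings.append("non-standard chunks (%d bytes) outweigh pixel data (%d bytes)"
                        % (foreign_bytes, idat_bytes))
    return findings


def _chunk(ctype, body):
    """Encode one PNG chunk with its CRC (CRC covers type + body)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(extra_chunks=()):
    """Constructed 1x1 RGBA PNG, optionally with extra chunks inserted before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)   # 1x1, 8-bit, RGBA
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\xff")   # filter byte + one opaque pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"")


# Constructed samples: a clean icon, and the same icon with a private ancillary chunk
# (lowercase first letter = ancillary, so decoders ignore it) holding 8 KiB of filler.
CLEAN_PNG = build_sample_png()
STUFFED_PNG = build_sample_png([(b"maLw", bytes(range(256)) * 32)])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("stuffed", STUFFED_PNG)):
        print(name, len(blob), "bytes")
        for finding in scan_png(blob):
            print("  -", finding)
```

The size check is deliberately coarse: real icons compress well below the uncompressed RGBA budget, so a file that exceeds even that budget has bytes that are not pixels. Run the same scanner over every PNG under res/ of an unpacked APK and triage the files with any finding.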
12
Axelle Apvrille. Hide Android Applications in Images. Blackhat Europe 2014
Packers and Protectors
Top packers : Bangcle, APKProtect.com, Baidu, Tencent
● Encrypts the APK and stores it in assets folder
● Replaces the APK Main Activity by their own
● Inserts its own decryption library (native C)
● During run, decrypts your APK in the RAM and runs it
Packers developed to protect vendor IP, but being misused to distribute
malware.
Packed APK cannot be detected by static or dynamic analysis.
13
14
[Image slide: APK structure BEFORE PACKING, from http://www.vxsecurity.sg/2014/08/25/android-packers-bangcle/]
15
[Image slide: APK structure AFTER PACKING, from http://www.vxsecurity.sg/2014/08/25/android-packers-bangcle/]
Emulator evasion techniques-1
deviceID, phonenumber, IMEI, IMSI are faked on emulator
● TelephonyManager.getDeviceId().equals(“00000…”)
● TelephonyManager.getSimCountryIso().equals(“Android”)
● TelephonyManager.getSimOperatorName().equals(“Android”)
● TelephonyManager.getLine1Number().equals(“15555215554”)
where 1555521 is a constant and 5554 is the emulator console port number
https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/
16
Emulator evasion techniques-2
Inside emulator, the build info is set to fake values
● Build.MODEL contains “google_sdk”, “Emulator” or “Android SDK”
● Build.FINGERPRINT starts with “generic” or “unknown”
● Build.MANUFACTURER contains “Genymotion”
● Build.BRAND starts with “generic”
● Build.DEVICE starts with “generic”
17
Emulator evasion techniques-3
Emulator properties give it away
1. System properties “ro.bootloader”, “ro.bootmode”, “ro.hardware”,
“ro.product.model”, etc. are set to “Unknown”, “generic”, “sdk”, etc.
2. Emulator related files exist : “/dev/socket/qemud”,
“/system/lib/libc_malloc_debug_qemu.so”, “/sys/qemu_trace”,
“/system/bin/qemu-props”.
3. getInstallerPackageName() = “com.android.vending” (i.e. app was
installed using “adb”).
4. Check if user’s email address contains “google”, “tester”, etc.
18
Detect if running in debugger
Check Debug.isDebuggerConnected(), Debug.waitingForDebugger()
Launch multiple threads and have one thread attach to another using
ptrace(); since only one tracer can be attached to a process at a time,
a debugger can no longer attach.
[Packergrind paper]
19
Delay the attack
Delay the attack by fixed time (e.g. 24 hours) which is long enough to
beat sandbox testing.
Launch the malware only when Google Play is launched, by adding the
application’s main intent to the category
“android.intent.category.APPMARKET”. (done by “Tascudap”)
20
Polymorphic and metamorphic malware
Oligomorphic :
Polymorphic
● Use of encryption for strings, payloads; Data append/prepend
Metamorphic (hard to detect using file signatures)
1. Reorder instructions or data structures
2. Add Semantic NOPs
3. Register reassignment
21
https://reverseengineering.stackexchange.com/questions/1696/what-are-the-differences-between-metamorphic-oligomorphic-and-polymorphic-malwa
Malware toolkits
Adware SDK : MDash, Xavier, Igexin
Botnet : Bilal Bot, GM Bot, KNL Bot
Rooting tools : https://github.com/android-rooting-tools (older Android
versions)
22
Malware databases
Android Malware Genome Database (outdated)
Contagio
Drebin
(Individual vendors collect their own databases)
23
Malware Detection Methods
● Static analysis (signature, ML)
● Dynamic analysis (sandbox)
● Opcode analysis (custom, ML)
● Hybrid
24
Static analysis
Check
● Uses-feature in Manifest
● Permissions in Manifest
● Intents
● Use of DexClassLoader, System.loadLibrary (NDK native code)
● Use of crypto API
● OS system calls
● Receiving broadcasts
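The manifest items on this checklist, together with the malware permission list and the activation broadcasts from the earlier slides, can be pulled out of a decoded AndroidManifest.xml with a few lines of code. The triage script below is an added example, not code from the deck: it lists the requested permissions that match the slides' list, the manifest-declared receivers for BOOT_COMPLETED and SMS_RECEIVED, whether an accessibility service is declared, and whether the app is overlay-capable, and sums them into a crude score. The manifest is a constructed sample with a placeholder package name; the indicator sets and the scoring are assumptions of this example, and a real run would feed in the manifest decoded by apktool or aapt.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Indicators taken from the slides: the top permissions requested by malware,
# the overlay-capable permissions, and the broadcasts used to activate a payload.
PERMISSIONS_OF_INTEREST = {
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
}
ACTIVATION_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Summarise the static indicators found in a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = {_android_attr(e, "name") for e in root.iter("uses-permission")}
    flagged = sorted(requested & PERMISSIONS_OF_INTEREST)
    # BOOT_COMPLETED and SMS_RECEIVED can be declared in the manifest. SCREEN_OFF is only
    # delivered to receivers registered at runtime via registerReceiver(), so a manifest
    # scan cannot see it; that needs a dynamic hook, which is what Andrubis does.
    activation = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            name = _android_attr(action, "name")
            if name in ACTIVATION_ACTIONS:
                activation.add(name)
    accessibility = any(_android_attr(s, "permission") == ACCESSIBILITY_PERMISSION
                        for s in root.iter("service"))
    overlay_capable = "android.permission.SYSTEM_ALERT_WINDOW" in requested or accessibility
    return {
        "package": root.get("package"),
        "flagged_permissions": flagged,
        "activation_receivers": sorted(activation),
        "accessibility_service": accessibility,
        "overlay_capable": overlay_capable,
        # Crude additive score; the weighting is an assumption of this example.
        "score": len(flagged) + len(activation) + (1 if accessibility else 0),
    }


# Constructed sample manifest (not from any real app); the package name is a placeholder.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Sample">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".A11yService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print("%-22s %s" % (key, value))
```

The score is only a triage aid: a legitimate SMS app or screen reader legitimately carries several of these indicators, so the value of the script is in surfacing the combination (SMS permissions plus overlay capability plus boot persistence) for a human or a downstream model, not in a threshold.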
25
Dynamic Analysis
Run APK in Sandbox - e.g. DroidBox, Andrubis
Record
1. API calls
2. OS system calls
3. Network traffic
4. Battery consumption
5. CPU usage
26
Network monitoring
Malware tends to use DNS, HTTP (OkHttp), IRC, and TOR!
1. DNS queries may be used to locate the C&C server.
2. Why OkHttp? It can contact multiple alternative HTTP servers, and
retries silently and periodically in case of failure.
3. IRC is popular because it supports redundancy (multi-master), has a
built-in login protocol, and offers full 2-way communication.
4. TOR : difficult to shut down a botnet using TOR, as you cannot
de-anonymize the C&C server sitting inside the TOR network.
5. An app may not request the Internet permission but use other apps,
like the browser, to send/receive data over the network.
27
Dynamic Analysis - Andrubis
Andrubis does “Stimulation” instead of passive wait or UI exploration.
1. Invoke all Activities (not just Main) found in the Manifest
2. Patch Android ActivityManager to start all background services
automatically.
3. Intercept calls to “registerReceiver” and use ActivityManager to
invoke them.
4. Broadcast common events such as SMS, WiFi+3G connectivity, GPS
lock, phone calls, phone state changes to trigger OS and App
behaviour.
Andrubis is now commercial - Lastline
[Weichselbaum, et al. Andrubis: Android Malware under the magnifying glass]
28
TaintDroid
Leverages Android virtualized env. Assumes no app is trusted.
It labels (taints) data from privacy-sensitive sources
Transitively applies labels as sensitive data propagates through program
variables, files, and interprocess messages.
When tainted data are transmitted over the network, or otherwise leave
the system, TaintDroid logs the data’s labels, the application responsible
for transmitting the data, and the data’s destination.
[Enck, et al. TaintDroid - OSDI 2010]
29
TaintDroid
30
Beat the malware’s emulator detection
Make the emulator look like a real device
● Set geo-location : “adb emu geo fix longitude latitude altitude”
● Change the hard-coded IMEI and IMSI in the emulator binary
● Set the emulator port to something other than 5554 or 5584.
● Use “genymotion”, which apparently has addressed all these issues
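Before running a sample, it helps to audit the sandbox against the exact tells from the three emulator-evasion slides. The script below is an added example, not code from the deck or from the cited talk: it parses `adb shell getprop` output (the ro.* properties behind the Build.* fields), checks the values the slides list, and reports the emulator-only files and the default console port. The two getprop listings are constructed, one for a stock SDK emulator and one after hardening, and the kernel names goldfish and ranchu are added from general knowledge rather than from the slides.

```python
import re

GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

# Indicators listed on the emulator-evasion slides. The two emulator kernel names
# (goldfish, ranchu) are an addition of this example, not from the slides.
GENERIC_VALUES = {"unknown", "generic", "sdk"}
EMULATOR_HARDWARE = {"goldfish", "ranchu"}
MODEL_MARKERS = ("google_sdk", "Emulator", "Android SDK")
QEMU_FILES = (
    "/dev/socket/qemud",
    "/system/lib/libc_malloc_debug_qemu.so",
    "/sys/qemu_trace",
    "/system/bin/qemu-props",
)


def parse_getprop(text):
    """Turn `adb shell getprop` output ([key]: [value] per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_emulator_tells(getprop_text, present_files=(), adb_serial=None):
    """Return {indicator: explanation} for everything that would expose the emulator."""
    props = parse_getprop(getprop_text)
    tells = {}
    for key in ("ro.bootloader", "ro.bootmode", "ro.hardware", "ro.product.model"):
        value = props.get(key, "").lower()
        if value in GENERIC_VALUES or value in EMULATOR_HARDWARE:
            tells[key] = "placeholder value %r" % props[key]
    model = props.get("ro.product.model", "")            # backs Build.MODEL
    if any(marker in model for marker in MODEL_MARKERS):
        tells["ro.product.model"] = "Build.MODEL %r names the SDK" % model
    fingerprint = props.get("ro.build.fingerprint", "")  # backs Build.FINGERPRINT
    if fingerprint.startswith(("generic", "unknown")):
        tells["ro.build.fingerprint"] = "Build.FINGERPRINT starts with %r" % fingerprint.split("/")[0]
    if "Genymotion" in props.get("ro.product.manufacturer", ""):
        tells["ro.product.manufacturer"] = "Build.MANUFACTURER names Genymotion"
    for key in ("ro.product.brand", "ro.product.device"):  # Build.BRAND / Build.DEVICE
        if props.get(key, "").startswith("generic"):
            tells[key] = "starts with 'generic'"
    for path in QEMU_FILES:
        if path in present_files:
            tells[path] = "emulator-only file present"
    if adb_serial and adb_serial.endswith(("-5554", "-5584")):
        tells["adb_serial"] = "default emulator console port in %r" % adb_serial
    return tells


# Constructed getprop output of a stock SDK emulator (not captured from a real device).
STOCK_EMULATOR_GETPROP = """\
[ro.bootloader]: [unknown]
[ro.bootmode]: [unknown]
[ro.hardware]: [goldfish]
[ro.product.model]: [Android SDK built for x86]
[ro.build.fingerprint]: [generic/sdk_phone_x86/generic_x86:8.1.0/CONSTRUCTED/1:userdebug/test-keys]
[ro.product.manufacturer]: [Google]
[ro.product.brand]: [generic]
[ro.product.device]: [generic_x86]
"""

# Constructed getprop output after hardening; every value is a placeholder.
HARDENED_GETPROP = """\
[ro.bootloader]: [BL-CONSTRUCTED-1]
[ro.bootmode]: [normal]
[ro.hardware]: [soc-constructed]
[ro.product.model]: [Phone X]
[ro.build.fingerprint]: [vendorco/phone_x/phone_x:8.1.0/CONSTRUCTED/1:user/release-keys]
[ro.product.manufacturer]: [VendorCo]
[ro.product.brand]: [vendorco]
[ro.product.device]: [phone_x]
"""

if __name__ == "__main__":
    for label, text, files, serial in (
        ("stock", STOCK_EMULATOR_GETPROP, ("/dev/socket/qemud",), "emulator-5554"),
        ("hardened", HARDENED_GETPROP, (), "CONSTRUCTED0001"),
    ):
        print(label)
        for key, why in audit_emulator_tells(text, files, serial).items():
            print("  %-30s %s" % (key, why))
```

On a live sandbox, feed the function the real `adb -s <serial> shell getprop` output and the result of `adb shell ls` over QEMU_FILES; an empty result means none of the slides' tells are visible, though it says nothing about checks the malware performs against telephony identifiers or the user's account list.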
Axelle Apvrille. Android malware reverse engineering
31
How to beat the Packers
Some packers decrypt the original APK at known locations in RAM. Use
that to find and analyze the decrypted APK at runtime.
[ Strazzere talk at Defcon 14 https://github.com/strazzere/android-unpacker ]
DexHunter modifies the Android runtime (Dalvik and ART/OAT) to trap class
loading.
[ Zhang, et al. DexHunter. ESORICS 2015 https://github.com/zyq8709/DexHunter ]
PackerGrind
[ Xue, et al. Adaptive Unpacking of Android Apps ]
DaBID Debugger [Blackhat Asia 2015]
32
Opcode analysis
Classify apps according to n-grams of opcodes in the APK.
Dalvik has 218 unique opcodes
Split the opcodes at class method boundaries before creating n-grams.
Strip the opcode arguments (operands)
Here, 1-gram is just a histogram of frequencies
This method works with obfuscated code !
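The n-gram procedure on this slide (split at method boundaries, strip operands, count n-grams) is short enough to show end to end. The code below is an added example, not from the deck or from the cited paper: it reads a smali listing, keeps only the mnemonic of each instruction, builds per-method opcode sequences so that no n-gram crosses a method boundary, and compares two histograms by cosine similarity. The smali is constructed, and the second listing is the first with identifiers and string literals renamed, which shows why the method is unaffected by that kind of obfuscation: only operands change, so the opcode stream is identical.

```python
import math
import re
from collections import Counter

# A smali mnemonic is the first token of an instruction line: letters, digits, '/' and '-'
# (e.g. const/4, invoke-static, move-result-object). Everything after it is an operand.
MNEMONIC = re.compile(r"^([a-z][a-z0-9/-]*)")


def method_opcode_sequences(smali_text):
    """Split a smali listing into one operand-free opcode list per method."""
    methods, current = [], None
    for raw in smali_text.splitlines():
        line = raw.strip()
        if line.startswith(".method"):
            current = []
        elif line.startswith(".end method"):
            methods.append(current)
            current = None
        elif current is not None and line and not line.startswith((".", ":", "#")):
            m = MNEMONIC.match(line)          # skips directives, labels and comments
            if m:
                current.append(m.group(1))
    return methods


def ngram_histogram(methods, n):
    """Count opcode n-grams; a window never crosses a method boundary."""
    hist = Counter()
    for ops in methods:
        for i in range(len(ops) - n + 1):
            hist[tuple(ops[i:i + n])] += 1
    return hist


def cosine_similarity(h1, h2):
    """Cosine similarity of two n-gram histograms (1.0 = identical profile)."""
    dot = sum(h1[k] * h2[k] for k in h1.keys() & h2.keys())
    n1 = math.sqrt(sum(v * v for v in h1.values()))
    n2 = math.sqrt(sum(v * v for v in h2.values()))
    return dot / (n1 * n2) if n1 and n2 else 0.0


# Constructed smali (not from any real sample): a class with two methods.
ORIGINAL_SMALI = """\
.class public Lcom/example/constructed/Greeter;
.method public greet()V
    .locals 1
    const-string v0, "hello"
    invoke-static {v0}, Lcom/example/constructed/Log;->d(Ljava/lang/String;)V
    return-void
.end method
.method private bump(I)I
    .locals 2
    const/4 v0, 0x1
    add-int v1, p1, v0
    return v1
.end method
"""

# The same code after identifier renaming and string replacement: only operands differ.
OBFUSCATED_SMALI = (ORIGINAL_SMALI.replace("Greeter", "a").replace("greet", "b")
                    .replace("bump", "c").replace("Log;->d", "d;->e")
                    .replace('"hello"', '"x7Q"'))

if __name__ == "__main__":
    for label, smali in (("original", ORIGINAL_SMALI), ("obfuscated", OBFUSCATED_SMALI)):
        seqs = method_opcode_sequences(smali)
        print(label, seqs)
        print("  2-grams:", dict(ngram_histogram(seqs, 2)))
    a = ngram_histogram(method_opcode_sequences(ORIGINAL_SMALI), 2)
    b = ngram_histogram(method_opcode_sequences(OBFUSCATED_SMALI), 2)
    print("cosine similarity:", cosine_similarity(a, b))
```

With n = 1 the histogram is the plain opcode frequency table the slide mentions; larger n captures ordering. Over a corpus, the histograms become feature vectors (one dimension per observed n-gram) for whatever classifier is used, and the similarity function gives a quick nearest-neighbour check against known families.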
33
ML model over opcode sequences
ML : the holy grail !
Treat opcode sequence as text.
Formulate malware recognition as an NLP problem.
Feed the opcode sequence to a Neural Net.
System dynamically learns the length of the n-gram which is most
relevant.
[ McLaughlin et al. Deep Android Malware Detection. CODASPY 2017 ]
34
ML model over API or OS calls
These require first running the App in an emulator to capture dynamic
behaviour.
Malware may not exhibit all the malicious behaviour during test.
35
Baidu Appstore
Baidu has ACS which is equivalent of Google’s Bouncer
They offer an APK Protector (http://apkprotect.baidu.com)
Evolution of their anti-malware strategy
1. Signature-based rules
2. Behaviour-based rules
3. Opcode-based rules
4. As of 2016 : Deep learning model called “AlphaAv”
Thomas Wang (Baidu). AI Based Antivirus. Blackhat 2016
36
Baidu Appstore
AlphaAv ML model extracts features from APK
1. Permissions in Manifest.
2. Number of picture files in /res
3. Number of fields of type “boolean”
4. Number of methods with parameters > 20
5. Has executable file in /res ?
6. Has apk file in /assets ?
7. Registers for the DEVICE_ADMIN_ENABLED broadcast and has the
SEND_SMS permission
37
Google Playstore
Components
1. Bouncer : test submitted apps in Google Cloud
2. Verify Apps : runs on device. Warn or block installation of harmful
apps; continuously scan apps running on device; kill malware apps
remotely.
3. SafetyNet : privacy preserving IDS.
4. SafetyNet Attestation : determine if the device is CTS compatible
5. Android Device Manager : locate a stolen or lost device
6. Android Update service : deliver updates to the device through web
or OTA.
38
Google Playstore
Vertical monitoring : check whether runtime behaviour differs from
upload-time (testing) behaviour.
Lateral monitoring : how does the same App behave across all the
devices? A device that fails to perform the periodic “Verify Apps”
check after an App install is flagged as DOI (Dead or Insecure).
The “Verify Apps” service computes a DOI score for each App. All Apps
should have a DOI score in the same range.
https://android-developers.googleblog.com/2017/01/findingmalware.html
39
Malware detection tools
Urlvoid : check if a URL is blacklisted.
VirusTotal (owned by Alphabet) : collaborative platform. Your
submitted APK is checked against large number of malware engines -
McAfee, AVG, TrendMicro.
Koodous : another collaborative platform
40
Resources
1. Conferences : Blackhat, DefCon, RSA, IEEE Security & Privacy,
USENIX Security, ACM. Also see uploaded videos of past
conferences.
2. https://github.com/ashishb/android-security-awesome
41
Malware detection
Theoretical result by Fred Cohen
The “virus detection” problem can be reduced to the “halting problem”
- hence undecidable whether a program has a virus.
Therefore, Anti-virus algorithms are essentially probabilistic.
42

VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 

Último (20)

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 

Android malware presentation

  • 6. Loopholes in Google Playstore
    Innovation by Android.dvmap
    “To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March, 2017, and would then update it with a malicious version for a short period of time. Usually they would upload a clean version back on Google Play the very same day. They did this at least 5 times between 18 April and 15 May.”
    https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/
  • 7. Activation methods
    BOOT COMPLETED event to kick off background services
    SMS RECEIVED broadcast
    SCREEN TURNED OFF
  • 8. Top permissions asked by malware
    Unless you have a root exploit, you require “Permissions” in the Manifest.
    1. Internet
    2. Access_network_state
    3. Read/write external storage
    4. Read phone state
    5. Access wifi state
    6. Access coarse/fine location
    7. Read/write contacts
  • 9. How to create overlay windows
    Bank malware needs to overlay a window which resembles the bank login website. Ways to achieve this overlay:
    1. Use permission SYSTEM_ALERT_WINDOW.
    2. Seek permission to use “Accessibility services”, which allows access to the UI of other running apps, and create overlays. (Used by SvPeng)
    3. Use a “TOAST” notification to create a full-screen window (on pre-Oreo). See “Toast overlay attack” in Sept 2017.
  • 10. Botnets
    Evolution of Command and Control (C&C) architecture
    1. First generation had a single C&C server
    2. Semi-distributed
    3. Peer-to-peer
    To avoid hard-coded URLs, the C&C URL is generated using a domain generation algorithm (DGA) seeded by the current date. Or the C&C is a Twitter account whose name is generated dynamically (e.g. Twikabot); the bot then decrypts and executes tweets.
    Rapidly rotate the IP address of the C&C server: “fast flux botnet”.
  • 11. Evade detection by anti-malware tools
    1. All constant strings in the APK are encrypted
    2. Use of Base64 encoding
    3. Network traffic is encrypted
    4. Call via reflection; decrypt class and method names just before the call
    5. Decryption key is not hard-coded but derived at runtime
    6. Hide the payload inside the images folder
    7. Use Android packers or protectors
    8. Alter behaviour when running inside an emulator
    9. Modify the code at runtime to evade static signatures (metamorphic malware)
  • 12. Hide the payload inside an image
    A PNG file has many chunks, each with its own header and length.
    If a chunk has an unknown header, the PNG reader will skip it.
    A PNG with a legitimate image (app icon) can contain (encrypted) malware.
    Load the malware payload from the chunk, decrypt it and run it using DexClassLoader.
    Anomaly: look for a small image having a large file size!
    Axelle Apvrille. Hide Android Applications in Images. Blackhat Europe 2014
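The chunk walk this slide describes, as an added example that is not code from the presentation or from Apvrille's work: a small PNG parser that lists chunk types a normal still image never carries, counts bytes appended after IEND, and applies the slide's small-image/large-file heuristic. The chunk type "pyLd" and the sample icons are constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a normal still image may carry (PNG 1.2 spec); anything else is "unknown".
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
                b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
                b"sPLT", b"tIME"}

def iter_chunks(data):
    """Yield (type, payload, crc_ok) per chunk: 4-byte length, 4-byte type, data, CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        crc_ok = len(crc) == 4 and struct.unpack(">I", crc)[0] == zlib.crc32(ctype + payload)
        yield ctype, payload, crc_ok
        pos += 12 + length
        if ctype == b"IEND":      # a well-formed image ends here; anything after is foreign
            break

def scan_png(data):
    """Triage a PNG: dimensions, unknown chunks, bytes appended after IEND, and a verdict."""
    width = height = 0
    unknown, bad_crc = {}, []
    consumed = len(PNG_SIGNATURE)
    for ctype, payload, crc_ok in iter_chunks(data):
        consumed += 12 + len(payload)
        name = ctype.decode("latin-1")
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", payload[:8])
        if ctype not in KNOWN_CHUNKS:
            unknown[name] = unknown.get(name, 0) + len(payload)
        if not crc_ok:
            bad_crc.append(name)
    trailing = len(data) - consumed
    # The slide's heuristic: a small picture should not carry more non-image bytes
    # than its pixels could possibly need (4 bytes per RGBA pixel, uncompressed).
    hidden = sum(unknown.values()) + trailing
    return {"width": width, "height": height, "file_size": len(data),
            "unknown_chunks": unknown, "bad_crc": bad_crc, "trailing_bytes": trailing,
            "suspicious": hidden > 4 * width * height}

def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def make_png(width, height, extra_chunks=()):
    """Constructed test input: a minimal solid-red RGBA PNG plus optional extra chunks."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA, no interlace
    raw = b"".join(b"\x00" + b"\xff\x00\x00\xff" * width for _ in range(height))
    chunks = [_chunk(b"IHDR", ihdr)] + [_chunk(t, p) for t, p in extra_chunks]
    chunks += [_chunk(b"IDAT", zlib.compress(raw)), _chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks)

# Constructed samples: a clean 16x16 icon, the same icon carrying a 4 KiB private chunk
# ("pyLd" is a made-up ancillary type that readers skip), and one with data after IEND.
CLEAN_ICON = make_png(16, 16)
CHUNK_STUFFED_ICON = make_png(16, 16, [(b"pyLd", bytes(range(256)) * 16)])
APPENDED_ICON = CLEAN_ICON + b"\x00" * 3000

if __name__ == "__main__":
    for label, png in [("clean", CLEAN_ICON), ("chunk", CHUNK_STUFFED_ICON), ("append", APPENDED_ICON)]:
        print(label, scan_png(png))
```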
  • 13. Packers and protectors
    Top packers: Bangcle, APKProtect.com, Baidu, Tencent
    ● Encrypts the APK and stores it in the assets folder
    ● Replaces the APK's main Activity with their own
    ● Inserts its own decryption library (native C)
    ● At run time, decrypts your APK in RAM and runs it
    Packers were developed to protect vendor IP, but are being misused to distribute malware. A packed APK cannot be detected by static or dynamic analysis.
  • 16. Emulator evasion techniques-1
    deviceID, phone number, IMEI, IMSI are faked on the emulator
    ● TelephonyManager.getDeviceId().equals(“00000…”)
    ● TelephonyManager.getSimCountryIso().equals(“Android”)
    ● TelephonyManager.getSimOperatorName().equals(“Android”)
    ● TelephonyManager.getLine1Number().equals(“15555215554”), where 15555521 is a constant and the emulator port number is 5554
    https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/
  • 17. Emulator evasion techniques-2
    Inside the emulator, the build info is set to fake values
    ● BUILD.MODEL contains either “google_sdk”, “Emulator”, “Android SDK”
    ● BUILD.FINGERPRINT starts with “generic”, “unknown”
    ● BUILD.MANUFACTURER contains “Genymotion”
    ● BUILD.BRAND starts with “generic”
    ● BUILD.DEVICE starts with “generic”
  • 18. Emulator evasion techniques-3
    Emulator properties give it away
    1. System properties “ro.bootloader”, “ro.bootmode”, “ro.hardware”, “ro.product.mode”, etc. are set to “Unknown”, “generic”, “sdk”, etc.
    2. Emulator-related files exist: “/dev/socket/qemud”, “/system/lib/libc_malloc_debug_qemu.so”, “/sys/qemu_trace”, “/system/bin/qemu-props”.
    3. getInstallerPackageName() = “com.android.vending” (i.e. the app was installed using “adb”).
    4. Check if the user’s email address contains “google”, “tester”, etc.
  • 19. Detect if running in a debugger
    Check Debug.isDebuggerConnected(), Debug.waitingForDebugger()
    Launch multiple threads and let one thread attach to another using ptrace(), because a process can only be attached by one process. [PackerGrind paper]
  • 20. Delay the attack
    Delay the attack by a fixed time (e.g. 24 hours) which is long enough to beat sandbox testing.
    Launch the malware only when Google Play is launched, by adding the application’s main intent to the category “android.intent.category.APPMARKET”. (Done by “Tascudap”)
  • 21. Polymorphic and metamorphic malware
    Oligomorphic / Polymorphic:
    ● Use of encryption for strings, payloads; data append/prepend
    Metamorphic (hard to detect using file signatures):
    1. Reorder instructions or data structures
    2. Add semantic NOPs
    3. Register reassignment
    https://reverseengineering.stackexchange.com/questions/1696/what-are-the-differences-between-metamorphic-oligomorphic-and-polymorphic-malwa
  • 22. Malware toolkits
    Adware SDK: MDash, Xavier, Igexin
    Botnet: Bilal Bot, GM Bot, KNL Bot
    Rooting tools: https://github.com/android-rooting-tools (older Android versions)
  • 23. Malware databases
    Android Malware Genome Database (outdated)
    Contagio
    Drebin
    (Individual vendors collect their own databases)
  • 24. Malware detection methods
    ● Static analysis (signature, ML)
    ● Dynamic analysis (sandbox)
    ● Opcode analysis (custom, ML)
    ● Hybrid
  • 25. Static analysis
    Check:
    ● Uses-feature in Manifest
    ● Permissions in Manifest
    ● Intents
    ● Use of DexClassLoader, NDK Loadlib
    ● Use of crypto API
    ● OS system calls
    ● Receiving broadcasts
  • 26. Dynamic analysis
    Run the APK in a sandbox, e.g. DroidBox, Andrubis
    Record:
    1. API calls
    2. OS system calls
    3. Network traffic
    4. Battery consumption
    5. CPU usage
  • 27. Network monitoring
    Malware tends to use DNS, HTTP (OkHttp), IRC, and TOR!
    1. DNS queries may be used to locate the C&C server.
    2. Why OkHttp? It can contact multiple alternative HTTP servers, and retries silently and periodically in case of failure.
    3. IRC is popular because it supports redundancy (multi-master), has a built-in login protocol, and offers full two-way communication.
    4. TOR: it is difficult to shut down a botnet using TOR, as you cannot de-anonymize the C&C server sitting inside the TOR network.
    5. An app may not request Internet permission but use other apps, such as the browser, to send/receive data over the network.
  • 28. Dynamic analysis - Andrubis
    Andrubis does “stimulation” instead of passive waiting or UI exploration.
    1. Invoke all Activities (not just Main) found in the Manifest.
    2. Patch the Android ActivityManager to start all background services automatically.
    3. Intercept calls to “registerReceiver” and use the ActivityManager to invoke them.
    4. Broadcast common events such as SMS, WiFi+3G connectivity, GPS lock, phone calls, and phone state changes to trigger OS and app behaviour.
    Andrubis is now commercial - Lastline
    [Weichselbaum, et al. Andrubis: Android Malware under the Magnifying Glass]
  • 29. TaintDroid
    Leverages the Android virtualized environment. Assumes no app is trusted.
    It labels (taints) data from privacy-sensitive sources and transitively applies labels as sensitive data propagates through program variables, files, and interprocess messages.
    When tainted data are transmitted over the network, or otherwise leave the system, TaintDroid logs the data’s labels, the application responsible for transmitting the data, and the data’s destination.
    [Enck, et al. TaintDroid - OSDI 2010]
  • 31. Beat the malware’s emulator detection
    Make the emulator look like a real device
    ● Set geo-location: “adb emu geo fix longitude latitude altitude”
    ● Change the hard-coded IMEI and IMSI in the emulator binary
    ● Set the emulator port to be other than 5554 or 5584.
    ● Use “genymotion”, which apparently has addressed all these issues
    Axelle Apvrille. Android malware reverse engineering
  • 32. How to beat the packers
    Some packers decrypt the original APK at known locations in RAM. Use that to find and analyze the decrypted APK at runtime. [Strazzere talk at Defcon 14, https://github.com/strazzere/android-unpacker]
    DexHunter modified the Dalvik runtime (ART/OAT) to trap the ClassLoader. [Zhang, et al. DexHunter, ESORICS 2015, https://github.com/zyq8709/DexHunter]
    PackerGrind [Xue, et al. Adaptive Unpacking of Android Apps]
    DaBID Debugger [Blackhat Asia 2015]
  • 33. Opcode analysis
    Classify apps according to n-grams of opcodes in the APK. Dalvik has 218 unique opcodes.
    Split the opcodes at class method boundaries before creating n-grams.
    Strip the opcode arguments (operands).
    Here, a 1-gram is just a histogram of opcode frequencies.
    This method works with obfuscated code!
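The n-gram extraction of this slide as an added example, not code from the presentation: per-method opcode lists with operands stripped, n-gram histograms that never cross a method boundary, and a cosine comparison showing that renaming identifiers and strings leaves the opcode profile almost unchanged. The three smali listings are constructed for the example.

```python
import math
from collections import Counter
def opcode_sequences(smali):
    """Split a smali listing into one opcode list per method, operands stripped."""
    methods, current = [], None
    for line in (l.strip() for l in smali.splitlines()):
        if line.startswith(".method"):
            current = []
        elif line.startswith(".end method"):
            methods.append(current)
            current = None
        elif current is not None and line and not line.startswith((".", ":", "#")):
            current.append(line.split()[0])   # directives, labels and comments are not opcodes
    return methods
def ngram_counts(methods, n):
    """Histogram of opcode n-grams; a window never crosses a method boundary."""
    counts = Counter()
    for seq in methods:
        for i in range(len(seq) - n + 1):
            counts[tuple(seq[i:i + n])] += 1
    return counts
def similarity(smali_a, smali_b, n=2):
    """Cosine similarity of two listings' n-gram histograms (1.0 = identical profile)."""
    a = ngram_counts(opcode_sequences(smali_a), n)
    b = ngram_counts(opcode_sequences(smali_b), n)
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0
# Constructed reference: a slide-11/12 style loader (decrypt a string, feed DexClassLoader) plus a constructor.
KNOWN_LOADER = """
.method private loadPayload()V
    const-string v0, "c2VjcmV0"
    invoke-static {v0}, Lcom/a/b;->d(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    new-instance v1, Ldalvik/system/DexClassLoader;
    invoke-direct {v1, v0}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;)V
    invoke-virtual {v1, v0}, Ldalvik/system/DexClassLoader;->loadClass(Ljava/lang/String;)Ljava/lang/Class;
    return-void
.end method
.method public constructor <init>()V
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method
"""
# Constructed unknown sample: identifiers and strings renamed, a const/4 and a label added.
UNKNOWN_SAMPLE = """
.method private q()V
    const/4 v1, 0x0
    :goto_0
    const-string v0, "ZmFrZQ=="
    invoke-static {v0}, Lx/y/z;->k(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    new-instance v1, Ldalvik/system/DexClassLoader;
    invoke-direct {v1, v0}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;)V
    invoke-virtual {v1, v0}, Ldalvik/system/DexClassLoader;->loadClass(Ljava/lang/String;)Ljava/lang/Class;
    return-void
.end method
"""
# Constructed benign sample: ordinary Activity UI code.
BENIGN_SAMPLE = """
.method public onCreate(Landroid/os/Bundle;)V
    const v0, 0x7f030000
    invoke-virtual {p0, v0}, Lcom/example/Main;->setContentView(I)V
    const-string v0, "Hello"
    invoke-virtual {v1, v0}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
    return-void
.end method
"""
```

Against the renamed sample the 2-gram profile of the known loader scores 6/7 while the benign Activity scores below 0.2, which is the obfuscation resistance the slide claims.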
  • 34. ML model over opcode sequences
    ML: the holy grail!
    Treat the opcode sequence as text and formulate malware recognition as an NLP problem. Feed the opcode sequence to a neural net; the system dynamically learns the length of the n-gram which is most relevant.
    [McLaughlin et al. Deep Android Malware Detection. CODASPY 2017]
  • 35. ML model over API or OS calls
    These require first running the app in an emulator to capture its dynamic behaviour. Malware may not exhibit all of its malicious behaviour during the test.
  • 36. Baidu Appstore
    Baidu has ACS, which is the equivalent of Google’s Bouncer.
    They offer an APK Protector (http://apkprotect.baidu.com)
    Evolution of their anti-malware strategy:
    1. Signature-based rules
    2. Behaviour-based rules
    3. Opcode-based rules
    4. As of 2016: deep learning model called “AlphaAv”
    Thomas Wang (Baidu). AI Based Antivirus. Blackhat 2016
  • 37. Baidu Appstore
    The AlphaAv ML model extracts features from the APK:
    1. Permissions in Manifest
    2. Number of picture files in /res
    3. Number of fields of type “boolean”
    4. Number of methods with parameters > 20
    5. Has executable file in /res?
    6. Has apk file in /assets?
    7. Registers for DEVICE_ADMIN_ENABLED broadcast and has sendSMSmessage permission
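A manifest triage script as an added example, not part of the presentation or of Baidu's AlphaAv: it pulls the manifest-level features this slide lists (permissions, and feature 7's DEVICE_ADMIN_ENABLED receiver combined with SEND_SMS) together with the activation broadcasts of slide 7 and the overlay permission of slide 9, using only the standard library. Both manifests are constructed and the flag wording is the example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Activation broadcasts from slide 7. SCREEN_OFF is kept for completeness only: Android
# delivers it solely to receivers registered at runtime, so it never appears in a manifest
# and has to be caught dynamically (the registerReceiver hook of slide 28).
ACTIVATION_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "receiver runs at boot",
    "android.provider.Telephony.SMS_RECEIVED": "receiver intercepts incoming SMS",
    "android.intent.action.SCREEN_OFF": "receiver runs when the screen turns off",
}

def triage_manifest(xml_text):
    """Extract manifest-level features and the risk flags the slides call out."""
    root = ET.fromstring(xml_text)
    name_attr = ANDROID_NS + "name"
    perms = sorted(e.get(name_attr, "") for e in root.iter("uses-permission"))
    actions = {a.get(name_attr, "") for r in root.iter("receiver") for a in r.iter("action")}
    flags = [ACTIVATION_ACTIONS[a] for a in sorted(actions) if a in ACTIVATION_ACTIONS]
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        flags.append("can draw overlay windows (slide 9)")
    # AlphaAv feature 7: device-admin receiver combined with the SMS-sending permission.
    admin_plus_sms = ("android.app.action.DEVICE_ADMIN_ENABLED" in actions
                      and "android.permission.SEND_SMS" in perms)
    if admin_plus_sms:
        flags.append("device-admin receiver plus SEND_SMS (AlphaAv feature 7)")
    return {"package": root.get("package"), "permissions": perms,
            "receiver_actions": sorted(actions), "admin_plus_send_sms": admin_plus_sms,
            "risk_flags": flags}

# Constructed sample manifests (not taken from any real app).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".Sms">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.clean">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, CLEAN_MANIFEST):
        print(triage_manifest(m))
```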
  • 38. Google Playstore components
    1. Bouncer: tests submitted apps in Google Cloud
    2. Verify Apps: runs on the device. Warns about or blocks installation of harmful apps; continuously scans apps running on the device; kills malware apps remotely.
    3. SafetyNet: privacy-preserving IDS
    4. SafetyNet Attestation: determines if the device is CTS compatible
    5. Android Device Manager: locates a stolen or lost device
    6. Android Update service: delivers updates to the device through the web or OTA
  • 39. Google Playstore
    Vertical monitoring: check whether runtime behaviour differs from upload-time (testing) behaviour.
    Lateral monitoring: how does the same app behave across all the devices?
    A device that fails to perform the periodic “Verify Apps” check after an app install is flagged as DOI (Dead or Insecure).
    The “Verify Apps” service computes a DOI score for each app. All apps should have a DOI score in the same range.
    https://android-developers.googleblog.com/2017/01/findingmalware.html
  • 40. Malware detection tools
    Urlvoid: check if a URL is blacklisted.
    VirusTotal (owned by Alphabet): collaborative platform. Your submitted APK is checked against a large number of malware engines - McAfee, AVG, TrendMicro.
    Koodous: another collaborative platform
  • 41. Resources
    1. Conferences: Blackhat, DefCon, RSA, IEEE Security & Privacy, USENIX Security, ACM. Also see uploaded videos of past conferences.
    2. https://github.com/ashishb/android-security-awesome
  • 42. Malware detection
    Theoretical result by Fred Cohen: the “virus detection” problem can be reduced to the “halting problem”, hence it is undecidable whether a program has a virus. Therefore, anti-virus algorithms are essentially probabilistic.