AndRadar: Fast Discovery of Android Applications in Alternative Markets (PowerPoint presentation)

SLIDE 1

AndRadar: Fast Discovery of Android Applications in Alternative Markets

Martina Lindorfer, Stamatis Volanis, Alessandro Sisto, Matthias Neugschwandtner, Elias Athanasopoulos, Federico Maggi, Christian Platzer, Sotiris Ioannidis, Stefano Zanero

  • Vienna University of Technology
  • Foundation for Research & Technology – Hellas
  • Politecnico di Milano


SLIDE 2

Low infection rates?

Detection of Intrusions and Malware & Vulnerability Assessment, July 2014 1

  • The Core of the Matter (NDSS13): 0.0009%
  • The Company You Keep (WWW14): 0.28%
  • Google: Android Security From The Ground Up (VirusBulletin 2013)

slide-3
SLIDE 3

AV vendors paint a different picture…

  • Fortinet 2014 Threat Landscape Report
  • TrendMicro TrendLabs 1Q 2014 Security Roundup
  • McAfee Labs Threats Report June 2014

SLIDE 4

Motivation

  • How are malicious apps distributed?
    • Official Google Play Store
    • Torrents, One-Click Hosters
    • Websites, Blogs, …
    • Alternative App Markets
  • How wide-spread are malicious apps, how often are they downloaded?
  • Do alternative markets employ security measures?
  • Collect metadata for malware analysis
    • Andrubis, AndroTotal

SLIDE 5

Market Metadata: Google Play

SLIDE 6

Market Metadata: Google Play

SLIDE 7

Outline

  • Market Characterization
  • Android Market Radar (AndRadar)
  • Evaluation and Case Study
  • Future Work and Conclusion

SLIDE 8

Market Characterization

  • Alternative markets are popular because of …
    • Country gaps (e.g. no paid apps in Google Play China)
    • Promotion
    • Specific needs and specialization
  • Preliminary study on 8 alternative marketplaces
    • Crawled them entirely between July and Nov 2013
    • Downloaded 318,515 apps

SLIDE 9

(1) Distribution of Unwanted Apps

Do markets distribute known, unwanted apps?

  • Yes, they do!
  • 5-8% malicious apps in whole dataset (10+ AV detections, excluding adware)
  • Some markets specialize in adware/“madware”

[Figure: percentage of malware on market (10+ AV detections, excluding adware) and percentage of ad-/malware on market, plotted against the number of positive AV detections, for the markets opera, andapponline, camangi, slideme, fdroid, blackmart, getjar and pandapp]

SLIDE 10

(2) Publication of malicious apps

Do markets allow the publication of malicious apps?

  • Yes, they do!
  • Ranking based on number of published apps
  • Well visible and known to market operators
  • Top authors publish both benign and malicious apps

[Figure: top 5 authors per market (andapponline, camangi, opera, pandaapp, slideme) by number of apps published, split into malware and goodware]

SLIDE 11

(3) Distinctive metadata

Do malicious apps have distinctive metadata?

  • Yes, they do!
  • Malicious apps slightly larger than goodware
    → additional malicious code in repackaged apps
  • Malicious apps are downloaded more often
    → inflation of ranking with app rank boosting services

SLIDE 12

(4) Market Overlap

How are markets related to each other?

  • Markets share up to 47% MD5s, 75% package names

[Figure: pairwise market overlap matrix, intersection by MD5 and intersection by package name; the cell values shown range from 12% to 75%]
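The overlap measurement on this slide, as an added example that is not the authors' code: the function below computes the asymmetric overlap of one market's listing with another, once by package name and once by APK MD5, and flags market pairs where names overlap more than hashes. The market listings and hash strings are constructed sample data.

```python
"""Pairwise market overlap by MD5 and by package name (added example, not AndRadar code)."""
from itertools import permutations

# Constructed sample listings: market -> {package name: MD5 of the served APK}.
# The hashes are placeholder strings, not real digests.
MARKETS = {
    "market_a": {"com.example.game": "md5-0001", "com.example.flash": "md5-0002",
                 "com.example.weather": "md5-0003", "com.example.notes": "md5-0004"},
    "market_b": {"com.example.game": "md5-0001", "com.example.flash": "md5-0099",
                 "com.example.weather": "md5-0003", "org.other.tool": "md5-0010"},
    "market_c": {"com.example.game": "md5-0077", "com.example.flash": "md5-0098",
                 "net.third.app": "md5-0020"},
}


def overlap(src, dst, key):
    """Fraction of src's apps that also appear in dst, compared by `key`.

    key="package" compares package names, key="md5" compares APK hashes.
    The measure is asymmetric (|src ∩ dst| / |src|), which is what a
    row-wise overlap matrix shows.
    """
    if key == "package":
        a, b = set(src), set(dst)
    elif key == "md5":
        a, b = set(src.values()), set(dst.values())
    else:
        raise ValueError(f"unknown key {key!r}")
    return len(a & b) / len(a) if a else 0.0


def overlap_matrix(markets, key):
    """{(src, dst): fraction} for every ordered pair of distinct markets."""
    return {(s, d): overlap(markets[s], markets[d], key)
            for s, d in permutations(markets, 2)}


def package_md5_gap(markets):
    """Pairs whose package-name overlap exceeds their MD5 overlap.

    A gap means the markets serve different builds under the same package
    name: exactly the cases (updates, repackaged or re-signed versions) that
    a later matching stage has to tell apart.
    """
    by_pkg = overlap_matrix(markets, "package")
    by_md5 = overlap_matrix(markets, "md5")
    return {pair: round(by_pkg[pair] - by_md5[pair], 3)
            for pair in by_pkg if by_pkg[pair] > by_md5[pair]}


if __name__ == "__main__":
    for pair, gap in sorted(package_md5_gap(MARKETS).items()):
        print(f"{pair[0]} -> {pair[1]}: name overlap exceeds MD5 overlap by {gap:.0%}")
```

Comparing by package name alone overstates how many identical apps two markets share; the MD5 column is the lower bound, and the difference between the two is where repackaging and version drift live.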

SLIDE 13

Outline

  • Market Characterization
  • Android Market Radar (AndRadar)
  • Evaluation and Case Study
  • Future Work and Conclusion

SLIDE 14

AndRadar Design Goals

  • Discover apps in markets in real-time
  • Distribution of apps across markets
  • Increasing space and time requirements
    • Meta information dynamic → regular crawling of apps
    • Crawling of complete markets becomes infeasible
  • Plethora of alternative markets
    • ~196 in October 2011 (Vidas et al. CODASPY13)
    • ~500 in Juniper Threats Report March 2012/2013
    • ~89 in our market study in June 2013

SLIDE 15

AndRadar Architecture

[Figure: AndRadar architecture; components shown: Seed, Search, Downloader, Metadata Scraper, Tracker, App Metadata, Market Specifications]

SLIDE 16

App Discovery

  • Lightweight identifier to select target apps
    • Package name uniquely identifies app on device
    • Package name identifies app in markets
    • Part of an app’s “Branding”

SLIDE 17

App Discovery: AppChina

SLIDE 18

App Discovery: Appszoom

SLIDE 19

App Matching

  • Match downloaded app to malicious app in seed
  • Different levels of confidence based on
    • Package name
    • MD5 hash
    • Fingerprint of developer’s certificate
    • Method signatures

[Figure: matching decision tree for a market app (package a.b.c, hash MD5') against the seed entry (package a.b.c, hash MD5)]
  • MD5 match? Y → perfect match: same application
  • MD5 match? N → fingerprint match?
    • Y → method signature match? Y → very strong match: different version by same author; N → strong match: different application by same author
    • N → method signature match? Y → strong match: repackaged version; N → weak match
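The decision tree above, as an added example that is not AndRadar's own code: a seed entry carries the tuple <Package name, Certificate fingerprint, Method signatures, MD5>, and `classify` walks MD5, then certificate fingerprint, then method signatures to grade the match. The seed entries, fingerprints, method descriptors and MD5 strings are constructed placeholders, and the 0.8 Jaccard threshold used for "method signature match" is an assumption of this example (the slide only names the question).

```python
"""Graded matching of a market app against a malicious-app seed (added example)."""
from dataclasses import dataclass
from enum import Enum


class Match(Enum):
    # Declared from weakest to strongest so list(Match) doubles as a ranking;
    # the order between the two "strong" classes is a choice of this example.
    NONE = "no match: different package name"
    WEAK = "weak match"
    STRONG_REPACKAGED = "strong match: repackaged version"
    STRONG_SAME_AUTHOR = "strong match: different application by same author"
    VERY_STRONG = "very strong match: different version by same author"
    PERFECT = "perfect match: same application"


@dataclass(frozen=True)
class AppEntry:
    """The seed tuple <Package name, Certificate, Method signatures, MD5>."""
    package: str
    cert_fingerprint: str          # fingerprint of the signing certificate
    method_signatures: frozenset   # method descriptors extracted from the DEX
    md5: str                       # hash of the APK file


def signatures_match(seed: AppEntry, market: AppEntry, threshold: float = 0.8) -> bool:
    """Jaccard similarity of the two method-signature sets against a threshold (assumed 0.8)."""
    union = seed.method_signatures | market.method_signatures
    if not union:
        return True
    inter = seed.method_signatures & market.method_signatures
    return len(inter) / len(union) >= threshold


def classify(seed: AppEntry, market: AppEntry) -> Match:
    """Decision tree: package name -> MD5 -> certificate fingerprint -> method signatures."""
    if seed.package != market.package:
        return Match.NONE
    if seed.md5 == market.md5:
        return Match.PERFECT                      # byte-identical APK
    same_author = seed.cert_fingerprint == market.cert_fingerprint
    similar_code = signatures_match(seed, market)
    if same_author:
        return Match.VERY_STRONG if similar_code else Match.STRONG_SAME_AUTHOR
    return Match.STRONG_REPACKAGED if similar_code else Match.WEAK


def best_match(seed_entries, market_app: AppEntry) -> Match:
    """Highest-confidence classification of one market app over the whole seed."""
    ranking = list(Match)
    return max((classify(s, market_app) for s in seed_entries),
               key=ranking.index, default=Match.NONE)


# Constructed sample data: one seed entry and market listings that hit every branch.
SIGS = frozenset({"Lcom/ex/A;->a()V", "Lcom/ex/A;->b(I)V", "Lcom/ex/B;->c()Z",
                  "Lcom/ex/C;->d()V", "Lcom/ex/C;->e()V"})
SEED = [AppEntry("com.example.flash", "cert:AA", SIGS, "md5:seed")]
MARKET_SAMPLES = {
    "same_file":   AppEntry("com.example.flash", "cert:AA", SIGS, "md5:seed"),
    "new_version": AppEntry("com.example.flash", "cert:AA", SIGS | {"Lcom/ex/D;->f()V"}, "md5:v2"),
    "other_app":   AppEntry("com.example.flash", "cert:AA", frozenset({"Lnet/x/Q;->z()V"}), "md5:x"),
    "repackaged":  AppEntry("com.example.flash", "cert:BB", SIGS | {"Lcom/ad/Sdk;->init()V"}, "md5:rp"),
    "name_only":   AppEntry("com.example.flash", "cert:BB", frozenset({"Lnet/y/R;->w()V"}), "md5:y"),
    "unrelated":   AppEntry("com.other.game", "cert:AA", SIGS, "md5:seed"),
}

if __name__ == "__main__":
    for label, app in MARKET_SAMPLES.items():
        print(f"{label:12s} -> {best_match(SEED, app).value}")
```

The package name is only the selector: it decides whether an app is looked at, while the MD5, certificate and method signatures decide how confident the match is. A name-only ("weak") hit is the case to treat with most caution, since anyone can publish under a package name they do not own.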

SLIDE 20

Collected Metadata

  • Continuous monitoring of discovered apps
  • Harvest meta information from market listing
    • Upload date
    • Description
    • Screenshots
    • Number of downloads
    • User ratings
    • Reviews
    • Other apps by the same author
    • Delete date

SLIDE 21

Outline

  • Market Characterization
  • Android Market Radar (AndRadar)
  • Evaluation and Case Study
  • Future Work and Conclusion

SLIDE 22

Overall performance

  • Track tens of thousands of apps per market/day
  • Tracked 20,000 apps/1,500 app deletions

[Figure: match count (log scale, 1 to 1000) for deleted vs. non-deleted apps, by match type: MD5, Fingerprint+Similarity, Similarity, Fingerprint, Package name]

SLIDE 23

Application Lifecycles

  • Normal Lifecycle: market deletes app after it is detected by AVs
  • Market Self-Defense: market deletes app before it is detected by AVs
  • Malware Hopping: app is republished after detection (“failover” strategy)

[Figure: app timeline with first crawl date, tpub (app published in market), tav (app detected by AVs) and tdel (app deleted from market); community reaction time spans tpub to tav, market reaction time spans tav to tdel]
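The three lifecycles and the two reaction times on this slide, as an added example that is not the authors' code. It takes the tracker's per-market observations (publication, first AV detection and deletion dates) and derives community reaction time (tav − tpub), market reaction time (tdel − tav, negative when the market acted first) and the lifecycle label, plus the empirical CDF the next two slides plot. The observation records are constructed sample data; the rule that "malware hopping" means a publication date later than the first AV detection is this example's reading of the slide.

```python
"""Lifecycle classification and reaction times from tracking data (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Observation:
    market: str
    package: str
    t_pub: date               # app published in market (first seen by the tracker)
    t_av: Optional[date]      # app first detected by AVs, None if never
    t_del: Optional[date]     # app deleted from market, None if still listed


def community_reaction_days(o: Observation) -> Optional[int]:
    """Days from publication to first AV detection (None if never detected)."""
    return (o.t_av - o.t_pub).days if o.t_av else None


def market_reaction_days(o: Observation) -> Optional[int]:
    """Days from AV detection to deletion; negative means deleted before detection."""
    if o.t_av is None or o.t_del is None:
        return None
    return (o.t_del - o.t_av).days


def classify_lifecycle(history) -> str:
    """Label one app's history (its Observations across all markets)."""
    first_av = min((o.t_av for o in history if o.t_av), default=None)
    # Malware hopping: (re)published in some market after the app was already flagged.
    if first_av is not None and any(o.t_pub > first_av for o in history):
        return "malware hopping"
    labels = set()
    for o in history:
        r = market_reaction_days(o)
        if r is None:
            labels.add("undetected" if o.t_av is None else "still listed")
        elif r < 0:
            labels.add("market self-defense")
        else:
            labels.add("normal")
    for label in ("market self-defense", "normal", "still listed", "undetected"):
        if label in labels:
            return label
    return "unknown"


def cdf(values):
    """Empirical CDF as sorted (days, fraction) points, like the reaction-time plots."""
    xs = sorted(values)
    return [(x, (i + 1) / len(xs)) for i, x in enumerate(xs)]


def market_reaction_cdf(histories, market):
    """CDF of 'days for deletion' for a single market."""
    days = [market_reaction_days(o) for h in histories.values() for o in h
            if o.market == market and market_reaction_days(o) is not None]
    return cdf(days)


# Constructed sample histories: package -> observations in each market.
HISTORIES = {
    "com.example.flash": [
        Observation("appchina", "com.example.flash", date(2013, 8, 1), date(2013, 8, 20), date(2013, 9, 5)),
        Observation("anzhi", "com.example.flash", date(2013, 10, 1), date(2013, 8, 20), date(2013, 10, 15)),
    ],
    "com.example.game": [
        Observation("google-play", "com.example.game", date(2013, 7, 10), date(2013, 9, 1), date(2013, 8, 15)),
    ],
    "com.example.notes": [
        Observation("appchina", "com.example.notes", date(2013, 7, 5), date(2013, 7, 25), date(2013, 8, 30)),
    ],
}

if __name__ == "__main__":
    for pkg, hist in HISTORIES.items():
        print(f"{pkg}: {classify_lifecycle(hist)}")
    print("appchina days-for-deletion CDF:", market_reaction_cdf(HISTORIES, "appchina"))
```

A negative market reaction time is the interesting signal for a market operator: it means the market's own vetting removed the app before any AV engine had a signature, which is the "self-defense" case the slide distinguishes from the normal lifecycle.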

SLIDE 24

Market Reaction Time

[Figure: CDF of days for deletion (0 to 600 days, CDF 0.5 to 1.0) for google-play, appchina and anzhi]

SLIDE 25

Community Reaction Time

[Figure: CDF of days for detection (0 to 700 days, CDF 0.2 to 1.0) for google-play, appchina and anzhi]

SLIDE 26

Outline

  • Market Characterization
  • Android Market Radar (AndRadar)
  • Evaluation and Case Study
  • Future Work and Conclusion

SLIDE 27

Future Work

  • Automated notification system for markets
  • Extend app discovery in markets based on
    • Application name
    • Image characteristics (icon, screenshots)
    • Description of functionality
  • Versioning of malicious apps
  • Identify fraud in markets (“App rank boosting”)
    • Inflated download numbers
    • Fake ratings and reviews

SLIDE 28

Conclusion

  • In-depth measurement on 8 alternative markets
  • AndRadar to discover malicious apps in real-time
    • Tracking of app distribution across markets
    • Collect metadata about apps
      • Branding
      • Updates
      • Download numbers
      • Ratings & reviews
  • Expose publishing patterns of malware authors
    • “Failover” strategies to migrate between markets

SLIDE 29

Questions?

  • apking@iseclab.org
  • mlindorfer@iseclab.org
  • http://www.iseclab.org/people/mlindorfer

SLIDE 30

Malicious App Seed

  • Feed of known malware or unwanted apps
  • Continuous stream of apps from …
    • Manually vetted malware repository (VirusShare)
    • Submission feed from VirusTotal based on # of AV signatures
    • Submissions to Andrubis based on dynamic analysis result
  • Seed format: APK files
    <Package name, Certificate, Method signatures, MD5>

SLIDE 31

1Mobile

SLIDE 32

Anzhi

SLIDE 33

Aptoide

SLIDE 34

CoolAPK

SLIDE 35

F-Droid

SLIDE 36

Lenovo

SLIDE 37

Moborobo

SLIDE 38

Nduoa

SLIDE 39

SlideME

SLIDE 40

Wandoujia

SLIDE 41

Z-Android
