android malware adventures
play

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc - PowerPoint PPT Presentation

Aug 11, 2023 •349 likes •1.01k views

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

  1. DeepSec IDSC Android Malware Adventures Mert Can Coşkuner Kürşat Oğuzhan Akıncı

  2. Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware Command&Control Introduction Q&A Who We Are? Types of Android Malware Why C2? 1. 1. 1. What We Do? Android Malware in Turkey Automated C2 Extraction 2. 2. 2. (for some samples) Statistics Analysis: How? 3. 3. Exploiting C2s 3. Google Play Store and Bouncer Analysis: Samples in Turkey 4. 4. Bypassing Bouncer Analysis: Anubis 5. 5. Developments in Android Analysis: Cerberus 6. 6.

  3. Android Malware Adventures Who We Are? INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 3 Mert Kürşat Cyber Security Engineer at SecOps Manager at Ministry of Trendyol. (In)frequently Treasury and Finance. blogs at medium as Team Lead at Blackbox Security. @mcoskuner. Hunts mobile Red Team Member at Synack. malware NSA acknowledged bug bounty hunter

  4. Android Malware Adventures What We Do? INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 4 Hunt mobile malware samples ● ● Reverse the sample, develop bypass scripts and yara rules Detect IoCs ● ● Break into C2 server, share the details with TRCert, purge stolen data

  5. Android Malware Adventures Statistics INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 5 Mobile operating system market share among 4.68bn devices 76.24% Android 1. 2. 22.48% iOS 3. 1.28% others

  6. Android Malware Adventures Statistics INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 6 3059 android malware detected per ● day in 2018, 40% more than 2017 ● By the end of June 2019, the number of all known malicious apps had totalled over 94.2 million Why?

  7. Android Malware Adventures Statistics INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 7 Only one in every ten devices has the ● latest Android version 9 - Pie - installed ● Android 8 - Oreo - is being used on 28% of smartphones and tablets 60% of the devices are still using outdated ● versions ● Lacking the latest patches make it easy for hackers to install malware on the device

  8. Android Malware Adventures Statistics INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 8 Cheap devices with pre-installed malware ● are still available in stores ● The malware is invisible to the owner and cannot be deactivated It is not possible to remove the malware ● manually because it is deeply integrated into the firmware

  9. Android Malware Adventures Statistics INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 9 Some vendors and developers distribute ● their apps through alternative sources ● Such alternatives are also a popular gateway for malware developers in order to distribute their work ● Using third party stores to install an application is like walking in a minefield

  10. Android Malware Adventures Google Play Store and Bouncer INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 10 Google introduced Bouncer in Feb 2012 as an anti-malware tool ● ● Only performs dynamic analysis and checks for 5 minutes Only has 1 contact and 2 photos under same account in a simulated device ● ● IP range can be revealed if internet permission is granted to the tested application

  11. Android Malware Adventures Bypassing Bouncer INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 11 Idle for sometime before starting the main activity ● ● Download malicious dex after installation and load externally DexClassLoader ○ ● Implement anti-emulator. Some examples: Known pipes: /dev/socket/qemud, /dev/qemu_pipe ○ ○ Known files: /system/lib/libc_malloc_debug_qemu.so, /sys/qemu_trace, /system/bin/qemu-props ○ Known qemu drivers: goldfish Known geny files: /dev/socket/genyd, /dev/socket/baseband_genyd ○

  12. Android Malware Adventures Developments in Android INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 12 Better storage encryption, Adiantum ● ● Better process isolation and attack surface reduction Better authentication, BiometricPrompt API ● ● Google Play policy changes ○ “We will be removing apps from the Play Store that ask for SMS or Call Log permission and have not submitted a permission declaration form ” ○ “ Device admin has been considered a legacy management approach since Android’s managed device (device owner) and work profile (profile owner) modes were introduced in Android 5.0. … To support this transition and focus our resources toward Android’s current management features, we deprecated device admin for enterprise use in the Android 9.0 release and we’ll remove these functions in the Android 10.0 release. ”

  13. Android Malware Adventures Developments in Android INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 13 Android Q and beyond ● ○ No more monitoring the clipboard in the background Storage permission restrictions ○ ○ System alert window permission is to be removed and replaced by the restricted Bubbles API ○ Restrictions of starting Activity in the background Screen recording restrictions ○ ● Google introduces App Defense Alliance to find potentially harmful applications and stopping them from being published

  14. Android Malware Adventures Developments in Android INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 14 There are a few hidden parts of Android’s framework that aren’t part of the SDK ● ● With Android P , Google was announced that most (not all) hidden functions were no longer available for use to app developers ○ Workaround : Keep your app targeting API 27 (Android 8.1), since the blacklist only applied to apps targeting the latest API

  15. Android Malware Adventures Developments in Android INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 15 With Android P , Google was announced that most (not all) hidden functions were ● no longer available for use to app developers Workaround : Keep your app targeting API 27 (Android 8.1), since the ○ blacklist only applied to apps targeting the latest API Thanks to minimum API requirements for publishing on the Play Store; As of ● November 1, 2019, all app updates to the Play Store must target API 28 or later

  16. Android Malware Adventures Developments in Android INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 16 Thanks to minimum API requirements for publishing on the Play Store; As of ● November 1, 2019, all app updates to the Play Store must target API 28 or later NEW Workaround: Double reflection ○ val forName = Class::class.java.getMethod("forName", String::class.java) val getMethod = Class::class.java.getMethod("getMethod", String::class.java, arrayOf<Class<*>>()::class.java) val hiddenClass = forName.invoke(null, "android.hidden.Class") as Class<*> val hiddenMethod = getMethod.invoke(hiddenClass, "hiddenMethod", String::class.java) hiddenMethod.invoke(null, "cmd")

  17. Android Malware Adventures Types of Android Malware INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 17 Top five 1. Adware 2. Spyware 3. Trojan 4. Ransomware 5. Malicious cryptomining

  18. Android Malware Adventures Android Malware in Turkey INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 18 Top five 1. Adware 2. Spyware 3. Trojan 4. Ransomware 5. Malicious cryptomining

  19. Android Malware Adventures Analysis: How? INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 19 Finding samples Static analysis Dynamic analysis ● Google Play Store ● androwarn ● frida Koodous jeb / cfr / jadx jeb / jdb / gdb ● ● ● ● apklab.io ● apkid ● appmon Threat intelligence feeds ghidra / ida / r2 ● ●

  20. Android Malware Adventures Analysis: Samples Targeting Turkey INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 20 Exobot features 1. Dropper 2. Bankbot a. anti-* techniques i. anti-emulator ii. root detection 1

  21. Android Malware Adventures Analysis: Samples Targeting Turkey INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 21 Exobot features 1. Dropper 2. Bankbot a. anti-* techniques i. anti-emulator ii. root detection 2

  22. Android Malware Adventures Analysis: Samples Targeting Turkey INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 22 Exobot features 1. Dropper 2. Bankbot a. anti-* techniques i. anti-emulator ii. root detection 2

  23. Android Malware Adventures Analysis: Samples Targeting Turkey INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 23 Exobot features Java.perform(function() { 1. Dropper var func = Java.use("mcvndicwuz.myturyaivrmkovzxjp.C0481j") 2. Bankbot func.m2107a.implementation = function(ctx) { a. anti-* techniques var deviceId = “b359081a0a39d06d”; //Random deviceid i. anti-emulator return deviceId ii. root detection } });

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

DATA ANALYSIS OF ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics New Mexico Tech Mentor: Dr. Golden G. Richard III Postdoctoral Researcher: Aisha Ali-Gombe July 26 th 2017 CCT REU 2017 ANDROID

347 views • 10 slides
Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf

648 views • 34 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl @maldr0id Hackito Ergo Sum 2015 Android malware is boring! ukasz Siewierski (@maldr0id) Android malware that wont make you fall asleep 2 / 24

535 views • 34 slides
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico Mariconti , Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, Gianluca Stringhini. NDSS 2017, 28-02-2017 Motivation: Android

1.21k views • 37 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides
Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer Vienna University of

425 views • 31 slides
SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun, Zhiqiang Li, Qiben Yan, Witawas Srisa-an and Yu Pan Department of Computer Science and Engineering University of Nebraska Lincoln Presenters: Yu

999 views • 24 slides
Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang

Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang

Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang (KrCERT/CC, KISA) DeepSEC IDSC 2016 Friday, 11 November 2016 Analysis Team at KrCERT/CC, KISA Mobile malware analyst In Seung, Yang Who am I

1.59k views • 72 slides
AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang Yuanyuan, Li Juanru, Shu Junliang, Li Bodong, Hu Wenjun, Gu Dawu Sudeep Nanjappa Jayakumar Agenda Introduc0on AppSpear Goals,

322 views • 19 slides
DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo

DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo

DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo Suarez-Tangil , Salahuddin Khan, Kimberly Tam, Mansour Ahmadi, Johannes Kinder, and Lorenzo Cavallaro Royal Holloway, University of London

352 views • 33 slides
AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max Wolotsky, Insu Yun, and Taesoo Kim Georgia Institute of Technology, July 27, 2017 Ab About t Us SSLab (@GT) Focusing on s ystem and security

1.25k views • 72 slides
Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad

Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad

Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad Leslous Valrie Viet Triem Tong The LASER Workshop 2016 Learning from Authoritative Security Experiment Results May 26th 2016 N. Kiss &amp; J.-F.

367 views • 18 slides
DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Yan Heng Yin August 10, 2012 1 Android Java Components System Services Native Components Apps 2 Android Java Components

631 views • 33 slides
A static analyzer for PE executables RMLL 2016 Security Track Ivan Kwiatkowski, AMIR

A static analyzer for PE executables RMLL 2016 Security Track Ivan Kwiatkowski, AMIR

A static analyzer for PE executables RMLL 2016 Security Track Ivan Kwiatkowski, AMIR Consulting Project origins Started in Feb. 2014 Annoyance at AV softwares opaque decisions Needed to automate repetitive tasks Overview: A

567 views • 21 slides
Policing Congestion Response in an Internetwork using Re-feedback Bob Briscoe 1,2 Arnaud Jacquet 1

Policing Congestion Response in an Internetwork using Re-feedback Bob Briscoe 1,2 Arnaud Jacquet 1

Policing Congestion Response in an Internetwork using Re-feedback Bob Briscoe 1,2 Arnaud Jacquet 1 , Carla Di Cairano-Gilfedder 1 , Alessandro Salvatori 1,3 , Andrea Soppera 1 &amp; Martin Koyabe 1 1 BT Research, 2 UCL, 3 Eurcom Based on

508 views • 17 slides
Position-Independent Code Analysis Problem Aleksandr Matrosov Eugene Rodionov @matrosov

Position-Independent Code Analysis Problem Aleksandr Matrosov Eugene Rodionov @matrosov

Reconstructing Gapz: Position-Independent Code Analysis Problem Aleksandr Matrosov Eugene Rodionov @matrosov @vxradius Outline of The Presentation Gapz: dropper exploprer.exe code injection trick Gapz: bootkit Classification

1.2k views • 89 slides
Serial chain test of new quad modules September 08, 2017 Aleksandra Dimitrievska , Katherine

Serial chain test of new quad modules September 08, 2017 Aleksandra Dimitrievska , Katherine

Serial chain test of new quad modules September 08, 2017 Aleksandra Dimitrievska , Katherine Dunne, Maurice Garcia-Sciveres, Timon Heim, Simone Pagan Griso Introduction Quad Module Design Data Previous Katies presentation: Acquisition

393 views • 13 slides
More WordGames Introduction to Java Graphics Check out IntroToJavaGraphics from SVN Review of

More WordGames Introduction to Java Graphics Check out IntroToJavaGraphics from SVN Review of

More WordGames Introduction to Java Graphics Check out IntroToJavaGraphics from SVN Review of WordGames Time to work on the rest of WordGames Basics of Java graphics Follow along in your own Eclipse Youll need the examples

472 views • 11 slides
JReFrameworker: One Year Later ben-holland.com (daedared) jreframeworker.com I Derbycon

JReFrameworker: One Year Later ben-holland.com (daedared) jreframeworker.com I Derbycon

JReFrameworker: One Year Later ben-holland.com (daedared) jreframeworker.com I Derbycon Derbycon 3.0: My first con ever! Loved it. Derbycon 4.0: A Bug or Malware? Catastrophic consequences either way. How would you detect the

627 views • 43 slides
Exam 1 Review Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Format

Exam 1 Review Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Format

Exam 1 Review Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Format Fifty minutes No notes Work alone (copying or sharing answers will result in failing the course) Three questions - Multiple choice - Short

297 views • 18 slides
Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev Stuxnet (2009) Organization Core a large .dll file 2 encrypted configuration files Dropper component Core in a stub section

703 views • 43 slides

More recommend