Android Malware Analysis on Attacks and Defense
Android malware Android malware • With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and platforms, malicious applications - mobile malware. • • Threats to users, enterprises, and service providers • Largest proportion of the malware are targeting on Android, mainly due to the dominant market share of Android platform and its open market policy. • However, many of the smarthphone and tablet users have not been aware of the risks of the mobile malware. We introduce the working mechanisms of mobile malware and the defense methods.
Why Why so so many many Android malware? Android malware? • Android is an open source platform where the applications are java based. In contrast with Iphone OS, that someone needs a Macintosh computer, get into developers program, wait to be verified by Apple and pay initial fee just to get started, Android applications are easier to be developed since anyone can download Android SDK and start working on it. • A developer on Android doesn’t need also to pass his applications from any kind of validation program if he is not putting them on the Android market. • A webserver and a link to the application is all what is needed for distribution
Working Principles Working Principles of Mobile of Mobile Malware Malware • An attack of mobile malware usually involves three phases: the infection of a host, accomplishments of its goal, and spread of the attack. • Not all the mobile malware conduct the third phase of attack that is spreading the attack. • The infection phase refers to the infection of a malware into a target device. Users may be infected when downloading a malicious email attachment or visiting a phishing website. • Peer-to-Peer sharing applications, shared links on mobile social networking can also bring malware into your phone. The infection can also occur when the device is synchronizing with PC's or Cloud services.
Android Malware Android Malware Example Example • Once infected, the malware would start to malfunction to accomplish its goal, such as "jailbreaking” or “rooting” the operating system and taking the full control of the operating system, or just disrupting devices' operations (i.e., rebooting device and exhausting device power). • Popular Mobile Malware (malicious software) are:
Spyware Spyware • Once installed on a system they run in background and keep on collecting user’s personal data. These data can include your credit card numbers, passwords, important files and many other personal stuff. • Spywares don’t harm your device in any way. Instead, they attack you! • Spywares can track your keystrokes, scan and read your data, emails, etc.
Trojan Trojan horse horse • Trojan horse is a program that appears useful by pretending to do certain things in foreground, but in reality they are working silently in background with the only objective of harming your device and/or stealing valuable confidential information such as credit card information; • Trojans often create a backdoor that allows your device to be remotely controlled, Trojans don't replicate themselves(virus) — they must be installed by an unwitting user.
Rootkits Rootkits • Rootkit is a malware that is designed by attackers to gain root or administrative access to your computer. Once an attacker gains admin privilege, it becomes a cakewalk for him to exploit your system. • Adware - displays unwanted pop-up ads to gather sensitive data.
Mobile Mobile Malware Detection Malware Detection & Analysis & Analysis • Static analysis: Static analysis is a reverse- engineering analysis approach that finds malicious characteristics code segments in an app without execution. The analysis focus on code flaws or malicious code patterns that have been reported before. • Static analysis breaks apart the malware using reverse engineering tools and techniques in order to re-create the actual code and algorithm that the program was created.
Stat Static ic and and Dynamic Dynamic Malware Analysis Malware Analysis • Dynamic malware analysis checks the behavior of the application/malware as it’s been executed on the system. Most of the times, the use of a virtual machine/device or sandbox is used for this method. • The analyst will simply run the application and look on the system and network logs analyzing the behavior of the malware as it’s executed . • Dynamic analysis involves the execution of the suspicious mobile apps in an isolated sandbox, such as a virtual machine or emulator to monitor and inspect the app’s dynamic behavior .
Static ic Ana nalys ysis is - Tools • apktool – can decode resources to nearly original form and rebuild them after making some modifications • dex2jar – used by translator dex to jar • jd-gui – a standalone graphical utility that displays Java source codes of “.class” file
Dy Dynamic Ana nalys ysis is - Tools • Anubis – can decode resources to nearly original form and rebuild them after making some modifications • CopperDroid – used by dex-translator • VirusT otal – used to check out Anti-Virus results
And ndroidMani anifest.xml .xml • Convert “ AndroidManifest.xml ” from binary format to xml format (by apktool) • First, check out “Permission” • Second, check out interesting “Act ivity, Service, Receiver”
Permission Permission analysis analysis • App Permission analysis: Android security architecture uses permission to protect and detect by permissions in an Android mobile app’s intentions. The permissions are required to be clearly specified by app’s authors. Many malware attacks make use of app’s vulnerability on the permission.
Permi miss ssion • Track your location, steal sms and contracts, and do tapping. • ACCESS_COARSE_LOCATION based on WIFI • ACCESS_FINE_LOCATION based on GPS • CALL_PHONE Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed. • READ_PHONE_STATE Allows read only access to phone state.(ex. phone number)
Static ic Ana nalys ysis is • Decompile – Convert classes.dex to .jar by dex2jar and take a look at it by jd-gui. • Strategy is very simple 1. Examine the “ .MainActivity ”. 2. Follow the piece of the code. Example: http://www.slideshare.net/jongwonkim10/android- malware-analysis
Malware Dataset
Malware Types • Android Malware is on the rise. Android-based malware growing rapidly 400 % ↑ since summer 2010 Q & A Q & A • Malware samples(1260) & families(49) • http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2012.pdf • SMS-Sending: send/register users to premium numbers • Spyware: collect sensitive/private information and upload to remote servers • Destructive Trojans: modify content on the devices • Mobile botnets: receive command from remote Command-and- Control (C&C) servers • Ransomware: steal information and ask for money to get back
How do How do they g they get t et to o our phones? our phones? • Malware installation is driven by three main social engineering-based techniques: • Repackaging • Update attack • Drive-by download • These techniques can be used in combination They require the user intervention
Repackaging Repackaging • Malicious payload is piggybacked into popular apps. Users are then lured to download these infected apps. • Repackaging Locate and download popular apps, Disassemble apps, and enclose malicious payloads • Re-assemble the apps and upload onto official and/or alternative markets Apps used include paid apps, popular game apps, utility apps, security tools, and porn-related apps
Repackaging Repackaging • To hide malicious payload authors use class names that look legitimate: • AnserverBot uses com.sec.android.provider.drm DroidKungFu uses com.google.ssearch and com.google.update • The malware family jSMSHider has used a private key of the AOSP to sign its apps! • Download popular apps -> Disassemble -> Enclose malicious payloads -> Re-assemble->Submit
Update Update Attack Attack • Repackaging techniques put the whole malicious code in the host apps. This might expose them to the risk of being detected. • Update attacks lower this risk by inserting only an update component as payload • This component can be still inserted in a repackaged popular app • Update component -> it download malicious payload
Update Update Attack Attack Exam Examples ples • BaseBridge malware requests the user that a new version of the app is available • The new version contains the malicious payload Note that the updated version is hidden within the main app! • DroidKungFuUpdate is similar to BaseBridge However the malicious payload is download remotely
III. A. 2) Update Attack
Recommend
More recommend
