Android Malware Analysis on Attacks and Defense (PowerPoint presentation)

With the explosive growth of the mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and platforms.


SLIDE 1

Android Malware Analysis on Attacks and Defense

SLIDE 2

Android malware

  • With the explosive growth of the mobile device market and its usage, there is an increasing number of malicious mobile applications (mobile malware) targeting these devices and platforms.
  • They threaten users, enterprises, and service providers.
  • The largest proportion of mobile malware targets Android, mainly because of the platform's dominant market share and its open market policy.
  • However, many smartphone and tablet users are not aware of the risks of mobile malware. We introduce the working mechanisms of mobile malware and the methods to defend against it.

SLIDE 3

Why so much Android malware?

  • Android is an open-source platform whose applications are Java based. In contrast with iPhone OS, where a developer needs a Macintosh computer, must join the developer program, wait to be verified by Apple and pay an initial fee just to get started, Android applications are easier to develop: anyone can download the Android SDK and start working.
  • An Android developer also does not need to pass applications through any kind of validation program if they are not published on the Android Market.
  • A web server and a link to the APK file are all that is needed for distribution.

SLIDE 4

Working Principles of Mobile Malware

  • An attack by mobile malware usually involves three phases: infection of a host, accomplishment of its goal, and spread of the attack.
  • Not all mobile malware conducts the third phase, spreading the attack.
  • The infection phase refers to the installation of the malware on a target device. Users may be infected when opening a malicious email attachment or visiting a phishing website.
  • Peer-to-peer sharing applications and links shared on mobile social networks can also bring malware onto the phone. Infection can also occur when the device synchronizes with a PC or a cloud service.

SLIDE 5

Android Malware Example

  • Once the device is infected, the malware starts working towards its goal, such as "jailbreaking" or "rooting" the operating system to take full control of it, or simply disrupting the device's operation (e.g., rebooting the device or exhausting its battery).
  • Popular types of mobile malware (malicious software) are:
SLIDE 6

Spyware

  • Once installed on a system, spyware runs in the background and keeps collecting the user's personal data. This data can include credit card numbers, passwords, important files and much other personal information.
  • Spyware does not harm the device in any way. Instead, it attacks you!
  • Spyware can log your keystrokes, and scan and read your data, emails, etc.

SLIDE 7

Trojan horse

  • A Trojan horse is a program that appears useful by pretending to do certain things in the foreground, while in reality it works silently in the background with the sole objective of harming the device and/or stealing valuable confidential information, such as credit card details.
  • Trojans often create a backdoor that allows the device to be controlled remotely. Unlike viruses, Trojans do not replicate themselves; they must be installed by an unwitting user.

SLIDE 8

Rootkits

  • A rootkit is malware designed by attackers to gain root or administrative access to the device. Once an attacker gains admin privileges, it becomes a cakewalk for them to exploit the system.
  • Adware displays unwanted pop-up ads and may gather sensitive data.

SLIDE 9

Mobile Malware Detection & Analysis

  • Static analysis: a reverse-engineering approach that finds malicious characteristics and code segments in an app without executing it. The analysis focuses on code flaws or malicious code patterns that have been reported before.
  • Static analysis breaks the malware apart using reverse-engineering tools and techniques in order to re-create the actual code and the algorithm from which the program was built.

SLIDE 10

Static and Dynamic Malware Analysis

  • Dynamic malware analysis checks the behavior of the application/malware as it is executed on the system. Most of the time a virtual machine/device or sandbox is used for this method.
  • The analyst simply runs the application and looks at the system and network logs, analyzing the behavior of the malware as it executes.
  • Dynamic analysis therefore involves executing the suspicious mobile app in an isolated sandbox, such as a virtual machine or emulator, to monitor and inspect the app's runtime behavior.

SLIDE 11

Static Analysis - Tools

  • apktool

– decodes an APK's resources (including the binary AndroidManifest.xml) to nearly original form and can rebuild the APK after modifications

  • dex2jar

– translates the Dalvik bytecode in classes.dex into a .jar of Java .class files

  • jd-gui

– a standalone graphical utility that displays the Java source code of ".class" files

SLIDE 12

Dynamic Analysis - Tools

  • Anubis

– an online sandbox that runs a submitted APK in an emulator and reports the behavior it observes

  • CopperDroid

– a dynamic analysis system that reconstructs an app's behavior from the system calls it makes while running in an emulator

  • VirusTotal

– used to check the verdicts of many anti-virus engines on a sample

SLIDE 13

AndroidManifest.xml

  • Convert "AndroidManifest.xml" from the binary (compiled) format to readable XML (with apktool)
  • First, check the requested permissions
  • Second, check for interesting Activity, Service and Receiver components

SLIDE 14

Permission analysis

  • App permission analysis: Android's security architecture uses permissions both to protect resources and to make an app's intentions visible, because every permission an app needs must be declared explicitly by the app's authors in its manifest. Many malware attacks rely on users granting these permissions without scrutiny.

SLIDE 15

Permission

  • Permissions let an app track your location, steal SMS messages and contacts, and eavesdrop.
  • ACCESS_COARSE_LOCATION: approximate location based on Wi-Fi and cell towers
  • ACCESS_FINE_LOCATION: precise location based on GPS
  • CALL_PHONE: allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.
  • READ_PHONE_STATE: allows read-only access to phone state (e.g. the phone number)
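As an added example, not part of the original slides, the following Python script performs the manifest triage described on slides 13 to 15 over a decoded AndroidManifest.xml such as apktool produces: it lists the requested permissions, flags the ones that grant location, SMS, call and phone-identity access, finds the launcher activity to start reading from, and lists the declared components. The sample manifest (a hypothetical "flashlight" app), the package name and the table of risky permissions are assumptions constructed for this example, not taken from any real sample.

```python
import xml.etree.ElementTree as ET

# Namespace used for every android:* attribute in a decoded AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions worth a second look during triage and what they let an app do.
# Assumed table for this example; extend it to taste.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location (Wi-Fi/cell)",
    "android.permission.ACCESS_FINE_LOCATION": "precise location (GPS)",
    "android.permission.CALL_PHONE": "place calls without the dialer UI",
    "android.permission.READ_PHONE_STATE": "phone number, IMEI, call state",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "see incoming SMS before the user",
    "android.permission.SEND_SMS": "send SMS in the background (premium-rate fraud)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
    "android.permission.INTERNET": "network channel for exfiltration / C&C",
}

# Constructed manifest of a hypothetical "flashlight" app that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name="com.google.update.UpdateService"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:<name> attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def parse_manifest(xml_text):
    """Return package name, requested permissions and declared components."""
    root = ET.fromstring(xml_text)
    permissions = [android_attr(e, "name") for e in root.findall("uses-permission")]
    components = {"activity": [], "service": [], "receiver": []}
    app = root.find("application")
    if app is not None:
        for kind in components:
            components[kind] = [android_attr(c, "name") for c in app.findall(kind)]
    return {"package": root.get("package"), "permissions": permissions, "components": components}


def launcher_activity(xml_text):
    """Find the activity started from the app icon (ACTION_MAIN + CATEGORY_LAUNCHER)."""
    root = ET.fromstring(xml_text)
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {android_attr(a, "name") for a in flt.findall("action")}
            categories = {android_attr(c, "name") for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
                return android_attr(activity, "name")
    return None


def triage(xml_text):
    """Permission-based first pass: what can this app do, and where do we start reading?"""
    info = parse_manifest(xml_text)
    granted = set(info["permissions"])
    risky = {p: RISKY_PERMISSIONS[p] for p in info["permissions"] if p in RISKY_PERMISSIONS}
    # SEND_SMS together with RECEIVE_SMS is the profile of a premium-SMS trojan that also
    # wants to hide the carrier's confirmation or reply messages from the user.
    sms_trojan_profile = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= granted
    return {
        "package": info["package"],
        "start_reading_at": launcher_activity(xml_text),
        "risky_permissions": risky,
        "sms_trojan_profile": sms_trojan_profile,
        "components": info["components"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print("package:", result["package"])
    print("launcher activity:", result["start_reading_at"])
    for perm, why in result["risky_permissions"].items():
        print(f"  {perm:50} {why}")
    print("SMS trojan profile:", result["sms_trojan_profile"])
    print("components:", result["components"])
```

A flashlight has no business sending or receiving SMS, so the report on this sample points straight at the .SmsReceiver and the service named after Google's package space; that is the "follow the code" starting point of slide 16.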

SLIDE 16

Static Analysis

  • Decompile

– Convert classes.dex to a .jar with dex2jar and inspect it in jd-gui.

  • The strategy is very simple:
  • 1. Examine the ".MainActivity" (the activity launched from the app icon).
  • 2. Follow the code from there.

Example: http://www.slideshare.net/jongwonkim10/android-malware-analysis

SLIDE 17

Malware Dataset

SLIDE 18

SLIDE 19

Q & A

Malware Types

  • Android malware is on the rise: Android-based malware has grown rapidly, up 400% since summer 2010.
  • Malware samples (1260) & families (49)
  • http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2012.pdf
  • SMS-sending: send messages to, or register users with, premium-rate numbers
  • Spyware: collect sensitive/private information and upload it to remote servers
  • Destructive Trojans: modify content on the device
  • Mobile botnets: receive commands from remote Command-and-Control (C&C) servers
  • Ransomware: steal or lock information and ask for money to give it back

SLIDE 20

How do they get to our phones?

  • Malware installation is driven by three main social-engineering-based techniques:
  • Repackaging
  • Update attack
  • Drive-by download
  • These techniques can be used in combination.

They all require user intervention.

SLIDE 21

Repackaging

  • The malicious payload is piggybacked into popular apps. Users are then lured into downloading these infected apps.
  • Repackaging: locate and download popular apps, disassemble them, and enclose the malicious payload.
  • Re-assemble the apps and upload them onto official and/or alternative markets. Apps used include paid apps, popular games, utility apps, security tools, and porn-related apps.

SLIDE 22

Repackaging

  • To hide the malicious payload, authors use class names that look legitimate:
  • AnserverBot uses com.sec.android.provider.drm; DroidKungFu uses com.google.ssearch and com.google.update
  • The malware family jSMSHider has used a private key of the AOSP to sign its apps! (That key ships publicly with the AOSP source and was used by some custom ROMs as their platform key, so on those ROMs the malware is trusted like a system app.)
  • Download popular apps -> Disassemble -> Enclose malicious payloads -> Re-assemble -> Submit

SLIDE 23

Update Attack

  • Repackaging puts the whole malicious code in the host app. This exposes it to the risk of being detected.
  • Update attacks lower this risk by inserting only an update component as the payload.
  • This component can still be inserted in a repackaged popular app.
  • Update component -> downloads the malicious payload at runtime
SLIDE 24

Update Attack Examples

  • BaseBridge malware prompts the user that a new version of the app is available.
  • The "new version" contains the malicious payload. Note that the updated version is hidden within the main app itself!
  • DroidKungFuUpdate is similar to BaseBridge. However, the malicious payload is downloaded remotely.

SLIDE 25

SLIDE 26

III. A. 2) Update Attack
SLIDE 27

Drive-by Download

  • Similar to the technique used on PCs through browsers: lure the user into clicking a link to download some cool stuff! However, Android malware does not need the browser to perform this attack.
  • GGTracker uses an in-app advertisement. When the user clicks a special link on the advertisement, it redirects to a malicious website.
  • The website claims to analyze the phone's battery to improve its performance. Instead, a malicious payload is downloaded that registers the user with a premium-rate service without the user's consent.

SLIDE 28

Drive-by Download

  • Jifake uses a technique similar to GGTracker. Instead of a link in an advert it uses a QR code. The code downloads a repackaged ICQ client; once installed it sends SMS messages to premium numbers.
  • Spitmo and ZitMo are mobile variants of the SpyEye and Zeus PC banking malware.
  • While the user is doing online banking on an infected PC, a link prompts the user to download a smartphone app that will supposedly better protect online banking activities.
  • Such malware collects banking credentials, including the SMS transaction codes the bank sends to the phone.
SLIDE 29

III. A. 3) Drive-by Download

Enticing users to download "interesting" or "feature-rich" apps. For example:

GGTracker: in-app advertisement link
Jifake: QR code
Spitmo and ZitMo: ported versions of nefarious PC malware (SpyEye, Zeus)

SLIDE 30

III. B. Activation

Using system event messages, for example:

BOOT_COMPLETED, SMS_RECEIVED, ACTION_MAIN

SLIDE 31

Spyware

Other attack vectors:
  • Apps that openly declare themselves as spyware (no need to hide!)
  • Apps that masquerade as legitimate apps but then perform malicious actions
  • Apps that provide the functionality claimed plus perform malicious actions
  • Apps that rely on root exploits to gain root privileges

SLIDE 32

Malware Activation

Once the malware is installed, it listens for system events to start its malicious activity. BOOT_COMPLETED and SMS_RECEIVED are the most common. Malware also hijacks events to substitute the legitimate app's activity with the malicious one, e.g. ACTION_MAIN, fired when the user taps the app icon.

SLIDE 33

Malicious Payloads

  • Privilege escalation (root exploits)
  • Remote control (e.g. C&C servers hosted on Amazon cloud or a public blog)
  • Financial charges (premium-rate services)
  • Information collection (SMS messages, phone numbers, user accounts)

SLIDE 34

Attack Types: Financial charges

  – SMS Trojan
  – Communication with C&C servers: botnets
  – Information stealing: spyware/ransomware/destructive Trojan
  – Rootkit exploit

  • One of the main reasons behind these attacks is monetary gain: subscription to premium SMS services that are often owned by the malware authors.
  • They use the SEND_SMS permission and the SmsManager.sendTextMessage() API, which lets an app send SMS messages in the background (no user in the loop).

SLIDE 35

Financial Charges

  • FakePlayer uses a hard-coded message, "798657", and sends it to several premium numbers in Russia.
  • GGTracker automatically signs users up to premium-rate services in the US. Malware can also download the premium numbers from the C&C server, so that no number appears in the code, to avoid detection.

SLIDE 36

Hijacking

  • Hijacking confirmations: in China, registration to a premium service requires a second confirmation SMS.
  • To avoid the user being notified, the malware requests the RECEIVE_SMS permission and registers a broadcast receiver for SMS_RECEIVED with the highest priority, so it sees the message first and can abort the broadcast before the messaging app gets it.
  • When the confirmation SMS arrives it is hijacked, and a reply is sent with the activation code.
  • The code can also be delivered by the C&C server.
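The receiver-priority trick on this slide, and the BOOT_COMPLETED / SMS_RECEIVED activation described on slides 30 and 32, leave a visible trace in the manifest. As an added example that is not part of the original slides, the following Python code scans a decoded AndroidManifest.xml for receivers hooked on those system events and reports the priority each one claims. The sample manifest is constructed, and the priority threshold is an assumption: Android documents 1000 as the system-high value, but legitimate SMS apps also register high-priority receivers, so this is a triage signal, not a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# System broadcasts malware commonly hooks to activate itself.
ACTIVATION_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "runs at boot",
    "android.provider.Telephony.SMS_RECEIVED": "sees incoming SMS",
}

# SMS_RECEIVED is an ordered broadcast: the receiver with the highest android:priority
# runs first and may call abortBroadcast() so the stock messaging app never sees the
# message. 1000 is the documented system-high value; anything at or above it is
# worth a look (threshold assumed for this example).
SUSPICIOUS_PRIORITY = 1000

# Constructed manifest with a boot receiver, an SMS hijacker and an unrelated widget receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
    <application>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsHijacker">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".Widget">
            <intent-filter>
                <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:<name> attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def activation_receivers(xml_text):
    """List every receiver hooked on an activation event, with the priority it claims."""
    root = ET.fromstring(xml_text)
    hits = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            # A missing android:priority means the default of 0.
            priority = int(android_attr(flt, "priority") or 0)
            for action in flt.findall("action"):
                name = android_attr(action, "name")
                if name in ACTIVATION_ACTIONS:
                    hits.append({
                        "receiver": android_attr(receiver, "name"),
                        "action": name,
                        "priority": priority,
                        "sms_hijack": name.endswith("SMS_RECEIVED") and priority >= SUSPICIOUS_PRIORITY,
                    })
    return hits


def hijackers(xml_text):
    """Names of receivers that match the confirmation-SMS hijacking pattern."""
    return [h["receiver"] for h in activation_receivers(xml_text) if h["sms_hijack"]]


if __name__ == "__main__":
    for hit in activation_receivers(SAMPLE_MANIFEST):
        flag = "  <-- SMS hijack pattern" if hit["sms_hijack"] else ""
        print(f'{hit["receiver"]:16} {hit["action"]:42} priority={hit["priority"]}{flag}')
```

The widget receiver is ignored because its action is not an activation event; the boot receiver is reported but not flagged, since starting at boot is also what a benign background service does. Only the SMS receiver that claims Integer.MAX_VALUE priority matches the pattern on this slide.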
SLIDE 37

Information Stealing

  • Malware also collects information from the device: SMS messages, phone numbers, user account numbers.
  • SndApps collects email addresses.
  • FakeNetflix collects the user name and password of Netflix users.
  • Once the data is collected, it is sent to the C&C servers.

SLIDE 38

Root-kit Exploit

  • Android has a Linux kernel at its core and many open-source libraries.
  • Some vulnerabilities can be exploited to gain root privileges.
  • These exploits are publicly available.
  • Recently, malware started to encrypt these exploits and store them as app asset files.
  • Obfuscation techniques are also used: store the file and then change its extension (e.g. to .jpeg).
  • At runtime the exploits are recovered (decrypted) and then executed. This makes detection much more difficult.
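As an added example, not from the slides, the following Python code checks an app's asset files for the two disguises this slide describes: a file whose extension says .jpeg but whose bytes start with an ELF header, and a file that carries no recognisable header and is almost uniformly random, which is what an encrypted exploit binary looks like. The asset bytes are constructed here; the magic-number table and the entropy threshold are assumptions for the example.

```python
import math
from collections import Counter

# Leading bytes ("magic numbers") of file types an analyst meets inside assets/ and lib/.
# Assumed table for this example, not exhaustive.
MAGIC = {
    b"\x7fELF": "ELF executable",
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"PK\x03\x04": "ZIP/APK/JAR",
    b"dex\n": "DEX bytecode",
}

# What each extension promises the content to be.
EXPECTED_BY_EXT = {
    ".jpeg": "JPEG", ".jpg": "JPEG", ".png": "PNG",
    ".zip": "ZIP/APK/JAR", ".jar": "ZIP/APK/JAR", ".so": "ELF executable",
}

# Bits per byte above which data looks encrypted or compressed (assumed threshold).
HIGH_ENTROPY = 7.5

# Constructed assets: a disguised ELF, a genuine JPEG header, an "encrypted" blob, plain XML.
SAMPLE_ASSETS = {
    "logo.jpeg": b"\x7fELF\x01\x01\x01\x00" + bytes(120),
    "background.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(64)),
    # Every byte value equally likely: stands in for an encrypted exploit (8.0 bits/byte).
    "data.png": bytes(range(256)) * 16,
    "strings.xml": b'<resources><string name="app">Flashlight</string></resources>',
}


def identify(data):
    """Return the file type implied by the leading bytes, or None if unrecognised."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_asset(name, data):
    """Flag extension/content mismatches and headerless high-entropy blobs."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    actual = identify(data)
    expected = EXPECTED_BY_EXT.get(ext)
    entropy = shannon_entropy(data)
    flags = []
    if expected and actual and actual != expected:
        flags.append(f"magic mismatch: {ext} file is really {actual}")
    elif expected and actual is None:
        flags.append(f"magic mismatch: {ext} file has no {expected} header")
    # Genuine images and archives are high-entropy too, so only a blob with no recognisable
    # header is reported as a possible encrypted payload.
    if actual is None and entropy >= HIGH_ENTROPY:
        flags.append(f"high entropy ({entropy:.2f} bits/byte) without a known header: possibly encrypted payload")
    return {"type": actual, "entropy": round(entropy, 2), "flags": flags}


def scan_assets(assets):
    """Map asset name -> flags, keeping only assets that raised at least one flag."""
    report = {}
    for name, data in assets.items():
        flags = inspect_asset(name, data)["flags"]
        if flags:
            report[name] = flags
    return report


if __name__ == "__main__":
    for name, flags in scan_assets(SAMPLE_ASSETS).items():
        print(name)
        for flag in flags:
            print("   -", flag)
```

Run against a real APK, the same checks would be applied to every entry under assets/ and res/raw/ after unzipping it. The entropy test on its own would flag every real image, which is why it is gated on the absence of a known header; an analyst then pulls the flagged blob and looks for the decryption routine in the code that reads it.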

SLIDE 39

Droidbox (Dynamic analysis)

  • An Android application sandbox for dynamic analysis: "the sandbox will utilize static pre-check, dynamic taint analysis and API monitoring."
  • "Data leaks can be detected by tainting sensitive data and placing taint sinks throughout the API. Additionally, by logging relevant API function parameters and return values, a potential malware can be discovered and reported for further analysis."

Source: http://www.honeynet.org/gsoc/slot5
Code: http://code.google.com/p/droidbox/

SLIDE 40

Prevention

Prevent mobile malware attacks:

  • Antivirus: the first and foremost step is to install antivirus software on the Android device and run a complete scan of installed applications, data, settings, and media files for any infections.
  • Monitoring of battery usage and network: the device should be closely examined for battery usage and network status. Unusual network usage or battery drain may indicate a malware-infected app on the device.

SLIDE 41

  • Device settings: check for any suspicious behavior in the device settings. The best example is when you turn off Wi-Fi, 3G, GPS etc. and they turn on again automatically without the user's knowledge or consent. A possible reason is that an infected app has changed the device settings.
  • Instability of the device: if the device hangs, slows down overall, or reboots frequently, there may be malware on the device, unless there is a problem with the hardware components.

SLIDE 42

  • Look for dodgy applications: review each installed app on the device by comparing the application's name and developer with its listing in the Google Android Market.
  • Ensure that the device is protected from attacks and suspicious events by installing a good mobile security application.
  • Do not install APK files directly from SD cards or USB devices. You do not know what an APK file will do until you have already run it; sideloading should be left to skilled Android developers. Check that an APK is signed by the developer you expect, bearing in mind that a signature only identifies the signer and does not guarantee that the app is safe.

SLIDE 43

  • Accept and download applications only from trusted and official application providers. Do not download from unsecured or untrusted third-party sites.
  • Thoroughly read the reviews of an application before installing it.
  • Read all the permissions requested during installation when the application prompts for them. If you find anything suspicious in what an application requests, do not install it.
  • Bluetooth, Wi-Fi and infrared should be turned off when not in use. Connect only to public Wi-Fi networks you trust; when you must use public Wi-Fi, enable the firewall and disable sharing.

SLIDE 44

  • All applications should be kept up to date, and the firmware should be updated when updates are available.
  • Confidential data stored on the device should be encrypted and backed up regularly. Sensitive information should not be cached locally.
  • Monitor the battery status, SMS, and call charges.
  • The Android OS should be kept up to date with the latest releases and patches.