

1. Andrubis – 1,000,000 Apps Later
A View on Current Android Malware Behaviors
Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer
Vienna University of Technology; University of California, Santa Barbara; VU University Amsterdam

2. Android Malware Pandemic?
TrendMicro: The Mobile Landscape Roundup 1H 2014
McAfee Labs Threats Report June 2014
Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014

3. Enter Sandbox

4. Enter Sandbox

5. Our Contributions
• Take advantage of our existing Anubis infrastructure
• Build an Android analysis sandbox that …
  - is suitable for large-scale analysis
  - allows us to collect a comprehensive dataset of Android malware and goodware
  - can be easily integrated into other tools and services
  - is publicly available
    § As a web service: https://anubis.iseclab.org
    § For batch submissions via API: http://anubis.iseclab.org/Resources/submit_to_anubis.py
    § As a mobile app: https://play.google.com/store/apps/details?id=org.iseclab.andrubis

6. Outline
• Andrubis System Overview
• Andrubis As A Service
• Android Malware Landscape
• Future Work and Conclusion

7. System Overview
[Architecture diagram; labels recovered from the slide: APK File; Static Analysis; Dynamic Analysis (Emulator, Android OS, Dalvik VM); Auxiliary Analysis (Network Protocols, …); Analysis Report]

8. Public Analysis Features
• Static Analysis
  - Parse meta information from Android manifest
    § Requested permissions
    § Activities
    § Services
    § Registered Broadcast Receivers
  - Extract available methods from bytecode
    § Used permissions
    § Use of DEX and native code loading
  - Useful during stimulation
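The static step on this slide, as an added example that is not Andrubis code: it pulls the listed meta information out of a decoded AndroidManifest.xml (requested permissions, activities, services, receivers and the intent actions they register for, plus sharedUserId and minSdkVersion), and scans the method references found in the bytecode for DEX loading, native library loading and reflection. The manifest, the method list and the loader table below are constructed for the example; the API level cutoff is the one slide 14 states for Andrubis, everything else (names, grouping, thresholds) is this example's own assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Constructed sample manifest, already decoded to text (real APKs ship it as
# Android binary XML; aapt or apktool dump it to this form).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample" android:sharedUserId="android.uid.system">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed method references in Dalvik descriptor form (class;->method).
SAMPLE_METHOD_REFS = [
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Ldalvik/system/DexClassLoader;-><init>",
    "Ljava/lang/System;->loadLibrary",
    "Ljava/lang/reflect/Method;->invoke",
    "Landroid/app/Activity;->onCreate",
]

# Call sites that pull code in at run time instead of shipping it in
# classes.dex. The prefixes and the grouping are this example's assumption.
CODE_LOADING_PREFIXES = {
    "Ldalvik/system/DexClassLoader;": "dex",
    "Ldalvik/system/PathClassLoader;": "dex",
    "Ljava/lang/System;->load": "native",        # covers load and loadLibrary
    "Ljava/lang/Runtime;->load": "native",
    "Ljava/lang/reflect/Method;->invoke": "reflection",
}

MAX_SUPPORTED_API = 10  # Andrubis supports API level <= 10 (Gingerbread)


def parse_manifest(xml_text):
    """Extract the meta information the slide lists, plus a sandbox-fit flag."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")

    def names(tag):
        return [attr(e, "name") for e in app.iter(tag)] if app is not None else []

    actions = set()
    if app is not None:
        for recv in app.iter("receiver"):
            actions.update(attr(a, "name") for a in recv.iter("action"))

    min_sdk = int(attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    return {
        "package": root.get("package"),
        "shared_user_id": attr(root, "sharedUserId"),
        "min_sdk": min_sdk,
        "runs_in_sandbox": min_sdk <= MAX_SUPPORTED_API,
        "permissions": sorted(attr(e, "name") for e in root.iter("uses-permission")),
        "activities": names("activity"),
        "services": names("service"),
        "receivers": names("receiver"),
        "receiver_actions": sorted(actions),
    }


def detect_code_loading(method_refs):
    """Return the kinds of run-time code loading referenced by the bytecode."""
    kinds = set()
    for ref in method_refs:
        for prefix, kind in CODE_LOADING_PREFIXES.items():
            if ref.startswith(prefix):
                kinds.add(kind)
    return sorted(kinds)


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(info)
    print("code loading:", detect_code_loading(SAMPLE_METHOD_REFS))
```

A sharedUserId of android.uid.system is worth surfacing at this stage because the installer only honours it when the app is signed with the platform key; seeing it requested by an unknown app is a cheap triage signal, and the receiver actions tell the stimulation step which events (here a boot and an incoming SMS) are worth simulating.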

9. Public Analysis Features
• Dynamic Analysis
  - Run app in QEMU-based environment
  - Instrumented Dalvik VM
    § Log file system, network, phone (calls & SMS), crypto and dynamic code loading activity
  - Taint tracking to identify data leaks
  - Stimulation
    § Invoke all Activities, Services and Broadcast Receivers
    § Simulate common events (e.g. SMS receipt)
    § Application Exerciser Monkey
• Auxiliary Analysis
  - Network capture outside QEMU
  - Extraction of high-level network protocol features

10. Advanced Analysis Features
• Method Tracing
  - Extension of the Dalvik VM profiler
  - Outputs list of executed methods
  - Use Cases:
    § Basic code coverage computation
    § Permissions actually used during dynamic analysis
    § Behavioral signatures and classification
• System-Level Analysis
  - QEMU VMI
  - Outputs list of executed system calls
  - Use Cases:
    § Analysis of native libraries, e.g. root exploits

11. Outline
• Andrubis System Overview
• Andrubis As A Service
• Android Malware Landscape
• Future Work and Conclusion

12. Submission Statistics
• Online since June 2012
• 1,778,997 submissions
  - 95.82% from bulk submitters
• 1,034,999 unique apps
  - 5% of total samples submitted to An(dr)ubis
• Throughput of 3,500 apps per day

13. [Figure slide, no text]

14. Deployment Considerations
• OS version = trade-off between running …
  - Old version to observe root exploits
  - New version to analyze current apps
• Maintenance effort of constant updates
  - Focus on implementing new features instead
• Andrubis supports API level ≤ 10 (Gingerbread)
• Unsupported API level mainly a concern for GW:
  - 2.11% of benign apps with API level > 10
  - 0.10% of malicious apps with API level > 10
  - Maximize potential “user base” of malware

15. Our Dataset
• Samples from a variety of sources
  - Google Play and alternative market crawls (AndRadar)
    § Main distribution vector for Android apps
  - Torrents & Direct Downloads
  - Sample exchange with other researchers
  - VirusTotal
  - Malware Corpora
    § Genome Project, Contagio, Drebin
  - Anonymous submissions
• Comparison to other tools
  - Based on public malware corpora (mostly outdated)
  - (Subset of) our dataset

16. Sample Age by Source
[Figure slide]

17. Outline
• Andrubis System Overview
• Andrubis As A Service
• Android Malware Landscape
• Future Work and Conclusion

18. Dataset Classification
• No ground truth for majority of samples
  - Besides public malware corpora
• Andrubis itself performs no classification
  - Although we are experimenting with machine-learning approaches
• We rely on AV labels for this evaluation
  - Goodware: 27.90%
  - Malware: 41.15%
  - Unlabeled: 30.95%
• Unlabeled set contains mainly adware
  - Also possible false positives
• Very inconsistent AV labeling
  - Found even a Google app labeled as MW by AVs

19. Dataset by Release Date
• Based on four dates:
  - Last modification date of the APK file (ZIP header)
  - Release date of the minimum required SDK
  - Publication date in alternative markets/Google Play
  - First submission date to Andrubis

20. Key Observations
• Trends in MW/GW development from 2010-2014
• Static analysis alone becomes increasingly difficult
  - Ubiquitous use of reflection, especially in GW
  - Increasing use of dynamic code loading
• Common assumptions about MW/GW:
  - Malicious apps request more permissions than benign apps, but use fewer of them
  - Dynamic code loading is an indicator for malware

21. Requested/Used Permissions
• MW requests 12.99 permissions, uses 5.31 of them
• GW requests 5.85 permissions, uses 4.50 of them
• Requested permissions increased for both
• Decreased permission usage ratio
  - Only 13.38% in GW in 2014
  - Side-effect of dynamic code loading
  - Bad development practices
• Numbers based on static extraction of used permissions
  - Permissions used during dynamic analysis from method tracer logs
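How the requested/used ratio on this slide is computed, and why dynamic code loading depresses the static number, as an added example that is not Andrubis code: the requested set comes from the manifest, the statically used set from API references in the shipped bytecode, and the dynamically used set from method tracer output of the kind slide 10 describes. The API-to-permission table, the method references, the trace format and the trace lines are all constructed for the example (the real mapping is far larger); the constructed app loads the SMS-sending code at run time, so that permission is invisible to the static count but shows up in the trace.

```python
# Constructed: API method (Dalvik descriptor) -> permission it requires.
# A real mapping (e.g. the ones Andrubis or PScout-style tools use) is much
# larger; this table exists only to make the example run.
API_PERMISSION_MAP = {
    "Landroid/telephony/SmsManager;->sendTextMessage": "android.permission.SEND_SMS",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "android.permission.READ_PHONE_STATE",
    "Landroid/location/LocationManager;->getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "Ljava/net/URL;->openConnection": "android.permission.INTERNET",
    "Landroid/hardware/Camera;->open": "android.permission.CAMERA",
}

# Constructed: permissions declared in the sample app's manifest.
REQUESTED = {
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
}

# Constructed: method references present in the shipped classes.dex. The
# SmsManager call is absent because, in this sample, it lives in a DEX file
# the app loads at run time.
STATIC_METHOD_REFS = [
    "Lcom/example/sample/MainActivity;->onCreate",
    "Ljava/net/URL;->openConnection",
    "Landroid/telephony/TelephonyManager;->getDeviceId",
    "Ldalvik/system/DexClassLoader;->loadClass",
]

# Constructed method trace: "<seconds> <thread id> <method>" per line. The
# column layout is this example's assumption, not the Andrubis tracer format.
SAMPLE_TRACE = """\
0.012 1 Lcom/example/sample/MainActivity;->onCreate
0.340 1 Ljava/net/URL;->openConnection
0.355 7 Landroid/telephony/TelephonyManager;->getDeviceId
0.401 7 Ldalvik/system/DexClassLoader;->loadClass
0.402 7 Landroid/telephony/SmsManager;->sendTextMessage
0.403 7 Landroid/telephony/SmsManager;->sendTextMessage
"""


def parse_trace(trace_text):
    """Return the executed methods from a trace, skipping malformed lines."""
    methods = []
    for line in trace_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            methods.append(fields[2])
    return methods


def permissions_for(methods, api_map=API_PERMISSION_MAP):
    """Map a set of invoked/referenced API methods to the permissions they need."""
    return {api_map[m] for m in methods if m in api_map}


def usage_report(requested, static_refs, trace_text):
    """Requested vs. used permissions, counted statically and dynamically."""
    static_used = permissions_for(static_refs) & requested
    dynamic_used = permissions_for(parse_trace(trace_text)) & requested
    n = len(requested)
    ratio = lambda used: round(len(used) / n, 4) if n else 0.0
    return {
        "requested": n,
        "static_used": len(static_used),
        "dynamic_used": len(dynamic_used),
        "static_ratio": ratio(static_used),
        "dynamic_ratio": ratio(dynamic_used),
        # Used at run time but not visible in the shipped bytecode: the
        # dynamic-code-loading side-effect the slide mentions.
        "hidden_from_static": sorted(dynamic_used - static_used),
        # Declared but exercised by neither method: over-requested.
        "never_used": sorted(requested - static_used - dynamic_used),
    }


if __name__ == "__main__":
    for key, value in usage_report(REQUESTED, STATIC_METHOD_REFS, SAMPLE_TRACE).items():
        print("%-20s %s" % (key, value))
```

The dynamic count is only as good as the stimulation that produced the trace, so a permission in never_used may simply belong to a code path the exerciser never reached; the static count, conversely, cannot see anything behind a DexClassLoader, which is why the two numbers are worth reporting side by side rather than picking one.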

22. App Interdependencies
• Apps can share their UID
  - Share data, run in the same process and inherit permissions
• Allows collusion attacks
  - Spread malicious payload over benign-looking apps
• Allows privilege escalation by taking advantage of already installed benign apps
  - Circumvent signature system with Master Key vulnerability
  - Use publicly available test keys
  - Even gain system privileges with android.uid.system UID
• Only used in few GW (1.14%) and MW (0.29%) apps

23. Other Findings from Static Analysis
• Application names
  - MW often uses legitimate-looking package names
    § Repackaging/posing as popular benign apps
    § Generic names (e.g. com.app.android)
  - “Random” names (e.g. rpyhwytfysl.uikbvktgwp) reused amongst thousands of apps
• Decreasing use of public test keys to sign apps
  - Should not be used by legitimate developers
  - 8.92% of MW (down from 65.29% in 2010), 2.26% of GW
• Master Key vulnerabilities not widely exploited
  - Only ~1,500 MW samples
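Triage heuristics for the package-name observations on this slide, as an added example that is not Andrubis code: a name is flagged generic when every label is a filler word, random-looking when a label has no plausible vowel structure, and a lookalike when it is a near miss of a well-known package name, and reuse of one name across many samples is counted. The filler-word list, the short list of well-known package names, the randomness thresholds and the similarity cutoff are this example's own assumptions, checked only against the two names the slide gives.

```python
import difflib
from collections import Counter

# Labels that carry no information about who published the app (assumed list).
GENERIC_LABELS = {"com", "org", "net", "app", "apps", "android", "application",
                  "example", "test", "demo"}
# Labels that are legitimately short and vowel-poor, exempt from the random check.
TLD_LABELS = {"com", "org", "net", "de", "io"}
# Constructed short list of well-known package names; a real deployment would
# use a market crawl such as the slide's AndRadar data.
POPULAR_PACKAGES = {"com.facebook.katana", "com.whatsapp", "com.android.vending"}
VOWELS = "aeiou"


def longest_consonant_run(label):
    """Length of the longest run of consonant letters (y counted as consonant)."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(label):
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def looks_random(label):
    """Heuristic: long label with a 5+ consonant run or almost no vowels."""
    if len(label) < 6 or label in TLD_LABELS:
        return False
    return longest_consonant_run(label) >= 5 or vowel_ratio(label) < 0.15


def classify_package_name(name, popular=POPULAR_PACKAGES):
    """Return a set of flags from {'generic', 'random', 'lookalike'}."""
    flags = set()
    labels = name.lower().split(".")
    if all(label in GENERIC_LABELS for label in labels):
        flags.add("generic")
    if any(looks_random(label) for label in labels):
        flags.add("random")
    if name not in popular:
        # Near-miss of a well-known name (exact matches need a signing-key
        # comparison instead, which this example does not do).
        for known in popular:
            if difflib.SequenceMatcher(None, name, known).ratio() >= 0.9:
                flags.add("lookalike")
                break
    return flags


def reused_names(package_names, min_count=2):
    """Package names shared by at least min_count distinct samples."""
    return {n: c for n, c in Counter(package_names).items() if c >= min_count}


if __name__ == "__main__":
    # Constructed sample: the two names from the slide plus a lookalike and a
    # genuine popular name.
    samples = ["com.app.android", "rpyhwytfysl.uikbvktgwp", "rpyhwytfysl.uikbvktgwp",
               "com.faceboook.katana", "com.facebook.katana"]
    for s in samples:
        print("%-26s %s" % (s, sorted(classify_package_name(s))))
    print("reused:", reused_names(samples))
```

These flags are triage hints for a large corpus, not verdicts: a generic or random-looking name says nothing about behaviour on its own, and the slide's own numbers (random names shared across thousands of samples) are what make the reuse count useful, since one name spread over many differently-hashed APKs points at an automated packaging pipeline.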
