dissecting android malware characterization and evolution
play

Dissecting Android Malware: Characterization and Evolution 1 - PowerPoint PPT Presentation

Jan 16, 2023 •286 likes •648 views

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf

  1. Dissecting Android Malware: Characterization and Evolution 1

  2. Problems to solve 18

  3. Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf ufficient Andr droid malware da dataset. 19

  4. Requirement 2: Current Malware Detection Rate How good are top anti-virus software against latest Android malware? Evaluating effectiveness of current Anti-virus software 20

  5. Related work • Felt et al. “A survey of mobile malware in the wild” – Survey 46 malware samples on iOS, Android and Symbian – Choice of breadth over depth – No mention of advanced trojans in the wild 21

  6. Related work What was missing? • In-depth look at Android malware – A technical analysis of advanced attacks • Large pool of malware – Perhaps A/V companies missed stuff? E.g. Malware in third-party markets • Evolution of malware and evaluation of defense 22

  7. Contribution • Large malware dataset presented – 1260 different samples in all – 49 different families each with many variants – More info: http://www.malgenomeproject.org/ 23

  8. Malware dataset How was it collected? 24

  9. Malware dataset Q. How was it collected? A. Crawl app stores! Search for android id mark rketplace cra rawler 25

  10. Contribution • Large malware dataset presented • Analysis of malware samples – Provenance, Design, Harm Installatio Inst ion Ac Activ ivatio ion Cha Characteris isatio ion 26

  11. Malware: Provenance • Official Android market • Alternate android markets ‡ – Eoemarket – Gfan ‡ http://thedroidguy.com/2012/04/android - market-share-doubles-in-china-even-symbian- is-ahead-of-ios/ 27

  12. Malware: Provenance Month of the year Third-party store only Official store only Number of new malware families discovered 28

  13. Malware: Installation How to lure users into installing malware you have written? OR How do bad things happen to good people? 29

  14. Repackaging Third-party Monkey market Bowl App developer (Good guy) End-user • Steal info • Hijack phone • Defraud Repackage Meister (bad guy) Official Android market 30

  15. Repackaging 86% of malware samples repackage! 31

  16. Repackaging ⁼ ⁺ 32

  17. Update attack FinanceAccount.apk Google SSearch Payload DroidKungFu Source: https://www.mylookout.com/mobile- threat-report 33

  18. Update attack Encrypted blog entry: blog.sina.com.cn Original Benign app Payload AnserverBot 34

  19. Drive-by download • “Benign” game with a malvertisement In-app ad pop-up Source: https://www.mylookout.com/mobile- threat-report 35

  20. Malware: Activation When do bad things happen? • Standard Android event notifications – Phone boots up • BOOT_COMPLETED (83.3%) – SMS is received • SMS_RECEIVED – Host app is started • ACTION_MAIN 36

  21. Malware: Purpose What do they do? Source: http://www.textspyware.com/android/android-spyware-software/ 37

  22. Malware: Purpose • Harvesting user information (51.1%) SndApp • What is sent? – Device ID – Phone number/operator – User’s email addresses http://www.fortiguard.com/av/VID3148366 38

  23. Malware: Purpose • SMS to premium numbers (45.3%) FakeRegSMS.B http://www.f-secure.com/weblog/archives/00002305.html 39

  24. Malware: Design • Social engineering • Phones as bots controlled from C&C server (93%) • Privilege escalation (36.7%) – Exploit security flaws in kernel code 40

  25. Malware: Permission use Frequency of top 20 permissions Malware Benign app 688=5.02x 553=12.8x 457=6.43x 424=3.72x 398=11.7x 333=10.1x 137 114 71 43 34 33 41

  26. Malware: Permission use • Summary – Avg. no. of permissions per app • Malware: 11 | Benign apps: 4 – Avg. no. of top 20 permissions per app • Malware: 9 | Benign apps: 3 42

  27. Contribution • Large malware dataset presented • Analysis of malware samples • Evolution of malware – Advanced techniques to beat defense • How good is defense? 43

  28. Malware: Evolution How are malware writers trying to evade detection? • Encryption – Payload and internal data • Running without install – DexClassLoader, Reflection • Thwart reverse engineering – Class name obfuscation 44

  29. Malware: Detection Rate 100 A few malware samples went undetected! 90 79.6% 76.7% 80 70 60 54.7% 50 40 30 20.2% 20 10 0 AVG Lookout Norton Trend Micro 45

  30. Malware: Detection Q. Any clue why some samples were NOT detected by any? A. They most likely employ signature- based detection! 46

  31. Takeaways Malware • Mostly in third-party markets/forums (~90%) • Requests more permissions on average • Is evolving and Anti-virus software needs to catch up 47

  32. Future Work How does one reduce the impact of malware? Google’s “Bouncer” 48

  33. Future work Well, Google has a kill switch at least... ...But, what about third-party markets? 49

  34. Making xkcd slightly worse: www.xkcdsw.com 50

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

DATA ANALYSIS OF ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics New Mexico Tech Mentor: Dr. Golden G. Richard III Postdoctoral Researcher: Aisha Ali-Gombe July 26 th 2017 CCT REU 2017 ANDROID

347 views • 10 slides
Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST

Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST

Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST 2008 Michael La Pilla VeriSign iDefense Malicious Code Operations Team June 26, 2008 Why Should Incident Responders Care? + US Commercial Accounts

458 views • 19 slides
Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index 1. Malware volume evolution 2. Malware Eras 3. Panda Adaptive Defense 1. What is it 2. Features & Benefits 3. How does it work 4.

661 views • 47 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl @maldr0id Hackito Ergo Sum 2015 Android malware is boring! ukasz Siewierski (@maldr0id) Android malware that wont make you fall asleep 2 / 24

535 views • 34 slides
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico Mariconti , Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, Gianluca Stringhini. NDSS 2017, 28-02-2017 Motivation: Android

1.21k views • 37 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides
Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer Vienna University of

425 views • 31 slides
SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun, Zhiqiang Li, Qiben Yan, Witawas Srisa-an and Yu Pan Department of Computer Science and Engineering University of Nebraska Lincoln Presenters: Yu

999 views • 24 slides
Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang

Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang

Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang (KrCERT/CC, KISA) DeepSEC IDSC 2016 Friday, 11 November 2016 Analysis Team at KrCERT/CC, KISA Mobile malware analyst In Seung, Yang Who am I

1.59k views • 72 slides
AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang Yuanyuan, Li Juanru, Shu Junliang, Li Bodong, Hu Wenjun, Gu Dawu Sudeep Nanjappa Jayakumar Agenda Introduc0on AppSpear Goals,

322 views • 19 slides
DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo

DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo

DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo Suarez-Tangil , Salahuddin Khan, Kimberly Tam, Mansour Ahmadi, Johannes Kinder, and Lorenzo Cavallaro Royal Holloway, University of London

352 views • 33 slides
AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max Wolotsky, Insu Yun, and Taesoo Kim Georgia Institute of Technology, July 27, 2017 Ab About t Us SSLab (@GT) Focusing on s ystem and security

1.25k views • 72 slides
Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software Mohammed I.

Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software Mohammed I.

Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software Mohammed I. Al-Saleh and Jedidiah R. Crandall Server Reconnaissance OS & Services ports Client Server Client Reconnaissance Hmmm, what can I get about

705 views • 27 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 5 Viruses & Worms, Botnets, Todays Threats Viruses & Worms Viruses Program

693 views • 31 slides
Cryptography and Network Security Chapter 21 What is the concept of defense: The parrying of a

Cryptography and Network Security Chapter 21 What is the concept of defense: The parrying of a

4/19/2010 Chapter 21 Malicious Software Cryptography and Network Security Chapter 21 What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow Awaiting the blow. Fifth Edition On War,

352 views • 6 slides
Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Describe types of malware See certain malware behaviors Scan and analyze malware

883 views • 25 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recent Security Incidents Garmin Ransomware -- $10 million Sync servers down for many days

506 views • 21 slides
AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot)

AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot)

Table of Contents AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot) Architecture Paul Barford and Vinod Yagneswaran Remote Control Mechanisms Host Control Propagation Exploits and

158 views • 4 slides
CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7, 2017 Signature-based Anti-Virus Systems By far, the most popular weapon against cyber attacks is signature-based antivirus software. When

709 views • 12 slides

More recommend