Dissecting Android Malware: Characterization and Evolution 1 - - PowerPoint PPT Presentation



SLIDE 1

Dissecting Android Malware: Characterization and Evolution

SLIDE 2

Problems to solve

SLIDE 3

Requirement 1: Sufficient Malware data set

Anti-virus communities and researchers are hampered by the lack of a malware dataset. Requires a sufficient Android malware dataset.

SLIDE 4

Requirement 2: Current Malware Detection Rate

How good is top anti-virus software against the latest Android malware? Evaluating the effectiveness of current anti-virus software.

SLIDE 5

Related work

  • Felt et al. “A survey of mobile malware in the wild”

– Survey of 46 malware samples on iOS, Android and Symbian
– Choice of breadth over depth
– No mention of advanced trojans in the wild

SLIDE 6

Related work

What was missing?

  • In-depth look at Android malware

– A technical analysis of advanced attacks

  • Large pool of malware

– Perhaps A/V companies missed stuff? E.g. Malware in third-party markets

  • Evolution of malware and evaluation of defense

SLIDE 7

Contribution

  • Large malware dataset presented

– 1260 different samples in all
– 49 different families, each with many variants
– More info: http://www.malgenomeproject.org/

SLIDE 8

Malware dataset

How was it collected?

SLIDE 9

Malware dataset

  • Q. How was it collected?
  • A. Crawl app stores!

Search for: android marketplace crawler

SLIDE 10

Contribution

  • Large malware dataset presented
  • Analysis of malware samples

– Provenance, Design, Harm

[Figure labels: Installation, Activation, Characterisation]

SLIDE 11

Malware: Provenance

  • Official Android market
  • Alternate android markets

– Eoemarket
– Gfan

‡ http://thedroidguy.com/2012/04/android-market-share-doubles-in-china-even-symbian-is-ahead-of-ios/

SLIDE 12

Malware: Provenance

[Chart: number of new malware families discovered per month of the year, third-party store only vs. official store]

SLIDE 13

Malware: Installation

How to lure users into installing malware you have written? OR How do bad things happen to good people?

SLIDE 14

Repackaging

[Diagram: App developer (good guy) → Monkey Bowl → Official Android market → Repackage Meister (bad guy) → Third-party market → End-user]

  • Steal info
  • Hijack phone
  • Defraud

SLIDE 15

Repackaging

86% of malware samples repackage!

SLIDE 16

Repackaging

SLIDE 17

Update attack

[Figure: DroidKungFu update attack; labels: Google Search, Payload FinanceAccount.apk]

Source: https://www.mylookout.com/mobile-threat-report

SLIDE 18

Update attack

[Figure: AnserverBot update attack; labels: Original benign app, Payload, Encrypted blog entry: blog.sina.com.cn]

SLIDE 19

Drive-by download

  • “Benign” game with a malvertisement

[Figure: in-app ad pop-up]

Source: https://www.mylookout.com/mobile-threat-report

SLIDE 20

Malware: Activation

When do bad things happen?

  • Standard Android event notifications

– Phone boots up

  • BOOT_COMPLETED (83.3%)

– SMS is received

  • SMS_RECEIVED

– Host app is started

  • ACTION_MAIN

SLIDE 21

Malware: Purpose

What do they do?

Source: http://www.textspyware.com/android/android-spyware-software/

SLIDE 22

Malware: Purpose


  • Harvesting user information (51.1%)
  • What is sent?

– Device ID
– Phone number/operator
– User’s email addresses

Example: SndApp (http://www.fortiguard.com/av/VID3148366)

SLIDE 23

Malware: Purpose

  • SMS to premium numbers (45.3%)

Example: FakeRegSMS.B (http://www.f-secure.com/weblog/archives/00002305.html)

SLIDE 24

Malware: Design

  • Social engineering
  • Phones as bots controlled from C&C server (93%)
  • Privilege escalation (36.7%)

– Exploit security flaws in kernel code

SLIDE 25

Malware: Permission use

[Chart: frequency of top 20 permissions, malware vs. benign app; labelled bars (malware count vs. benign count): 553 vs. 43 (12.8x), 398 vs. 34 (11.7x), 333 vs. 33 (10.1x), 457 vs. 71 (6.43x), 688 vs. 137 (5.02x), 424 vs. 114 (3.72x)]

SLIDE 26

Malware: Permission use

  • Summary

– Avg. no. of permissions per app

  • Malware: 11 | Benign apps: 4

– Avg. no. of top 20 permissions per app

  • Malware: 9 | Benign apps: 3
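As an added example (not code from the slides or the Malgenome project), a small triage script that pulls the two activation triggers named earlier in the deck (BOOT_COMPLETED, SMS_RECEIVED) and the permission count out of a decoded AndroidManifest.xml, then compares the count against the averages above (malware 11, benign 4); the manifest, package name and receiver names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Activation events named on the slides; ACTION_MAIN is left out because
# every launchable app declares it, so it carries no signal on its own.
ACTIVATION_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "phone boots up",
    "android.provider.Telephony.SMS_RECEIVED": "SMS is received",
}
# Average permission counts from the slides: malware 11, benign apps 4.
AVG_PERMS_MALWARE, AVG_PERMS_BENIGN = 11, 4


def triage_manifest(xml_text):
    """Permissions, activation triggers and a coarse permission profile for a
    decoded AndroidManifest.xml (decoding the binary XML happens before this)."""
    root = ET.fromstring(xml_text)
    perms = sorted(p.get(ANDROID_NS + "name") for p in root.iter("uses-permission"))
    triggers = [
        (recv.get(ANDROID_NS + "name"), act.get(ANDROID_NS + "name"))
        for recv in root.iter("receiver")
        for act in recv.iter("action")
        if act.get(ANDROID_NS + "name") in ACTIVATION_ACTIONS
    ]
    # Is the count closer to the malware average than to the benign average?
    n = len(perms)
    profile = ("malware-like" if abs(n - AVG_PERMS_MALWARE) < abs(n - AVG_PERMS_BENIGN)
               else "benign-like")
    return {"permission_count": n, "permission_profile": profile, "activation_triggers": triggers}


# Constructed sample manifest (not from any real sample): nine permissions
# and two receivers hooked to the boot and incoming-SMS broadcasts.
PERMS = ["INTERNET", "RECEIVE_BOOT_COMPLETED", "RECEIVE_SMS", "SEND_SMS",
         "READ_PHONE_STATE", "READ_CONTACTS", "ACCESS_FINE_LOCATION",
         "WRITE_EXTERNAL_STORAGE", "WAKE_LOCK"]
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.constructed">'
    + "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in PERMS)
    + '<application>'
    '<receiver android:name=".BootReceiver"><intent-filter>'
    '<action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>'
    '<receiver android:name=".SmsReceiver"><intent-filter>'
    '<action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>'
    '</application></manifest>'
)

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```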

SLIDE 27

Contribution

  • Large malware dataset presented
  • Analysis of malware samples
  • Evolution of malware

– Advanced techniques to beat defense

  • How good is defense?

SLIDE 28

Malware: Evolution

How are malware writers trying to evade detection?

  • Encryption

– Payload and internal data

  • Running without install

– DexClassLoader, Reflection

  • Thwart reverse engineering

– Class name obfuscation

SLIDE 29

Malware: Detection Rate

[Chart: detection rate per anti-virus product: AVG 54.7%, Lookout 79.6%, Norton 20.2%, Trend Micro 76.7%]

A few malware samples went undetected!

SLIDE 30

Malware: Detection

  • Q. Any clue why some samples were NOT detected by any?
  • A. They most likely employ signature-based detection!

SLIDE 31

Takeaways

Malware

  • Mostly in third-party markets/forums (~90%)
  • Requests more permissions on average
  • Is evolving, and anti-virus software needs to catch up

SLIDE 32

Future Work

How does one reduce the impact of malware?

Google’s “Bouncer”

SLIDE 33

Future work

Well, Google has a kill switch at least... ...But, what about third-party markets?

SLIDE 34

Making xkcd slightly worse: www.xkcdsw.com