GroDDViewer: Dynamic dual view of Android malware Jean-Franois - - PowerPoint PPT Presentation

Introduction Malware analysis Visualization Conclusion

GroDDViewer: Dynamic dual view of Android malware

Jean-François Lalande Mathieu Simon Valérie Viet Triem Tong

GraMSec 2020

CIDRE team

June 22th 2020

2 / 16

Introduction Malware analysis Visualization Conclusion

Introduction

3 / 16

Introduction Malware analysis Visualization Conclusion

Android malware analysis

Android malware analysis static analysis: (byte)code parsing + Control Flow Graph analysis dynamic analysis: execution (smartphone, cuckoo sandbox)

3 / 16

Introduction Malware analysis Visualization Conclusion

Android malware analysis

Android malware analysis static analysis: (byte)code parsing + Control Flow Graph analysis dynamic analysis: execution (smartphone, cuckoo sandbox) Reverse engineering: go deep into the bytecode

• bserve what happens when executed

By Con-struct + replicant community [CC BY-SA 3.0]

4 / 16

Introduction Malware analysis Visualization Conclusion

Tools for helping the reverser

Dynamic analysis tools for Android apps: focus on the quality of outputs do not focus on visualizing We believe that a good vizualisation tool should:

1

represents what happens at OS level

2

represents what is inside the bytecode

3

help the investigator to understand a malware

5 / 16

Introduction Malware analysis Visualization Conclusion

Malware analysis

6 / 16

Introduction Malware analysis Visualization Conclusion

Examples

Remote Admin Tools: Badnews: Obeys to a remote server + delays attack DroidKungFu1 (well known): Delays attack Mazar: RAT + Spyware Blocker / Eraser: WipeLocker: Wipes of the SD card

7 / 16

Introduction Malware analysis Visualization Conclusion

Ransomware

SimpleLocker: Encrypts user’s files and asks for paying

7 / 16

Introduction Malware analysis Visualization Conclusion

Ransomware

SimpleLocker: Encrypts user’s files and asks for paying ⇒ We would like to see: the encrypted files the part of the bytecode involved

8 / 16

Introduction Malware analysis Visualization Conclusion

Visualization needs

Observe what happens in the system (files, sockets) Identify the involved parts of the code Observe malware over time

8 / 16

Introduction Malware analysis Visualization Conclusion

Visualization needs

Observe what happens in the system (files, sockets) Identify the involved parts of the code Observe malware over time ⇒ We created GroDDViewer for answering these problems ! Grodd: the intelligent monkey of Marvel’s comics D: Dynamic (replay an experiment) D: Dual view (OS + Code)

9 / 16

Introduction Malware analysis Visualization Conclusion

Our analysis framework: GroddDroid

APK

9 / 16

Introduction Malware analysis Visualization Conclusion

Our analysis framework: GroddDroid

APK Static Analysis CFG Payload Location API usage, etc.

9 / 16

Introduction Malware analysis Visualization Conclusion

Our analysis framework: GroddDroid

APK Static Analysis CFG Payload Location API usage, etc. Control Flow Tracer Targeting One Payload

9 / 16

Introduction Malware analysis Visualization Conclusion

Our analysis framework: GroddDroid

APK Static Analysis CFG Payload Location API usage, etc. Control Flow Tracer Targeting One Payload Real smartphone GroddDroid Runner Reference Execution BLARE Log Collector controls New APK

9 / 16

Introduction Malware analysis Visualization Conclusion

Our analysis framework: GroddDroid

APK Static Analysis CFG Payload Location API usage, etc. Control Flow Tracer Targeting One Payload Real smartphone GroddDroid Runner Reference Execution BLARE Log Collector controls New APK Malicious Code Trigering Coverage Code Coverage

9 / 16

Introduction Malware analysis Visualization Conclusion

Our analysis framework: GroddDroid

APK Static Analysis CFG Payload Location API usage, etc. Control Flow Tracer Targeting One Payload Real smartphone GroddDroid Runner Reference Execution BLARE Log Collector controls New APK Malicious Code Trigering Coverage Code Coverage Visualization

10 / 16

Introduction Malware analysis Visualization Conclusion

Blare monitoring: principle

1

Marks files with a mark

2

Observes propagation of flows

cp cat xx

File 1 File 2 File 3

10 / 16

Introduction Malware analysis Visualization Conclusion

Blare monitoring: principle

1

Marks files with a mark

2

Observes propagation of flows

cp cat xx

File 1 File 2 File 3

10 / 16

Introduction Malware analysis Visualization Conclusion

Blare monitoring: principle

1

Marks files with a mark

2

Observes propagation of flows

cp cat xx

File 1 File 2 File 3

10 / 16

Introduction Malware analysis Visualization Conclusion

Blare monitoring: principle

1

Marks files with a mark

2

Observes propagation of flows

cp cat xx

File 1 File 2 File 3

10 / 16

Introduction Malware analysis Visualization Conclusion

Blare monitoring: principle

1

Marks files with a mark

2

Observes propagation of flows

cp cat xx

File 1 File 2 File 3

11 / 16

Introduction Malware analysis Visualization Conclusion

Visualization

12 / 16

Introduction Malware analysis Visualization Conclusion

GroddViewer example: simplelocker

13 / 16

Introduction Malware analysis Visualization Conclusion

GroddViewer demo

14 / 16

Introduction Malware analysis Visualization Conclusion

Conclusion

15 / 16

Introduction Malware analysis Visualization Conclusion

Future works

Not solved problems for dynamic observation Native code Obfuscation Remote servers New vizualisation problems Enhance the navigation into the code Deal with the visualization of protocols

c Inria / C. Morel Questions ?