hey you get off
play

Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED - PowerPoint PPT Presentation

Apr 14, 2023 •15 likes •385 views

Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED SECURITY TOPICS Smartphone users over the years Leading app stores 2019 Smartphones are becoming increasingly ubiquitous With great popularity Comes great

  1. Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED SECURITY TOPICS

  2. Smartphone users over the years

  3. Leading app stores 2019  Smartphones are becoming increasingly ubiquitous

  4. With great popularity…  Comes great malicious activity:  Malware authors  Malicious apps (DroidDream)  Use of the market’s validity and trust to exploit unaware users.  Dangers:  Root access to mobile devices  Gain permissions to sensitive mobile information  Market loses validity and becomes unreliable

  5. Motivation  Android is a natural target for malware, due to its openness/customizability.  It is important to respond by assessing the overall health of the marketplaces in terms of the malware present

  6. Who’s going to save the world?  Studies to understand the overall ‘ Health ’ of Android Markets  Malware detection on both official and unofficial (3 rd party) markets (e.g Amazon Appstore, Aptoide)  How it was done?  Web crawler to collect all possible (free) apps we can obtain  Five representative marketplaces  2 months period  Large-scale analysis is needed to obtain a better understanding of the global Android malware status

  7. Approach design considerations  Design goals:  Accuracy:  Effectively detect malicious apps in current marketplaces with low false positives and negatives  Scalability and efficiency: too many apps, so little time  Α t 6 seconds per sample, a collection of 200K apps would take over two weeks to fully analyze, so speed is very important  Filter apps which are unlikely to be malware, leaving only a small core to analyze. (Permission-based behavorial footprinting)

  8. DroidRanger  The first systematic study on the overall Health of Markets: The stores are dark and full  Focusing on detecting malicious apps of terrors...  204 040 app samples (~75% from Google marketplace)  DroidRanger has two main functions  Detecting known malware via permission-based behavioral footprinting  Detecting unknown malware via heuristics-based filtering  DroidRanger successfully detected:  171 infected apps (21 from google marketplace)  2 unkown zero-day malware

  9. DroidRanger System Architecture  Five app marketplaces are crawled: Android Market (Google), eoeMarket, alcatelclub, gfan, mmoovv  Over 200K Apps are loaded into a database and sent to the two DroidRanger modules (higlighted)

  10. Diving in depth… DroidRanger performs the following tasks:  Detecting known malware via permission-based behavioral footprinting:  Filters based on permissions, then analyzes based on behaviour Uses a set of 10 known malware families as footprints   Detecting unknown malware via heuristics-based filtering  Filtering based on dynamic code loading/execution and native code use  Analysis based on dynamic monitoring of the execution  Confirmed malware are fed back to step 1

  11. Detecting known malware(1/3)  Step I. Permission-based filtering  Exclude unrelated applications  Matching each app’s manifest permissions against permissions requested by known malware  Only applications which need these “malware - friendly” permissions are included in the malware analysis For example, Zsone malware asks for RECEIVE SMS and SEND SMS, and DroidRanger focuses in on apps which request these two permissions...

  12. Detecting known malware(2/3)  DroidRanger’s first component filtering is reducing the analysis work significantly: Permission RECEIVE_SMS SEND_SMS (both permissions) Apps 5,214 8,235 3,204 Percentage 2.85% 4.50% 1.75% Note: it’s important to select the distinguishing permissions, otherwise we can get many false negatives/positives

  13. Detecting known malware(3/3)  Step II. Behavioral analysis  After the filtering, there are potentially still thousands of apps left to analyse  An attempt to run off-the-shelf mobile antivirus at this point missed 23.52% of malware, probably due to signature polymorphism  Instead, DroidRanger analyzes app behaviour through:  App Manifest info (e.g. receivers)  App bytecode info (e.g. calls to send SMS)  Hierarchical structure of decompiled code

  14. Detecting Unknown Malware (1/2)  Step I. Heuristic-based filtering  DroidRanger takes a heuristic-based approach to detecting unknown malware  The first heuristic involves looking for dynamic loading of untrusted code (for example, use of DexClassLoader)  This type of dynamic loading is present in 1,055 apps (0.58%), mostly for ads  Discovered Plankton spyware this way

  15. Detecting Unknown Malware (2/2)  Step II. Dynamic execution monitoring  Dynamically execute the apps uncovered by step I  For example, during a call to SmsManager.sendTextMessage, the analysis can get the destination phone number and content  System calls like sys mount, a command which can be used to remount the sys partition as writeable if executed in root mode  Flagged apps are manually inspected and included in the known malware detection engine if they are genuinely malicious

  16. Evaluations of known malware (1/4)  Crawled Android markets and collected 200K free apps: Ofifcial Market Alter M1 Alter M2 Alter M3 Alter M4 No. of apps 153,002 17,229 14.943 10.385 8.481 (74.98%) (8.44%) (7.33%) (5.09%) (4.16%) Totals apps 204,040

  17. Evaluations of known malware(2/4)  Used 10 known malware families for behavorial footprints

  18. Evaluations of known malware(3/4)  1.Permission-based filtering  Extracted permissions form each of the test apps  Compares with malware permissions

  19. Evaluations of known malware(4/4)  2. Behavorial footprint analysis  Total scan time 4.5 hours (a lot less than typical analysis)

  20. Evaluations of unknown malware Uncovered plankton malware  Found in “Angry Birds Cheater” app  Uncovered 10 similar instances in Google marketplace  Google removed these 11 malicious apps on the same day 

  21. Observations  Malware can persist longer on non-google markets.  4/10 malware families have root exploits  Anti-malware mobile softwares don’t always detect threats.

  22. Detecting android malware Characterization and evolution

  23. Components Research facts I. Malware Timeline II. Malware Characterization III. IV. Malware Evolution Conclusions V.

  24. Research facts  1260 samples over 49 malware families  27 malware families were examined found to be harvesting users information (user accounts etc)  Found 1260/1083 (86%) of malware samples were repacked versions of legitimate applications with malicious payloads  400% increase in Android-based malware since 2010  Anti-virus softwares like AVG,Norton Mobile Security Lite detected only the 79% of the malicious apps.

  25. Malware timeline

  27. Malware Installation (1/2)  Repackaging: Malware authors locate and download popular apps 1. Disassemble them 2. Enclose malicious payloads 3. Re-assemble and submit the new apps to Android Markets 4.  Update Attack:  Instead of enclosing the payload as a whole, it only includes an update component that will fetch or download the malicious payloads at runtime

  28. Update attack

  29. Malware Installation (2/2)  Drive-by download  Uses small pieces of code designed to slip past simple defenses and go largely unnoticed  The code doesn't need to be highly complex because it mainly has one job: to contact another computer to introduce the rest of the code it needs to access a mobile device or computer.

  30. Malicious Payloads(1/4) Privilege escalation:  Install malware  Stay undercover  Steal another user’s privileges  Use the privileges to gain access up to super administrator  Exploit The researchers found out that 36.7% of the sample apps found to contain at least one root exploit.... (Not good)

  31. Malicious Payloads(2/4)  Remote Control:  Turn the infected phones into bots for remote control  The researchers found that 93% of the samples turned infected phones into bots for remote control  Stealthy communication between Master and server through encrypting the URLs of remote C&C servers

  32. Malicious Payloads(3/4)  Financial Charge:  The attempt of malware to execute financial exchanges  Disquised as a media player  By accessing permission to sendTextMessage in the background without user’s awareness, the device sends messages to premium -rate services. Note: Premium rate services are a form of micro-payment for paid for content, data services and value added services that are subsequently charged to your telephone bill

  33. Top 20 permissions requested by malicious samples

  34. Malicious Payloads (4/4)  Information Collection:  Malware are actively harvesting various information on the infected phones  13 malware families (138 samples) in our dataset that collect SMS messages  15 families (563 samples) gather phone numbers  3 families (43 samples) obtain and upload the information about user accounts

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Julia Maddox| Marine Invasive Species Program| May 31 st -August 12 th ,2017 About Me I am a

Julia Maddox| Marine Invasive Species Program| May 31 st -August 12 th ,2017 About Me I am a

Julia Maddox| Marine Invasive Species Program| May 31 st -August 12 th ,2017 About Me I am a senior at Humboldt State University -I study geology and as a result, I collect rocks like a madman. About Me I am a senior at Humboldt State

591 views • 32 slides
Chapter by Loco Power Week 10: High-Fidelity Prototype (Milestone) Dan, Melissa, Irving, &

Chapter by Loco Power Week 10: High-Fidelity Prototype (Milestone) Dan, Melissa, Irving, &

Chapter by Loco Power Week 10: High-Fidelity Prototype (Milestone) Dan, Melissa, Irving, & David 1. Problem & Solution 2. Heuristic Results & Changes 3. Prototype Implementation Status 4. Hi-Fi Demo 1. Problem & Solution How

313 views • 20 slides
A stagnant swimmer What is the meaning of stagnant or plateau? Meaning of Stagnant Standing

A stagnant swimmer What is the meaning of stagnant or plateau? Meaning of Stagnant Standing

A stagnant swimmer What is the meaning of stagnant or plateau? Meaning of Stagnant Standing still, without flow or currant, stale, sluggish or dull from inaction, not growing or developing Meaning of Plateau A relatively long period of

353 views • 6 slides
High School Science Award Presentation Speech High School Science Award Presentation Speech Have

High School Science Award Presentation Speech High School Science Award Presentation Speech Have

High School Science Award Presentation Speech.pdf High School Science Award Presentation Speech High School Science Award Presentation Speech Have spare times? Read High School Science Award Presentation Speech writer by Doreen Schweizer Studio

353 views • 10 slides
Our Beautiful Blue Planet In the seas and rivers, there are lots of 3 Fascinating Facts tiny

Our Beautiful Blue Planet In the seas and rivers, there are lots of 3 Fascinating Facts tiny

Our Beautiful Blue Planet In the seas and rivers, there are lots of 3 Fascinating Facts tiny organisms called plankton . Lots of living things eat these plankton, but On Earth, theres more marine when mobula rays feed on them, the 1 life

338 views • 12 slides
Mitigation for Desalination Plant Intake Impacts: A Fee-Based Approach ($/Million Gallons (MG)

Mitigation for Desalination Plant Intake Impacts: A Fee-Based Approach ($/Million Gallons (MG)

Mitigation for Desalination Plant Intake Impacts: A Fee-Based Approach ($/Million Gallons (MG) SWRCB Expert Review Panel Michael Foster, Moss Landing Marine Laboratories Gregor Cailliet, Moss Landing Marine Laboratories John Callaway,

351 views • 9 slides
INSITE Phase 1 Summary of Outcomes ISAB Independent Scientific Advisory Board Aberdeen

INSITE Phase 1 Summary of Outcomes ISAB Independent Scientific Advisory Board Aberdeen

The Influence of Man-made Structures in the North Sea INSITE Phase 1 Summary of Outcomes ISAB Independent Scientific Advisory Board Aberdeen Symposium, Aberdeen, 11 December 2017 INSITE Background Oil & Gas UK Decommissioning

445 views • 19 slides
LCCMR ID: 021-A3 Project Title: Physics to Fish: Lake Superior Ecosystem Health Transects LCCMR

LCCMR ID: 021-A3 Project Title: Physics to Fish: Lake Superior Ecosystem Health Transects LCCMR

Environment and Natural Resources Trust Fund 2010 Request for Proposals (RFP) LCCMR ID: 021-A3 Project Title: Physics to Fish: Lake Superior Ecosystem Health Transects LCCMR 2010 Funding Priority: A. Water Resources Total Project Budget: $

416 views • 6 slides
Understanding the community dynamics, , tim iming, g, and in intensity of f the 2017 and 2018

Understanding the community dynamics, , tim iming, g, and in intensity of f the 2017 and 2018

Understanding the community dynamics, , tim iming, g, and in intensity of f the 2017 and 2018 cyanobacteria blo looms in in two shall llow eutrophic bays in in Lake Champlain August 1, 2019 || VT EPSCoR 2019 Undergraduate Research

138 views • 10 slides
Coastal The first rule of intelligent tinkering is to California keep all the pieces -

Coastal The first rule of intelligent tinkering is to California keep all the pieces -

The Conservation and Ecology of California's Coastal Prairie May 1, 2003 Coastal The first rule of intelligent tinkering is to California keep all the pieces - Aldo Leopold Grassy Ecosystems Coastal Grasslands: Why are they

358 views • 4 slides
Corporate Capability Presentation by P e l l F r i s c h m a n n e x c e l l e n c

Corporate Capability Presentation by P e l l F r i s c h m a n n e x c e l l e n c

Corporate Capability Presentation by P e l l F r i s c h m a n n e x c e l l e n c e t h r o u g h i n n o v a t i o n IT & TELECOM IT & TELECOM Consulting Audit Design Project Management

678 views • 47 slides
checkerspots Don Edwards San Francisco Bay National Wildlife Refuge Environmental Education

checkerspots Don Edwards San Francisco Bay National Wildlife Refuge Environmental Education

Conservation and management of three imperiled West Coast butterflies: Bay, Quino, and Taylor's checkerspots Don Edwards San Francisco Bay National Wildlife Refuge Environmental Education Center 1751 Grand Blvd, Alviso, CA 95002 This workshop

335 views • 16 slides
Office of the President Administrative & Operational Support * Community & Government

Office of the President Administrative & Operational Support * Community & Government

Office of the President Administrative & Operational Support * Community & Government Relations Institutional Research, Planning and Effectiveness MISSION As stewards of the CI Mission , the Office of the President contributes to the

395 views • 13 slides
EUTF Administrative Rule Changes The following changes are effective immediately: The time

EUTF Administrative Rule Changes The following changes are effective immediately: The time

EUTF Administrative Rule Changes The following changes are effective immediately: The time requirement for submission of enrollment forms and supporting documents will be 45 days from the date of the qualifying event. Exceptions are: o

660 views • 37 slides
WELCOME! MEETING AGENDA 8:30 9:00 Coffee, Meet & Greet, Sign in 9:00 9:20 Welcome,

WELCOME! MEETING AGENDA 8:30 9:00 Coffee, Meet & Greet, Sign in 9:00 9:20 Welcome,

Willamette Valley Native Plant Materials Cooperative WELCOME! MEETING AGENDA 8:30 9:00 Coffee, Meet & Greet, Sign in 9:00 9:20 Welcome, Introductions, Meeting Objectives 9:20 10:00 Survey and questionnaire results + Q&A:

578 views • 22 slides
What to expect from modeling to assist the design of plantain based systems? Philippe Tixier,

What to expect from modeling to assist the design of plantain based systems? Philippe Tixier,

What to expect from modeling to assist the design of plantain based systems? Philippe Tixier, Sylvain Dpigny Atelier CRP-RTB Intensification des systmes mixtes RTB et plantain en Afrique occidentale et centrale Abidjan : 11-14/11/13

560 views • 25 slides
Longboat Energy Creating a full-cycle North Sea E&P company Corporate Presentation, December

Longboat Energy Creating a full-cycle North Sea E&P company Corporate Presentation, December

Longboat Energy Creating a full-cycle North Sea E&P company Corporate Presentation, December 2019 DISCLAIMER These materials do not constitute or form any part of any offer or invitation to sell or issue or purchase or subscribe for any

416 views • 16 slides
In 2007 we denounced affectation to health by pesticides REPORT: EXPERTISE TO HEALTH

In 2007 we denounced affectation to health by pesticides REPORT: EXPERTISE TO HEALTH

In 2007 we denounced affectation to health by pesticides REPORT: EXPERTISE TO HEALTH WORKERS AERIAL SPRAYING BANANA PLANTATIONS In 2009 we filed a lawsuit in the US. against a pesticide manufacturers "Mancozeb" In

547 views • 19 slides
Level of Service and Risk From Theory to Action in 4 Easy Steps IAMA Workshop February 13, 2019

Level of Service and Risk From Theory to Action in 4 Easy Steps IAMA Workshop February 13, 2019

Level of Service and Risk From Theory to Action in 4 Easy Steps IAMA Workshop February 13, 2019 Red Deer Gabrielle Battiste, J.D. Dorian Wandzura, P . Eng. www.ladderupconsulting.ca Level of Service and Risk Welcome to the February 13, 2019,

280 views • 7 slides
Country report : New Zealand Presentation to IRG Annual Meeting Cali, 5 February 2019 Current NZ

Country report : New Zealand Presentation to IRG Annual Meeting Cali, 5 February 2019 Current NZ

Country report : New Zealand Presentation to IRG Annual Meeting Cali, 5 February 2019 Current NZ research to support inventory improvement Understanding cattle CH 4 yields at 500 very low and very high levels of 400 feed intake (< 6kg

395 views • 13 slides
GREENVILLE VEGAN POTLUCK DINNER: ENDURANCE TRIATHLON ON A PLANT- BASED DIET Who Am I???

GREENVILLE VEGAN POTLUCK DINNER: ENDURANCE TRIATHLON ON A PLANT- BASED DIET Who Am I???

GREENVILLE VEGAN POTLUCK DINNER: ENDURANCE TRIATHLON ON A PLANT- BASED DIET Who Am I??? Thomas Skelton III Born and raised in Clemson, SC Currently reside in Greenville, SC Plant-based Endurance Triathlete My Background

417 views • 22 slides
FAIRTRADE 2017 FA I RT R A D E F O OT B A L L S M A K E A D I F F E R E N C E WHAT IS

FAIRTRADE 2017 FA I RT R A D E F O OT B A L L S M A K E A D I F F E R E N C E WHAT IS

FAIRTRADE 2017 FA I RT R A D E F O OT B A L L S M A K E A D I F F E R E N C E WHAT IS FAIRTRADE? P6 have studied Fairtrade this term. We have discovered lots about the way we shop. When we buy something we often forget that someone

329 views • 13 slides
du REDD : le calcul des cots d'opportunit Peter A Minang Global Coordinator, ASB

du REDD : le calcul des cots d'opportunit Peter A Minang Global Coordinator, ASB

Estimer les impacts conomiques du REDD : le calcul des cots d'opportunit Peter A Minang Global Coordinator, ASB Partnership Journe de la Foret en Afrique Centrale, Yaound, 2009 What costs and Benefits Costs Benefits Opportunity

541 views • 13 slides
COMPATIBILITY ANALYSIS OF CEMENT WITH SUPERPLASTICIZERS CONTENTS Objective of work Need

COMPATIBILITY ANALYSIS OF CEMENT WITH SUPERPLASTICIZERS CONTENTS Objective of work Need

COMPATIBILITY ANALYSIS OF CEMENT WITH SUPERPLASTICIZERS CONTENTS Objective of work Need of study Introduction Work till Minor Work post minor Graphs and results Development of equations Conclusion

845 views • 45 slides

More recommend