Hey, You, Get Off of My Market: RAFAEL MICHAEL, CS 682 - ADVANCED SECURITY TOPICS (PowerPoint presentation)



SLIDE 1

Hey, You, Get Off of My Market

RAFAEL MICHAEL, CS 682 - ADVANCED SECURITY TOPICS

SLIDE 2

Smartphone users over the years

SLIDE 3

Leading app stores 2019

• Smartphones are becoming increasingly ubiquitous

SLIDE 4

With great popularity…

Comes great malicious activity:

• Malware authors
• Malicious apps (DroidDream)
• Use of the market’s validity and trust to exploit unaware users
• Dangers:
  • Root access to mobile devices
  • Gain permissions to sensitive mobile information
  • Market loses validity and becomes unreliable

SLIDE 5

Motivation

• Android is a natural target for malware, due to its openness/customizability.
• It is important to respond by assessing the overall health of the marketplaces in terms of the malware present.

SLIDE 6

Who’s going to save the world?

• Studies to understand the overall ‘health’ of Android markets
• Malware detection on both official and unofficial (3rd party) markets (e.g. Amazon Appstore, Aptoide)
• How was it done?
  • Web crawler to collect all possible (free) apps we can obtain
  • Five representative marketplaces
  • 2-month period
• Large-scale analysis is needed to obtain a better understanding of the global Android malware status

SLIDE 7

Approach design considerations

• Design goals:
  • Accuracy: effectively detect malicious apps in current marketplaces with low false positives and negatives
  • Scalability and efficiency: too many apps, so little time
    • At 6 seconds per sample, a collection of 200K apps would take over two weeks to fully analyze, so speed is very important
    • Filter apps which are unlikely to be malware, leaving only a small core to analyze (permission-based behavioral footprinting)
SLIDE 8

DroidRanger

• The first systematic study on the overall health of markets:
  • Focusing on detecting malicious apps
  • 204,040 app samples (~75% from Google marketplace)
  • DroidRanger has two main functions:
    • Detecting known malware via permission-based behavioral footprinting
    • Detecting unknown malware via heuristics-based filtering
  • DroidRanger successfully detected:
    • 171 infected apps (21 from Google marketplace)
    • 2 unknown zero-day malware

The stores are dark and full of terrors...
SLIDE 9

DroidRanger System Architecture

• Five app marketplaces are crawled: Android Market (Google), eoeMarket, alcatelclub, gfan, mmoovv
• Over 200K apps are loaded into a database and sent to the two DroidRanger modules (highlighted)

SLIDE 10

Diving in depth…

DroidRanger performs the following tasks:

• Detecting known malware via permission-based behavioral footprinting:
  • Filters based on permissions, then analyzes based on behaviour
  • Uses a set of 10 known malware families as footprints
• Detecting unknown malware via heuristics-based filtering:
  • Filtering based on dynamic code loading/execution and native code use
  • Analysis based on dynamic monitoring of the execution
  • Confirmed malware are fed back to step 1

SLIDE 11

Detecting known malware (1/3)

• Step I. Permission-based filtering
  • Exclude unrelated applications
  • Matching each app’s manifest permissions against permissions requested by known malware
  • Only applications which need these “malware-friendly” permissions are included in the malware analysis
  • For example, Zsone malware asks for RECEIVE_SMS and SEND_SMS, and DroidRanger focuses in on apps which request these two permissions...

SLIDE 12

Detecting known malware (2/3)

• DroidRanger’s first component, the filtering, reduces the analysis work significantly.
• Note: it’s important to select the distinguishing permissions, otherwise we can get many false negatives/positives.

Permission           Apps    Percentage
RECEIVE_SMS          5,214   2.85%
SEND_SMS             8,235   4.50%
(both permissions)   3,204   1.75%

SLIDE 13

Detecting known malware (3/3)

• Step II. Behavioral analysis
  • After the filtering, there are potentially still thousands of apps left to analyse
  • An attempt to run off-the-shelf mobile antivirus at this point missed 23.52% of malware, probably due to signature polymorphism
  • Instead, DroidRanger analyzes app behaviour through:
    • App manifest info (e.g. receivers)
    • App bytecode info (e.g. calls to send SMS)
    • Hierarchical structure of decompiled code
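As an added example (not DroidRanger’s own code) of the two steps on slides 11 to 13: Step I keeps only the apps whose manifest requests every permission in a family’s footprint, and Step II then requires the family’s receiver and bytecode call as well. The Zsone receiver and call names and the four sample apps are constructed assumptions, not values from the paper.

```python
from dataclasses import dataclass, field

@dataclass
class App:
    name: str
    permissions: set
    receivers: set = field(default_factory=set)  # receivers declared in the manifest
    api_calls: set = field(default_factory=set)  # method references found in the bytecode

@dataclass
class Footprint:
    family: str
    permissions: set  # "malware-friendly" permissions used by Step I
    receivers: set    # receivers the family registers (checked in Step II)
    api_calls: set    # bytecode calls the family makes (checked in Step II)
SMS_SEND = "Landroid/telephony/SmsManager;->sendTextMessage"
SMS_RECV = "android.provider.Telephony.SMS_RECEIVED"
# Footprint built from the Zsone description on slide 11; receiver and call are assumptions.
FOOTPRINTS = [
    Footprint("Zsone", {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
              {SMS_RECV}, {SMS_SEND}),
]

# Constructed sample corpus; the names and permission sets are made up.
SAMPLE_APPS = [
    App("sms_client", {"android.permission.SEND_SMS"}, api_calls={SMS_SEND}),
    App("puzzle_game", {"android.permission.INTERNET"}),
    App("puzzle_game_repack",
        {"android.permission.INTERNET", "android.permission.RECEIVE_SMS",
         "android.permission.SEND_SMS"}, receivers={SMS_RECV}, api_calls={SMS_SEND}),
    # Requests both permissions but never sends: passes Step I, fails Step II.
    App("sms_backup", {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
        receivers={SMS_RECV}),
]

def permission_filter(apps, fp):
    """Step I: keep only apps whose manifest requests every footprint permission."""
    return [a for a in apps if fp.permissions <= a.permissions]
def behavioral_match(app, fp):
    """Step II: the candidate must also show the footprint's receivers and calls."""
    return fp.receivers <= app.receivers and fp.api_calls <= app.api_calls
def scan(apps=SAMPLE_APPS, footprints=FOOTPRINTS):
    """Return ({family: flagged app names}, {family: fraction passing Step I})."""
    hits, stats = {}, {}
    for fp in footprints:
        candidates = permission_filter(apps, fp)
        stats[fp.family] = len(candidates) / len(apps)
        hits[fp.family] = [a.name for a in candidates if behavioral_match(a, fp)]
    return hits, stats
```

The `stats` value is the same kind of figure as the “(both permissions)” row on slide 12, and `sms_backup` shows why Step I alone would produce false positives.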

SLIDE 14

Detecting Unknown Malware (1/2)

• Step I. Heuristic-based filtering
  • DroidRanger takes a heuristic-based approach to detecting unknown malware
  • The first heuristic involves looking for dynamic loading of untrusted code (for example, use of DexClassLoader)
  • This type of dynamic loading is present in 1,055 apps (0.58%), mostly for ads
  • Discovered Plankton spyware this way

SLIDE 15

Detecting Unknown Malware (2/2)

• Step II. Dynamic execution monitoring
  • Dynamically execute the apps uncovered by step I
  • For example, during a call to SmsManager.sendTextMessage, the analysis can get the destination phone number and content
  • System calls like sys_mount, which can be used to remount the system partition as writeable if executed with root privileges
  • Flagged apps are manually inspected and included in the known malware detection engine if they are genuinely malicious
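An added example (not from the paper) of the unknown-malware path on slides 14 and 15: a heuristic pass over constructed per-app method references looks for DexClassLoader and native-library loading, and a second pass reads a constructed runtime trace to flag SMS sent to short codes and a writable remount of /system. The trace line format, the app names and the short-code rule are assumptions.

```python
import re
# Constructed static view of each app: method references found in its dex file.
DEX_REFS = {
    "ad_wallpaper": {"Ldalvik/system/DexClassLoader;-><init>",
                     "Ljava/lang/System;->loadLibrary"},
    "flashlight": {"Landroid/app/Activity;->onCreate"},
    "cheater_tool": {"Ldalvik/system/DexClassLoader;-><init>"},
}
LOADING_MARKERS = ("Ldalvik/system/DexClassLoader;",      # dynamic dex loading
                   "Ljava/lang/System;->loadLibrary")      # native code use
def heuristic_filter(dex_refs=DEX_REFS):
    """Step I: apps whose bytecode references dynamic code or native-library loading."""
    return sorted(app for app, refs in dex_refs.items()
                  if any(r.startswith(m) for r in refs for m in LOADING_MARKERS))

# Constructed runtime trace in the shape a hooked runtime might emit (format assumed).
TRACE = """\
app=ad_wallpaper api=SmsManager.sendTextMessage dest=+15551234567 text="hello"
app=cheater_tool api=SmsManager.sendTextMessage dest=10626 text="go"
app=cheater_tool syscall=mount args="-o remount,rw /system"
app=flashlight api=SmsManager.sendTextMessage dest=+15557654321 text="bye"
"""
LINE_RE = re.compile(r'app=(\S+) (api|syscall)=(\S+)(?: dest=(\S+))?(?: args="([^"]*)")?')

def is_short_code(dest):
    """Premium-rate services are usually reached via short all-digit numbers (assumed rule)."""
    return dest.isdigit() and len(dest) <= 6

def analyze_trace(trace=TRACE, candidates=None):
    """Step II: flag candidate apps that text short codes or remount /system writable."""
    findings = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        app, kind, name, dest, args = m.groups()
        if candidates is not None and app not in candidates:
            continue  # only apps that survived Step I are executed and monitored
        if kind == "api" and name == "SmsManager.sendTextMessage" and dest and is_short_code(dest):
            findings.setdefault(app, []).append(f"SMS to short code {dest}")
        if kind == "syscall" and name == "mount" and "remount,rw" in (args or "") \
                and "/system" in (args or ""):
            findings.setdefault(app, []).append("remounted /system writable")
    return findings

def run():
    """Chain both steps; confirmed findings would be fed back to the known-malware engine."""
    return analyze_trace(candidates=set(heuristic_filter()))
```
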

SLIDE 16

Evaluations of known malware (1/4)

• Crawled Android markets and collected 200K free apps:

Market            No. of apps
Official Market   153,002 (74.98%)
Alter M1          17,229 (8.44%)
Alter M2          14,943 (7.33%)
Alter M3          10,385 (5.09%)
Alter M4          8,481 (4.16%)
Total apps        204,040

SLIDE 17

Evaluations of known malware (2/4)

• Used 10 known malware families for behavioral footprints

SLIDE 18

Evaluations of known malware (3/4)

• 1. Permission-based filtering
  • Extracted permissions from each of the test apps
  • Compared them with malware permissions

SLIDE 19

Evaluations of known malware (4/4)

• 2. Behavioral footprint analysis
  • Total scan time 4.5 hours (a lot less than typical analysis)

SLIDE 20

Evaluations of unknown malware

• Uncovered Plankton malware
• Found in “Angry Birds Cheater” app
• Uncovered 10 similar instances in Google marketplace
• Google removed these 11 malicious apps on the same day

SLIDE 21

Observations

• Malware can persist longer on non-Google markets.
• 4/10 malware families have root exploits
• Anti-malware mobile software doesn’t always detect threats.

SLIDE 22

Detecting Android Malware: Characterization and Evolution

SLIDE 23

Components

I. Research facts
II. Malware Timeline
III. Malware Characterization
IV. Malware Evolution
V. Conclusions

SLIDE 24

Research facts

• 1260 samples over 49 malware families
• 27 malware families were found to be harvesting users’ information (user accounts etc.)
• Found 1083/1260 (86%) of malware samples were repackaged versions of legitimate applications with malicious payloads
• 400% increase in Android-based malware since 2010
• Anti-virus software like AVG and Norton Mobile Security Lite detected only 79% of the malicious apps.
SLIDE 25

Malware timeline

SLIDE 26

SLIDE 27

Malware Installation (1/2)

• Repackaging:
  1. Malware authors locate and download popular apps
  2. Disassemble them
  3. Enclose malicious payloads
  4. Re-assemble and submit the new apps to Android markets
• Update attack:
  • Instead of enclosing the payload as a whole, the app only includes an update component that will fetch or download the malicious payloads at runtime

SLIDE 28

Update attack

SLIDE 29

Malware Installation (2/2)

• Drive-by download
  • Uses small pieces of code designed to slip past simple defenses and go largely unnoticed
  • The code doesn't need to be highly complex because it mainly has one job: to contact another computer to introduce the rest of the code it needs to access a mobile device or computer.
SLIDE 30

Malicious Payloads (1/4)

• Privilege escalation:
  • Install malware
  • Stay undercover
  • Steal another user’s privileges
  • Use the privileges to gain access up to super administrator
• Exploit:
  • The researchers found that 36.7% of the sample apps contain at least one root exploit.... (Not good)

SLIDE 31

Malicious Payloads (2/4)

• Remote Control:
  • Turn the infected phones into bots for remote control
  • The researchers found that 93% of the samples turned infected phones into bots for remote control
  • Stealthy communication between master and server through encrypting the URLs of remote C&C servers

SLIDE 32

Malicious Payloads (3/4)

• Financial Charge:
  • The attempt of malware to execute financial exchanges
  • Disguised as a media player
  • By obtaining permission to call sendTextMessage in the background without the user’s awareness, the device sends messages to premium-rate services.
  • Note: premium-rate services are a form of micro-payment for paid-for content, data services and value-added services that are subsequently charged to your telephone bill

SLIDE 33

Top 20 permissions requested by malicious samples

SLIDE 34

Malicious Payloads (4/4)

• Information Collection:
  • Malware are actively harvesting various information on the infected phones
  • 13 malware families (138 samples) in the dataset collect SMS messages
  • 15 families (563 samples) gather phone numbers
  • 3 families (43 samples) obtain and upload information about user accounts

SLIDE 35

Conclusions

• This paper presents a systematic characterization of existing Android malware
• Analyzing 1260 Android malware samples in 49 different families has shown that:
  • (1) 86.0% of them repackage legitimate apps to include malicious payloads
  • (2) 36.7% contain platform-level exploits to escalate privilege
  • (3) 93.0% exhibit bot-like capability.
• Existing popular mobile security software still lags behind, and it becomes imperative to explore possible solutions to make a difference

SLIDE 36

References

• https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/
• Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets. In Network and Distributed System Security Symposium, 2012.
• A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner. A survey of mobile malware in the wild. In ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, pages 3–14. ACM, 2011.

SLIDE 37

Thank you