HOOKER
A solution to analyze Android markets
Dimitri Kirchner – @Tibapbedoum Georges Bossert – @Lapeluche AMOSSYS
Speakers: PhD candidate, AMOSSYS / Supelec (protocol reverse engineering); IT security engineer, AMOSSYS (Android)
Hooker: a solution to analyze Android markets 2
IT security engineer at AMOSSYS since 2010: Android, trusted computing
Android security model
Ask the user for permissions in order to access phone resources (texts, GPS, etc.)
What does the application do with its resources?
Are the resources really used by the application?
Are the resources used in a legitimate way?
Static versus dynamic analysis tools
Static analysis tools: Androguard, JD-Core/GUI, etc.
Solution 1: Build a custom Android ROM (Droidbox) to instrument the kernel
Solution 2: Modify the APK before install (APIMonitor / Fino) to instrument the APK
Solution 3: API hooking framework (Substrate / Xposed)
Mix of static and dynamic analysis
Fancy user interface and reports
Analyses are centered on one application
Is it possible to analyze more than one application? Can you analyze an entire market?
A solution to analyze Android applications: centralize and aggregate the analysis of thousands of different applications
Microanalysis versus Macroanalysis
Analysis of several applications
Androguard: it just works great
Framework in Python
Lets us extract basic information about the application: package name, permissions, services, etc.
Substrate: an API hooking framework
Changes the behavior of one application, without patches, a specific ROM, or anything else
What you need is: root access and a compatible Android version
Injects code into the Zygote process (parent of all processes); therefore the code is injected into all spawned processes
(Similar to Xposed)
Use Substrate to:
Hook access to personal information (read contacts, etc.)
Hook access to specific APIs (open socket)
Modify the return value of specific methods (anti-anti-emulation)
Method names
Build events in real time
Differentiates critical events from normal events
Writing is considered more intrusive than reading
An application doing lots of intrusive events is highlighted
Main limitation
White list enumeration: we don't intercept what we don't declare
Store events in a distributed database: Elasticsearch
Interact with the database: Kibana (front-end)
You have to build your own Kibana interface
A basic malware sample generates 2000 events in 60 seconds
Automation and parallelization of microanalysis
Look for specific patterns in thousands of applications
Post analysis: data mining
Step 1: Prepare an Android emulator
Step 2: Configure a scenario: install, execute, stimulate, external stimulation, reboot
External stimulation: phone call, SMS reception, GPS stimulation, etc.
Step 3: Run the experiment
$ python hooker_xp.py -c automaticAnalysis.conf
Wait and see
Python script to query the Elasticsearch database. Query whatever you want to compute:
Get thousands of APKs: Google store, unofficial markets, APKs in archives
What we have tried until now: 1000 apps from the SlideMe market in the paper, 1000 apps from the Google store
Network statistics
[Chart: Most used network methods (x-axis: method name, e.g. Socket, URL, connect, getInputStream, getOutputStream, sendto, recvfrom; y-axis: number of applications)]
Internet permission: 477 apps ask for the internet permission, 404 have been found using it
[Chart: Domains most accessed (x-axis: domain, e.g. secure.gameloft.com, ade.wooboo.com.cn, www.google.com, googleads.g.doubleclick.net, mm.admob.com, www.google-analytics.com; y-axis: number of applications)]
Advertisements
[Chart: Port numbers accessed by applications (x-axis: port number, e.g. 80, 443, 5220, 1130, 305, 5122; y-axis: number of applications)]
Noknok trojan?
Wanna find some vulnerable apps?
addJavascriptInterface: interface to call Java from JavaScript
On 1000 applications from the Google store, 23 apps use the addJavascriptInterface method
Crypto statistics
[Chart: Use of cipher functions (x-axis: cipher transformation, e.g. PBEWithSHA256And256BitAES-CBC-BC, AES, DES/CBC/PKCS5Padding, AES/CBC/PKCS5Padding, DES, Blowfish, AES/CBC/PKCS7Padding, AES/CBC/NoPadding, AES/ECB/PKCS5Padding, AES/ECB/NoPadding, PBEwithMD5andDES, DESede; y-axis: number of applications)]
No padding
DES…
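As an added example (not code from the Hooker project), here is the kind of post-analysis query the deck describes, run over constructed Hooker-style events instead of Elasticsearch: it rebuilds the "use of cipher functions" statistic, flags the weak transformations called out above (no padding, DES) and the addJavascriptInterface usage from the earlier slide. The event field names (app, cls, method, params) are an assumption.

```python
from collections import defaultdict

# Constructed sample events mimicking what Hooker's hooks would record
# (field names "app", "cls", "method", "params" are an assumption).
EVENTS = [
    {"app": "com.example.game", "cls": "javax.crypto.Cipher",
     "method": "getInstance", "params": ["AES/ECB/NoPadding"]},
    {"app": "com.example.game", "cls": "javax.crypto.Cipher",
     "method": "getInstance", "params": ["AES/ECB/NoPadding"]},
    {"app": "com.example.notes", "cls": "javax.crypto.Cipher",
     "method": "getInstance", "params": ["AES/CBC/PKCS5Padding"]},
    {"app": "com.example.notes", "cls": "android.webkit.WebView",
     "method": "addJavascriptInterface", "params": ["bridge", "Android"]},
    {"app": "com.example.backup", "cls": "javax.crypto.Cipher",
     "method": "getInstance", "params": ["DES"]},
]

def is_cipher_init(e):
    return e["cls"] == "javax.crypto.Cipher" and e["method"] == "getInstance"

def weak_reasons(transformation):
    """Why a Cipher transformation string is worth flagging, if at all."""
    t = transformation.upper()
    reasons = []
    if "DES" in t:                      # DES, DESede, PBEwithMD5andDES
        reasons.append("DES family")
    # A bare algorithm name ("AES", "DES") defaults to ECB mode in Java/Android.
    if "/ECB/" in t or ("/" not in t and "CBC" not in t):
        reasons.append("ECB mode")
    if t.endswith("/NOPADDING"):
        reasons.append("no padding")
    return reasons

def cipher_usage(events):
    """Distinct applications per transformation: the 'use of cipher functions' chart."""
    apps = defaultdict(set)
    for e in events:
        if is_cipher_init(e):
            apps[e["params"][0]].add(e["app"])
    return {t: len(a) for t, a in apps.items()}

def flag_apps(events):
    """Per-application findings: weak crypto and exposed JavaScript bridges."""
    findings = defaultdict(set)
    for e in events:
        if is_cipher_init(e):
            for r in weak_reasons(e["params"][0]):
                findings[e["app"]].add(f"weak crypto: {r} ({e['params'][0]})")
        elif e["method"] == "addJavascriptInterface":
            findings[e["app"]].add("JavaScript-to-Java bridge exposed")
    return {a: sorted(f) for a, f in findings.items()}
```

Replace EVENTS with the hits of an Elasticsearch query to run the same aggregation over a real Hooker database.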
Bitcoin miners
"Several apps from the GPlay are infected by crypto miners"
[Chart: Crypto hashing abuses (x-axis: applications; y-axis: number of "digest" operations)]
File statistics
[Chart: Files accessed by applications other than their /data/ (x-axis: path, e.g. /proc/cpuinfo, /proc/meminfo, /system/lib/libmedia_jni.so, /system/lib/libsoundpool.so, /sdcard, /mnt/sdcard, /system/etc/security/cacerts, /data/misc/keychain/cacerts-added, /data/misc/keychain/cacerts-removed; y-axis: number of applications)]
Shared libraries
Certificates
File accesses illustrate application behavior…
Backup app
That's weird, right? Is this app legitimate?
Hooker has a lot more capabilities: you choose what you want to extract
Highlight weaknesses in applications
Highlight malware within thousands of applications
Highlight WTF behavior on your system
Give it a try, play with Hooker now: https://github.com/AndroidHooker