how current android malware seeks to evade automated code
play

How Current Android Malware Seeks to Evade Automated Code Analysis - PowerPoint PPT Presentation

Sep 21, 2022 •118 likes •344 views

How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan Asrar , Stephan Huber, Eric Bodden Technische Universitt Darmstadt, Darmstadt, Germany Fraunhofer SIT, Darmstadt, Germany Appthority, San

  1. How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan Asrar , Stephan Huber, Eric Bodden Technische Universität Darmstadt, Darmstadt, Germany Fraunhofer SIT, Darmstadt, Germany Appthority, San Francisco, USA SECURE SOFTWARE ENGINEERING GROUP

  2. SECURE 2 SOFTWARE ENGINEERING GROUP

  3. Intent-Fuzzing (Behavior Analysis) DroidFuzzer[MoMM’13], IntentFuzzer [WODA’14], Andrubis [BADGERS’14] Inspection of the Symbolic/Concolic Emulator - Network Sniffing Execution - SMS interception Acteve[FSE’12], Rozzle [Oakland’12] - … Dataflow Analysis APP FlowDroid [PLDI’14], Security Report TaintDroid [OSDI’10] Machine Learning CHABADA [ICSE’14], Mudflow [ICSE’15] … SECURE 3 SOFTWARE ENGINEERING GROUP

  4. Is this sufficient enough? SECURE 4 SOFTWARE ENGINEERING GROUP

  5. Is this sufficient enough? SECURE 4 SOFTWARE ENGINEERING GROUP

  6. Android/BadAccents infected >20,000 user SECURE 5 SOFTWARE ENGINEERING GROUP

  7. 1. 2. Malware Code-analysis Components Challenges SECURE 6 SOFTWARE ENGINEERING GROUP

  8. SMS E-Mail Tapjacking Activation (Un-)Install Attack Component Fake AV User User User SMS Call Interception Interception Banking Send SMS Trojan HTTP Environment SECURE 7 SOFTWARE ENGINEERING GROUP

  9. Send SMS HTTP Environment Contacts File System 1. Contact’s phone number > 5 digits 2. Contact’s phone number stored into File 3. SMS text sent via C&C server (Internet connection necessary) SECURE 8 SOFTWARE ENGINEERING GROUP

  10. SMS • Checks for incoming number Activation Component +84… or +82… • Receives SMS Call Interception Interception commands from the C&C server Environment File System SECURE 9 SOFTWARE ENGINEERING GROUP

  11. • SMS activation SMS command: ak40_1 (deactivation ak40_0) Activation • Reads E-Mail Component credentials from native code SMS Call Interception Interception • Steals incoming SMS User User User via E-Mail and HTTP Environment File System Native E-Mail HTTP SECURE 10 SOFTWARE ENGINEERING GROUP

  12. ((…( Java ((user(=(stringUser();( E-Mail ((pw(=(stringPassword();(( ((saveToFile("musername",(user);(( ((saveToFile("mpass",(pw);(( SMS ((…( Interception ((sendIncomingSMSViaMail((readFromFile("musername"),(((( ((((((((((((((((((((((((((readFromFile("mpass")); Environment Native Native jstring(Java_stringUser()({( File System ((return("attacker@malicious.com";(( }( jstring(Java_stringPassword()({( ((return("superSecurePW";(( } SECURE 11 SOFTWARE ENGINEERING GROUP

  13. Banking Trojan E-Mail User User User Environment File System Time Bomb HTTP SECURE 12 SOFTWARE ENGINEERING GROUP

  14. Banking Trojan E-Mail User User User Environment File System Time Bomb HTTP Security Alert CANCEL OK SECURE 12 SOFTWARE ENGINEERING GROUP

  15. Banking Trojan E-Mail User User User Environment File System Time Bomb HTTP (previous) (person check) (previous) (security center) (certificate password) (secure mode) (name) (secure mode) (password) (Please enter the security (social security number) card correctly) (ok) (cancel) (account number) (account password) (next) (cancel) (next) (cancel) SECURE 12 SOFTWARE ENGINEERING GROUP

  16. Banking Trojan E-Mail User User User Environment File System Time Bomb HTTP (previous) (person check) (previous) (security center) (certificate password) • Waiting time: 30 minutes (secure mode) (name) (secure mode) (password) (Please enter the security • DER-formated certificates on file system (social security number) card correctly) (ok) (cancel) • Installed korean banking applications (account number) (account password) (next) (cancel) (next) (cancel) SECURE 12 SOFTWARE ENGINEERING GROUP

  17. Code Analysis Challenges RQ1: Can we automatically trigger malicious behavior (dynamically)? RQ2: Can we automatically extract the E-mail credentials (statically)? SECURE 13 SOFTWARE ENGINEERING GROUP

  18. RQ1 - Dynamic-Challenge: Generate Proper External Events • Specific events need to be sent SMS • Ordering of events is important Activation Component • Simple fuzzing approaches not SMS sufficient Interception SECURE 14 SOFTWARE ENGINEERING GROUP

  19. RQ1 - Dynamic-Challenge: Correct Environment Setup For a single App: Environment Specific Apps Specific Files Specific Contacts Timing Bomb … SECURE 15 SOFTWARE ENGINEERING GROUP

  20. RQ2 - Static-Challenge: Inter-Language Dataflows Java Native user(=(stringUser();( jstring(Java_stringUser()({( pw(=(stringPassword();(( ((return("attacker@malicious.com";(( saveToFile("musername",(user);(( }( saveToFile("mpass",(pw);(( …( jstring(Java_stringPassword()({( sendIncomingSMSViaMail((( ((return("superSecurePW";(( (((readFromFile("musername"),(((((((((((((((((((((((( } (((readFromFile("mpass")( ); SECURE 16 SOFTWARE ENGINEERING GROUP

  21. RQ2 - Static-Challenge: Inter-Language Dataflows Java Native user(=(stringUser();( jstring(Java_stringUser()({( pw(=(stringPassword();(( ((return("attacker@malicious.com";(( saveToFile("musername",(user);(( }( saveToFile("mpass",(pw);(( …( jstring(Java_stringPassword()({( sendIncomingSMSViaMail((( ((return("superSecurePW";(( (((readFromFile("musername"),(((((((((((((((((((((((( } (((readFromFile("mpass")( ); SECURE 16 SOFTWARE ENGINEERING GROUP

  22. APP Code Analysis Challenges Siegfried Rasthofer Secure Software Engineering Group (EC-SPRIDE) Email: siegfried.rasthofer@cased.de Blog: http://sse-blog.ec-spride.de Website: http://sse.ec-spride.de SECURE 17 SOFTWARE ENGINEERING GROUP

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer Vienna University of

425 views • 31 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

DATA ANALYSIS OF ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics New Mexico Tech Mentor: Dr. Golden G. Richard III Postdoctoral Researcher: Aisha Ali-Gombe July 26 th 2017 CCT REU 2017 ANDROID

347 views • 10 slides
Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf

648 views • 34 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes Patrick Carter, Collin Mulliner, Martina Lindorfer, William Robertson, Engin Kirda 02/23/2016 Android 2015 Q3 Market Share Android iOS

774 views • 26 slides
Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based

Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based

REVERSING AND OFFENSIVE-ORIENTED TRENDS SYMPOSIUM 2019 (ROOTS) 28TH TO 29TH NOVEMBER 2019, VIENNA, AUSTRIA Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based Malware Detectors Fabrcio Ceschin Marcus

1.12k views • 59 slides
A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

684 views • 33 slides
Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl @maldr0id Hackito Ergo Sum 2015 Android malware is boring! ukasz Siewierski (@maldr0id) Android malware that wont make you fall asleep 2 / 24

535 views • 34 slides
ANDROID PROGRAMMING - INTRODUCTION Roberto Beraldi Web resources (android) Code

ANDROID PROGRAMMING - INTRODUCTION Roberto Beraldi Web resources (android) Code

ANDROID PROGRAMMING - INTRODUCTION Roberto Beraldi Web resources (android) Code https://developer.android.com/guide/index.html http://www.vogella.com/tutorials/android.html

1.49k views • 60 slides
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico Mariconti , Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, Gianluca Stringhini. NDSS 2017, 28-02-2017 Motivation: Android

1.21k views • 37 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides
From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphal Rigo Typical (ideal) workflow of a malware sample reverser binary SOC CERT special malware malware SOC

89 views • 7 slides
Message Context for Internet Mail Eric Burger Emily Candell Charles Eliot Graham Klyne 49 th

Message Context for Internet Mail Eric Burger Emily Candell Charles Eliot Graham Klyne 49 th

Message Context for Internet Mail Eric Burger Emily Candell Charles Eliot Graham Klyne 49 th IETF VPIM WG draft-ietf-vpim-hint-01.txt 1 Background: Anyone Not Read draft-ietf-vpim-hint? T Context of Message Important to Many User Agents

802 views • 10 slides
Scattering of transient waves AR & FJS & TQ by piecewise homogeneous obstacles Notation

Scattering of transient waves AR & FJS & TQ by piecewise homogeneous obstacles Notation

A piecewise homogeneous world of waves Scattering of transient waves AR & FJS & TQ by piecewise homogeneous obstacles Notation Problem Approximation Alexander Rieder & FranciscoJavier Sayas Theory & Tianyu Qiu

651 views • 49 slides
File I/O No class on Friday, November 26 CS Cookie Party!!! Friday, December 10 4:30 -

File I/O No class on Friday, November 26 CS Cookie Party!!! Friday, December 10 4:30 -

Reminders... Assignment #9 is special... No lab on Wednesday, November 24 File I/O No class on Friday, November 26 CS Cookie Party!!! Friday, December 10 4:30 - 7:30pm, Lake House Kitchen T- 1 T- 2 Election 2008 Writing a

321 views • 4 slides
Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript Lars Larsson Today JavaScript strings JavaScript Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful degradation AJAX Summary Lecture #11 Advanced JavaScript 1

831 views • 38 slides
EN ENGL GLISH ISH LAN ANGUAG GUAGE TOPIC 45 : SOLUTIONS. INTERMEDIATE STUDENTS BOOK. UNIT

EN ENGL GLISH ISH LAN ANGUAG GUAGE TOPIC 45 : SOLUTIONS. INTERMEDIATE STUDENTS BOOK. UNIT

ACADEMIC LYCEUM INTERNATIONAL HOUSE TASHKENT 1 st semester EN ENGL GLISH ISH LAN ANGUAG GUAGE TOPIC 45 : SOLUTIONS. INTERMEDIATE STUDENTS BOOK. UNIT 4. AN EMAIL. AN EMAIL Electronic mail (email or e-mail) is a method of

138 views • 9 slides
Model-Based Classification of Web Documents Represented by Graphs Alex Markov and Mark Last

Model-Based Classification of Web Documents Represented by Graphs Alex Markov and Mark Last

- Ben-Gurion University of the Negev Model-Based Classification of Web Documents Represented by Graphs Alex Markov and Mark Last Department of Information Systems Engineering, Ben-Gurion

484 views • 27 slides
TACOM ILSC FY20 MDEX SOLDIER, CHEM-BIO AND WEAPONS READINESS AND SUSTAINMENT DIRECTORATE

TACOM ILSC FY20 MDEX SOLDIER, CHEM-BIO AND WEAPONS READINESS AND SUSTAINMENT DIRECTORATE

UNCLASSIFIED//FOUO UNCLASSIFIED : Distribution Statement A - Approved for public release; distribution is unlimited TACOM ILSC FY20 MDEX SOLDIER, CHEM-BIO AND WEAPONS READINESS AND SUSTAINMENT DIRECTORATE UNCLASSIFIED//FOUO 1 UNCLASSIFIED :

484 views • 10 slides
CS305 Topic Other Impacts Productivity and jobs Work environment Globalization

CS305 Topic Other Impacts Productivity and jobs Work environment Globalization

CS305 Topic Other Impacts Productivity and jobs Work environment Globalization Society Environmental Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Other Impacts 1 Impact

742 views • 26 slides

More recommend