sherlockdroid an inspector for android marketplaces

SherlockDroid, an Inspector for Android Marketplaces Axelle - PowerPoint PPT Presentation

Feb 02, 2024 •149 likes •718 views

SherlockDroid, an Inspector for Android Marketplaces Axelle Apvrille - FortiGuard Labs, Fortinet Ludovic Apvrille - Institut Mines-Telecom, Telecom ParisTech, LTCI CNRS Hack.Lu, Luxembourg October 2014 Who are we? Axelle Ludovic Hack.Lu

  1. SherlockDroid, an Inspector for Android Marketplaces Axelle Apvrille - FortiGuard Labs, Fortinet Ludovic Apvrille - Institut Mines-Telecom, Telecom ParisTech, LTCI CNRS Hack.Lu, Luxembourg October 2014

  2. Who are we? Axelle Ludovic Hack.Lu 2014 - Axelle and Ludovic Apvrille 2/34

  3. Many Android Applications Hack.Lu 2014 - Axelle and Ludovic Apvrille 3/34

  4. Many Android Applications Hack.Lu 2014 - Axelle and Ludovic Apvrille 3/34

  5. Unknown number of Android Apps We don’t know exactly how many apps there are Hack.Lu 2014 - Axelle and Ludovic Apvrille 4/34

  6. Unknown number of Android Apps We don’t know exactly how many apps there are ◮ Precise number of Android marketplaces???? ◮ How many duplicate apps? ◮ How many old/retired apps? Hack.Lu 2014 - Axelle and Ludovic Apvrille 4/34

  7. Unknown number of Android Apps We don’t know exactly how many apps there are ◮ Precise number of Android marketplaces???? ◮ How many duplicate apps? ◮ How many old/retired apps? but it’s BIG NUMBERS Hack.Lu 2014 - Axelle and Ludovic Apvrille 4/34

  8. Mobile Malware Infection Risk We don’t know... (exactly) Hack.Lu 2014 - Axelle and Ludovic Apvrille 5/34

  9. Mobile Malware Infection Risk We don’t know... (exactly) What we do know ◮ Oct 2014. 840k malicious Android samples Hack.Lu 2014 - Axelle and Ludovic Apvrille 5/34

  10. Mobile Malware Infection Risk We don’t know... (exactly) What we do know ◮ Oct 2014. 840k malicious Android samples ◮ 1,000+ new malicious Android sample every day Hack.Lu 2014 - Axelle and Ludovic Apvrille 5/34

  11. Known Malware Hack.Lu 2014 - Axelle and Ludovic Apvrille 6/34

  12. Known Malware Hack.Lu 2014 - Axelle and Ludovic Apvrille 6/34

  13. Unknown Malware Do they exist? YES Hack.Lu 2014 - Axelle and Ludovic Apvrille 7/34

  14. Proof: Android Carbon 14 Dating ;) Shortest detection delay for some samples by all AV vendors Name Creation date Detection date Android/Wroba June 16 June 21 +5d Android/Curesec July 3 July 11 +8d Android/ScarePakage July 13 July 24 +11d Hack.Lu 2014 - Axelle and Ludovic Apvrille 8/34

  15. Proof: Android Carbon 14 Dating ;) Shortest detection delay for some samples by all AV vendors Name Creation date Detection date Android/Wroba June 16 June 21 +5d Android/Curesec July 3 July 11 +8d Android/ScarePakage July 13 July 24 +11d Android/Ganlet Nov 1 2013 May 15 2014 +6 months!!! Hack.Lu 2014 - Axelle and Ludovic Apvrille 8/34

  16. So, What Are We Interested In? Hack.Lu 2014 - Axelle and Ludovic Apvrille 9/34

  17. Problems with Manual Search Too many apps and marketplaces to crawl Waste time on clean apps Even a team of 100 analysts is insufficient Hack.Lu 2014 - Axelle and Ludovic Apvrille 10/34

  18. Problems with Manual Search Too many apps and marketplaces to crawl Waste time on clean apps Even a team of 100 analysts is insufficient We need an automated system Hack.Lu 2014 - Axelle and Ludovic Apvrille 10/34

  19. SherlockDroid to the Rescue! Crawl Android marketplaces Spot suspicious apps Focus on major variants and unknown malware Hack.Lu 2014 - Axelle and Ludovic Apvrille 11/34

  20. SherlockDroid (Unbiaised) Benefits Hack.Lu 2014 - Axelle and Ludovic Apvrille 12/34

  21. Remarks on SherlockDroid It is not an AV scanner because SherlockDroid does not handle known malware / minor variants Hack.Lu 2014 - Axelle and Ludovic Apvrille 13/34

  22. Remarks on SherlockDroid It is not an AV scanner because SherlockDroid does not handle known malware / minor variants We will miss some malware we’re not perfect :( Hack.Lu 2014 - Axelle and Ludovic Apvrille 13/34

  23. Remarks on SherlockDroid It is not an AV scanner because SherlockDroid does not handle known malware / minor variants We will miss some malware we’re not perfect :( but we would have missed them without SherlockDroid too Hack.Lu 2014 - Axelle and Ludovic Apvrille 13/34

  24. SherlockDroid Architecture Hack.Lu 2014 - Axelle and Ludovic Apvrille 14/34

  25. SherlockDroid: Current Status Hack.Lu 2014 - Axelle and Ludovic Apvrille 15/34

  26. SherlockDroid: Current Tests SherlockDroid is currently in ’heavy testing’ phase Hack.Lu 2014 - Axelle and Ludovic Apvrille 16/34

  27. SherlockDroid: Current Tests SherlockDroid is currently in ’heavy testing’ phase Crawled 140 K samples Hack.Lu 2014 - Axelle and Ludovic Apvrille 16/34

  28. SherlockDroid: Current Tests SherlockDroid is currently in ’heavy testing’ phase Crawled 140 K samples Extracted properties of 550 K + samples Hack.Lu 2014 - Axelle and Ludovic Apvrille 16/34

  29. SherlockDroid: Current Tests SherlockDroid is currently in ’heavy testing’ phase Crawled 140 K samples Extracted properties of 550 K + samples Learning and classification: 480 K clusters! At 50 K, FP: 0.99%, FN: 3.3% Hack.Lu 2014 - Axelle and Ludovic Apvrille 16/34

  30. SherlockDroid: Current Results 8 new unknown malware and Potentially Unwanted Apps Hack.Lu 2014 - Axelle and Ludovic Apvrille 17/34

  31. SherlockDroid: Current Results 8 new unknown malware and Potentially Unwanted Apps Okay, we would have preferred only nasty malware Hack.Lu 2014 - Axelle and Ludovic Apvrille 17/34

  32. SherlockDroid: Current Results 8 new unknown malware and Potentially Unwanted Apps Okay, we would have preferred only nasty malware Do you known any other framework who identified real unknown malware? Hack.Lu 2014 - Axelle and Ludovic Apvrille 17/34

  33. SherlockDroid: Current Results 8 new unknown malware and Potentially Unwanted Apps Okay, we would have preferred only nasty malware Do you known any other framework who identified real unknown malware? Answer: DroidRanger: 2 Hack.Lu 2014 - Axelle and Ludovic Apvrille 17/34

  34. SherlockDroid: Current Results 8 new unknown malware and Potentially Unwanted Apps Okay, we would have preferred only nasty malware Do you known any other framework who identified real unknown malware? Answer: DroidRanger: 2 AAS, Andromaly, CopperDroid, Crowdroid, Drebin, MADAM, MAST, pBMDS, PUMA... tested on artificial or known malware Hack.Lu 2014 - Axelle and Ludovic Apvrille 17/34

  35. SherlockDroid: Hall of “Fame” ◮ Android/MisoSMS.A!tr.spy ◮ Android/Odpa.A!tr.spy ◮ Adware/Geyser!Android ◮ Riskware/Flexion!Android ◮ Riskware/SmsControlSpy!Android ◮ Riskware/Zdchial!Android ◮ Riskware/SmsCred!Android ◮ Riskware/Blued!Android Descriptions: http://www.fortiguard.com/encyclopedia/ Hack.Lu 2014 - Axelle and Ludovic Apvrille 18/34

  36. Into Android/MisoSms Trojan Spyware Android/MisoSms.A!tr.spy ◮ Poses as Google Settings app ◮ Sends 1 initial email with phone number of victim ◮ Listens to incoming SMS ◮ Forwards them by email to attackers Hack.Lu 2014 - Axelle and Ludovic Apvrille 19/34

  37. Into Geyser Adware Adware/Geyser!Android Posts GPS location in clear text http://blog.fortinet.com/post/ alligator-detects-gps-leaking-adware LOL - In falsepositives.txt: ”Reputable companies including banks, US Government/ Military sector are using our tools” Hack.Lu 2014 - Axelle and Ludovic Apvrille 20/34

  38. Crawlers - Evading Detection Easy to implement but constantly needs to be maintained :( ◮ Search Limit ◮ Download activity per IP address ◮ User Agent verification ◮ Android ID verification https: //github.com/Akdeniz/ google-play-crawler Hack.Lu 2014 - Axelle and Ludovic Apvrille 21/34

  39. DroidLysis - Extracting Properties Permissions are good ... but insufficient! Hack.Lu 2014 - Axelle and Ludovic Apvrille 22/34

  40. DroidLysis - Extracting Properties Permissions are good ... but insufficient! In Dalvik, every object points to a string Hack.Lu 2014 - Axelle and Ludovic Apvrille 22/34

  41. DroidLysis - Extracting Properties Permissions are good ... but insufficient! In Dalvik, every object points to a string We also search assets and resources Hack.Lu 2014 - Axelle and Ludovic Apvrille 22/34

  42. Ruling out Third Party Code Hack.Lu 2014 - Axelle and Ludovic Apvrille 23/34

  43. Alligator Gather clusters for learning - only once Test with 1,514 newer clean samples and 3,062 newer malware Learning Learning Classification time FP FN cluster size time time 50,000 2 hours 13 min 1 min 40 s 0.99% 3.3% We can favour minimum False Positives Hack.Lu 2014 - Axelle and Ludovic Apvrille 24/34

  44. Alligator Gather clusters for learning - only once Test with 1,514 newer clean samples and 3,062 newer malware Learning Learning Classification time FP FN cluster size time time 50,000 2 hours 13 min 1 min 40 s 0.99% 3.3% 480,000 approx. 31 hours 9 min 21 s 1.8% 0.5% It works with 480 K clusters ! We can favour minimum False Positives Hack.Lu 2014 - Axelle and Ludovic Apvrille 24/34

  45. Alligator Gather clusters for learning - only once Test with 1,514 newer clean samples and 3,062 newer malware Learning Learning Classification time FP FN cluster size time time 50,000 2 hours 13 min 1 min 40 s 0.99% 3.3% 480,000 approx. 31 hours 9 min 21 s 1.8% 0.5% SVM? Far worse! 50 K: FP: 5.48% FN: 0.65% !!! It works with 480 K clusters ! We can favour minimum False Positives Hack.Lu 2014 - Axelle and Ludovic Apvrille 24/34

  46. Demo Alligator unleashed! Wake up! Hack.Lu 2014 - Axelle and Ludovic Apvrille 25/34

  47. DEMO - SherlockDroid GUI [Preview] Hack.Lu 2014 - Axelle and Ludovic Apvrille 26/34

Recommend

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="net.cserna.bence.colorguess

201 views • 3 slides
Access to International Access to International E-Marketplaces for Developing E-Marketplaces for

Access to International Access to International E-Marketplaces for Developing E-Marketplaces for

Access to International Access to International E-Marketplaces for Developing E-Marketplaces for Developing Country MSMEs Country MSMEs Julien Grollier Julien Grollier 1 Background Background Cross-border e-retail on the rise Until

270 views • 9 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

688 views • 49 slides
SPECIAL INSPECTOR GENERAL FOR IRAQ RECONSTRUCTION: J. J. Crowley Deputy Inspector General for

SPECIAL INSPECTOR GENERAL FOR IRAQ RECONSTRUCTION: J. J. Crowley Deputy Inspector General for

SPECIAL INSPECTOR GENERAL FOR IRAQ RECONSTRUCTION: J. J. Crowley Deputy Inspector General for Investigations Office of Inspector General, TX HHSC SPECIAL INSPECTOR GENERAL FOR IRAQ RECONSTRUCTION (SIGIR) History SIGIR Investigative

336 views • 15 slides
Office of the Inspector General Jess Womack Inspector General Budget, Facilities and Audit

Office of the Inspector General Jess Womack Inspector General Budget, Facilities and Audit

Office of the Inspector General Jess Womack Inspector General Budget, Facilities and Audit Committee January 24, 2012 Office of the Inspector General 2 Office of the Inspector General FY 2007/2008 Budget Current Year Budget $11.9

116 views • 7 slides
Combating Organized Crime Inspector Dieter Boeheim Inspector Mike Slack Inspector Keith Merith

Combating Organized Crime Inspector Dieter Boeheim Inspector Mike Slack Inspector Keith Merith

Combating Organized Crime Inspector Dieter Boeheim Inspector Mike Slack Inspector Keith Merith April 22, 2015 Presentation Overview What is Organized Crime Intelligence Bureau Composition Partnerships Illicit Activities

373 views • 36 slides
APPLICATIONS UDAY LINGALA CSCI 5448, Fall 2012 Content Introduction to Android system

APPLICATIONS UDAY LINGALA CSCI 5448, Fall 2012 Content Introduction to Android system

ANDROID AND ANDROID APPLICATIONS UDAY LINGALA CSCI 5448, Fall 2012 Content Introduction to Android system What is android? History Android Market Why Android Design philosophy System Architecture Features

802 views • 40 slides
Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview Installation Building Blocks Application Development Development Tools Source walk through Introduction to Android Open software

979 views • 49 slides
CS 403X Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 403X Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 403X Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle Emmanuel Agu Android Software Framework Android Software Framework Multi user Linux system Each Android app is a different Linux user

924 views • 71 slides
Running Android on the Mainline Graphics Stack Robert Foss @memcpy_io Agenda Android

Running Android on the Mainline Graphics Stack Robert Foss @memcpy_io Agenda Android

Running Android on the Mainline Graphics Stack Robert Foss @memcpy_io Agenda Android History Android on Mainline Current Status Big Picture Android History Android History Qualcomm diff with mainline, # lines 4000000

981 views • 76 slides
CS 403X Mobile and Ubiquitous Computing Lecture 2: Android UI Design, First Android Program

CS 403X Mobile and Ubiquitous Computing Lecture 2: Android UI Design, First Android Program

CS 403X Mobile and Ubiquitous Computing Lecture 2: Android UI Design, First Android Program Emmanuel Agu Android UI Design in XML Recall: Files Hello World Android Project XML file used to design Android UI 3 Files: Activity_main.xml: XML

1.18k views • 92 slides
HELLO WORLD ON ANDROID Create a new Android Project Open File->New->Android

HELLO WORLD ON ANDROID Create a new Android Project Open File->New->Android

HELLO WORLD ON ANDROID Create a new Android Project Open File->New->Android project Application name Company domain Project location Hello World Project Target Android Devices Hello World Project Add an

213 views • 18 slides
Office of Inspector General NSF Grants Conference June 1-2, 2015 William J. Kilgallin Senior

Office of Inspector General NSF Grants Conference June 1-2, 2015 William J. Kilgallin Senior

Office of Inspector General NSF Grants Conference June 1-2, 2015 William J. Kilgallin Senior Advisor, Investigations Office of Inspector General National Science Foundation Who We Are Inspector General Assistant Inspector Assistant

548 views • 13 slides
Monitoring the Dark Web Simon Wu, Joe Van Buskirk, Amanda Roxburgh, & Lucy Burns Background

Monitoring the Dark Web Simon Wu, Joe Van Buskirk, Amanda Roxburgh, & Lucy Burns Background

Monitoring the Dark Web Simon Wu, Joe Van Buskirk, Amanda Roxburgh, & Lucy Burns Background The Silk Road/Dark Web Marketplaces Dark Web marketplaces are anonymous marketplaces accessed via an Onion routed connection

305 views • 6 slides
Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Hot Spaces

Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Hot Spaces

Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Def. Hot: In the Marshall McLuhan sense rich. Def. Marketplace: Where

336 views • 17 slides
Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware

Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware

Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware Software Development Tools Basics Debugging/Emulator Location Demo Android And Me Why I like Android Blend of Linux

1.01k views • 25 slides
Detecting the behavioral relationships of malware connections (slides) Conference Paper August

Detecting the behavioral relationships of malware connections (slides) Conference Paper August

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/307638742 Detecting the behavioral relationships of malware connections (slides) Conference Paper August 2016 CITATIONS READS 0

380 views • 17 slides
Chardae Caine Research Associate ccaine@lkm.org 785.354.9565 What is Cybersecurity? The body

Chardae Caine Research Associate ccaine@lkm.org 785.354.9565 What is Cybersecurity? The body

www.lkm.org Chardae Caine Research Associate ccaine@lkm.org 785.354.9565 What is Cybersecurity? The body of information technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage,

444 views • 19 slides
CSCI 4250/6250 Fall 2011 Computer and Networks Security Malware Goodrich, Chapter 4

CSCI 4250/6250 Fall 2011 Computer and Networks Security Malware Goodrich, Chapter 4

CSCI 4250/6250 Fall 2011 Computer and Networks Security Malware Goodrich, Chapter 4 Viruses, Worms, Trojans, Rootkits Malware = Malicious Software can be classified into several categories, depending on propagation and concealment

472 views • 46 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
AndRadar: Fast Discovery of Android Applications in Alternative Markets

AndRadar: Fast Discovery of Android Applications in Alternative Markets

AndRadar: Fast Discovery of Android Applications in Alternative Markets Martina Lindorfer, Stamatis Volanis, Alessandro Sisto Matthias Neugschwandtner, Elias Athanasopoulos, Federico Maggi Christian Platzer, Sotiris

735 views • 41 slides
Cyber@UC Meeting 29 If Youre New! Join our Slack ucyber.slack.com Follow us on Twitter

Cyber@UC Meeting 29 If Youre New! Join our Slack ucyber.slack.com Follow us on Twitter

Cyber@UC Meeting 29 If Youre New! Join our Slack ucyber.slack.com Follow us on Twitter @UCyb3r and Facebook UC.yber; University of Cincinnati OWASP Chapter Feel free to get involved with one of our committees: Content, Finance,

579 views • 18 slides
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico Mariconti , Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, Gianluca Stringhini. NDSS 2017, 28-02-2017 Motivation: Android

1.21k views • 37 slides
Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Course Overview

Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Course Overview

Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Course Overview (cont) CSU Cybersecurity Center Computer Science Dept 1 1 Today Security Architecture Key terms Access control and authentication 2

703 views • 47 slides

More recommend