An Antivirus API for Android Malware Recognition

In this talk, given at the 8th International Conference on Malicious and Unwanted Software (MALWARE 2013), researchers from Fraunhofer AISEC present their paper "An Antivirus API for Android Malware Recognition".
The proposed API, if added to the main Android distribution or to third-party distributions such as Cyanogenmod, would significantly increase the effectiveness that antivirus software can achieve on Android. Currently, antivirus software on Android is very limited in its capabilities and very easy to circumvent for malware, as demonstrated by our previous work "On the Effectiveness of Malware Protection on Android: An Evaluation of Android Antivirus Apps" by Rafael Fedler (http://ais.ec/techreport). These platform-based antivirus shortcomings are addressed by the paper presented in this talk.

1. An Antivirus API for Android Malware Recognition
8th IEEE International Conference on Malicious and Unwanted Software (MALWARE 2013)
Rafael Fedler, rafael.fedler@aisec.fraunhofer.de, October 23, 2013
2. Outline
- Motivation: Problem; Teaser
- Background: Android Platform; Android Malware; Android Antivirus Software
- Approach: Antivirus API: Objectives; File system traversal for on-demand scanning; File system monitoring; File operations
- Discussion
An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 1 © Fraunhofer
3. Motivation: Problem
- Antivirus software on Android is inherently less powerful than on desktop systems
  - Has access to only a select few files on the file system (installation package files)
  - Cannot scan or monitor the file system
  - Completely oblivious to anything happening at runtime on a device
  - Cannot detect malicious file downloads (root exploits, other code) at runtime
- Android apps can download and then execute code at runtime (!)
4. Motivation: Teaser
Our approach: an interface to be added to the Android platform to allow AV software
- on-demand scanning of the full or a partial file system
- on-change scanning of changed file system portions for live monitoring
- signature- and heuristics-based malware detection similar to that deployed by desktop products
... without breaking Android's security architecture
6. Background: Android Platform
- File system sandboxing mechanism
  - Every app is assigned its own UID
  - Every app's files are set to owner read only for its own UID → file system sandbox: each app can only access files in its own working directory
  - Also applies to antivirus software (!)
- Package database /data/system/packages.xml, world readable
  - Upon installation of an app, an entry in the package DB is created
  - Contains, among others, the path to every app's package file
  - Package files are world readable (!)
7. Background: Android Malware
- 36.7% of all malicious apps deployed root exploits by 2012 [4], probably more by now
  - Allows breaking out of the sandbox
  - Often downloaded at runtime, thus invisible to AV software
- Typical course of infection of more advanced malware (e.g., [1, 2]):
  1. Initial propagation: disguised as a legitimate app; repackaged; update of a legitimate app after hijacking of the developer's account and signing key; etc.
  2. Download of root exploit at runtime, in case it is not shipped with the app package file
  3. Mark exploit executable with chmod
  4. Execute root exploit and carry out payload
8. Background: Android Antivirus Software
- Cannot:
  - ... scan a device's file system due to the sandbox
  - ... monitor other apps' behavior at runtime or their working directories
- Can only:
  - Read installed apps' installation package files (remember: the package database is world readable and contains the paths of the app package files, which are also world readable)
  - Read the SD card (not used by malware for obvious reasons)
9. Own conclusion
- Adding the ability to scan apps' working directories and monitor them at runtime: good idea
- Current AV is completely blind and oblivious to any runtime behavior or file system changes
  - ... including malicious code downloaded/created/unpacked/pieced together at runtime
11. Approach: Antivirus API: Objectives
1. Scan the file system fully (from /) or partially (e.g., from /data/data) on demand
2. Monitor file system portions (e.g., working directories) at runtime
3. Operations on arbitrary files allowing for signature- and heuristics-based malware recognition similar to desktop products
4. All of the above without breaking Android's security architecture
12. Approach: Antivirus API: File system traversal for on-demand scanning
- Objective: do not disclose file system names or full paths
- Solution: aliases
- Options for implementation:
  1. Database mapping aliases ↔ paths
  2. Dynamic calculation
  3. Trapdoor function, e.g., RSA
- Allows for traversal of the file system tree
13. Approach: Antivirus API: File system traversal for on-demand scanning
Listing 1: Usual directory listing
    user@computer:/topleveldir$ ls
    dir1 dir2 file1 file2 file3
Listing 2: Directory listing using aliases, including an entry for the parent directory (p = parent, d = directory, f = file)
    0 p a55822426a5330c04625a41d264c190b
    1 d b72b7253c45f9d22044c86bf4d7e4902
    2 d 515dc267bbd0af019d22e766af0cb7e4
    3 f f8bb5cc06b4ed23683b276ca05153e82
    4 f 7b2de0a0f16d100dfbf2d84603840ee2
    5 f 9fa5ba9abe67916142cb6bc0eee7658b
14. Approach: Antivirus API: File system traversal for on-demand scanning
- Starting from / or /data/data/, an AV app can traverse the file system using such alias handles
  - ls and cd equivalent operations will be provided
  - Paths passed by the user can be used as entry points; however, aliases cannot be translated back to paths
  - Trapdoor parameter only known to the system, not to the AV
- Path aliases for traversal, file aliases for indirect file access for malware detection
- Permanent translation and communication between AV and system: not very efficient, but /data/data/ is usually not very big
- Preserves privacy
- Sandbox maintained: no direct access outside the AV's working directory
15. Approach: Antivirus API: File system monitoring
- Approach: inotify Linux kernel interface
  - Processes can place inotify handles on file system objects (directories, files)
  - Notification upon change to monitored objects
- inotify handles to be placed in /data/data/ and all subdirectories
16. Approach: Antivirus API: File operations: Regular expressions for signatures and heuristics
- Most detection techniques can be formulated as regular expressions:
  - Signatures
  - Some static heuristics (regexes matching opcodes)
  - Feature extraction with offsets: regexes with offsets
- "Proxy" for regular expressions: the API takes signatures in the form of regexes and responds "true" if they match, "false" if they do not
17. Approach: Antivirus API: File operations: Hashes
- Hashes on desktop/server platforms: very limited effectiveness
  - Exploit kits, drive-by infections, droppers, personalized malware, morphic code
  - Too many variations of one family, sample numbers too high
- Mobile platforms: much more useful
  - Centralized distribution (thus also almost no personalized malware), virtually no app compromising/infection, virtually no drive-by infections, sandboxing prohibits morphing code
- Allow hashes for arbitrary file system objects
- Feature extraction/fast matching/no-matching: hashes from definable offsets
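As an added example (not code from the paper or from Fraunhofer AISEC), the following Python sketch models the system-side endpoint described on slides 12 to 17: a directory listing in the alias form of Listing 2, a regex proxy that answers only true or false, and hashes from definable offsets. The alias is an HMAC over the real path under a system-held key, which is my own choice combining the database-mapping and dynamic-calculation options (HMAC-MD5 only so the aliases look like the 32-hex-digit ones in Listing 2); the in-memory tree, the key and the sample file bytes are constructed for this illustration.

```python
import hashlib
import hmac
import re

# Constructed sample subtree standing in for /data/data (not the paper's data):
# a dict value is a directory, a bytes value is a file.
TREE = {"com.example.app": {
    "shared_prefs": {"settings.xml": b"<map><boolean name='first' value='true'/></map>"},
    "files": {"dl.bin": b"\x7fELF" + b"SAMPLE-SIG-0001" + bytes(range(40))},
}}
SYSTEM_KEY = b"constructed-system-secret"  # trapdoor parameter, never given to the AV app


# System-side endpoint: hands out opaque aliases and answers only with a bool or a hash.
class AliasFS:
    def __init__(self, root, tree):
        self._path_of, self._node_of = {}, {}  # alias -> path, path -> node (system only)
        self._index(root, tree)

    def _index(self, path, node):
        self._path_of[self._alias(path)] = path
        self._node_of[path] = node
        if isinstance(node, dict):
            for name, child in node.items():
                self._index(f"{path}/{name}", child)

    @staticmethod
    def _alias(path):  # keyed hash: computed dynamically, not invertible without SYSTEM_KEY
        return hmac.new(SYSTEM_KEY, path.encode(), hashlib.md5).hexdigest()

    def entry(self, path):  # an AV-supplied path as entry point; only its alias comes back
        return self._alias(path) if path in self._node_of else None

    def list_dir(self, alias):  # 'ls' equivalent: (index, kind, alias); p=parent, d=dir, f=file
        path = self._path_of[alias]
        node = self._node_of[path]
        if not isinstance(node, dict):
            raise NotADirectoryError(alias)
        rows = [(0, "p", self._alias(path.rsplit("/", 1)[0] or path))]
        for name, child in sorted(node.items()):
            kind = "d" if isinstance(child, dict) else "f"
            rows.append((len(rows), kind, self._alias(f"{path}/{name}")))
        return rows

    def matches(self, alias, pattern):  # regex proxy: signature in, only True/False out
        data = self._node_of[self._path_of[alias]]
        return isinstance(data, bytes) and re.search(pattern, data) is not None

    def digest(self, alias, offset=0, length=None):  # hash of a file or of a slice at offset
        data = self._node_of[self._path_of[alias]]
        return hashlib.sha256(data[offset:None if length is None else offset + length]).hexdigest()
```

The parent alias of the entry point lies outside the indexed subtree, so listing it raises KeyError, which is the intended "no access outside the subtree" behaviour.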
18. Approach: Antivirus API: Securing Access to the Interface
- Widespread access to the device → tight access control
- Whitelist based: check the signing keys of the package requesting access to the AV interface
  - Include signing keys of verified AV companies in the whitelist
  - Feasible effort: fewer than 50 AV providers
20. Discussion: Implementation Details
- File system access backend: POSIX 1003.1e ACLs to provide read-only access to the interface for either the whole file system or a subtree such as /data/data/
- Possible addition: dynamic heuristics
  - chroot environment or write/network access interception + strings, strace, ltrace
  - However, cloud analysis is more effective, has lower risks and no limited resources
- Risk: file content disclosure through incremental regex construction
  - Unlikely, as only trusted apps will have access to the interface
  - Secure multi-party computation techniques for privacy-preserving regex matching [3]
22. Conclusion
- Devised interface allows for:
  - Signature-based detection
  - Static heuristics
  - (Limited) feature extraction/fast matching/no-matching
  - On-demand file system scanning
  - Live file system change monitoring
  - All of the above without disclosing file system names (paths) or file contents
- Interface only grants access to trusted AV software
- Novelty: on-device malware detection comparable to that of non-mobile platforms
  - Previously only tests of package installation files; AV completely blind to 99% of the file system
23. Bibliography
[1] X. Jiang. New GappII Trojan Found in Alternative Android Markets, April 27, 2012. http://www.csc.ncsu.edu/faculty/jiang/GappII/ (accessed 18.02.2013).
[2] X. Jiang. New RootSmart Android Malware Utilizes the GingerBreak Root Exploit, February 3, 2012. http://www.csc.ncsu.edu/faculty/jiang/RootSmart/.
[3] F. Kerschbaum. Practical private regular expression matching. In Security and Privacy in Dynamic Environments, pages 461–470. Springer, 2006.
[4] Y. Zhou and X. Jiang. Dissecting Android malware: Characterization and evolution. In 2012 IEEE Symposium on Security and Privacy (SP), pages 95–109, May 2012.
24. Contact Information
Rafael Fedler, rafael.fedler@aisec.fraunhofer.de
Group Mobile Security
Department Service & Application Security
Fraunhofer Research Institution for Applied and Integrated Security (AISEC)
Address: Parkring 4, 85748 Garching (near Munich), Germany
Internet: http://www.aisec.fraunhofer.de
Phone: +49 89 3229986-173
Fax: +49 89 3229986-299
E-Mail: rafael.fedler@aisec.fraunhofer.de