AndroTotal: A Scalable Framework for Android Antivirus Testing

Slides of the AndroTotal talk at SECURE2013.

Although opinions differ on how large the mobile malware phenomenon is in absolute numbers, hype aside, the number of new Android malware variants is increasing. This trend is mainly due to the fact that, as happened with traditional malware, authors strive to repackage, obfuscate, or otherwise transform the executable code of their malicious apps in order to evade mobile security apps. There are about 85 such apps on the official marketplace alone. However, it is not clear how effective they are: the Android sandboxing mechanism does not allow (security) apps to audit other apps. We present AndroTotal, a publicly available tool, malware repository and research framework that aims at mitigating the above challenges and allows researchers to automatically scan Android apps against an arbitrary set of malware detectors. We implemented AndroTotal and released it to the research community in April 2013. So far, we have collected 18,758 distinct submitted samples and received the attention of several research groups (1,000 distinct accounts), who integrated their malware-analysis services with ours.

  1. ANDROTOTAL: A SCALABLE FRAMEWORK FOR ANDROID ANTIMALWARE TESTING. SECURE2013. Federico Maggi, Andrea Valdi, Stefano Zanero. Politecnico di Milano, DEIB. fede@maggi.cc
  2. ROADMAP: 1. Android threats and protections; 2. Limitations; 3. Testing antimalware; 4. AndroTotal; 5. Status
  3. 1. ANDROID THREATS AND PROTECTIONS. 2. LIMITATIONS. 3. TESTING ANTIMALWARE. 4. ANDROTOTAL. 5. STATUS
  4. ANDROID FACTS
     - Rich marketplaces stocked with apps
     - Very attractive target for attackers
     - Android is the most popular mobile platform (79%)
  5. ATTACKERS' GOALS
     - Steal sensitive data (intercept texts or calls)
     - Turn devices into bots (perform malicious actions)
     - Financial gain (call or text premium numbers)
  6. GROWTH OF MALICIOUS APPS (2011–2012). Source: http://blog.trendmicro.com/trendlabs-security-intelligence/byod-a-leap-of-faith-for-enterprise-users/
  7. NUMBER OF MOBILE "THREATS" (Q1 2013)
     - Symantec: ~3,900
     - McAfee: ~60,000
     - Trend Micro: ~509,000
     - Google @ VB2013: the situation is vastly exaggerated
  8. GOOGLE'S LAYERED SECURITY APPROACH
     - Google Play vetting
     - Install and permission confirmation
     - SMS/call blacklisting and quota
     - Runtime checks (?)
     - App sandboxing
  9. APP SANDBOXING: "Sensitive" operations require static permissions
  10. 1. THREATS AND PROTECTIONS. 2. LIMITATIONS. 3. TESTING ANTIMALWARE. 4. ANDROTOTAL. 5. STATUS
  11. ANTIMALWARE LIMITATIONS
     - No primitives for auditing running processes
     - Workarounds: signature-based matching; custom kernel (e.g., intercept syscalls); root the device and increase the antimalware's privileges
  12. MALWARE LIMITATIONS
     - Less freedom: a malware is an isolated app itself
     - Workarounds: social engineering; signature evasion
  13. SIGNATURE EVASION: MORE VARIANTS THAN DISTINCT FAMILIES. Source: http://go.eset.com/us/resources/white-papers/Trends_for_2013_preview
  14. SIGNATURE EVASION: OBFUSCATION, ENCRYPTION, REPACKAGING
     - Based on this research we implemented 11 mutation scripts.
     - ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-Virus Systems, DIMVA 2013
     - DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks, AsiaCCS 2013
  15. 1. THREATS AND PROTECTIONS. 2. LIMITATIONS. 3. TESTING ANTIMALWARE. 4. ANDROTOTAL. 5. STATUS
  16. ANTIMALWARE PRODUCTS
     - About 100 (free) antimalware apps
     - Extra features on rooted devices
  17. HOW TO TEST THEM?
     1. Obtain M samples of known malware
     2. Apply T transformations to each sample
     3. Analyze M × T variants with P antimalware apps
     4. Repeat for each of the A Android versions
  18. NUMBERS: M = 1,000 (very conservative); T = 11; P = 100; A = 3 (2.3, 4.1, 4.2). 1,000 × 11 × 100 × 3 = 3,300,000 TESTS
  19. LACK OF AUTOMATION TOOLS. VIRUSTOTAL.COM?
     - Command-line, desktop-based AVs with signatures for Android
     - Unclear whether the same signatures will work on the respective mobile products
     - No versioning support
  20. STATE OF THE ART
     - H. Pilz, "Building a test environment for Android anti-malware tests," Virus Bulletin Conference '12. A human oracle is needed.
     - M. Zheng, P. P. C. Lee, and J. C. S. Lui, "ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-Virus Systems," DIMVA '12. Focus on transformation.
     - V. Rastogi, Y. Chen, and X. Jiang, "DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks," AsiaCCS '13. Focus on transformation.
  21. TECHNICAL REQUIREMENTS
     - Scalable architecture
     - Android antimalware products are UI driven
  22. 1. THREATS AND PROTECTIONS. 2. LIMITATIONS. 3. TESTING ANTIMALWARE. 4. ANDROTOTAL. 5. STATUS
  23. (untitled)
     - SDK for writing UI tests/scrapers
     - Pluggable adapters for each antimalware
     - Parametric tests (e.g., version, platform)
     - Task queues with distributed workers
  24. CHARACTERISTICS
     - Web frontend for humans
     - JSON/REST API for machines
     - Pluggable code-transformation modules
     - Works on both emulators and physical devices
  25. WRITING TESTS IS/WAS TEDIOUS. We have abstracted away the low-level details, so that we can focus on the important things: extracting the results.
  26. ANDROPILOT TEST RECIPE (ON-INSTALL DETECTION)

        # andrototal-adapters/ComZonerAndroidAntivirus.py
        # `base` is supplied by the AndroTotal adapter SDK; `self.pilot` drives the product's UI.
        class TestSuite(base.BaseTestSuite):
            def on_install_detection(self, sample_path):
                self.pilot.install_package(sample_path)
                # The product's scan-results activity appears only if the installed
                # sample was flagged; wait up to 10 seconds for it.
                if self.pilot.wait_for_activity(
                        "com.zoner.android.antivirus_common.ActScanResults", 10):
                    result = self.pilot.get_view_by_id("scaninfected_row_virus")
                else:
                    result = False
                return result

  27. TEST RECIPE (ON-DEMAND DETECTION)

        # ...
            def on_demand_detection(self, sample_path):
                self.pilot.install_package(sample_path)
                # Open the product's main screen and navigate to the malware scanner
                self.pilot.start_activity("com.zoner.android.antivirus", ".ActMain")
                self.pilot.wait_for_activity("com.zoner.android.antivirus.ActMain")
                self.pilot.tap_on_coordinates(120, 130)
                self.pilot.wait_for_activity("com.zoner.android.antivirus.ActMalware")
                # start scan
                self.pilot.tap_on_coordinates(120, 80)
                self.pilot.wait_for_activity(
                    "com.zoner.android.antivirus_common.ActScanResults")
                self.pilot.refresh()
                # ...
  28. WORKFLOW
     1. Retrieve a suspicious APK
     2. Choose parameters: Android version(s); list of antimalware products and versions; chain of mutations to apply
     3. Pull clean image(s) from the repository
     4. Instantiate one test per combination of Android version and product version
     5. Enqueue test instances
  29. ARCHITECTURE
     - Web frontend
     - Repository of clean Android images
     - Asynchronous task dispatcher
     - Distributed workers
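The following is an added example, not AndroTotal's own code, showing steps 4 and 5 of the workflow above together with the dispatcher/worker split of the architecture slide and the M × T × P × A count of slide 18. All names (Product, TestInstance, build_test_matrix, Dispatcher, fake_scanner, detection_rate) are assumptions made for this example; the products, Android versions and mutation-chain names are constructed inputs, and no transformation is actually implemented.

```python
"""Test-matrix generation and dispatch (added example; not AndroTotal's code).

One test per (Android version, product version, mutation chain) is pushed onto
a task queue that workers drain.  Every name below is an assumption made for
this example."""
import itertools
import queue
import threading
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Product:
    vendor: str
    name: str
    version: str


@dataclass(frozen=True)
class TestInstance:
    sample_id: str              # identifier of the submitted APK (e.g. its hash)
    android_version: str        # clean image to boot, e.g. "4.1"
    product: Product            # antimalware product and version under test
    mutations: Tuple[str, ...]  # chain of transformations applied before scanning


def build_test_matrix(sample_id: str, android_versions: Iterable[str],
                      products: Iterable[Product],
                      mutation_chains: Iterable[Tuple[str, ...]]) -> List[TestInstance]:
    """Workflow step 4: one TestInstance per combination; () is the unmodified sample."""
    return [TestInstance(sample_id, av, prod, chain)
            for av, prod, chain in itertools.product(android_versions, products,
                                                     mutation_chains)]


def matrix_size(samples: int, transformations: int, products: int, versions: int) -> int:
    """Slide 18's count of tests: M x T x P x A."""
    return samples * transformations * products * versions


class Dispatcher:
    """Workflow step 5: enqueue test instances and let workers drain the queue.
    Threads stand in for the distributed workers; the slides name no broker."""

    def __init__(self, run_test: Callable[[TestInstance], bool], workers: int = 4):
        self.run_test = run_test
        self.tasks = queue.Queue()
        self.results: Dict[TestInstance, bool] = {}
        self._lock = threading.Lock()
        self._threads = [threading.Thread(target=self._worker) for _ in range(workers)]

    def _worker(self) -> None:
        while True:
            inst = self.tasks.get()
            if inst is None:            # sentinel: no more work for this thread
                break
            verdict = self.run_test(inst)
            with self._lock:            # the results dict is shared between workers
                self.results[inst] = verdict

    def run(self, tests: Iterable[TestInstance]) -> Dict[TestInstance, bool]:
        for t in self._threads:
            t.start()
        for inst in tests:
            self.tasks.put(inst)
        for _ in self._threads:         # one sentinel per worker
            self.tasks.put(None)
        for t in self._threads:
            t.join()
        return dict(self.results)


def fake_scanner(inst: TestInstance) -> bool:
    """Constructed stand-in for a product adapter (real adapters drive the product's
    UI as in the Zoner recipe).  Invented rule, for illustration only: every product
    flags the unmodified sample, and a chain containing "repackage" slips past
    products whose version starts with "1."."""
    if "repackage" in inst.mutations and inst.product.version.startswith("1."):
        return False
    return True


def detection_rate(results: Dict[TestInstance, bool]) -> Dict[Product, float]:
    """Fraction of tests each product detected, across versions and chains."""
    hits: Dict[Product, List[int]] = {}
    for inst, detected in results.items():
        hits.setdefault(inst.product, []).append(int(detected))
    return {p: sum(v) / len(v) for p, v in hits.items()}


# Constructed parameters: two fictitious products, the three Android versions of
# slide 18, and three mutation chains (names only).
PRODUCTS = [Product("VendorA", "Mobile Security", "2.0"),
            Product("VendorB", "AntiVirus Free", "1.8")]
ANDROID_VERSIONS = ["2.3", "4.1", "4.2"]
MUTATION_CHAINS = [(), ("rename-identifiers",), ("rename-identifiers", "repackage")]


def demo():
    """3 versions x 2 products x 3 chains = 18 tests; returns tests, verdicts, rates."""
    tests = build_test_matrix("sample-0001", ANDROID_VERSIONS, PRODUCTS, MUTATION_CHAINS)
    results = Dispatcher(fake_scanner, workers=3).run(tests)
    return tests, results, detection_rate(results)
```

Calling demo() enqueues 18 instances and collects 18 verdicts; with the invented scanner rule, VendorA detects everything and VendorB misses the three "repackage" variants (6 of 9 detected). The per-product rate is what a practitioner would compare across product versions and Android releases, which is why the matrix keys every verdict by the full combination rather than by sample alone.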
  30. REST/JSON API AND CLIENT
     - Push (public) and pull (invite only) samples
     - Python client: https://bitbucket.org/andrototal/tools

        $ python andrototal_cli.py -l DEBUG scan -at-key <...> -ms-key <...> path/to/sample.ap
        Running command: scan
        Uploading file sample.apk
        Scan response: {"resource": "10a6f3efc8bc40c1922facde7d055208"}
        Uploading file sample2.apk
        Scan response: {"resource": "e870c6748ca3409f84c9c9e1a91daf3f"}
        Uploading file 40156a176bb4554853f767bb6647fd0ac1925eac.apk
        Scan response: {"resource": "21d6c7234a184db6b8e52f2bab523787"}
        Uploading file samples-3.apk
        Scan response: {"resource": "ec5b3c94ed624d6993b52a50d63153fa"}

  31. SCALABILITY (chart)
  32. 1. THREATS AND PROTECTIONS. 2. LIMITATIONS. 3. TESTING ANTIMALWARE. 4. ANDROTOTAL. 5. STATUS
  33. NUMBERS
     - 1,275 users subscribed
     - 13 antimalware vendors supported (not all public)
     - 16 products overall (not all public)
     - 23,215 distinct APKs submitted and analyzed
  34. SUPPORTED APPS (PUBLIC)
     - ZONER, Inc. - Zoner AntiVirus Free 1.8.0
     - ZONER, Inc. - Zoner AntiVirus Free 1.7.6
     - AVAST Software - avast! Mobile Security 2.0.3917
     - Doctor Web, Ltd - Dr.Web Anti-virus Light (free) 7.00.3
     - Kaspersky Lab - Kaspersky Mobile Security Lite 9.36.28
     - Kaspersky Lab - Kaspersky Mobile Security 10.4.41
     - Trend Micro - Mobile Security & Antivirus 2.6.2
     - Trend Micro - Mobile Security & Antivirus 3.1
     - Norton Mobile - Norton Security & Antivirus 3.2.0.769
     - Norton Mobile - Norton Security & Antivirus 3.3.4.970
  35. MOST FREQUENT LABELS

        Label                                    #
        UDS:DangerousObject.Multi.Generic        3963
        HEUR:Trojan-SMS.AndroidOS.Opfake.bo      1252
        not a virus Adware.Airpush.origin.7       701
        AndroidOS Opfake.CTD                      700
        HEUR:Trojan-SMS.AndroidOS.Opfake.a        628
        Android.SmsSend.origin.281                620
        Android:FakeNotify-A [Trj]                620
        HEUR:Trojan-SMS.AndroidOS.FakeInst.a      512
        Android.SmsSend.origin.315                485
        HEUR:Backdoor.AndroidOS.KungFu.a          466
        Android.SmsSend.origin.585                462
        Android.SmsSend.origin.629                461
        Adware.AndroidOS.Airpush-Gen              432
        HEUR:Backdoor.AndroidOS.BaseBrid.a        390
        AndroidOS Opfake.CTC                      386

  36. AVERAGE SPEED: NO MAJOR WINNER
  37. FUTURE WORK
     - Add more cores and scale
     - Compare labels and detection results with VirusTotal.com
     - Deploy on ARM boards and monitor power consumption
     - Open malware repository and API: anyone interested?
  38. GRAB A STICKER! QUESTIONS? http://andrototal.org, @andrototal_org, fede@maggi.cc
