AndroTotal: A Scalable Framework for Android Antivirus Testing
Slides of the AndroTotal talk at SECURE2013.

Although there are controversial opinions regarding how large the mobile malware phenomenon is in terms of absolute numbers, hype aside, the amount of new Android malware variants is increasing. This trend is mainly due to the fact that, as happened with traditional malware, the authors are striving to repackage, obfuscate, or otherwise transform the executable code of their malicious apps in order to evade mobile security apps. There are about 85 such apps on the official marketplace alone. However, it is not clear how effective they are. Indeed, the sandboxing mechanism of Android does not allow (security) apps to audit other apps. We present AndroTotal, a publicly available tool, malware repository and research framework that aims at mitigating the above challenges and allows researchers to automatically scan Android apps against an arbitrary set of malware detectors. We implemented AndroTotal and released it to the research community in April 2013. So far, we have collected 18,758 distinct submitted samples and received the attention of several research groups (1,000 distinct accounts), who integrated their malware-analysis services with ours.

Transcript

  • 1. ANDROTOTAL: A SCALABLE FRAMEWORK FOR ANDROID ANTIMALWARE TESTING. SECURE2013. Federico Maggi, Andrea Valdi, Stefano Zanero. Politecnico di Milano, DEIB. fede@maggi.cc
  • 2. ROADMAP 1. Android threats and protections 2. Limitations 3. Testing antimalware 4. AndroTotal 5. Status
  • 3. 1. ANDROID THREATS AND PROTECTIONS 2. LIMITATIONS 3. TESTING ANTIMALWARE 4. ANDROTOTAL 5. STATUS
  • 4. ANDROID FACTS Rich marketplaces stocked with apps. Very attractive target for attackers. Android is the most popular mobile platform (79%).
  • 5. ATTACKERS' GOALS Steal sensitive data (intercept texts or calls). Turn devices into bots (perform malicious actions). Financial gain (call or text premium numbers).
  • 6. GROWTH OF MALICIOUS APPS (2011—2012) http://blog.trendmicro.com/trendlabs-security-intelligence/byod-a-leap-of-faith-for-enterprise-users/
  • 7. NUMBER OF MOBILE "THREATS" (Q1 2013) Symantec: ~3,900. McAfee: ~60,000. Trend Micro: ~509,000. Google @ VB2013: the situation is vastly exaggerated.
  • 8. GOOGLE'S LAYERED SECURITY APPROACH Google Play vetting. Install and permission confirmation. SMS/call blacklisting and quota. Runtime checks (?). App sandboxing.
  • 9. APP SANDBOXING "Sensitive" operations require static permissions.
  • 10. 1. THREATS AND PROTECTIONS 2. LIMITATIONS 3. TESTING ANTIMALWARE 4. ANDROTOTAL 5. STATUS
  • 11. ANTIMALWARE LIMITATIONS No primitives for auditing running processes. Workarounds: signature-based matching; custom kernel (e.g., intercept syscalls); root the device and increase the antimalware's privileges.
  • 12. MALWARE LIMITATIONS Less freedom: a malware is an isolated app itself. Workarounds: social engineering; signature evasion.
  • 13. SIGNATURE EVASION: MORE VARIANTS THAN DISTINCT FAMILIES http://go.eset.com/us/resources/white-papers/Trends_for_2013_preview
  • 14. SIGNATURE EVASION: OBFUSCATION, ENCRYPTION, REPACKAGING Based on this research we implemented 11 mutation scripts. ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-Virus Systems, DIMVA 2013. DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks, AsiaCCS 2013.
  • 15. 1. THREATS AND PROTECTIONS 2. LIMITATIONS 3. TESTING ANTIMALWARE 4. ANDROTOTAL 5. STATUS
  • 16. ANTIMALWARE PRODUCTS About 100 (free) antimalware apps. Extra features on rooted devices.
  • 17. HOW TO TEST THEM? 1. Obtain M samples of known malware 2. Apply T transformations to each sample 3. Analyze M × T variants with P antimalware apps 4. Repeat for each of the A Android versions
  • 18. NUMBERS M = 1,000 (very conservative), T = 11, P = 100, A = 3 (2.3, 4.1, 4.2). 1,000 × 11 × 100 × 3 = 3,300,000 TESTS
  • 19. LACK OF AUTOMATION TOOLS VIRUSTOTAL.COM? Command-line, desktop-based AVs with signatures for Android. Unclear whether the same signatures will work on the respective mobile products. No versioning support.
  • 20. STATE OF THE ART H. Pilz, "Building a test environment for Android anti-malware tests," Virus Bulletin Conference '12: a human oracle is needed. M. Zheng, P. P. C. Lee, and J. C. S. Lui, "ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-Virus Systems," DIMVA '12: focus on transformation. V. Rastogi, Y. Chen, and X. Jiang, "DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks," AsiaCCS '13: focus on transformation.
  • 21. TECHNICAL REQUIREMENTS Scalable architecture. Android antimalware products are UI driven.
  • 22. 1. THREATS AND PROTECTIONS 2. LIMITATIONS 3. TESTING ANTIMALWARE 4. ANDROTOTAL 5. STATUS
  • 23. SDK for writing UI tests/scrapers. Pluggable adapters for each antimalware. Parametric tests (e.g., version, platform). Task queues with distributed workers.
  • 24. CHARACTERISTICS Web frontend for humans. JSON/REST API for machines. Pluggable code-transformation modules. Works on both emulators and physical devices.
  • 25. WRITING TESTS WAS TEDIOUS We have abstracted away the low-level details, so that we can focus on the important things: extracting the results.
  • 26. ANDROPILOT TEST RECIPE (ON-INSTALL DETECTION)

        # andrototal-adapters/ComZonerAndroidAntivirus.py
        # `base` comes from the AndroPilot adapter SDK (slide 23).
        class TestSuite(base.BaseTestSuite):
            def on_install_detection(self, sample_path):
                # Install the sample and wait for the product's scan-result screen.
                self.pilot.install_package(sample_path)
                if self.pilot.wait_for_activity(
                        "com.zoner.android.antivirus_common.ActScanResults", 10):
                    # Scrape the "infected" row: its content is the detection label.
                    result = self.pilot.get_view_by_id("scaninfected_row_virus")
                else:
                    # No result screen within the timeout: not detected on install.
                    result = False
                return result

  • 27. TEST RECIPE (ON-DEMAND DETECTION)

        # ...
        def on_demand_detection(self, sample_path):
            self.pilot.install_package(sample_path)
            # Drive the product's UI: open the main activity, then the malware view.
            self.pilot.start_activity("com.zoner.android.antivirus", ".ActMain")
            self.pilot.wait_for_activity("com.zoner.android.antivirus.ActMain")
            self.pilot.tap_on_coordinates(120, 130)
            self.pilot.wait_for_activity("com.zoner.android.antivirus.ActMalware")
            # start scan
            self.pilot.tap_on_coordinates(120, 80)
            self.pilot.wait_for_activity(
                "com.zoner.android.antivirus_common.ActScanResults")
            self.pilot.refresh()
            # ...
  • 28. WORKFLOW 1. Retrieve a suspicious APK 2. Choose parameters: Android version(s); list of antimalware products and versions; apply chain of mutations 3. Pull clean image(s) from repository 4. Instantiate one test per combination of Android version and product version 5. Enqueue test instances
  • 29. ARCHITECTURE Web frontend. Repository of clean Android images. Asynchronous task dispatcher. Distributed workers.
  • 30. REST/JSON API AND CLIENT Push (public) and pull (invite only) samples. Python client: https://bitbucket.org/andrototal/tools

        $ python andrototal_cli.py -l DEBUG scan -at-key <...> -ms-key <...> path/to/sample.ap
        Running command: scan
        Uploading file sample.apk
        Scan response: {"resource": "10a6f3efc8bc40c1922facde7d055208"}
        Uploading file sample2.apk
        Scan response: {"resource": "e870c6748ca3409f84c9c9e1a91daf3f"}
        Uploading file 40156a176bb4554853f767bb6647fd0ac1925eac.apk
        Scan response: {"resource": "21d6c7234a184db6b8e52f2bab523787"}
        Uploading file samples-3.apk
        Scan response: {"resource": "ec5b3c94ed624d6993b52a50d63153fa"}
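Steps 2 to 5 of this workflow, as an added Python example that is not AndroTotal's own code: it expands one submitted APK into the M × T × P × A test matrix of slides 17 and 18 and groups the instances by the clean image plus product build a worker has to boot. The mutation names, the product list and the TestInstance type are assumed for illustration.

```python
import itertools
from collections import defaultdict
from dataclasses import dataclass

# Constructed parameters (assumed names, using the categories of slide 14).
# Each mutation script turns one sample into one variant, so a chain of
# T scripts yields the "M x T variants" of slide 17.
MUTATIONS = ["obfuscation", "encryption", "repackaging"]
# Product -> versions; every product version is tested separately (slide 28, step 4).
PRODUCTS = {"ZonerAntiVirusFree": ["1.7.6", "1.8.0"],
            "avastMobileSecurity": ["2.0.3917"]}
ANDROID_VERSIONS = ["2.3", "4.1", "4.2"]


@dataclass(frozen=True)
class TestInstance:
    android_version: str
    product: str
    product_version: str
    sample: str        # submitted APK name
    mutation: str      # script that produced the variant under test


def plan_tests(samples, mutations=MUTATIONS, products=PRODUCTS,
               android_versions=ANDROID_VERSIONS):
    """One test per (Android version, product version, sample variant)."""
    product_versions = [(p, v) for p, vs in products.items() for v in vs]
    return [TestInstance(a, p, v, s, m)
            for a, (p, v), s, m in itertools.product(
                android_versions, product_versions, samples, mutations)]


def group_by_image(tests):
    """Queue key = clean image to pull (Android version) plus the product build
    to install on it; a worker restores that image once and scans all variants."""
    queues = defaultdict(list)
    for t in tests:
        queues[(t.android_version, t.product, t.product_version)].append(t)
    return dict(queues)


def expected_test_count(m, t, p, a):
    """The M x T x P x A figure of slide 18."""
    return m * t * p * a


if __name__ == "__main__":
    tests = plan_tests(["sample.apk", "sample2.apk"])
    print(len(tests), "tests across", len(group_by_image(tests)), "worker images")
```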
  • 31. SCALABILITY
  • 32. 1. THREATS AND PROTECTIONS 2. LIMITATIONS 3. TESTING ANTIMALWARE 4. ANDROTOTAL 5. STATUS
  • 33. NUMBERS 1,275 users subscribed. 13 antimalware vendors supported (not all public). 16 products overall (not all public). 23,215 distinct APKs submitted and analyzed.
  • 34. SUPPORTED APPS (PUBLIC) ZONER, Inc. - Zoner AntiVirus Free 1.8.0; ZONER, Inc. - Zoner AntiVirus Free 1.7.6; AVAST Software - avast! Mobile Security 2.0.3917; Doctor Web, Ltd - Dr.Web Anti-virus Light (free) 7.00.3; Kaspersky Lab - Kaspersky Mobile Security Lite 9.36.28; Kaspersky Lab - Kaspersky Mobile Security 10.4.41; Trend Micro - Mobile Security & Antivirus 2.6.2; Trend Micro - Mobile Security & Antivirus 3.1; Norton Mobile - Norton Security & Antivirus 3.2.0.769; Norton Mobile - Norton Security & Antivirus 3.3.4.970
  • 35. Label                                      #
        UDS:DangerousObject.Multi.Generic       3963
        HEUR:Trojan-SMS.AndroidOS.Opfake.bo     1252
        not-a-virus:Adware.Airpush.origin.7      701
        AndroidOS Opfake.CTD                     700
        HEUR:Trojan-SMS.AndroidOS.Opfake.a       628
        Android.SmsSend.origin.281               620
        Android:FakeNotify-A [Trj]               620
        HEUR:Trojan-SMS.AndroidOS.FakeInst.a     512
        Android.SmsSend.origin.315               485
        HEUR:Backdoor.AndroidOS.KungFu.a         466
        Android.SmsSend.origin.585               462
        Android.SmsSend.origin.629               461
        Adware.AndroidOS.Airpush-Gen             432
        HEUR:Backdoor.AndroidOS.BaseBrid.a       390
        AndroidOS Opfake.CTC                     386
  • 36. AVERAGE SPEED: NO MAJOR WINNER
  • 37. FUTURE WORK Add more cores and scale. Compare labels and detection results with VirusTotal.com. Deploy on ARM boards and monitor power consumption. Open malware repository and API: anyone interested?
  • 38. GRAB A STICKER! QUESTIONS? http://andrototal.org @andrototal_org fede@maggi.cc