You don’t Need AV for Android?? How modern multi stage Android malware payload is succeeding to infect Android devices

1. You don’t Need AV for Android?? How modern multi stage Android malware is succeeding to infect Android devices Jagadeesh Chandraiah Threat Researcher AVAR 2016

2. Who am I 2 • Threat Researcher at Sophos, UK • Interested in Windows, Mobile Malware Analysis and Research • Spoken at Deepsec, Virus Bulletin in the past AVAR 2016

3. Agenda 3 • You don’t need AV for Android • Android Security services • Infection timeline • Multi-Stage Android Malware • Why we need AV on Android platform AVAR 2016

4. You Don’t Need Android AV !!

5. Mobile Antivirus is not needed - Google 5 https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/

6. Security Software firms are Scammers 6 http://www.smh.com.au/technology/security/charlatans-and-scammers-googler-slams-security-software-firms-20111123-1ntpu.html

7. Android Security Services

8. Security Services 8AVAR 2016 https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf

9. Security Services 9AVAR 2016

10. Scoring Engine 10AVAR 2016 https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf • Apps are classified on the scale of Safe to Harmful • Harmful apps are sent for Human review

11. Security Services 11AVAR 2016 https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf

12. Potentially Harmful Applications (PHA)

13. PHA 13AVAR 2016

14. 14AVAR 2016 https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf PHA

15. 15AVAR 2016

16. Android Fragmentation

17. Android Fragmentation 17 https://developer.android.com/about/dashboards/index.html , Data from 7 day period ending on Nov 7, 2016 AVAR 2016 GingerBread Ice Cream Sandwich JellyBean KitKat Lollipop Marshmallow Nougat Gingerbread(2.3.x) 1.3% Lollipop(5.x) 34.1% KitKat(4.4) 25.2% Jelly Bean (4.1-4.3) 13.7% Marshmallow(6.0) 24.0% Ice Cream Sandwich(4.0) 1.3% Nougat(7.0) 0.3%

18. Android Fragmentation 18AVAR 2016 • Slow pace of adaptation of new Android versions • Many users with outdated software with lots of security Vulnerabilities. • Latest security fixes are not rolled out quickly • Cannot force manufacturers to roll out security updates. • Business model forces users to buy new phones than update.

19. Android Fragmentation? Fix 19AVAR 2016 • Google has started rolling out its own devices , PIXEL series. • Updated some features and updates through Google play services • Does Google look like solving Fragmentation ? Probably not • Android is still very popular… • Developers are writing more apps ….

20. Android Malware Infections

21. Android Malware Infections 21AVAR 2016

22. Google play Infections 22AVAR 2016 ~10-12 malware occurrences in Google play store in 2015 Malware seen pretty much every month in 2016

23. Google play Infections 23AVAR 2016 - Brain Test2 - Turk Clicker - Xiny Jan 2016 Feb 2016 Porn Clickers (500k) InstaAgent2 (100-500k) Mar 2016 May 2016 -Viking Horde (50-100k) - Clicker -Valeriy -Level Dropper (5k) Jun 2016 Aug 2016 Dress Code1 -Call Jam -Embassy Spyware - Dresscode2 (100-500k) Sep 2016 Nov 2016 Multiple Accounts (1-5Mil) Many Apps with 100-500k Install Count Millions of devices infected 2016

24. Noteworthy Malware

25. Ghost Push

26. Ghost Push 26AVAR 2016 https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf

27. Ghost Push 27AVAR 2016 https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf

28. Ghost Push 28AVAR 2016 https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf 3.5 Billion Installation Attempts New variants spotted in Sep/Oct 2016

29. Ghost Push 29AVAR 2016 • Downloader which downloads other malware and aggressive adware. • Also known as ‘Rootnik’ , ‘Shedun’ etc, • An OTA company update infrastructure and Application Install service was causing several Ghost push installations • Several variants of Ghost push were seen • Highly Persistent

30. Ghost Push 30AVAR 2016

31. 31AVAR 2016 Ghost Push

34. Brain Test

35. Brain Test 35 • Employed Anti analysis • Anti analysis like IP checking , Time Bomb and Dynamic Loading • Persistence methods used to avoid uninstalling • Appeared multiple times on Google play AVAR 2016

36. Brain Test 36AVAR 2016 http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/

37. Brain Test 37AVAR 2016 Check if hostname contains ‘google ‘or ‘android’ Check IP ranges for Google servers 216.58.192.0 - 216.58.223.255 209.85.128.0 - 209.85.255.255

38. Brain Test 38AVAR 2016 Persistence Modification Script

39. Many variants with similar execution model 39 • Viking Horde - Botnet • Godless - Exploit kit, Downloader • Xiny - Hides payload in Image, Downloader, Ad network • Rooting exploits and Rooting services used • Watchdog modules for persistence • Ad revenue, Click Fraud, Botnets .. AVAR 2016

40. Feabme

41. Feabme 41 • Popular Game on Google play -Up to 1 Million install count • Had a working game with Phishing code AVAR 2016

42. Feabme 42AVAR 2016 • Uses open source cross platform Dotnet framework • Dll’s inside assemblies folder had malicious code

43. Feabme 43AVAR 2016

47. InstaAgent

48. InstaAgent 48AVAR 2016 • App found on both Google play and ios store • Was very popular app with up to 100k install count • Simple credential stealing app with big Impact • Similar apps appeared multiple times • Injects JS code into web page to steal data

49. InstaAgent 49AVAR 2016

50. InstaAgent 50AVAR 2016 http://peppersoft.net/hacking-the-hacker/

51. InstaAgent 51AVAR 2016

52. Dress Code

53. Dress Code 53AVAR 2016

54. Dress Code 54 • Lots of Infected Apps found on Google Play • Some of the apps were installed 100k-500k times • About 400 Infected apps were found in Google play • Malware appeared multiple times on Google play • Creates botnet when user executes infected app. • Traffic is rerouted to help attacker. AVAR 2016 http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/

57. Sophistication and Breaking Security Services

58. Increased Sophistication 58 • Leave the payload for later stage • Pretend as Clean app • Target Popular apps and Games • Use Exploits, Rooting tools and services AVAR 2016

59. Anti Analysis 59 • Detect analysis Environment • Obfuscation • Encrypt and Hide Payloads • Dynamic/Runtime Code • Detection Evasion using smaller simpler modules and tricks AVAR 2016

60. Why do we need Security Software?

61. So, how big is the malware risk ?? 61 • Malware occurrences is still relatively low compared to Windows. • Risk of infection is also low AVAR 2016

62. Need for Security Software 62 • Google have done many Improvements but NOT ENOUGH !! • Variants have appeared again and again on play store ( Dress Code, Brain Test, Insta care/Agent…) • Popularity means more Risk !! • Many threats on Google play found by AV/security firms • Global AV community, security Researchers , Multiple Solutions • Alert users about undetected Threats by Google • Many AV apps are free and also provide extra security features AVAR 2016

63. Work Together 63 • Google can’t provide 100% security • Can’t Detect all Threats like any other Security software • Google should Join hands with AV community • Share samples and information for better Eco System AVAR 2016 AntivirusGoogle

64. References/Further Read 64 • https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/ • https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf • https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf • https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf http://blog.checkpoint.com/2016/05/09/viking- horde-a-new-type-of-android-malware-on-google-play/ • http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/ • http://news.drweb.com/show/?i=9803&lng=en&c=5 • http://blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/ • http://peppersoft.net/hacking-the-hacker/ • http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/ • http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/ AVAR 2016

65. @jag_chandra

You don’t Need AV for Android?? How modern multi stage Android malware payload is succeeding to infect Android devices

You are reading a preview.

Check these out next

You don’t Need AV for Android?? How modern multi stage Android malware payload is succeeding to infect Android devices

More Related Content

Recently uploaded (20)

Featured (20)