
You don’t Need AV for Android?? How modern multi stage Android malware payload is succeeding to infect Android devices



In April 2016 Google released its 2015 Android security report. The report mentioned an interesting finding: a malware family called Ghost Push Downloader attempted billions of installs on devices, and about 4 million devices were infected [1]. This malware was a downloader; the payload it downloaded in turn downloaded and installed other Trojans. Since then the Android ecosystem has seen a growing number of multi-stage malware families, which either download or drop the malicious component only at a later stage of execution. The decoy app that drops or downloads the malicious component looks innocent to the user; the malicious activity only starts after the innocent-looking decoy app is executed.

In addition to exploiting vulnerabilities, these payloads contact compromised call-home sources and use social engineering techniques. In this research we want to provide an insight into the recent second-stage malware payloads that have succeeded in penetrating Google Play and in infecting users. We also want to investigate how these payloads evade advanced detection techniques, and discuss why existing OS defences are not sufficient.

[1]. https://security.googleblog.com/2016/04/android-security-2015-annual-report.html



  1. You don’t Need AV for Android?? How modern multi stage Android malware is succeeding to infect Android devices. Jagadeesh Chandraiah, Threat Researcher. AVAR 2016
  2. Who am I • Threat Researcher at Sophos, UK • Interested in Windows and mobile malware analysis and research • Spoken at Deepsec and Virus Bulletin in the past
  3. Agenda • You don’t need AV for Android • Android security services • Infection timeline • Multi-stage Android malware • Why we need AV on the Android platform
  4. You Don’t Need Android AV !!
  5. Mobile antivirus is not needed - Google. https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/
  6. Security software firms are scammers. http://www.smh.com.au/technology/security/charlatans-and-scammers-googler-slams-security-software-firms-20111123-1ntpu.html
  7. Android Security Services
  8. Security Services. https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf
  9. Security Services
  10. Scoring Engine. https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf • Apps are classified on a scale from Safe to Harmful • Harmful apps are sent for human review
  11. Security Services. https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf
  12. Potentially Harmful Applications (PHA)
  13. PHA
  14. PHA. https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf
  15. (image slide)
  16. Android Fragmentation
  17. Android Fragmentation. https://developer.android.com/about/dashboards/index.html, data from the 7-day period ending on Nov 7, 2016. Version share: Gingerbread (2.3.x) 1.3%; Ice Cream Sandwich (4.0) 1.3%; Jelly Bean (4.1-4.3) 13.7%; KitKat (4.4) 25.2%; Lollipop (5.x) 34.1%; Marshmallow (6.0) 24.0%; Nougat (7.0) 0.3%
  18. Android Fragmentation • Slow pace of adoption of new Android versions • Many users run outdated software with lots of security vulnerabilities • Latest security fixes are not rolled out quickly • Cannot force manufacturers to roll out security updates • Business model pushes users to buy new phones rather than update
  19. Android Fragmentation? Fix • Google has started rolling out its own devices, the PIXEL series • Some features and updates are delivered through Google Play services • Does Google look like solving fragmentation? Probably not • Android is still very popular… • Developers are writing more apps…
  20. Android Malware Infections
  21. Android Malware Infections
  22. Google Play Infections • ~10-12 malware occurrences in the Google Play store in 2015 • Malware seen pretty much every month in 2016
  23. Google Play Infections, 2016 timeline (extracted from a chart; entries are listed in the order they appear, so month labels are not matched to entries): Brain Test2; Turk Clicker; Xiny; Jan 2016; Feb 2016; Porn Clickers (500k); InstaAgent2 (100-500k); Mar 2016; May 2016; Viking Horde (50-100k); Clicker; Valeriy; Level Dropper (5k); Jun 2016; Aug 2016; Dress Code1; Call Jam; Embassy Spyware; Dresscode2 (100-500k); Sep 2016; Nov 2016; Multiple Accounts (1-5Mil); many apps with 100-500k install count. Millions of devices infected in 2016.
  24. Noteworthy Malware
  25. Ghost Push
  26. Ghost Push. https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf
  27. Ghost Push. https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf
  28. Ghost Push. https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf • 3.5 billion installation attempts • New variants spotted in Sep/Oct 2016
  29. Ghost Push • Downloader which downloads other malware and aggressive adware • Also known as ‘Rootnik’, ‘Shedun’ etc. • An OTA company’s update infrastructure and application install service was causing several Ghost Push installations • Several variants of Ghost Push were seen • Highly persistent
  30. Ghost Push
  31. Ghost Push
  32. Ghost Push
  33. Ghost Push
  34. Brain Test
  35. Brain Test • Employed anti-analysis • Anti-analysis such as IP checking, time bomb and dynamic loading • Persistence methods used to avoid uninstalling • Appeared multiple times on Google Play
  36. Brain Test. http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/
  37. Brain Test • Checks if the hostname contains ‘google’ or ‘android’ • Checks IP ranges for Google servers: 216.58.192.0 - 216.58.223.255 and 209.85.128.0 - 209.85.255.255
  38. Brain Test • Persistence modification script
  39. Many variants with a similar execution model • Viking Horde - botnet • Godless - exploit kit, downloader • Xiny - hides payload in an image, downloader, ad network • Rooting exploits and rooting services used • Watchdog modules for persistence • Ad revenue, click fraud, botnets…
  40. Feabme
  41. Feabme • Popular game on Google Play - up to 1 million install count • Had a working game with phishing code
  42. Feabme • Uses an open source cross-platform .NET framework • DLLs inside the assemblies folder had malicious code
  43. Feabme
  44. Feabme
  45. Feabme
  46. Feabme
  47. InstaAgent
  48. InstaAgent • App found on both Google Play and the iOS store • Was a very popular app with up to 100k install count • Simple credential-stealing app with big impact • Similar apps appeared multiple times • Injects JS code into the web page to steal data
  49. InstaAgent
  50. InstaAgent. http://peppersoft.net/hacking-the-hacker/
  51. InstaAgent
  52. Dress Code
  53. Dress Code
  54. Dress Code • Lots of infected apps found on Google Play • Some of the apps were installed 100k-500k times • About 400 infected apps were found in Google Play • Malware appeared multiple times on Google Play • Creates a botnet when the user executes the infected app • Traffic is rerouted to help the attacker. http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/
  55. Dress Code
  56. Dress Code
  57. Sophistication and Breaking Security Services
  58. Increased Sophistication • Leave the payload for a later stage • Pretend to be a clean app • Target popular apps and games • Use exploits, rooting tools and services
  59. Anti Analysis • Detect the analysis environment • Obfuscation • Encrypt and hide payloads • Dynamic/runtime code • Detection evasion using smaller, simpler modules and tricks
  60. Why do we need Security Software?
  61. So, how big is the malware risk?? • Malware occurrence is still relatively low compared to Windows • Risk of infection is also low
  62. Need for Security Software • Google has made many improvements but NOT ENOUGH !! • Variants have appeared again and again on the Play store (Dress Code, Brain Test, Insta care/Agent…) • Popularity means more risk !! • Many threats on Google Play were found by AV/security firms • Global AV community, security researchers, multiple solutions • Alert users about threats not detected by Google • Many AV apps are free and also provide extra security features
  63. Work Together • Google can’t provide 100% security • Can’t detect all threats, like any other security software • Google should join hands with the AV community • Share samples and information for a better ecosystem (Antivirus + Google)
  64. References/Further Read • https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/ • https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf • https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf • https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf • http://blog.checkpoint.com/2016/05/09/viking-horde-a-new-type-of-android-malware-on-google-play/ • http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/ • http://news.drweb.com/show/?i=9803&lng=en&c=5 • http://blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/ • http://peppersoft.net/hacking-the-hacker/ • http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/ • http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/
  65. @jag_chandra
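The behaviours the slides describe for the later-stage payloads, a second stage hidden in assets or inside an image (Xiny, slide 39), code loaded only at runtime (slides 35 and 59), and an analysis-environment check against Google's IP ranges (Brain Test, slide 37), are all things a static triage pass can surface before a decoy app is ever run. The Python script below is an added example and is not code from the talk, from Sophos or from Google. It opens an APK as the zip it is, flags executable payloads under assets/ and res/ (whole-file, disguised by a benign extension, or appended to a real image), looks for dynamic class-loader descriptors in the DEX string table, and lets an analyst check whether a sandbox's egress address falls inside the two ranges quoted on slide 37, so the sandbox can be moved off them. The in-memory sample APK, the verdict labels and the size bound are constructed for this demonstration; only the two IP ranges come from the slides.

```python
"""Static triage of an APK for multi-stage and anti-analysis indicators.

Added example (not from the AVAR 2016 talk). Everything except the two IP
ranges on the Brain Test slide is an assumption made for the demonstration.
"""
import io
import ipaddress
import itertools
import re
import zipfile

# Google server ranges the Brain Test slide says the malware compares against.
FINGERPRINTED_RANGES = [
    ("216.58.192.0", "216.58.223.255"),
    ("209.85.128.0", "209.85.255.255"),
]

# Payload signatures that should not appear inside asset/resource files.
# The full 8-byte DEX magic ("dex\n035\0") is used so that text such as
# "index\n" cannot match.
PAYLOAD_MAGIC = [
    (re.compile(rb"dex\n0\d\d\x00"), "dex"),
    (re.compile(rb"\x7fELF"), "elf"),
    (re.compile(rb"PK\x03\x04"), "zip"),
]

# Class descriptors present in the DEX string table when an app loads code at
# runtime (slide 59: "Dynamic/Runtime Code").
DYNAMIC_LOADING_MARKERS = [
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
]

MAX_SCAN_BYTES = 8 * 1024 * 1024  # constructed bound: skip huge entries so triage stays fast


def sandbox_ip_is_fingerprinted(ip):
    """True if ip lies in a range the malware treats as an analysis host."""
    addr = ipaddress.ip_address(ip)
    for start, end in FINGERPRINTED_RANGES:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if addr.version == lo.version and lo <= addr <= hi:
            return True
    return False


def _zip_kind(blob):
    """Classify a zip found inside an asset; None if it is not a code container."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as nested:
            names = set(nested.namelist())
    except (zipfile.BadZipFile, EOFError, OSError, ValueError):
        return None
    if "AndroidManifest.xml" in names:
        return "apk"
    if any(n.startswith("classes") and n.endswith(".dex") for n in names):
        return "dex-jar"
    if any(n.endswith(".class") for n in names):
        return "jar"
    return None


def classify_payload(data):
    """Return (kind, offset) of the earliest payload in data, or None.

    Offset 0 means the whole file is a payload disguised by its name; a later
    offset means a payload appended to or embedded in an otherwise real file."""
    hits = []
    for pattern, kind in PAYLOAD_MAGIC:
        for match in itertools.islice(pattern.finditer(data), 4):
            found = _zip_kind(data[match.start():]) if kind == "zip" else kind
            if found is not None:
                hits.append((match.start(), found))
                break
    if not hits:
        return None
    offset, kind = min(hits)
    return kind, offset


def scan_apk(apk_bytes):
    """Scan an APK (bytes) and return the indicators found."""
    report = {"hidden_payloads": [], "dynamic_loading": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if info.is_dir() or info.file_size > MAX_SCAN_BYTES:
                continue
            if name.startswith(("assets/", "res/")):
                found = classify_payload(apk.read(name))
                if found:
                    kind, offset = found
                    report["hidden_payloads"].append({"entry": name, "kind": kind, "offset": offset})
            elif name.startswith("classes") and name.endswith(".dex"):
                data = apk.read(name)
                report["dynamic_loading"] += [m.decode() for m in DYNAMIC_LOADING_MARKERS if m in data]
    if report["hidden_payloads"] and report["dynamic_loading"]:
        report["verdict"] = "multi-stage-suspect"  # both halves of a dropper are present
    elif report["hidden_payloads"] or report["dynamic_loading"]:
        report["verdict"] = "review"
    return report


def build_sample_apk():
    """Construct an in-memory APK showing the indicators (constructed sample, not a real app)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:  # stored, not compressed, so the DEX magic stays visible
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    stage2 = inner.getvalue()
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64  # 72 bytes that look like an image
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"Ldalvik/system/DexClassLoader;" + b"\x00" * 16)
        z.writestr("assets/wallpaper.png", png_header + stage2)  # second stage appended to an image
        z.writestr("assets/data.db", stage2)                      # second stage disguised by extension
        z.writestr("res/drawable/icon.png", png_header)          # genuinely benign image
        z.writestr("lib/armeabi/libnative.so", b"\x7fELF" + b"\x00" * 16)  # native lib in its normal place
    return outer.getvalue()


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    print(json.dumps(scan_apk(blob), indent=2))
```

Run with a path to an APK, or with no arguments to scan the constructed sample, which reports both hidden payloads (the appended one at offset 72, the disguised one at offset 0), the DexClassLoader reference, and the "multi-stage-suspect" verdict. Native libraries under lib/ are deliberately not flagged, since that is where legitimate ELF code lives; the point of the checks is to catch code stored where only data belongs.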
