The 'Platypus' talk Malware on mobile phones is rapidly increasing. There are many reasons for this, but the primary one is the ease of monetizing malware on mobile phones, Attackers are incentivized to create more malware faster and cheaper. They are overwhelming the limited resources of malware researchers with this glut of cheap and "good enough" malware. Malware can be identified by humans, but there is insufficient time to handle all that is released daily by malware writers. There is a need to develop both better heuristics and the tools that let an analyst separate the wheat from the chaff. The presentation will cover not just the development of heuristics for mobile malware, but also its path from simple detection to more advanced and more successful(i.e fewer false positives) detection. Along the way we will cover the missteps and pitfalls that slow the development of automation.

1. Mobile Malware Heuristics: The
path from 'eh' to pretty good'.
Jimmy Shah, Mobile Malware Researcher, McAfee
Creditrs:
By Google (http://www.android.com/branding.html) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia
Commons
Photography by User: MrX [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
By Mazenl77 (FindIcons) [CC-BY-3.0-2.5-2.0-1.0 (http://creativecommons.org/licenses/by/3.0-2.5-2.0-1.0)], via Wikimedia Commons

2. The Problem
● About a 1,000,000 apps
● Not all are good
○ How do you tell?
■ Manual Analysis
■ Automate it

3. The Problem, cont.
● How do you tell?
● Manual Analysis
○ Slow, doesn’t scale, ties up resources
● Automate it
○ use knowledge from researchers
○ scale up with more hw
○ catch the majority of copycats/script kiddies

4. Heuristics

5. What are Heuristics?
● heu·ris·tic [hyoo-ris-tik or, often, yoo-]
adjective
1. serving to indicate or point out; stimulating
interest as a means of furthering
investigation.
"heuristic." Dictionary.com Unabridged. Random House, Inc. 5 Aug. 2013. <Dictionary.com http://dictionary.reference.com/browse/heuristic>.

6. What are Heuristics?
● Rules of thumb
○ It looks like a duck
○ It walks like a duck
■ It’s probably a duck
"heuristic." Dictionary.com Unabridged. Random House, Inc. 5 Aug. 2013. <Dictionary.com http://dictionary.reference.com/browse/heuristic>.

7. What are Heuristics?
● Rules of thumb
○ It looks like a duck
■ it has a beak
○ It walks like a duck
■ It has webbed feet
By Pearson Scott Foresman [Public domain], via Wikimedia Commons https://upload.wikimedia.org/wikipedia/commons/thumb
28PSF%29.png/632px-Duck_1_%28PSF%29.png
Duck?
It’s a Duck!

8. What are Heuristics?
● Rules of thumb
○ It looks like a duck
■ it has a beak
○ It walks like a duck
■ It has webbed feet
By Pearson Scott Foresman [Public domain], via Wikimedia Commons
https://upload.wikimedia.org/wikipedia/commons/thumb/c/ca/Platypus_3_%28PSF%29.png/320px-Platypus_3_%28PSF%29.png
Duck?
Nope, it’s a
Platypus.

9. Heuristic scanner: DmpAxml.pl
git://git.assembla.com/dexdump.git

10. Heuristic scanner: DmpAxml.pl
~$ ./DmpAxml.pl
DmpAxml - AndroidManifest.xml File Dumper ver. 0.7
Copyright 2013 Jimmy Shah All rights reserved.
Usage: /home/js/dexdump/DmpAxml.pl [-adspih] filename
Options:
-a Dump all
-d Dump printable AndroidManifest.xml
-s Dump string table
-p Dump Permissions
-i Dump Intents
-r Dump Activities
-h Run heuristics

11. Ideas for Heuristics

12. Heuristic ideas: Permissions
● Bad apps ask for permissions they dont
need
○ True
○ They're more likely to request many permissions that
they do need/use
● Bad apps use a particular set of permissions
○ True
○ So do clean apps
● Insufficently unique.
○ Good chance to FP on clean apps
○ Too many FPs to use by itself

13. Heuristic ideas: Permissions, cont.
~$ ./DmpAxml.pl -h 517298409.apk
---------------------|
Suspcious Permissions|
---------------------|
android.permission.INTERNET
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_CONTACTS
INTERNET Transmit and receive traffic via the Internet
ACCESS_FINE_LOCATION GPS location vs. Wifi or cell tower
READ_CONTACTS Read Contact information
Android/PBL.A - A phone book leaking
malware

14. Heuristic ideas: Certificates
● Blacklisting malicious developers
○ Bad apks from the same malware author are signed
with the same certificate
■ True
■ Not all bad apks from the same author are signed
with the same certificate
■ Newer variants may use different certificates
○ Insufficiently unique.
■ Chance to FP
■ Higher chance for False Negative(missed
heuristic detection)

15. Heuristic ideas: Certificates, cont.
~$ ./DmpAxml.pl -h ./4D60F52138C44B903582C4EBB9661969.apk
----------------|
Possible Variant|
----------------|
Android/FakeInstaller Variant
Android/Fakeinstaller - A trojan that pretends to
be an installer for a legitimate app

16. Heuristic ideas: Activities
● Malware uses specific Activity names to
launch
○ legit apps with injected malicious code
○ trojans
○ spyware
● Not as useful for obfuscated apps
○ unidentifiable or changing activity names
● Complex malware can avoid notice by
injecting code into legitmate Activity

17. Heuristic ideas: Multiple Indicators
● Each Heuristic has its individual FP rate
○ Chances that actual malware is missed
○ Heuristic can not be too specific or it becomes a
unique signature for a particular malware
● Combining multiple indicators can reduce
this rate
○ Ex: Certificate blacklisting plus Permissions
○ Chance is low enough to indicate malware without
excluding too many variants

18. Heuristic ideas: Multiple Indic., cont.
~$ ./DmpAxml.pl -h ./d20cb0bb5d87bfc8394bda0d8964d663.apk
----------------|
Possible Variant|
----------------|
Android/FakeInstaller Variant
---------------------|
Suspcious Permissions|
---------------------|
android.permission.INTERNET
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_CONTACTS
INTERNET Transmit and receive traffic via the Internet
SEND_SMS Send SMS messages
ACCESS_NETWORK_STATE Checks network connectivity
Android/Fakeinstaller - A trojan that
pretends to be an installer for a legitimate
app

19. Heuristic ideas: Multiple Indic., cont.
● 70 unknown samples
● Training set of about 200 known malware
● 10 samples, possible variants of known malware
○ Android/Fladstep
■ fake flash player
■ browser, loads malicious site
○ Android/VDLoader
■ backdoor trojan, steals user info
● 1 out of 7 detection rate(~14%)
○ 10 apps that warrant a closer look

20. Questions?