
Slide Intervento Zanero Giornata del Perito 2015


Slides of Prof. Stefano Zanero's talk at the Giornata del Perito 2015 in Modena, titled "Mobile malware between myth and reality: how many times can we cry wolf?" (original title: "Mobile malware tra mito e realtà: quante volte possiamo gridare al lupo?").


1. Stefano Zanero, Politecnico di Milano. Collaboration work with: Technical University of Vienna (TUV); Foundation for Research & Technology Hellas (FORTH).
  "Wolf, Wolf!" So much malware. So little malware.

2. Low infection rates?
  • The Core of the Matter (NDSS 2013): 0.0009%
  • The Company You Keep (WWW 2014): 0.28%
  • Google: Android Security From The Ground Up (Virus Bulletin 2013)

3. AV vendors paint a different picture…
  • Fortinet 2014 Threat Landscape Report
  • Trend Micro TrendLabs 1Q 2014 Security Roundup
  • McAfee Labs Threats Report, June 2014

4. Motivation
  • How are malicious apps distributed?
    - Official Google Play Store
    - Torrents, one-click hosters
    - Websites, blogs, …
    - Alternative app markets
  • How widespread are malicious apps, and how often are they downloaded?
  • Do alternative markets employ security measures?
  • Collect metadata for malware analysis (Andrubis, AndroTotal)

5. Metadata
  • Malware for traditional (desktop) devices
    - No metadata
    - Best case: we know the website that attempted the drive-by download infection
  • Malware for mobile devices
    - Internal metadata: app name and developer pseudonym; package name; resources (e.g., assets, images)
    - External metadata: app name (as listed on the market); description, comments, rating; popularity

6. Market Metadata: Google Play [screenshot of a Play Store listing]

7. Market Metadata: Google Play [screenshot, continued]

8. Outline (MST Workshop 2015)
  • Market Characterization
  • Android Market Radar (AndRadar)
  • Evaluation and Case Study
  • Future Work and Conclusion

9. Market Characterization
  • Alternative markets are popular because of…
    - Country gaps (e.g., no paid apps in Google Play in China)
    - Promotion
    - Specific needs and specialization
  • Sometimes too specific: check removedapps.com…
  • Preliminary study on 8 alternative marketplaces
    - Crawled them entirely between July and November 2013
    - Downloaded 318,515 apps

10. (1) Distribution of unwanted apps
  Do markets distribute known, unwanted apps?
  • Yes, they do!
  • 5–8% malicious apps in the whole dataset (10+ AV detections, excluding adware)
  • Some markets specialize in adware / "madware"

11. (2) Publication of malicious apps
  Do markets allow the publication of malicious apps?
  • Yes, they do!
  • Ranking based on the number of published apps
  • Well visible and known to market operators
  • Top authors publish both benign and malicious apps
  [Chart: top 5 authors per market (andapponline, camangi, opera, pandaapp, slideme), number of apps published, split into malware and goodware]

12. (3) Distinctive metadata
  Do malicious apps have distinctive metadata?
  • Yes, they do!
  • Malicious apps are downloaded more often: rankings are inflated by app rank boosting services
  • Malicious apps are slightly larger than goodware: additional malicious code in repackaged apps

13. (4) Market overlap
  How are markets related to each other?
  • Markets share up to 47% of MD5s and 75% of package names
  [Chart: pairwise intersection by MD5 and by package name across andapponline, opera, getjar, blackmart, pandaapp, slideme, fdroid, camangi]
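The two overlap measures on slide 13 (intersection by MD5, intersection by package name) and the repackaging signal behind slide 12 (same package name, different bytes) can be computed from nothing more than the (hash, package) pairs a crawler records. The following is an added example, not AndRadar's own code; the three markets and their apps are constructed, and normalising the intersection by the smaller market is an assumption, since the slides do not state which denominator the percentages use.

```python
"""Pairwise overlap between app markets by MD5 and by package name.

Added example (not the AndRadar code). The sample markets are constructed.
"""
from itertools import combinations
from operator import itemgetter

# Constructed sample: market name -> list of (md5, package_name) pairs, as a
# crawler would record them for each downloaded APK.
MARKETS = {
    "marketA": [("aaa1", "com.example.game"), ("bbb2", "com.example.tool"), ("ccc3", "org.foo.bar")],
    "marketB": [("aaa1", "com.example.game"), ("ddd4", "com.example.tool"), ("eee5", "net.baz.qux")],
    "marketC": [("fff6", "com.example.game"), ("ccc3", "org.foo.bar")],
}


def overlap(apps_a, apps_b, key):
    """Fraction of identifiers shared by two markets.

    Normalised by the smaller market (assumption: the slides do not say which
    denominator their percentages use). `key` selects MD5 or package name.
    """
    ids_a = {key(app) for app in apps_a}
    ids_b = {key(app) for app in apps_b}
    return len(ids_a & ids_b) / min(len(ids_a), len(ids_b))


def overlap_matrix(markets):
    """Return {(m1, m2): {"md5": fraction, "package": fraction}} per market pair."""
    by_md5, by_package = itemgetter(0), itemgetter(1)
    return {
        (m1, m2): {
            "md5": overlap(markets[m1], markets[m2], by_md5),
            "package": overlap(markets[m1], markets[m2], by_package),
        }
        for m1, m2 in combinations(sorted(markets), 2)
    }


def repackaging_candidates(markets):
    """Package names seen with more than one MD5 across all markets.

    Identical package name but different bytes is what a repackaged
    (possibly trojanized) copy looks like. It is also what a newer version
    looks like, so this is a triage list, not a verdict: compare the
    versionCode in the manifest before concluding.
    """
    hashes = {}
    for apps in markets.values():
        for md5, package in apps:
            hashes.setdefault(package, set()).add(md5)
    return sorted(package for package, seen in hashes.items() if len(seen) > 1)


if __name__ == "__main__":
    for pair, scores in overlap_matrix(MARKETS).items():
        print(pair, f"md5={scores['md5']:.0%}", f"package={scores['package']:.0%}")
    print("repackaging candidates:", repackaging_candidates(MARKETS))
```

Package-name overlap is always at least as high as MD5 overlap, which is the gap the slide's 47% versus 75% figures expose: the difference is made up of apps that share an identity but not their bytes, exactly the population in which repackaged malware hides.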
14. Outline: Android Market Radar (AndRadar)

15. AndRadar Design Goals
  • Discover apps in markets in real time
  • Track the distribution of apps across markets
  Constraints:
  • Increasing space and time requirements
  • Metadata is dynamic: apps must be re-crawled regularly
  • Crawling complete markets becomes infeasible
  • Plethora of alternative markets
    - ~196 in October 2011 (Vidas et al., CODASPY 2013)
    - ~500 in the Juniper Threats Report, March 2012/2013
    - ~89 in our market study in June 2013

16. AndRadar Architecture
  [Diagram: components Seed, Search, Downloader, Metadata Scraper, Tracker, App Metadata store, Market Specifications]

17. App Discovery
  • Lightweight identifier to select target apps
  • The package name uniquely identifies an app on a device
  • The package name identifies an app in markets
  • Part of an app's "branding"

18. App Discovery: AppChina [screenshot]

19. App Discovery: Appszoom [screenshot]

20. App Matching Workflow [diagram]

21. Speed for a full market scan [chart]

22. Collected Metadata
  • Continuous monitoring of discovered apps
  • Harvest meta information from the market listing:
    - Upload date
    - Description
    - Screenshots
    - Number of downloads
    - User ratings
    - Reviews
    - Other apps by the same author
    - Delete date

23. Outline: Evaluation and Case Study

24. Overall performance
  • Track tens of thousands of apps per market per day
  • Tracked 20,000 malicious apps
    - perfect match + deleted = market-deleted malware
    - weak match + non-deleted = benign app used as host (same package name)

25. Application Lifecycles: Normal lifecycle (90.75%)
  The market deletes the app after it is detected by AVs.

26. Application Lifecycles: Malware hopping (7.89%)
  The app is republished after detection ("failover" strategy).

27. Application Lifecycles: Market self-defense (1.56%)
  The market deletes the app before it is detected by AVs.
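Slides 24 to 27 together define a small classification: a market listing is a perfect match to a seed when package name and MD5 both agree, a weak match when only the package name does, and a seed's lifecycle is read off the order of its upload, AV detection and deletion dates. The following is an added example, not AndRadar's code; the seed, the listings and all dates are constructed, and the "still-online" class is my addition for copies the crawler has not yet seen removed.

```python
"""Classify how a known-malicious app (a "seed") lived and died across markets.

Added example, not the AndRadar code. Match rules follow slide 24, lifecycle
classes follow slides 25-27. All listings and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Seed:
    package: str
    md5: str
    detected: date  # first day AV engines flagged the sample (e.g. via AndroTotal)


@dataclass(frozen=True)
class Listing:
    market: str
    package: str
    md5: str
    uploaded: date
    deleted: Optional[date]  # None: still online at the last crawl


def match_kind(listing: Listing, seed: Seed) -> str:
    """'perfect' = same package and bytes, 'weak' = same package only (slide 24)."""
    if listing.package != seed.package:
        return "none"
    return "perfect" if listing.md5 == seed.md5 else "weak"


def lifecycle(listings: List[Listing], seed: Seed) -> str:
    copies = [l for l in listings if match_kind(l, seed) == "perfect"]
    if not copies:
        return "not-found"
    # Market self-defense (slide 27): every copy taken down before AV detection.
    if all(l.deleted is not None and l.deleted < seed.detected for l in copies):
        return "market-self-defense"
    # Malware hopping (slide 26): the same bytes resurfaced after detection.
    if any(l.uploaded > seed.detected for l in copies):
        return "malware-hopping"
    # Normal (slide 25): detected first, then every copy removed.
    if all(l.deleted is not None for l in copies):
        return "normal"
    return "still-online"  # added class: the crawler has not seen a takedown yet


def host_candidates(listings: List[Listing], seed: Seed) -> List[Listing]:
    """Weak matches still online: the benign app the malware piggybacks on."""
    return [l for l in listings if match_kind(l, seed) == "weak" and l.deleted is None]


# Constructed sample data.
SEED = Seed("com.example.game", "aaa1", date(2014, 3, 10))
NORMAL = [Listing("marketA", "com.example.game", "aaa1", date(2014, 3, 1), date(2014, 3, 15))]
HOPPING = [
    Listing("marketA", "com.example.game", "aaa1", date(2014, 3, 1), date(2014, 3, 15)),
    Listing("marketB", "com.example.game", "aaa1", date(2014, 3, 20), None),  # republished
    Listing("marketC", "com.example.game", "fff6", date(2013, 12, 1), None),  # weak match: host app
]
SELF_DEFENSE = [Listing("marketA", "com.example.game", "aaa1", date(2014, 3, 1), date(2014, 3, 5))]

if __name__ == "__main__":
    for name, listings in [("normal", NORMAL), ("hopping", HOPPING), ("self-defense", SELF_DEFENSE)]:
        print(name, "->", lifecycle(listings, SEED), [h.market for h in host_candidates(listings, SEED)])
```

Two details matter in practice. The comparisons are at day granularity, so a takedown on the detection day itself counts as "normal", not "self-defense"; with timestamps the strict `<` should stay strict, since the claim being tested is that the market acted without AV help. And a weak match is only a host candidate, not a verdict: the same package name with different bytes is also what a legitimate update looks like, so the version code should be compared before a developer is labelled.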
28. Community Reaction Time [chart: Google Play vs. other markets]

29. Market Reaction Time [chart]

30. Outline: Future Work and Conclusion

31. Future (now current) Work
  • Automated notification system for markets
  • Extend app discovery in markets based on:
    - Application name
    - Image characteristics (icon, screenshots)
    - Description of functionality
  • Versioning of malicious apps
  • Identify fraud in markets ("app rank boosting"):
    - Inflated download numbers
    - Fake ratings and reviews
  Want to play? The system is online at http://admire.necst.it

32. ADMIRE intelligence platform
  • Rank marketplaces
  • Distinguish between malicious and benign developers
  • Evaluate the goodness of applications

33. Data collection
  • Seeds collected: 87,115
  • Marketplaces crawled: 11
  • Apps collected: 191,851
  • Developers found: 25,512
  [Diagram: malicious sources feed the seed list; the crawler searches the markets, collects APKs and metadata, and stores them in the DB]

34. Conclusions
  • In-depth measurement of 8 alternative markets
  • AndRadar discovers malicious apps in real time
  • Tracking of app distribution across markets
  • Collection of metadata about apps: branding, updates, download numbers, ratings & reviews
  • Exposes the publishing patterns of malware authors, including "failover" strategies to migrate between markets

35. Thanks! Questions?
  stefano.zanero@polimi.it, @raistolo, http://zanero.org
