
When Android Apps Go Evil


Lookout security analyst Jing Xie presented her research at the Grace Hopper Celebration of Women in Computing on October 9, 2014. She explains the Android app landscape, how malicious apps make it onto the marketplace, and how intelligent research can sniff out the evil apps.



  1. When Android Apps Go Evil. Jing Xie, jing.xie@lookout.com, Lookout Inc. #GHC14, 2014
  2. Evil Outline: Android OS & App Development; Malware Landscape; Reverse Engineering; Analysis; Insights & Challenges
  3. Android OS: Linux based; open sourced; Java for app dev; Dalvik VM (ART since 4.4). Security & Privacy: sandboxing, permissions, secure IPC, cryptography
  4. Making of Apps
  5. Android Malware (NOT VIRUS PLZ!)
  6. Threat Landscape
  7. Depending on Origin: USA, France + Spain, Russia, India, Vietnam, China. Categories: Trojan, Toll Fraud, Spyware, Chargeware, Surveillanceware, Spam, Ransomware, RootEnabler, Exploit, Riskware
  8. Malware as a Business
  9. Agile Malware Development: SMSActor distribution. SMS Toll Fraud: sending premium text messages without consent. SMSActor, Russian toll fraud, April 2012 to April 2014. Variant life span: Activated, Deactivated, Decommissioned
  10. Incentive and Feasibility: a HUGE NUMBER of apps are not in the Google Play Store (http://www.onepf.org/appstores/, http://www.techinasia.com/10-android-app-stores-china-2014-edition/). Other stores: Anzhi, AppChina, D.cn Games Center, gFan, HiAPK, Aptoide, Panda App, Taobao App Market, Tencent App Gem, Xiaomi, Mumayi, SK T-Store, Naver NStore, APPZIL, olleh Market, Yandex.Store, SlideMe.org, AppBrain, 1MobileMarket, Mobile9, Mobango, Barzaar, Amazon appstore, AppZoom, AppsLib
  11. Incentive and Feasibility: http://www.theguardian.com/technology/2014/aug/22/android-fragmented-developers-opensignal
  12. Reverse Machinery (1): baksmali / apktool (input: apk/dex, output: smali); dex2jar + jd-gui/luyten (output: pseudo Java)
  13. Reverse Machinery (2): Demo Time (click to watch video on YouTube)
  14. Scents of Android Malware (1)
     • Disingenuous advertisement: Facebook icon && titled facebook, but package name com.facebook.sms rather than com.facebook.katana
     • More than advertised: irrelevant code package; payment SDK with no pay button (UI)
     • Cost-money APIs in unexpected context: a system utility app sends SMS or makes phone calls; a free game that requires a costs-money permission
     • Unnecessary outbound communications: a battery-saving app talks to a remote server; a calculator that downloads stuff
  15. Scents of Android Malware (2)
     • Interesting log statements: "IsFuckSendIsLuckReceiverIsLuckReceiver的finally已经开始加锁"; "** WHELCOME TO HELL *********"
     • Interesting file assets: /assets/libremotecontrol.so; a PNG that is actually a dex file
     • System-level operations: a game app that checks for root
     • Peer information exchange: VirusTotal says the app is malicious
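An added triage script (not from the talk or from Lookout) that turns the scents on slides 14 and 15 into checks over an APK: a brand name claimed in the title that does not match the brand's official package, cost-money permissions declared in the manifest, and an assets/*.png whose bytes begin with the dex magic. It assumes a plain-text AndroidManifest.xml as apktool decodes it (a raw APK carries binary XML), and the sample APK it builds is constructed for the demonstration.

```python
import io
import re
import zipfile

DEX_MAGIC = b"dex\n"              # start of a classes.dex file
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # start of a real PNG
# Permissions that let an app cost the user money (SMS / calls).
COST_PERMS = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
# Official package for a brand an app may claim in its title or icon.
OFFICIAL_PACKAGES = {"facebook": {"com.facebook.katana"}}


def triage_apk(apk_bytes, claimed_brand=None):
    """Return the 'scents' found in an APK (a zip given as bytes); assumes a
    plain-text AndroidManifest.xml as apktool decodes it, not binary XML."""
    scents = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        manifest = apk.read("AndroidManifest.xml").decode("utf-8", "replace")
        match = re.search(r'package="([^"]+)"', manifest)
        package = match.group(1) if match else ""
        perms = set(re.findall(
            r'android:name="(android\.permission\.[A-Z_]+)"', manifest))
        # Scent 1: brand in the title/icon, but not the brand's real package.
        brand = (claimed_brand or "").lower()
        if brand and brand in package.lower() \
                and package not in OFFICIAL_PACKAGES.get(brand, set()):
            scents.append(f"impersonation: {package} is not the official "
                          f"{brand} package")
        # Scent 2: cost-money permissions (suspicious in a utility or free game).
        for perm in sorted(perms & COST_PERMS):
            scents.append(f"cost-money permission: {perm}")
        # Scent 3: a .png asset whose bytes are really a dex file.
        for name in apk.namelist():
            if name.startswith("assets/") and name.lower().endswith(".png"):
                head = apk.read(name)[:8]
                if head.startswith(DEX_MAGIC) and not head.startswith(PNG_MAGIC):
                    scents.append(f"disguised dex: {name}")
    return scents


def build_sample_apk():
    """Constructed sample: a 'Facebook' SMS app hiding a dex file as a PNG."""
    manifest = ('<manifest package="com.facebook.sms">'
                '<uses-permission android:name="android.permission.SEND_SMS"/>'
                '<uses-permission android:name="android.permission.INTERNET"/>'
                '</manifest>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", manifest)
        apk.writestr("assets/logo.png", b"dex\n035\x00" + b"\x00" * 32)
    return buf.getvalue()
```

Run on a real sample after `apktool d` by zipping the decoded directory, or adapt the manifest read to the decoded path; the magic-byte check works on the raw APK as-is.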
  16. Analysis Challenges. Technical: evasion techniques; complicated apps; sheer volume; constraints on devices. Contextual: nuanced context; malware purpose; levels of puzzle solving
  17. When Android Apps Go Evil. Jing Xie, jing.xie@lookout.com, Lookout Inc. #GHC14, 2014. Thank You! Thanks to the security team + designer @ Lookout
