Who am I ?Masata Nishida• SecureBrain, Advanced Research Laboratory• I’m not a malware researcher, I’m just a software developer.• Rubyist• @masata_masata
Today’s ThemePresented the same topic at CSS2012.• CSS (Computer Security Symposium)2012 – 2012/10/30-11/01 – Matsue City, Shimane Prefecture Title: “Android Malware Heuristics using Digital Certificates” Japanese Title: 署名情報を利用したAndroid マルウェアの推定手法の提案
Android malwares increase explosively!!(Photo: High Sheeps By Bertoz)
McAfee Threat Report: Second Quarter 2012 By McAfee Labs
Everyone say: Android malwares increase explosively!! But…(what is reality?)(Photo: High Sheeps By Bertoz)
Although the number of malwares is rapidly increasing, but we don’t actually have insights into the growth. Today, we will focus on the certificate used by Malicious Android app. Then we can find another side of Android malwares.(Photo: DSC_6557 By euthman)
Background• Android application must be digitally signed.• Self-signed certificate can be used.• The signature information is in META-INF/ directory in Apk file(zip archive file). (Photo: Marriage Certificate By The Gearys)
Question How many Android malwares use the same certificate?(Photo: Thinking… By Mr Tickle)
I’m bored. I counted numberof unique certificatesin Android malwares.
First, collect malware samples • Target Android malwares Family samples FakeInst 4,911 – are about 15,000 samples. Kmin 2,464 OpFake 2,360 Boxer – include many polymorphic 1,399 DroidKungFu 824 samples. Lotoor 432 GingerMaster 272 SmsSend 221 SmsAgent 209 JiFake 137 Others 1,488 Total 14,717(Photo: Catching Bugs, II, III By New Mexico Forestry Camp)
Then count certificates.(Photo: Microscope Night By Machine Project)
Counting certificates requires lotta patience...(Photo: Microscope Night By Machine Project)
Unique certificates14,717 samples 589 certificates Many malwares use the same certificate!!
FakeInst Polymorphic sample 4,911 samples 31 certificatesPolymorphic malwares also use the same certificates.
FakeInst Polymorphic sample Most reused certificate Reused by 2,602 samples
Period of useCertificates used for over a year. 13 certificates (2,764samples) Some certificates used for long term.
The Movie (Dougalek) Japan-specific malware• An incident in Japan (Apr. 2012)• Malwares are distributed from Google Play. – About 50 malwares. – Used 7 developer accounts.• The malware sends private information to external server.• The application name is like “xxx the Movie”. – “xxx” is replaced with a pop star or famous game name.• Installed over 90,000 devices.• Sent 12,000,000 information to external.• The suspects were arrested last month(30th Oct 2012).
The Movie (Dougalek) Japan-specific malware 24 samples 7 certificates
Today’s Conclusion(Photo: New Blackboard By uncultured)
Many Android malwares are signed using the same certificate. We can detect new malwares using the certificates of well-known malwares. (for now…)(Photo: The Detective By paurian)
Many Android malwares are signed using the same certificate. Not too many malware developers?? or The private key of the certificates are shared between malware developers??(Photo: DSC_6565 By euthman)