2. Who am I?
Masata Nishida
• SecureBrain, Advanced Research Laboratory
• I’m not a malware researcher, I’m just a software
developer.
• Rubyist
• @masata_masata
3. Today’s Theme
Presented the same topic at CSS2012.
• CSS (Computer Security Symposium) 2012
– 2012/10/30-11/01
– Matsue City, Shimane Prefecture
Title: “Android Malware Heuristics using Digital Certificates”
Japanese Title: 署名情報を利用したAndroid マルウェアの推定手法の提案
6. Everyone says:
Android malware is increasing
explosively!!
But… (what is the reality?)
(Photo: High Sheeps By Bertoz)
7. Although the number of malware samples is rapidly increasing, we don’t actually have any insight into that growth.
Today, we will focus on the certificates used by malicious Android apps. Then we can see another side of Android malware.
(Photo: DSC_6557 By euthman)
8. Background
• An Android application must be digitally signed.
• A self-signed certificate can be used.
• The signature information is in the META-INF/ directory of the APK file (a zip archive).
(Photo: Marriage Certificate By The Gearys)
9. Question
How many Android malware samples use the same certificate?
(Photo: Thinking… By Mr Tickle)
10. I’m bored.
I counted the number of unique certificates in Android malware.
11. First, collect malware samples
• Target Android malware family samples
– are about 15,000 samples.
– include many polymorphic samples.
Family         Samples
FakeInst         4,911
Kmin             2,464
OpFake           2,360
Boxer            1,399
DroidKungFu        824
Lotoor             432
GingerMaster       272
SmsSend            221
SmsAgent           209
JiFake             137
Others           1,488
Total           14,717
(Photo: Catching Bugs, II, III By New Mexico Forestry Camp)
12. Then
count certificates.
(Photo: Microscope Night By Machine Project)
16. FakeInst
Polymorphic sample
4,911 samples
31 certificates
Polymorphic samples also use the same certificates.
17. FakeInst
Polymorphic sample
Most reused certificate
Reused by 2,602 samples
18. Period of use
Certificates used for over a year:
13 certificates
(2,764 samples)
Some certificates are used for a long time.
19. The Movie (Dougalek): Japan-specific malware
• An incident in Japan (Apr. 2012)
• The malware was distributed from Google Play.
– About 50 malicious apps.
– Used 7 developer accounts.
• The malware sends private information to an external server.
• The application name is like “xxx the Movie”.
– “xxx” is replaced with a pop star or a famous game name.
• Installed on over 90,000 devices.
• Sent 12,000,000 pieces of information to the external server.
• The suspects were arrested last month (30th Oct 2012).
21. Today’s Conclusion
(Photo: New Blackboard By uncultured)
22. Many Android malware samples are signed using the same certificate.
We can detect new malware using the certificates of well-known malware.
(for now…)
(Photo: The Detective By paurian)
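As an added example (not code from the talk or from SecureBrain), the counting from slides 10-12 and the heuristic from this slide in Python: it pulls the signer certificate out of the PKCS#7 block under META-INF/, fingerprints it with SHA-256, counts how many samples share each fingerprint, and flags a new APK whose certificate matches one already seen on known malware. The sample APKs, the stand-in certificate bytes inside them and the der()/fake_apk() builders are constructed for this example, and the DER walker assumes the standard SignedData layout rather than being a full ASN.1 parser.

```python
import hashlib, io, zipfile
from collections import Counter

def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def signer_certs(pkcs7):
    """Return each Certificate (DER bytes) carried in a PKCS#7 SignedData blob."""
    _, content_info, _ = der_tlv(pkcs7)            # ContentInfo SEQUENCE
    _, _, pos = der_tlv(content_info)              # skip contentType OID
    _, explicit, _ = der_tlv(content_info, pos)    # content [0] EXPLICIT
    _, signed_data, _ = der_tlv(explicit)          # SignedData SEQUENCE
    _, _, pos = der_tlv(signed_data)               # skip version
    _, _, pos = der_tlv(signed_data, pos)          # skip digestAlgorithms
    _, _, pos = der_tlv(signed_data, pos)          # skip encapContentInfo
    tag, certs, _ = der_tlv(signed_data, pos)
    if tag != 0xA0: return []                      # certificates [0] IMPLICIT is OPTIONAL
    out, pos = [], 0
    while pos < len(certs):
        _, _, end = der_tlv(certs, pos)
        out.append(bytes(certs[pos:end]))          # keep the whole Certificate TLV
        pos = end
    return out

def apk_cert_fingerprints(apk_bytes):
    """SHA-256 fingerprints of the signer certs under META-INF/ in an APK (a zip)."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.update(hashlib.sha256(c).hexdigest() for c in signer_certs(z.read(name)))
    return fps

def cert_reuse(samples):  # {sample_id: apk_bytes} -> Counter: how many samples share each cert
    return Counter(fp for apk in samples.values() for fp in apk_cert_fingerprints(apk))

def flag_by_known_certs(apk_bytes, known_malware_fps):  # the talk's heuristic
    return bool(apk_cert_fingerprints(apk_bytes) & known_malware_fps)

def der(tag, body):  # short-form DER only (body < 128 bytes); used just to build test input
    return bytes([tag, len(body)]) + body

def fake_apk(cert_subject):  # constructed, hypothetical APK: SignedData skeleton around a stand-in cert
    cert = der(0x30, der(0x13, cert_subject))      # stand-in for an X.509 Certificate SEQUENCE
    body = der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"") + der(0xA0, cert) + der(0x31, b"")
    pkcs7 = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010702")) + der(0xA0, der(0x30, body)))
    with zipfile.ZipFile((buf := io.BytesIO()), "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()
```

Real signing certificates are well over 127 bytes, which is why der_tlv() handles long-form lengths even though the test-input builder only emits short-form ones.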
23. Many Android malware samples are signed using the same certificate.
Not too many malware developers??
or
The private keys of the certificates are shared between malware developers??
(Photo: DSC_6565 By euthman)