AVTOKYO2012 Android Malware Heuristics(en)

•Download as PPTX, PDF•

3 likes•1,694 views

雅太西田

Technology

Android Malware Heuristics
Masata Nishida

AVTOKYO 2012

2012/11/17

(Photo: Android Lineup – Beige By .RGB.)

Who am I ?
Masata Nishida
• SecureBrain, Advanced Research Laboratory
• I’m not a malware researcher, I’m just a software
developer.
• Rubyist
• @masata_masata

Today’s Theme
Presented the same topic at CSS2012.
• CSS (Computer Security Symposium)2012
– 2012/10/30-11/01
– Matsue City, Shimane Prefecture

Title: “Android Malware Heuristics
using Digital Certificates”
Japanese Title: 署名情報を利用したAndroid マルウェアの推定手法の提案

Android malwares increase
explosively!!

(Photo: High Sheeps By Bertoz)

McAfee Threat Report: Second Quarter 2012 By McAfee Labs

Everyone say:
Android malwares increase
explosively!!
But…(what is reality?)

(Photo: High Sheeps By Bertoz)

Although the number of
malwares is rapidly increasing,
but we don’t actually have
insights into the growth.

Today, we will focus on the
certificate used by Malicious
Android app. Then we can find
another side of Android
malwares.
(Photo: DSC_6557 By euthman)

Background
• Android application must
be digitally signed.
• Self-signed certificate can
be used.
• The signature information
is in META-INF/ directory
in Apk file(zip archive file).

(Photo: Marriage Certificate By The Gearys)

Question
How many Android malwares use
the same certificate?

(Photo: Thinking… By Mr Tickle)

I’m bored.
I counted number
of unique certificates
in Android malwares.

First, collect malware samples
• Target Android malwares Family samples
FakeInst 4,911

– are about 15,000 samples. Kmin 2,464
OpFake 2,360
Boxer
– include many polymorphic 1,399
DroidKungFu 824
samples. Lotoor 432
GingerMaster 272
SmsSend 221
SmsAgent 209
JiFake 137
Others 1,488
Total 14,717
(Photo: Catching Bugs, II, III By New Mexico Forestry Camp)

Then
count certificates.
(Photo: Microscope Night By Machine Project)

Counting certificates requires
lotta patience...

(Photo: Microscope Night By Machine Project)

Unique certificates

14,717 samples

589 certificates
Many malwares use the same certificate!!

FakeInst
Polymorphic sample

4,911 samples

31 certificates
Polymorphic malwares also use the same certificates.

FakeInst
Polymorphic sample

Most reused certificate


Reused by 2,602 samples

Period of use

Certificates used for over a year.


13 certificates
(2,764samples)
Some certificates used for long term.

The Movie (Dougalek) Japan-specific malware

• An incident in Japan (Apr. 2012)
• Malwares are distributed from Google Play.
– About 50 malwares.
– Used 7 developer accounts.
• The malware sends private information to external
server.
• The application name is like “xxx the Movie”.
– “xxx” is replaced with a pop star or famous game name.
• Installed over 90,000 devices.
• Sent 12,000,000 information to external.
• The suspects were arrested last month(30th Oct 2012).

The Movie (Dougalek)
Japan-specific malware

24 samples

7 certificates

Today’s
Conclusion

(Photo: New Blackboard By uncultured)

Many Android malwares are signed
using the same certificate.

We can detect new malwares using the
certificates of well-known malwares.

(for now…)
(Photo: The Detective By paurian)

Many Android malwares are signed
using the same certificate.

Not too many malware developers??
or
The private key of the certificates are shared
between malware developers??
(Photo: DSC_6565 By euthman)

[Appendix]
apk analysis library for Ruby
• Open Source
– Source: https://github.com/securebrain/ruby_apk
– Install: “$ gem install ruby_apk”
• Requirements
– Ruby1.9.x
• Features
– AndroidManifest.xml analysis
• components(activity, service, receiver, provider)
• use-permission, intent-filter,…
– Extract files in apk
– resource analysis(partial)
– dex analysis(partial)
• Extract classes, methods, fields, strings

Viewers also liked

Android malware overview, status and dilemmas

Tech and Law Center

Semantics aware malware detection ppt

Manish Yadav

Кратко про тенденции ИБ к обсуждению (Код ИБ)

Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001

Android Malware Detection Mechanisms

Talha Kabakus

Про практику DLP (Код ИБ)

Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001

Ведущие: Сергей Франкофф и Шон Уилсон Сортировка вредоносного ПО представляет собой процесс быстрого анализа потенциально опасных файлов или URL. Любая тщательно продуманная система реагирования на инциденты безопасности обладает этой важной функцией. Но что, если у вас не установлена программа реагирования на инциденты? Как быть, если вы только начали ее настраивать? А вдруг у вас нет программных средств для проведения анализа? Грамотно выбранный бесплатный онлайн-инструмент, веб-браузер и блокнот — вот все, что вам пригодится. На мастер-классе участники самостоятельно будут заниматься сортировкой вредоносного ПО. Ведущий предоставит информацию о необходимых инструментах.

Экспресс-анализ вредоносов / Crowdsourced Malware Triage

Positive Hack Days

Максим Ширшин — Регулярные выражения

Yandex

Ведущий: Андрей Масалович Целый арсенал средств информационного воздействия используется в корпоративном коммуникационном маркетинге и в астротурфинге. Докладчик расскажет о том, как подготавливаются информационные атаки, как распознавать их на ранних стадиях и противостоять им. Проанализирует особенности восприятия и распространения информации в социальных сетях с использованием троллей и ботов. Рассмотрит метод экспресс-анализа социальных портретов участников массовых обсуждений — рядовых пользователей, политиков, медийных персон, подростков, вербовщиков и их жертв.

Выживший

Positive Hack Days

Введение в SEO

ROOKEE

Тенденции российского рынка ИБ

Aleksey Lukatskiy

Как защититься рядовому пользователю от динамично меняющих угроз?

Aleksey Lukatskiy

Крупные мероприятия по информационной безопасности на 2017 год

Aleksey Lukatskiy

Ведущий: Макс Мороз Обзор системы ClusterFuzz, позволяющей осуществить проверку браузера Chrome на наличие уязвимостей в режиме реального времени и получить воспроизводимые результаты исследования каждого конкретного сбоя. Будут продемонстрированы преимущества использования различных санитайзеров и LibFuzzer, библиотеки для направленного фаззинга. Будет приведена подробная статистика видов уязвимостей, найденных в Chrome. Слушатели узнают о подводных камнях распределенного фаззинга; о том, как можно запустить свои собственные фаззеры в инфраструктуре Google и получить вознаграждение за найденные уязвимости.

Масштабируемый и эффективный фаззинг Google Chrome

Positive Hack Days

Malware

Tuhin_Das

Viewers also liked (14)

Android malware overview, status and dilemmas

Semantics aware malware detection ppt

Кратко про тенденции ИБ к обсуждению (Код ИБ)

Android Malware Detection Mechanisms

Про практику DLP (Код ИБ)

Экспресс-анализ вредоносов / Crowdsourced Malware Triage

Максим Ширшин — Регулярные выражения

Выживший

Введение в SEO

Тенденции российского рынка ИБ

Как защититься рядовому пользователю от динамично меняющих угроз?

Крупные мероприятия по информационной безопасности на 2017 год

Масштабируемый и эффективный фаззинг Google Chrome

Malware

Similar to AVTOKYO2012 Android Malware Heuristics(en)

I haz you and pwn your maal

c0c0n - International Cyber Security and Policing Conference

Hacking your Android (slides)

Justin Hoang

Since 2014, fifteen new malware or riskware families successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affected thousands of iOS apps and tens of millions users around the world. Ten of them even bypassed Apple’s code vetting and occurred at App Store. In this presentation, we will systematically study how could these malware, riskware and some Proof-of-Concepts infect non-jailbroken devices via practical vectors and approaches including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attack, abusing MDM solution, abusing private APIs, exploiting design flaws or app level vulnerabilities, and stealing privacy data. For each topic, we will introduce its implementation, explore real world cases, analyze its risky and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences could make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.

Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao

Shakacon

Securing your Cloud Environment v2

ShapeBlue

Functional and Behavioral Analysis of Different Type of Ransomware.pptx

tarkovtarkovski

I haz you and pwn your maal

Harsimran Walia

Building Custom Android Malware BruCON 2013

Stephan Chenette

Hacking your Droid (Aditya Gupta)

ClubHack

Malware cryptomining uploadv3

Setia Juli Irzal Ismail

Securing your Cloud Environment

ShapeBlue

Secretary Johnson called the attack on Sony Pictures Entertainment “an attack on our freedom of expression and way of life.” In this MMW session, we dissect Destover malware, responsible for more than 100 terabytes of stolen data from Sony Pictures Entertainment. Added bonus: MMW Watch List of 2014 We will summarize the “most wanted” of the year 2014, including Backoff, the POS malware, and Zberp, the financial Trojan.

Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.

Cyphort

APTs are known to use advanced Techniques, Tactics, and Procedures (TTP), including advanced malware design with protection layers, sandboxing evasion, and lateral movement inside penetrated networks to seek out high value targets. In this webinar, Nick Bilogorskiy of Cyphort Labs will review various lateral movement techniques and methods used by advanced threats in the past. He will look at some APT samples, e.g. Shamoon, in detail to show the specific steps in the lateral movement by the malware. Understanding the lateral movement of APT should help security defenders to better select and implement protection solutions.

Understanding Malware Lateral Spread Used in High Value Attacks

Cyphort

михаил дударев

apps4allru

Offensive malware usage and defense

Christiaan Beek

Cracking the Mobile Application Code

c0c0n - International Cyber Security and Policing Conference

Cracking the mobile application code

Sreenarayan A

Hacking and Securing iOS Apps : Part 1

Subhransu Behera

This is the presentation video of my talk at FSE 2020 conference. The paper is published on the research track of this conference in which the main contribution is: 1) disclosed a less known mechanism which can let developers invoke the code of other apps, 2) proved its feasibility by showcasing 2 concrete apps of DICI, 3) developed a tool to detect the use of DICI in Android apps, 4) did a large scale empirical study and answered 3 research questions about DICI, 5) also proposed 2 countermeasures from both the Android framework point of view and developer point of view.

Interapp code invocation_fse2020

JUN GAO

As part of this change, all contractors and government software developers will need to think critically and not only ask themselves “does the code have vulnerabilities,” but “could it have vulnerabilities,” and “how do we know either way?” Learn how with the right tools, and embedded security across the entire development process, you can stay ahead of adversary leaving the software supply chain secure so mindshare can be left for other critical national security issues.

Embracing DevSecOps: A Changing Security Landscape for the US Government

DJ Schleen

festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro

festival ICT 2016

Similar to AVTOKYO2012 Android Malware Heuristics(en) (20)

I haz you and pwn your maal

Hacking your Android (slides)

Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao

Securing your Cloud Environment v2

Functional and Behavioral Analysis of Different Type of Ransomware.pptx

I haz you and pwn your maal

Building Custom Android Malware BruCON 2013

Hacking your Droid (Aditya Gupta)

Malware cryptomining uploadv3

Securing your Cloud Environment

Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.

Understanding Malware Lateral Spread Used in High Value Attacks

михаил дударев

Offensive malware usage and defense

Cracking the Mobile Application Code

Cracking the mobile application code

Hacking and Securing iOS Apps : Part 1

Interapp code invocation_fse2020

Embracing DevSecOps: A Changing Security Landscape for the US Government

festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro

Recently uploaded

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Evaluating the top large language models.pdf

ChristopherTHyatt

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Civil Lines Women Seeking Men

Delhi Call girls

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “The Role of Taxonomy and Ontology in Semantic Layers” at a webinar hosted by Progress Semaphore on April 16, 2024. Taxonomies at their core enable effective tagging and retrieval of content, and combined with ontologies they extend to the management and understanding of related data. There are even greater benefits of taxonomies and ontologies to enhance your enterprise information architecture when applying them to a semantic layer. A survey by DBP-Institute found that enterprises using a semantic layer see their business outcomes improve by four times, while reducing their data and analytics costs. Extending taxonomies to a semantic layer can be a game-changing solution, allowing you to connect information silos, alleviate knowledge gaps, and derive new insights. Hedden, who specializes in taxonomy design and implementation, presented how the value of taxonomies shouldn’t reside in silos but be integrated with ontologies into a semantic layer. Learn about: - The essence and purpose of taxonomies and ontologies in information and knowledge management; - Advantages of semantic layers leveraging organizational taxonomies; and - Components and approaches to creating a semantic layer, including the integration of taxonomies and ontologies

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Enterprise Knowledge

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Scaling API-first – The story of a global engineering organization

Radu Cotescu

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

CNv6 Instructor Chapter 6 Quality of Service

giselly40

Recently uploaded (20)

Tech Trends Report 2024 Future Today Institute.pdf

Driving Behavioral Change for Information Management through Data-Driven Gree...

Boost PC performance: How more available memory can improve productivity

Evaluating the top large language models.pdf

2024: Domino Containers - The Next Step. News from the Domino Container commu...

presentation ICT roal in 21st century education

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

08448380779 Call Girls In Civil Lines Women Seeking Men

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Exploring the Future Potential of AI-Enabled Smartphone Processors

The 7 Things I Know About Cyber Security After 25 Years | April 2024

A Domino Admins Adventures (Engage 2024)

🐬 The future of MySQL is Postgres 🐘

How to Troubleshoot Apps for the Modern Connected Worker

Scaling API-first – The story of a global engineering organization

What Are The Drone Anti-jamming Systems Technology?

Artificial Intelligence: Facts and Myths

CNv6 Instructor Chapter 6 Quality of Service

AVTOKYO2012 Android Malware Heuristics(en)

1. Android Malware Heuristics Masata Nishida AVTOKYO 2012 2012/11/17 (Photo: Android Lineup – Beige By .RGB.)

2. Who am I ? Masata Nishida • SecureBrain, Advanced Research Laboratory • I’m not a malware researcher, I’m just a software developer. • Rubyist • @masata_masata

3. Today’s Theme Presented the same topic at CSS2012. • CSS (Computer Security Symposium)2012 – 2012/10/30-11/01 – Matsue City, Shimane Prefecture Title: “Android Malware Heuristics using Digital Certificates” Japanese Title: 署名情報を利用したAndroid マルウェアの推定手法の提案

4. Android malwares increase explosively!! (Photo: High Sheeps By Bertoz)

5. McAfee Threat Report: Second Quarter 2012 By McAfee Labs

6. Everyone say: Android malwares increase explosively!! But…(what is reality?) (Photo: High Sheeps By Bertoz)

7. Although the number of malwares is rapidly increasing, but we don’t actually have insights into the growth. Today, we will focus on the certificate used by Malicious Android app. Then we can find another side of Android malwares. (Photo: DSC_6557 By euthman)

8. Background • Android application must be digitally signed. • Self-signed certificate can be used. • The signature information is in META-INF/ directory in Apk file(zip archive file). (Photo: Marriage Certificate By The Gearys)

9. Question How many Android malwares use the same certificate? (Photo: Thinking… By Mr Tickle)

10. I’m bored. I counted number of unique certificates in Android malwares.

11. First, collect malware samples • Target Android malwares Family samples FakeInst 4,911 – are about 15,000 samples. Kmin 2,464 OpFake 2,360 Boxer – include many polymorphic 1,399 DroidKungFu 824 samples. Lotoor 432 GingerMaster 272 SmsSend 221 SmsAgent 209 JiFake 137 Others 1,488 Total 14,717 (Photo: Catching Bugs, II, III By New Mexico Forestry Camp)

12. Then count certificates. (Photo: Microscope Night By Machine Project)

13. Counting certificates requires lotta patience... (Photo: Microscope Night By Machine Project)

14. The result…

15. Unique certificates 14,717 samples  589 certificates Many malwares use the same certificate!!

16. FakeInst Polymorphic sample 4,911 samples  31 certificates Polymorphic malwares also use the same certificates.

17. FakeInst Polymorphic sample Most reused certificate  Reused by 2,602 samples

18. Period of use Certificates used for over a year.  13 certificates (2,764samples) Some certificates used for long term.

19. The Movie (Dougalek) Japan-specific malware • An incident in Japan (Apr. 2012) • Malwares are distributed from Google Play. – About 50 malwares. – Used 7 developer accounts. • The malware sends private information to external server. • The application name is like “xxx the Movie”. – “xxx” is replaced with a pop star or famous game name. • Installed over 90,000 devices. • Sent 12,000,000 information to external. • The suspects were arrested last month(30th Oct 2012).

20. The Movie (Dougalek) Japan-specific malware 24 samples  7 certificates

21. Today’s Conclusion (Photo: New Blackboard By uncultured)

22. Many Android malwares are signed using the same certificate. We can detect new malwares using the certificates of well-known malwares. (for now…) (Photo: The Detective By paurian)

23. Many Android malwares are signed using the same certificate. Not too many malware developers?? or The private key of the certificates are shared between malware developers?? (Photo: DSC_6565 By euthman)

24. END

25. [Appendix] apk analysis library for Ruby • Open Source – Source: https://github.com/securebrain/ruby_apk – Install: “$ gem install ruby_apk” • Requirements – Ruby1.9.x • Features – AndroidManifest.xml analysis • components(activity, service, receiver, provider) • use-permission, intent-filter,… – Extract files in apk – resource analysis(partial) – dex analysis(partial) • Extract classes, methods, fields, strings

AVTOKYO2012 Android Malware Heuristics(en)

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (14)

Similar to AVTOKYO2012 Android Malware Heuristics(en)

Similar to AVTOKYO2012 Android Malware Heuristics(en) (20)

Recently uploaded

Recently uploaded (20)

AVTOKYO2012 Android Malware Heuristics(en)