Enter Sandbox: Android Sandbox Comparison

Expecting the shipment of 1 billion Android devices in 2017, cyber criminals have naturally extended their vicious activities towards Google’s mobile operating system. With an estimated number of 700 new Android applications released every day, keeping control over malware is an increasingly challenging task. In recent years, a vast number of static and dynamic code analysis platforms for analyzing Android applications and making decisions regarding their maliciousness have been introduced in academia and in the commercial world. These platforms differ heavily in terms of feature support and application properties being analyzed. In this paper, we give an overview of the state-of-the-art dynamic code analysis platforms for Android and evaluate their effectiveness with samples from known malware corpora as well as known Android bugs like Master Key. Our results indicate a low level of diversity in analysis platforms resulting from code reuse that leaves the evaluated systems vulnerable to evasion. Furthermore, the Master Key bugs could be exploited by malware to hide malicious behavior from the sandboxes.

Enter Sandbox: Android Sandbox Comparison

  1. Enter Sandbox: Android Sandbox Comparison
     Sebastian Neuner, Victor van der Veen, Martina Lindorfer, Markus Huber, Georg Merzdovnik, Martin Mulazzani and Edgar Weippl
  2. Overview
     • In a nutshell
       – Static analysis
       – Dynamic analysis
       – Combined approach
     • Motivation
     • Contributions
       – Evaluated sandboxes
       – Interdependency
       – Sandbox effectiveness
     • Summary
  3. Analysis in a Nutshell - Static
     • Static analysis
       – Check code against rules
         • Source is available, or
         • Application is disassembled
       – Pros
         • Fast
         • No execution, no risk
       – Con
         • Does not detect runtime specifics
  4. Analysis in a Nutshell - Dynamic
     • Dynamic analysis
       – Execute target application
         • Analyse behaviour
         • Observe environment
       – Pro
         • Find runtime specifics (e.g. temporal infos)
       – Cons
         • Complex
         • Risky
         • Code coverage
  5. Combined Approach
     • More effective analysis
       – Static + dynamic (hybrid)
       – Example:
         • Static analysis of suspicious sample
         • Build callgraph
         • Detect GUI elements
         • Trigger GUI elements (not randomly but targeted)
         • Taint analysis based on the callgraph
  8. Sandbox
     • Analysis environment for unknown software
       – Virtualized
       – Mostly hybrid
       – Watch network traffic, syscalls and other activities
       – Possible harm in case of malware (for host and guest system)
  9. Motivation
     • 1 billion Android devices expected in 2017
     • SMSZombie: 500.000 infections (China)
     • Too many sandboxes out there
       – Not enough coverage
       – No comparison
 10. Why Compare?
     • A lot of sandboxes
       – Which work and are available
       – How are they reused -> Interdependency
     • Some sandboxes provide novel features
     • No Swiss-Army-Knife
 11. Contributions
     • Comparison of 16 available sandboxes
       – Level of introspection
       – Functionality
       – Interdependency
     • Discussion of methods to detect and probe dynamic analysis frameworks
 12. Contributions
     • Effectiveness of 8 sandboxes
       – Just online (no source downloaded and run)
       – Public malware
       – Master Key vulnerabilities
 13. 16 Sandboxes
     Table 1: Framework availability
 14. Types of Introspection
     Table 2: Results. Part 1. „---“: installable on any Android version. „?“: not possible to determine
 15. Analysis Features
     Table 2: Results. Part 2
 16. Probing
     • Benign.apk
       – Unpack with apktool
       – Change min and target SDK version (5, 9, 11, 14, 19, 25)
       – Repackage with apktool
       – Verify new SDKVersion
         • A: android:minSdkVersion(0x0101020c)=(type 0x10)0x19
         • A: android:targetSdkVersion(0x01010270)=(type 0x10)0x19
 17. Sandboxes leaking API level
     E.g. „Errors: Setup command ‚_JBInstallAPK‘ failed: Installation failed: device is running API Level 15, but APK requires 19“
 18. Interdependency?
     • Read documentation
     • Read papers
     • Emailed with authors
     • Uploaded specific samples to see if something crashes :-D
 19. Interdependency!
 20. Effectiveness
     • Chosen malware
       – Publicly available malware sets:
         • Contagio Mobile
         • Android Malware Genome Project
       – Master Key vulnerabilities
         • Weaknesses in ZIP file format handling within Android (APK)
       – Python bug for specific zeros in the ZIP header
 21. Master Key
     • How do these weaknesses influence interdependency?
       – Wrong handling in massively used software -> would affect every edge in contact
 22. So this would become…
 23. …this
 24. Sample Selection
     • Coverage (regarding table V in [1]):
       – Remote control
       – Financial charges
       – Personal information stealing
     [1] Y. Zhou and X. Jiang, “Dissecting Android Malware: Characterization and Evolution,” in Proceedings of the 33rd Annual IEEE Symposium on Security and Privacy (S&P), 2012.
 25. Sample Origin
     • 6 samples from Malware Genome Project
     • 2 samples from private contact
     • 4 crafted helloWorld apps
 26. Malware Samples
     • Obad
       – Kaspersky Labs: „[...] one of the most sophisticated mobile trojans to date [...]“
       – Part of botnet
       – 24 requested permissions
         • Send SMS
         • Send/receive data over network
         • ...
       – (Out of date) anti-emulation techniques
       – From: Malware Genome Project
 27. Malware Samples
     • Geinimi
       – Sending SMS
       – Phone calls
       – Total remote control
       – From: Malware Genome Project
 28. Malware Samples
     • DroidKungFu
       – Various privilege escalation techniques
         • RageAgainstTheCage
       – Reads IMEI and other sensitive data
       – Sends data over network
       – From: Malware Genome Project
 29. Malware Samples
     • Basebridge/Nyleaker
       – Invalid APK manifest to evade Androguard
         • Successfully launched against a sandbox
       – From: Andrubis
 30. Results (Again Tables)
     Table 3: Evaluation results with malware. Two samples per family
 31. Tables, Tables, Tables...
     Table 4: Evaluation results with Master Key vulnerabilities and the Python ZIP bug
 32. Consequences
     • Sandbox authors notified
       – Appreciated by authors
       – A lot of interesting discussions
 33. Summary
     1. Some sandboxes are hardly maintained or totally abandoned
     2. Some sandboxes do not recognize even well-known malware
     3. Interdependency and code reuse could lead to serious problems
 34. Suggestions
     • Not feasible
       – Do a qualified code review of every sandbox
       – Share reports to see if a sandbox detects well-known malware
       – Build the analysis Swiss-Army-Knife
     • Feasible
       – Build a meta-engine that submits a sample to every known sandbox
 35. Thanks for your Time
     • Sebastian Neuner
     • SBA Research
       – https://www.sba-research.org/
     • sneuner@sba-research.org
       – PGP: 0xDE76C43A