Detecting Malicious Applications in the Android Markets

1. Detecting Malicious Applications
in the Android Markets
Yajin Zhou Zhi Wang Wu Zhou Xuxian Jiang
Presented by:
Hassan Y. A. Abu Tair
habutair@gmail.com
King Saud University
College of Computer and Information Sciences
Computer Science Department

2. The paper is all about:
A systematic study to better understand the overall health of
existing Android Markets
The goal: detecting the malicious apps in these markets.

3.  Smartphones are becoming increasingly ubiquitous.
 there are over 100 million of smartphones sold in the first quarter
of 2011, an increase of 85% over the last year.
 Android smartphones made up 56% of the global smartphones
sold to end users in the first quarter of 2012 [1].
 34.5 million Samsung Android smartphones sold [1].
 33.1 million Apple iPhones sold [1].
 Nokia came in third by selling 11.9 million units [1].
 said that Samsung shipped a record 42.2 million
smartphones in the quarter compared to 35.1 million Apple
iPhones [1].
[1]. http://www.computerworld.com

4.  Android Market reached 600,000 apps on November, 2012 [2].
 Apple
 Over 700,000 apps in its App Store for both iPhone and iPad [2].
 Windows Phone is estimated to have 100,000 apps in its
marketplace [2].
 Alternative marketplaces streamline the process of browsing,
downloading and installing apps.
such popularity of smart phones and its
apps attracts the attention of malware
authors.
The authors have collected the apps Using a Crawler.
[2]. http://www.cnet.com

5. DroidDream and DroidDreamLight malware were detected from
the official Android Market.
DroidDream could compromise a
significant amount of personal data,
also can root the system.
More than 50 applications have been
found to be infected at time of
attack.
Some Known malware families :
Geinimi, ADRD, Pjapps, Bgserv,
DroidDream, zHash, BaseBridge,
DroidDreamLight, Zsone, jSMSHider
run of a leading mobile anti-virus
software missed about 23.52% of
infected apps.

6. The Paper Contributions
 The first systematic study on the overall health Android Markets on the
detection of malicious apps.
 Malicious detections through :
 A permission based behavioral footprinting scheme to detect new
samples of known Android malware families.
 A heuristics-based filtering scheme to identify certain inherent
behaviors of unknown malicious families.
 Both schemes have been implemented in a system called DroidRanger.
 DroidRanger reveals 211 malicious apps out of 204040
 32 from the official android market (0.02%)
 179 from the alternative android markets (0.20% to 0.47%).
 A sophisticated zero-day malware with 40 samples were discovered:
 11 of them appear in the official Android Market.
 29 of them appear in the alternative Android Markets.

7. DroidRanger architecture

8. Detecting Known Android Malware
First step: quickly exclude unrelated apps through permission-
based filtering
Second Step: detect malware though behavioral footprint
matching

9. Permission-based filtering
 Goal: reduce the number of apps that need to be processed afterwards.
 Each known malware will be first pre-processed or distilled into a footprint
 Zsone malware: SEND_SMS & RECEIVE_SMS
an SMS Trojan that sends SMS to premium numbers and
removes billing-related notification messages from
respective service providers

10. The malware families used in the study

11. Why essential permissions only?
The Pjapps malware requires the INTERNET permission to support
the communication with the remote bot server and the
RECEIVE SMS permission to intercept or monitor incoming
SMS messages.
some variants may add WRITE HISTORY BOOKMARKS and others
do not, so it is not essential.

12. The Android Manifest File [3]
 Every application must have an
AndroidManifest.xml file in its root
directory.
 The manifest presents essential
information about the application to
the Android system.
 A permission is a restriction limiting
access to a part of the code or to data
on the device.
 Each permission is identified by a
unique label.
 Some permissions defined by
Android:
android.permission.CALL_EMERGENCY_NUMBERS
android.permission.READ_OWNER_DATA
android.permission.RECEIVE_SMS
android.permission.SEND_SMS
[3] http://developer.android.com

13. DroidRanger architecture

14. Detecting Known Android Malware
First step: quickly exclude unrelated apps through permission-
based filtering
Second Step: detect malware though behavioral footprint
matching

15. Behavioral footprint matching
 Manually analyze and distill essential malware behaviors into their
behavioral footprints
 Multiple-dimension footprinting scheme uses information derived from:
 Manifest file (e.g. broadcast receivers)
if an app needs to listen to system-wide broadcast
messages, the broadcast receivers can be statically
contained in the manifest file
android.provider.Telephony.SMS RECEIVED
 Bytecode (e.g. Android API calls sequence)
what APIs are called, and their sequences in a single
rule, we can associate API calls to a specific component
in the rule. As an example, by extending the previous
rule with a call to the abortBroadcast function.
 Structural layout (e.g. internal tree structure)
Reveal the internal tree structure and then
correspondingly express rules such as what packages are
used by the app.

16. To illustrate:
Regarding Zsone malware:
Generate the following behavioral footprints to describe Zsone:
 An app contains a receiver that listens to
android.provider.Telephony.SMS RECEIVED and
calls abortBroadcast.
 An app sends SMS messages to certain specific numbers.
 An app intercepts SMS messages from certain numbers.
This behavioral footprint can then be efficiently applied to detect
Zsone-infected apps in the apps collection.
leads to the discovery of 9 instances of Zsone-infected apps from the
official Android Market.

17. DroidRanger architecture

18. Detecting Unknown Android Malware
First step: find suspicious Java and native code through
heuristics-based filtering
Second step: detect malware though dynamic execution monitoring

19. Heuristics-based filtering
Heuristics based on Android features that can be misused to dynamic load
new code of:
• Java bytecode from remote untrusted website.
(e.g. DexClassLoader – 0.58%, 1055 apps) (Dalvik VM provides Dex.)
vast majority related advertisement libs (e.g. AdTOUCH 40%)
• Dynamic loading of native code locally (4.52% of apps uses native
In Android the default directory to store the native
code is: lib/armeabi

20. Dynamic execution monitoring
 Inspect runtime behaviors triggered by new code
 For dynamically-loaded java code:
 Record any calls to the Android framework APIs (permission-related) &
their arguments e.g. SmsManager.sendTextMessage
For dynamically-loaded native code:
 Collect system calls used by existing Android root exploits (through a
kernel module)
 e.g. sys_mount (remount the system partition for modification)
After finding suspicious behaviors like:
1- Sending SMS messages to premium numbers.
 2- Executing certain system calls with root privilege.
Manually validation of a zero-day malware then
Extract behavioral footprint & insert it in the 1st detection engine.

21. Performance Evaluation

22. Permission-based filtering evaluation

23. Behavioral footprint matching evaluation
We can note that the malware infection in the alternative
marketplaces is 7 times of that in the official marketplace.

24. Effectiveness of existing Anti Viruses (lookout)
Heuristics based filtering Evaluation

25. Summary of detected malware

26. Thank you …
QUESTIONs …