Android security
Detecting Malicious Applications in the Android Markets


  1. Detecting Malicious Applications in the Android Markets. Yajin Zhou, Zhi Wang, Wu Zhou, Xuxian Jiang. Presented by: Hassan Y. A. Abu Tair, King Saud University, College of Computer and Information Sciences, Computer Science Department.
  2. The paper is all about: a systematic study to better understand the overall health of existing Android Markets. The goal: detecting the malicious apps in these markets.
  3. Smartphones are becoming increasingly ubiquitous. Over 100 million smartphones were sold in the first quarter of 2011, an increase of 85% over the previous year. Android smartphones made up 56% of the global smartphones sold to end users in the first quarter of 2012 [1].
     - 34.5 million Samsung Android smartphones sold [1].
     - 33.1 million Apple iPhones sold [1].
     - Nokia came in third by selling 11.9 million units [1].
     - Samsung shipped a record 42.2 million smartphones in the quarter compared to 35.1 million Apple iPhones [1].
  4. Android Market reached 600,000 apps in November 2012 [2]. Apple: over 700,000 apps in its App Store for both iPhone and iPad [2]. Windows Phone is estimated to have 100,000 apps in its marketplace [2]. Alternative marketplaces streamline the process of browsing, downloading and installing apps. Such popularity of smartphones and their apps attracts the attention of malware authors. The authors collected the apps using a crawler [2].
  5. DroidDream and DroidDreamLight malware were detected in the official Android Market. DroidDream could compromise a significant amount of personal data and can also root the system. More than 50 applications were found to be infected at the time of the attack. Some known malware families: Geinimi, ADRD, Pjapps, Bgserv, DroidDream, zHash, BaseBridge, DroidDreamLight, Zsone, jSMSHider. A run of a leading mobile anti-virus software missed about 23.52% of infected apps.
  6. The Paper Contributions: the first systematic study on the overall health of Android Markets with respect to the detection of malicious apps. Malicious apps are detected through:
     - A permission-based behavioral footprinting scheme to detect new samples of known Android malware families.
     - A heuristics-based filtering scheme to identify certain inherent behaviors of unknown malicious families.
     Both schemes have been implemented in a system called DroidRanger. DroidRanger reveals 211 malicious apps out of 204,040:
     - 32 from the official Android Market (0.02%).
     - 179 from the alternative Android Markets (0.20% to 0.47%).
     A sophisticated zero-day malware with 40 samples was discovered:
     - 11 of them appear in the official Android Market.
     - 29 of them appear in the alternative Android Markets.
  7. DroidRanger architecture
  8. Detecting Known Android Malware. First step: quickly exclude unrelated apps through permission-based filtering. Second step: detect malware through behavioral footprint matching.
  9. Permission-based filtering. Goal: reduce the number of apps that need to be processed afterwards. Each known malware will first be pre-processed or distilled into a footprint. Zsone malware: SEND_SMS & RECEIVE_SMS, an SMS Trojan that sends SMS to premium numbers and removes billing-related notification messages from the respective service providers.
  10. The malware families used in the study
  11. Why essential permissions only? The Pjapps malware requires the INTERNET permission to support the communication with the remote bot server and the RECEIVE_SMS permission to intercept or monitor incoming SMS messages. Some variants may add WRITE_HISTORY_BOOKMARKS and others do not, so it is not essential.
  12. The Android Manifest File [3]. Every application must have an AndroidManifest.xml file in its root directory. The manifest presents essential information about the application to the Android system. A permission is a restriction limiting access to a part of the code or to data on the device. Each permission is identified by a unique label. Some permissions defined by Android: android.permission.CALL_EMERGENCY_NUMBERS, android.permission.READ_OWNER_DATA, android.permission.RECEIVE_SMS, android.permission.SEND_SMS [3].
  13. DroidRanger architecture
  14. Detecting Known Android Malware. First step: quickly exclude unrelated apps through permission-based filtering. Second step: detect malware through behavioral footprint matching.
  15. Behavioral footprint matching. Manually analyze and distill essential malware behaviors into their behavioral footprints. The multiple-dimension footprinting scheme uses information derived from:
     - Manifest file (e.g. broadcast receivers): if an app needs to listen to system-wide broadcast messages, the broadcast receivers can be statically declared in the manifest file, e.g. android.provider.Telephony.SMS_RECEIVED.
     - Bytecode (e.g. Android API call sequence): which APIs are called, and in what sequence. In a single rule, API calls can be associated with a specific component; as an example, the previous rule can be extended with a call to the abortBroadcast function.
     - Structural layout (e.g. internal tree structure): reveal the internal tree structure and correspondingly express rules such as which packages are used by the app.
  16. To illustrate, regarding Zsone malware, generate the following behavioral footprints to describe Zsone:
     - An app contains a receiver that listens to android.provider.Telephony.SMS_RECEIVED and calls abortBroadcast.
     - An app sends SMS messages to certain specific numbers.
     - An app intercepts SMS messages from certain numbers.
     This behavioral footprint can then be efficiently applied to detect Zsone-infected apps in the app collection, leading to the discovery of 9 instances of Zsone-infected apps in the official Android Market.
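The two-stage scheme of slides 9, 11, 15 and 16 (essential-permission filter, then a footprint over manifest receivers and API call order), as an added illustration that is not the paper's DroidRanger code. The manifest is constructed here; the API call list is assumed to come from a bytecode disassembler upstream, and the call order in the footprint is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Zsone footprint as described on the slides. The permission set is the
# *essential* one (stage 1); receiver action and API order form stage 2.
FOOTPRINTS = {
    "Zsone": {
        "permissions": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
        "receiver_action": "android.provider.Telephony.SMS_RECEIVED",
        "api_sequence": ["abortBroadcast", "SmsManager.sendTextMessage"],  # assumed order
    },
}

# Constructed sample manifest (not a real app) carrying the Zsone receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def manifest_facts(manifest_xml):
    """Return (declared permissions, receiver intent actions) from a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name")
               for r in root.iter("receiver") for a in r.iter("action")}
    return perms, actions

def permission_filter(perms, footprint):
    """Stage 1: keep the app only if it holds every essential permission."""
    return footprint["permissions"] <= perms

def footprint_match(actions, api_calls, footprint):
    """Stage 2: receiver declared in the manifest and API calls in footprint order."""
    if footprint["receiver_action"] not in actions:
        return False
    it = iter(api_calls)  # 'in' on an iterator consumes it: order-preserving subsequence test
    return all(api in it for api in footprint["api_sequence"])

def scan(manifest_xml, api_calls):
    """Names of known families whose footprint the app matches."""
    perms, actions = manifest_facts(manifest_xml)
    return [name for name, fp in FOOTPRINTS.items()
            if permission_filter(perms, fp) and footprint_match(actions, api_calls, fp)]
```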
  17. DroidRanger architecture
  18. Detecting Unknown Android Malware. First step: find suspicious Java and native code through heuristics-based filtering. Second step: detect malware through dynamic execution monitoring.
  19. Heuristics-based filtering. The heuristics are based on Android features that can be misused to dynamically load new code:
     - Java bytecode from a remote untrusted website (e.g. DexClassLoader: 0.58%, 1055 apps; the Dalvik VM provides the dex format). The vast majority are related to advertisement libraries (e.g. AdTOUCH 40%).
     - Dynamic loading of native code locally (4.52% of apps use native code). In Android the default directory to store native code is lib/armeabi.
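The two heuristics of slide 19 applied to an APK, as an added example that is not the paper's code: an APK is a zip, so the check looks for the DexClassLoader descriptor in classes.dex and for native libraries under lib/armeabi. The APK here is constructed in memory for the test; the descriptor string and the ELF stub are assumptions.

```python
import io
import zipfile

# Type descriptor for dalvik.system.DexClassLoader as it appears in a dex
# string table (assumed form); a match means the app can load code at runtime.
DEX_LOADER_REF = b"Ldalvik/system/DexClassLoader;"
NATIVE_DIR = "lib/armeabi/"   # default native-code directory named on the slide

def build_constructed_apk(dex_bytes, native_libs):
    """Build a minimal APK-like zip in memory (constructed test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", dex_bytes)
        for name in native_libs:
            z.writestr(NATIVE_DIR + name, b"\x7fELF-constructed-stub")
    return buf.getvalue()

def heuristic_flags(apk_bytes):
    """Apply both slide-19 heuristics to one APK and report what fired."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = z.read("classes.dex") if "classes.dex" in names else b""
    return {
        "dynamic_dex_loading": DEX_LOADER_REF in dex,
        "native_code": [n for n in names if n.startswith(NATIVE_DIR) and n.endswith(".so")],
    }

def needs_dynamic_monitoring(flags):
    """An app that fires either heuristic goes on to the dynamic monitoring stage."""
    return flags["dynamic_dex_loading"] or bool(flags["native_code"])
```

Only apps that fire a heuristic are forwarded to the next stage; the slides note that most DexClassLoader hits are advertisement libraries, so the flag is a filter, not a verdict.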
  20. Dynamic execution monitoring. Inspect runtime behaviors triggered by new code. For dynamically-loaded Java code:
     - Record any calls to the Android framework APIs (permission-related) and their arguments, e.g. SmsManager.sendTextMessage.
     For dynamically-loaded native code:
     - Collect system calls used by existing Android root exploits (through a kernel module), e.g. sys_mount (remount the system partition for modification).
     After finding suspicious behaviors such as (1) sending SMS messages to premium numbers or (2) executing certain system calls with root privilege: manually validate the zero-day malware, then extract its behavioral footprint and insert it into the first detection engine.
  21. Performance Evaluation
  22. Permission-based filtering evaluation
  23. Behavioral footprint matching evaluation. We can note that the malware infection rate in the alternative marketplaces is 7 times that in the official marketplace.
  24. Effectiveness of existing anti-viruses (Lookout). Heuristics-based filtering evaluation.
  25. Summary of detected malware
  26. Thank you ... Questions ...