SlideShare a Scribd company logo
An Antivirus API for Android Malware Recognition
8th IEEE International Conference on Malicious and Unwanted Software
(MALWARE 2013)
Rafael Fedler, rafael.fedler@aisec.fraunhofer.de, October 23, 2013
An Antivirus API for Android Malware Recognition
Motivation
Problem
Teaser
Background
Android Platform
Android Malware
Android Antivirus Software
Approach: Antivirus API
Objectives
File system traversal for on-demand scanning
File system monitoring
File operations
Discussion
An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 1
© Fraunhofer
Motivation
Problem

Antivirus software on Android inherently less powerful than on desktop
systems
Has access to only a select few files on the file system (installation
package files)
Cannot scan or monitor file system
Completely oblivious to anything happening at runtime on a device
Cannot detect malicious file downloads (root exploits, other code) at
runtime
Android apps can download & then execute code at runtime (!)

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 2
© Fraunhofer
Motivation
Teaser

Our approach: An interface to be added to the Android platform to allow
for AV
on-demand scanning of full or partial file system
on-change scanning of changed file system portions for live monitoring
signature and heuristics based malware detection similar to that deployed
by desktop products

... without breaking Android’s security architecture

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 3
© Fraunhofer
An Antivirus API for Android Malware Recognition
Motivation
Problem
Teaser
Background
Android Platform
Android Malware
Android Antivirus Software
Approach: Antivirus API
Objectives
File system traversal for on-demand scanning
File system monitoring
File operations
Discussion
An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 4
© Fraunhofer
Background
Android Platform

File system sandboxing mechanism
Every app is assigned its own UID
Every app’s files are set to own, read only for its own UID
→ file system sandbox: each app can only access files in its own working
directory
Also applies to antivirus software (!)

Package database
/data/system/packages.xml, world readable
Upon installation of an app, an entry in package DB is created
Contains, among others, the path to every app’s package file
Package files are world readable (!)

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 5
© Fraunhofer
Background
Android Malware
36.7% of all malicious apps deployed root exploits by 2012 [4], probably
more by now
Allows to break out of sandbox
Often downloaded at runtime, thus invisible to AV software

Typical course of infection of more advanced malware (e.g., [1, 2])
1. Initial propagation
Disguised as a legitimate app
Repackaged
Update of legitimate app after hijacking of developer’s account and signing
key
etc.

2. Download of root exploit at runtime, in case it is not shipped with app
package file
3. Mark exploit executable with chmod
4. Execute root exploit and carry out payload
An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 6
© Fraunhofer
Background
Android Antivirus Software

Cannot:
... scan a device’s file system due to sandbox
... monitor other apps’ behavior at runtime or working directories

Can only:
Read installed apps’ installation package files
Remember: Package database world readable, contains app package files
which are also world readable

Read SD card (not used by malware for obvious reasons)

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 7
© Fraunhofer
Own conclusion

Adding ability to scan apps’ working directories and monitor them at
runtime: good idea
Current AV is completely blind and oblivious to any runtime behavior or
file system changes
... including malicious code downloaded/created/unpacked/pieced
together at runtime

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 8
© Fraunhofer
An Antivirus API for Android Malware Recognition
Motivation
Problem
Teaser
Background
Android Platform
Android Malware
Android Antivirus Software
Approach: Antivirus API
Objectives
File system traversal for on-demand scanning
File system monitoring
File operations
Discussion
An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 9
© Fraunhofer
Approach: Antivirus API
Objectives

1. Scan file system fully (from /) or partially (e.g., from /data/data) on
demand
2. Monitor file system portions (e.g., working directories) at runtime
3. Operations on arbitrary files allowing for signature- and heuristics-based
malware recognition similar to desktop products
4. All of the above without breaking Android’s security architecture

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 10
© Fraunhofer
Approach: Antivirus API
File system traversal for on-demand scanning

Objective: Do not disclose file system names or full paths
Solution: Aliases
Options for implementation:
1. Database mapping aliases ↔ paths
2. Dynamic calculation
3. Trapdoor function, e.g., RSA

Allows for traversal of file system tree

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 11
© Fraunhofer
Approach: Antivirus API
File system traversal for on-demand scanning
Listing 1: Usual directory listing
user@computer : / t o p l e v e l d i r $ l s
dir1
dir2
file1
file2
file3

Listing 2: Directory listing using aliases including an entry for parent directory
0
1
2
3
4
5

p
d
d
f
f
f

a55822426a5330c04625a41d264c190b
b72b7253c45f9d22044c86bf4d7e4902
515 dc267bbd0af019d22e766af0cb7e4
f8bb5cc06b4ed23683b276ca05153e82
7b2de0a0f16d100dfbf2d84603840ee2
9fa5ba9abe67916142cb6bc0eee7658b

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 12
© Fraunhofer
Approach: Antivirus API
File system traversal for on-demand scanning
Starting from / or /data/data/, an AV app can traverse the file
system using such alias handles

ls and cd equivalent options will be provided
Paths passed by the user can be used as entry points; however, aliases
cannot be translated back to paths
Trapdoor parameter only known to system, not to AV
Path aliases for traversal, file aliases for indirect file access for malware
detection
Permanent translation and communication between AV ↔ not very
efficient, but
/data/data/ usually not very big
Preserves privacy
Sandbox maintained: No direct access outside AV’s working directory
An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 13
© Fraunhofer
Approach: Antivirus API
File system monitoring

Approach: inotify Linux kernel interface
Processes can place inotify handles on file system objects (directories,
files)
Notification upon change to monitored objects

inotify handles to be placed in /data/data/ and all
subdirectories

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 14
© Fraunhofer
Approach: Antivirus API
File operations: Regular expressions for signatures and heuristics

Most detection techniques can be formulated as regular expressions
Signatures
Some static heuristics (regexes matching opcodes)
Feature extraction with offsets: regexes with offsets

“Proxy” for regular expressions
API takes signatures in form of regexes, responds “true” if match,
“false” if no match

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 15
© Fraunhofer
Approach: Antivirus API
File operations: Hashes

Hashes on desktop/server platforms: very limited effectiveness
Exploit kits, drive-by infections, droppers, personalized malware, morphic
code
Too many variations of one family, sample numbers too high

Mobile platforms: much more useful
Centralized distribution (thus also almost no personalized malware),
virtually no app compromising/infection, virtually no drive-by infections,
sandboxing prohibits morphing code

Allow hashes for arbitrary file system objects
Feature extraction/fast matching/no-matching: hashes from definable
offsets

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 16
© Fraunhofer
Approach: Antivirus API
Securing Access to the Interface

Widespread access to device → tight access control
Whitelist based: Check signing keys of package requesting access to AV
interface
Include signing keys of verified AV companies in whitelist
Feasible effort: Less than 50 AV providers

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 17
© Fraunhofer
An Antivirus API for Android Malware Recognition
Motivation
Problem
Teaser
Background
Android Platform
Android Malware
Android Antivirus Software
Approach: Antivirus API
Objectives
File system traversal for on-demand scanning
File system monitoring
File operations
Discussion
An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 18
© Fraunhofer
Discussion
Implementation Details

File system access backend: POSIX-1003.1e ACLs to provide read-only
access to the interface for either the whole file system or a subtree such
as /data/data/
Possible addition: Dynamic heuristics
chroot environment or write/network access interception + strings,
strace, ltrace
However, cloud analysis more effective, lower risks, no limited resources

Risk: File content disclosure through incremental regex construction
Unlikely as only trusted apps will have access to the interface
Secure multi-party computation techniques for privacy preserving regex
matching [3]

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 19
© Fraunhofer
An Antivirus API for Android Malware Recognition
Motivation
Problem
Teaser
Background
Android Platform
Android Malware
Android Antivirus Software
Approach: Antivirus API
Objectives
File system traversal for on-demand scanning
File system monitoring
File operations
Discussion
An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 20
© Fraunhofer
Conclusion
Devised interface allows for:
Signature-based detection
Static heuristics
(Limited) feature extraction/fast matching/no-matching

On-demand file system scanning
Live file system change monitoring
All of the above without disclosing file system names (paths) or file
contents
Interface only grants access to trusted AV software
Novelty: on-device malware detection comparable to that of non-mobile
platforms
Previously only tests of package installation files
AV completely blind to 99% of file system
An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 21
© Fraunhofer
Bibliography
X. Jiang.
New GappII Trojan Found in Alternative Android Markets, April 27, 2012.
http://www.csc.ncsu.edu/faculty/jiang/GappII/ (18.02.2013).
X. Jiang.
New RootSmart Android Malware Utilizes the GingerBreak Root Exploit,
February 3, 2012.
http://www.csc.ncsu.edu/faculty/jiang/RootSmart/.
F. Kerschbaum.
Practical private regular expression matching.
In Security and Privacy in Dynamic Environments, pages 461–470.
Springer, 2006.
Y. Zhou and X. Jiang.
Dissecting android malware: Characterization and evolution.
In 2012 IEEE Symposium on Security and Privacy (SP), pages 95–109, May
An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 22
2012.
© Fraunhofer
Contact Information
Rafael Fedler, rafael.fedler@aisec.fraunhofer.de
Group Mobile Security
Department Service & Application Security
Fraunhofer Research Institution for
Applied and Integrated Security (AISEC)
Address: Parkring 4
85748 Garching (near Munich)
Germany
Internet: http://www.aisec.fraunhofer.de
Phone:
Fax:
E-Mail:

+49 89 3229986-173
+49 89 3229986-299
rafael.fedler@aisec.fraunhofer.de

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 23
© Fraunhofer

More Related Content

What's hot

CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE
 
Intrusion Detection Presentation
Intrusion Detection PresentationIntrusion Detection Presentation
Intrusion Detection Presentation
Mustafash79
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
CAS
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
CODE BLUE
 
APT - Project
APT - Project APT - Project
APT - Project
Dev Lavaniya
 
3 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 20113 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 2011
davidmaciaalcaide
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent Threats
Sameer Thadani
 
NIDS ppt
NIDS pptNIDS ppt
NIDS ppt
Mahendar Reddy
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
Akhil Kumar
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
LJ PROJECTS
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
qqlan
 
Euro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesEuro mGov Securing Mobile Services
Denial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesDenial of Service Attack Defense Techniques
Denial of Service Attack Defense Techniques
IRJET Journal
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?
F-Secure Corporation
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
Dan Morrill
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
Rinaldi Rampen
 
FireEye Engineering
FireEye Engineering FireEye Engineering
FireEye Engineering
Lauren Traurig
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not
MarketingArrowECS_CZ
 

What's hot (20)

CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
 
Intrusion Detection Presentation
Intrusion Detection PresentationIntrusion Detection Presentation
Intrusion Detection Presentation
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
 
APT - Project
APT - Project APT - Project
APT - Project
 
3 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 20113 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 2011
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent Threats
 
NIDS ppt
NIDS pptNIDS ppt
NIDS ppt
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
 
Euro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesEuro mGov Securing Mobile Services
Euro mGov Securing Mobile Services
 
Denial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesDenial of Service Attack Defense Techniques
Denial of Service Attack Defense Techniques
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
 
FireEye Engineering
FireEye Engineering FireEye Engineering
FireEye Engineering
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not
 

Similar to An Antivirus API for Android Malware Recognition

Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
Vandana Verma
 
Chapter 8
Chapter 8Chapter 8
Chapter 8
gofortution
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
Minali Arora
 
It kamus virus security glossary
It kamus virus   security glossaryIt kamus virus   security glossary
It kamus virus security glossary
Fathoni Mahardika II
 
DeepContentInspection Lato
DeepContentInspection LatoDeepContentInspection Lato
DeepContentInspection Lato
Brian Stoner
 
Application security in current era
Application security in current eraApplication security in current era
Application security in current era
ajitdhumale
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
Teodoro Cipresso
 
Modern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto NetworksModern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto Networks
dtimal
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Black Duck by Synopsys
 
Malicious
MaliciousMalicious
Malicious
ashraf karaimeh
 
IT6701-Information Management Unit 2
IT6701-Information Management Unit 2IT6701-Information Management Unit 2
IT6701-Information Management Unit 2
SIMONTHOMAS S
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & prevention
Khaleel Assadi
 
O p
O pO p
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Ishan Girdhar
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
Shubhneet Goel
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
IJNSA Journal
 
Android security
Android securityAndroid security
Android security
Dr Amira Bibo
 
Android security
Android securityAndroid security
Android security
Dr Amira Bibo
 
Antivirus
AntivirusAntivirus
Antivirus
Pankaj Kumawat
 

Similar to An Antivirus API for Android Malware Recognition (20)

Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Chapter 8
Chapter 8Chapter 8
Chapter 8
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
It kamus virus security glossary
It kamus virus   security glossaryIt kamus virus   security glossary
It kamus virus security glossary
 
DeepContentInspection Lato
DeepContentInspection LatoDeepContentInspection Lato
DeepContentInspection Lato
 
Application security in current era
Application security in current eraApplication security in current era
Application security in current era
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
 
Modern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto NetworksModern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto Networks
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
 
Malicious
MaliciousMalicious
Malicious
 
IT6701-Information Management Unit 2
IT6701-Information Management Unit 2IT6701-Information Management Unit 2
IT6701-Information Management Unit 2
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & prevention
 
O p
O pO p
O p
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
 
Android security
Android securityAndroid security
Android security
 
Android security
Android securityAndroid security
Android security
 
Antivirus
AntivirusAntivirus
Antivirus
 

More from Fraunhofer AISEC

Fraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vornFraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vorn
Fraunhofer AISEC
 
Internet of (Every)Thing
Internet of (Every)ThingInternet of (Every)Thing
Internet of (Every)Thing
Fraunhofer AISEC
 
App Ray: 10000 Apps
App Ray: 10000 AppsApp Ray: 10000 Apps
App Ray: 10000 Apps
Fraunhofer AISEC
 
Produktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische GeräteProduktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische Geräte
Fraunhofer AISEC
 
Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013
Fraunhofer AISEC
 
Marktchancen mit IT-Sicherheit
Marktchancen mit IT-SicherheitMarktchancen mit IT-Sicherheit
Marktchancen mit IT-Sicherheit
Fraunhofer AISEC
 
Cybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for SecurityCybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for Security
Fraunhofer AISEC
 
Sicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der ITSicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der IT
Fraunhofer AISEC
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
Fraunhofer AISEC
 
PEP - Protecting Electronic Products
PEP - Protecting Electronic ProductsPEP - Protecting Electronic Products
PEP - Protecting Electronic Products
Fraunhofer AISEC
 
Firmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote UpdateFirmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote Update
Fraunhofer AISEC
 
Infografik Produktschutz
Infografik ProduktschutzInfografik Produktschutz
Infografik Produktschutz
Fraunhofer AISEC
 
Cyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der WissenschaftCyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der Wissenschaft
Fraunhofer AISEC
 
Produktschutz Infografik
Produktschutz InfografikProduktschutz Infografik
Produktschutz Infografik
Fraunhofer AISEC
 
IKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealthIKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealth
Fraunhofer AISEC
 
Innovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht ForschungInnovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht Forschung
Fraunhofer AISEC
 
Alan Turing
Alan Turing Alan Turing
Alan Turing
Fraunhofer AISEC
 
Sicherheit im Smart Grid
Sicherheit im Smart GridSicherheit im Smart Grid
Sicherheit im Smart Grid
Fraunhofer AISEC
 
40 Jahre Informatik Hamburg
40 Jahre Informatik Hamburg40 Jahre Informatik Hamburg
40 Jahre Informatik Hamburg
Fraunhofer AISEC
 
Security for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded SystemsSecurity for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded Systems
Fraunhofer AISEC
 

More from Fraunhofer AISEC (20)

Fraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vornFraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vorn
 
Internet of (Every)Thing
Internet of (Every)ThingInternet of (Every)Thing
Internet of (Every)Thing
 
App Ray: 10000 Apps
App Ray: 10000 AppsApp Ray: 10000 Apps
App Ray: 10000 Apps
 
Produktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische GeräteProduktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische Geräte
 
Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013
 
Marktchancen mit IT-Sicherheit
Marktchancen mit IT-SicherheitMarktchancen mit IT-Sicherheit
Marktchancen mit IT-Sicherheit
 
Cybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for SecurityCybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for Security
 
Sicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der ITSicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der IT
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
 
PEP - Protecting Electronic Products
PEP - Protecting Electronic ProductsPEP - Protecting Electronic Products
PEP - Protecting Electronic Products
 
Firmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote UpdateFirmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote Update
 
Infografik Produktschutz
Infografik ProduktschutzInfografik Produktschutz
Infografik Produktschutz
 
Cyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der WissenschaftCyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der Wissenschaft
 
Produktschutz Infografik
Produktschutz InfografikProduktschutz Infografik
Produktschutz Infografik
 
IKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealthIKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealth
 
Innovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht ForschungInnovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht Forschung
 
Alan Turing
Alan Turing Alan Turing
Alan Turing
 
Sicherheit im Smart Grid
Sicherheit im Smart GridSicherheit im Smart Grid
Sicherheit im Smart Grid
 
40 Jahre Informatik Hamburg
40 Jahre Informatik Hamburg40 Jahre Informatik Hamburg
40 Jahre Informatik Hamburg
 
Security for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded SystemsSecurity for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded Systems
 

Recently uploaded

Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
KAMAL CHOUDHARY
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
Management Institute of Skills Development
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
RaminGhanbari2
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
Edge AI and Vision Alliance
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
Anant Gupta
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
kumarjarun2010
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
digitalxplive
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
SynapseIndia
 

Recently uploaded (20)

Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
 

An Antivirus API for Android Malware Recognition

  • 1. An Antivirus API for Android Malware Recognition 8th IEEE International Conference on Malicious and Unwanted Software (MALWARE 2013) Rafael Fedler, rafael.fedler@aisec.fraunhofer.de, October 23, 2013
  • 2. An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 1 © Fraunhofer
  • 3. Motivation Problem Antivirus software on Android inherently less powerful than on desktop systems Has access to only a select few files on the file system (installation package files) Cannot scan or monitor file system Completely oblivious to anything happening at runtime on a device Cannot detect malicious file downloads (root exploits, other code) at runtime Android apps can download & then execute code at runtime (!) An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 2 © Fraunhofer
  • 4. Motivation Teaser Our approach: An interface to be added to the Android platform to allow for AV on-demand scanning of full or partial file system on-change scanning of changed file system portions for live monitoring signature and heuristics based malware detection similar to that deployed by desktop products ... without breaking Android’s security architecture An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 3 © Fraunhofer
  • 5. An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 4 © Fraunhofer
  • 6. Background Android Platform File system sandboxing mechanism Every app is assigned its own UID Every app’s files are set to own, read only for its own UID → file system sandbox: each app can only access files in its own working directory Also applies to antivirus software (!) Package database /data/system/packages.xml, world readable Upon installation of an app, an entry in package DB is created Contains, among others, the path to every app’s package file Package files are world readable (!) An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 5 © Fraunhofer
  • 7. Background Android Malware 36.7% of all malicious apps deployed root exploits by 2012 [4], probably more by now Allows to break out of sandbox Often downloaded at runtime, thus invisible to AV software Typical course of infection of more advanced malware (e.g., [1, 2]) 1. Initial propagation Disguised as a legitimate app Repackaged Update of legitimate app after hijacking of developer’s account and signing key etc. 2. Download of root exploit at runtime, in case it is not shipped with app package file 3. Mark exploit executable with chmod 4. Execute root exploit and carry out payload An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 6 © Fraunhofer
  • 8. Background Android Antivirus Software Cannot: ... scan a device’s file system due to sandbox ... monitor other apps’ behavior at runtime or working directories Can only: Read installed apps’ installation package files Remember: Package database world readable, contains app package files which are also world readable Read SD card (not used by malware for obvious reasons) An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 7 © Fraunhofer
  • 9. Own conclusion Adding ability to scan apps’ working directories and monitor them at runtime: good idea Current AV is completely blind and oblivious to any runtime behavior or file system changes ... including malicious code downloaded/created/unpacked/pieced together at runtime An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 8 © Fraunhofer
  • 10. An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 9 © Fraunhofer
  • 11. Approach: Antivirus API Objectives 1. Scan file system fully (from /) or partially (e.g., from /data/data) on demand 2. Monitor file system portions (e.g., working directories) at runtime 3. Operations on arbitrary files allowing for signature- and heuristics-based malware recognition similar to desktop products 4. All of the above without breaking Android’s security architecture An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 10 © Fraunhofer
  • 12. Approach: Antivirus API File system traversal for on-demand scanning Objective: Do not disclose file system names or full paths Solution: Aliases Options for implementation: 1. Database mapping aliases ↔ paths 2. Dynamic calculation 3. Trapdoor function, e.g., RSA Allows for traversal of file system tree An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 11 © Fraunhofer
  • 13. Approach: Antivirus API File system traversal for on-demand scanning Listing 1: Usual directory listing user@computer : / t o p l e v e l d i r $ l s dir1 dir2 file1 file2 file3 Listing 2: Directory listing using aliases including an entry for parent directory 0 1 2 3 4 5 p d d f f f a55822426a5330c04625a41d264c190b b72b7253c45f9d22044c86bf4d7e4902 515 dc267bbd0af019d22e766af0cb7e4 f8bb5cc06b4ed23683b276ca05153e82 7b2de0a0f16d100dfbf2d84603840ee2 9fa5ba9abe67916142cb6bc0eee7658b An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 12 © Fraunhofer
  • 14. Approach: Antivirus API File system traversal for on-demand scanning Starting from / or /data/data/, an AV app can traverse the file system using such alias handles ls and cd equivalent options will be provided Paths passed by the user can be used as entry points; however, aliases cannot be translated back to paths Trapdoor parameter only known to system, not to AV Path aliases for traversal, file aliases for indirect file access for malware detection Permanent translation and communication between AV ↔ not very efficient, but /data/data/ usually not very big Preserves privacy Sandbox maintained: No direct access outside AV’s working directory An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 13 © Fraunhofer
  • 15. Approach: Antivirus API File system monitoring Approach: inotify Linux kernel interface Processes can place inotify handles on file system objects (directories, files) Notification upon change to monitored objects inotify handles to be placed in /data/data/ and all subdirectories An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 14 © Fraunhofer
  • 16. Approach: Antivirus API File operations: Regular expressions for signatures and heuristics Most detection techniques can be formulated as regular expressions Signatures Some static heuristics (regexes matching opcodes) Feature extraction with offsets: regexes with offsets “Proxy” for regular expressions API takes signatures in form of regexes, responds “true” if match, “false” if no match An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 15 © Fraunhofer
  • 17. Approach: Antivirus API File operations: Hashes Hashes on desktop/server platforms: very limited effectiveness Exploit kits, drive-by infections, droppers, personalized malware, morphic code Too many variations of one family, sample numbers too high Mobile platforms: much more useful Centralized distribution (thus also almost no personalized malware), virtually no app compromising/infection, virtually no drive-by infections, sandboxing prohibits morphing code Allow hashes for arbitrary file system objects Feature extraction/fast matching/no-matching: hashes from definable offsets An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 16 © Fraunhofer
  • 18. Approach: Antivirus API Securing Access to the Interface Widespread access to device → tight access control Whitelist based: Check signing keys of package requesting access to AV interface Include signing keys of verified AV companies in whitelist Feasible effort: Less than 50 AV providers An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 17 © Fraunhofer
  • 19. An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 18 © Fraunhofer
  • 20. Discussion Implementation Details File system access backend: POSIX-1003.1e ACLs to provide read-only access to the interface for either the whole file system or a subtree such as /data/data/ Possible addition: Dynamic heuristics chroot environment or write/network access interception + strings, strace, ltrace However, cloud analysis more effective, lower risks, no limited resources Risk: File content disclosure through incremental regex construction Unlikely as only trusted apps will have access to the interface Secure multi-party computation techniques for privacy preserving regex matching [3] An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 19 © Fraunhofer
  • 21. An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 20 © Fraunhofer
  • 22. Conclusion Devised interface allows for: Signature-based detection Static heuristics (Limited) feature extraction/fast matching/no-matching On-demand file system scanning Live file system change monitoring All of the above without disclosing file system names (paths) or file contents Interface only grants access to trusted AV software Novelty: on-device malware detection comparable to that of non-mobile platforms Previously only tests of package installation files AV completely blind to 99% of file system An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 21 © Fraunhofer
  • 23. Bibliography X. Jiang. New GappII Trojan Found in Alternative Android Markets, April 27, 2012. http://www.csc.ncsu.edu/faculty/jiang/GappII/ (18.02.2013). X. Jiang. New RootSmart Android Malware Utilizes the GingerBreak Root Exploit, February 3, 2012. http://www.csc.ncsu.edu/faculty/jiang/RootSmart/. F. Kerschbaum. Practical private regular expression matching. In Security and Privacy in Dynamic Environments, pages 461–470. Springer, 2006. Y. Zhou and X. Jiang. Dissecting android malware: Characterization and evolution. In 2012 IEEE Symposium on Security and Privacy (SP), pages 95–109, May An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 22 2012. © Fraunhofer
  • 24. Contact Information Rafael Fedler, rafael.fedler@aisec.fraunhofer.de Group Mobile Security Department Service & Application Security Fraunhofer Research Institution for Applied and Integrated Security (AISEC) Address: Parkring 4 85748 Garching (near Munich) Germany Internet: http://www.aisec.fraunhofer.de Phone: Fax: E-Mail: +49 89 3229986-173 +49 89 3229986-299 rafael.fedler@aisec.fraunhofer.de An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 23 © Fraunhofer