SlideShare a Scribd company logo

Android Antivirus API for Malware Detection

Fraunhofer AISEC
Fraunhofer AISEC

In this talk, given at the 8th International Conference on Malicious and Unwanted Software (MALWARE 2013), researchers from Fraunhofer AISEC present their paper "An Antivirus API for Android Malware Recognition". The proposed API, if added to the main Android distribution or to third-party distributions such as Cyanogenmod, would significantly increase the effectiveness that antivirus software can achieve on Android. Currently, antivirus software on Android is very limited in its capabilities and very easy to circumvent for malware, as demonstrated by our previous work -> http://ais.ec/techreport - ON THE EFFECTIVENESS OF MALWARE PROTECTION ON ANDROID, AN EVALUATION OF ANDROID ANTIVIRUS APPS by Rafael Fedler. These platform-based antivirus shortcomings are addressed by the paper presented in this talk.

Technology
1 of 24
Download to read offline
An Antivirus API for Android Malware Recognition 8th IEEE International Conference on Malicious and Unwanted Software (MALWARE 2013) Rafael Fedler, rafael.fedler@aisec.fraunhofer.de, October 23, 2013
An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 1 © Fraunhofer
Motivation Problem Antivirus software on Android inherently less powerful than on desktop systems Has access to only a select few files on the file system (installation package files) Cannot scan or monitor file system Completely oblivious to anything happening at runtime on a device Cannot detect malicious file downloads (root exploits, other code) at runtime Android apps can download & then execute code at runtime (!) An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 2 © Fraunhofer
Motivation Teaser Our approach: An interface to be added to the Android platform to allow for AV on-demand scanning of full or partial file system on-change scanning of changed file system portions for live monitoring signature and heuristics based malware detection similar to that deployed by desktop products ... without breaking Android’s security architecture An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 3 © Fraunhofer
An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 4 © Fraunhofer
Background Android Platform File system sandboxing mechanism Every app is assigned its own UID Every app’s files are set to own, read only for its own UID → file system sandbox: each app can only access files in its own working directory Also applies to antivirus software (!) Package database /data/system/packages.xml, world readable Upon installation of an app, an entry in package DB is created Contains, among others, the path to every app’s package file Package files are world readable (!) An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 5 © Fraunhofer
Background Android Malware 36.7% of all malicious apps deployed root exploits by 2012 [4], probably more by now Allows to break out of sandbox Often downloaded at runtime, thus invisible to AV software Typical course of infection of more advanced malware (e.g., [1, 2]) 1. Initial propagation Disguised as a legitimate app Repackaged Update of legitimate app after hijacking of developer’s account and signing key etc. 2. Download of root exploit at runtime, in case it is not shipped with app package file 3. Mark exploit executable with chmod 4. Execute root exploit and carry out payload An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 6 © Fraunhofer
Background Android Antivirus Software Cannot: ... scan a device’s file system due to sandbox ... monitor other apps’ behavior at runtime or working directories Can only: Read installed apps’ installation package files Remember: Package database world readable, contains app package files which are also world readable Read SD card (not used by malware for obvious reasons) An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 7 © Fraunhofer
Own conclusion Adding ability to scan apps’ working directories and monitor them at runtime: good idea Current AV is completely blind and oblivious to any runtime behavior or file system changes ... including malicious code downloaded/created/unpacked/pieced together at runtime An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 8 © Fraunhofer
An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 9 © Fraunhofer
Approach: Antivirus API Objectives 1. Scan file system fully (from /) or partially (e.g., from /data/data) on demand 2. Monitor file system portions (e.g., working directories) at runtime 3. Operations on arbitrary files allowing for signature- and heuristics-based malware recognition similar to desktop products 4. All of the above without breaking Android’s security architecture An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 10 © Fraunhofer
Approach: Antivirus API File system traversal for on-demand scanning Objective: Do not disclose file system names or full paths Solution: Aliases Options for implementation: 1. Database mapping aliases ↔ paths 2. Dynamic calculation 3. Trapdoor function, e.g., RSA Allows for traversal of file system tree An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 11 © Fraunhofer
Approach: Antivirus API File system traversal for on-demand scanning Listing 1: Usual directory listing user@computer : / t o p l e v e l d i r $ l s dir1 dir2 file1 file2 file3 Listing 2: Directory listing using aliases including an entry for parent directory 0 1 2 3 4 5 p d d f f f a55822426a5330c04625a41d264c190b b72b7253c45f9d22044c86bf4d7e4902 515 dc267bbd0af019d22e766af0cb7e4 f8bb5cc06b4ed23683b276ca05153e82 7b2de0a0f16d100dfbf2d84603840ee2 9fa5ba9abe67916142cb6bc0eee7658b An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 12 © Fraunhofer
Approach: Antivirus API File system traversal for on-demand scanning Starting from / or /data/data/, an AV app can traverse the file system using such alias handles ls and cd equivalent options will be provided Paths passed by the user can be used as entry points; however, aliases cannot be translated back to paths Trapdoor parameter only known to system, not to AV Path aliases for traversal, file aliases for indirect file access for malware detection Permanent translation and communication between AV ↔ not very efficient, but /data/data/ usually not very big Preserves privacy Sandbox maintained: No direct access outside AV’s working directory An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 13 © Fraunhofer
Approach: Antivirus API File system monitoring Approach: inotify Linux kernel interface Processes can place inotify handles on file system objects (directories, files) Notification upon change to monitored objects inotify handles to be placed in /data/data/ and all subdirectories An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 14 © Fraunhofer
Approach: Antivirus API File operations: Regular expressions for signatures and heuristics Most detection techniques can be formulated as regular expressions Signatures Some static heuristics (regexes matching opcodes) Feature extraction with offsets: regexes with offsets “Proxy” for regular expressions API takes signatures in form of regexes, responds “true” if match, “false” if no match An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 15 © Fraunhofer
Approach: Antivirus API File operations: Hashes Hashes on desktop/server platforms: very limited effectiveness Exploit kits, drive-by infections, droppers, personalized malware, morphic code Too many variations of one family, sample numbers too high Mobile platforms: much more useful Centralized distribution (thus also almost no personalized malware), virtually no app compromising/infection, virtually no drive-by infections, sandboxing prohibits morphing code Allow hashes for arbitrary file system objects Feature extraction/fast matching/no-matching: hashes from definable offsets An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 16 © Fraunhofer
Approach: Antivirus API Securing Access to the Interface Widespread access to device → tight access control Whitelist based: Check signing keys of package requesting access to AV interface Include signing keys of verified AV companies in whitelist Feasible effort: Less than 50 AV providers An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 17 © Fraunhofer
An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 18 © Fraunhofer
Discussion Implementation Details File system access backend: POSIX-1003.1e ACLs to provide read-only access to the interface for either the whole file system or a subtree such as /data/data/ Possible addition: Dynamic heuristics chroot environment or write/network access interception + strings, strace, ltrace However, cloud analysis more effective, lower risks, no limited resources Risk: File content disclosure through incremental regex construction Unlikely as only trusted apps will have access to the interface Secure multi-party computation techniques for privacy preserving regex matching [3] An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 19 © Fraunhofer
An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 20 © Fraunhofer
Conclusion Devised interface allows for: Signature-based detection Static heuristics (Limited) feature extraction/fast matching/no-matching On-demand file system scanning Live file system change monitoring All of the above without disclosing file system names (paths) or file contents Interface only grants access to trusted AV software Novelty: on-device malware detection comparable to that of non-mobile platforms Previously only tests of package installation files AV completely blind to 99% of file system An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 21 © Fraunhofer
Bibliography X. Jiang. New GappII Trojan Found in Alternative Android Markets, April 27, 2012. http://www.csc.ncsu.edu/faculty/jiang/GappII/ (18.02.2013). X. Jiang. New RootSmart Android Malware Utilizes the GingerBreak Root Exploit, February 3, 2012. http://www.csc.ncsu.edu/faculty/jiang/RootSmart/. F. Kerschbaum. Practical private regular expression matching. In Security and Privacy in Dynamic Environments, pages 461–470. Springer, 2006. Y. Zhou and X. Jiang. Dissecting android malware: Characterization and evolution. In 2012 IEEE Symposium on Security and Privacy (SP), pages 95–109, May An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 22 2012. © Fraunhofer
Contact Information Rafael Fedler, rafael.fedler@aisec.fraunhofer.de Group Mobile Security Department Service & Application Security Fraunhofer Research Institution for Applied and Integrated Security (AISEC) Address: Parkring 4 85748 Garching (near Munich) Germany Internet: http://www.aisec.fraunhofer.de Phone: Fax: E-Mail: +49 89 3229986-173 +49 89 3229986-299 rafael.fedler@aisec.fraunhofer.de An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 23 © Fraunhofer

Recommended

Native Code Execution Control for Attack Mitigation on Android
Native Code Execution Control for Attack Mitigation on AndroidNative Code Execution Control for Attack Mitigation on Android
Native Code Execution Control for Attack Mitigation on AndroidFraunhofer AISEC
 
Fuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsFuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsCodenomicon
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsJan Seidl
 
MIT-6-determina-vps.ppt
MIT-6-determina-vps.pptMIT-6-determina-vps.ppt
MIT-6-determina-vps.pptwebhostingguy
 
Ids & ips
Ids & ipsIds & ips
Ids & ipsLan & Wan Solutions
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Codenomicon
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersOllie Whitehouse
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 

Recommended

Native Code Execution Control for Attack Mitigation on Android
Native Code Execution Control for Attack Mitigation on AndroidNative Code Execution Control for Attack Mitigation on Android
Native Code Execution Control for Attack Mitigation on AndroidFraunhofer AISEC
 
Fuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsFuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsCodenomicon
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsJan Seidl
 
MIT-6-determina-vps.ppt
MIT-6-determina-vps.pptMIT-6-determina-vps.ppt
MIT-6-determina-vps.pptwebhostingguy
 
Ids & ips
Ids & ipsIds & ips
Ids & ipsLan & Wan Solutions
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Codenomicon
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersOllie Whitehouse
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE
 
Intrusion Detection Presentation
Intrusion Detection PresentationIntrusion Detection Presentation
Intrusion Detection PresentationMustafash79
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...CODE BLUE
 
APT - Project
APT - Project APT - Project
APT - Project Dev Lavaniya
 
3 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 20113 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 2011davidmaciaalcaide
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsSameer Thadani
 
NIDS ppt
NIDS pptNIDS ppt
NIDS pptMahendar Reddy
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAkhil Kumar
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan
 
Euro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesEuro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesMiguel Ponce de Leon @ TSSG / Waterford Institute of Technology
 
Denial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesDenial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesIRJET Journal
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?F-Secure Corporation
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark ShermanRinaldi Rampen
 
FireEye Engineering
FireEye Engineering FireEye Engineering
FireEye Engineering Lauren Traurig
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not MarketingArrowECS_CZ
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 

More Related Content

What's hot

CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE
 
Intrusion Detection Presentation
Intrusion Detection PresentationIntrusion Detection Presentation
Intrusion Detection PresentationMustafash79
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...CODE BLUE
 
3 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 20113 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 2011davidmaciaalcaide
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsSameer Thadani
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAkhil Kumar
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan
 
Denial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesDenial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesIRJET Journal
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?F-Secure Corporation
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark ShermanRinaldi Rampen
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not MarketingArrowECS_CZ
 

What's hot (20)

CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKACODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
CODE BLUE 2014 : how to avoid the Detection by Malware by HIROSHI SNINOTSUKA
 
Intrusion Detection Presentation
Intrusion Detection PresentationIntrusion Detection Presentation
Intrusion Detection Presentation
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
 
APT - Project
APT - Project APT - Project
APT - Project
 
3 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 20113 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 2011
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent Threats
 
NIDS ppt
NIDS pptNIDS ppt
NIDS ppt
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
 
Euro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesEuro mGov Securing Mobile Services
Euro mGov Securing Mobile Services
 
Denial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesDenial of Service Attack Defense Techniques
Denial of Service Attack Defense Techniques
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
 
FireEye Engineering
FireEye Engineering FireEye Engineering
FireEye Engineering
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not
 

Similar to Android Antivirus API for Malware Detection

Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
DeepContentInspection Lato
DeepContentInspection LatoDeepContentInspection Lato
DeepContentInspection LatoBrian Stoner
 
Application security in current era
Application security in current eraApplication security in current era
Application security in current eraajitdhumale
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareTeodoro Cipresso
 
Modern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto NetworksModern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto Networksdtimal
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
 
IT6701-Information Management Unit 2
IT6701-Information Management Unit 2IT6701-Information Management Unit 2
IT6701-Information Management Unit 2SIMONTHOMAS S
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...IJNSA Journal
 

Similar to Android Antivirus API for Malware Detection (20)

Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Chapter 8
Chapter 8Chapter 8
Chapter 8
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
It kamus virus security glossary
It kamus virus security glossaryIt kamus virus security glossary
It kamus virus security glossary
 
DeepContentInspection Lato
DeepContentInspection LatoDeepContentInspection Lato
DeepContentInspection Lato
 
Application security in current era
Application security in current eraApplication security in current era
Application security in current era
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
 
Modern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto NetworksModern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto Networks
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
 
Malicious
MaliciousMalicious
Malicious
 
IT6701-Information Management Unit 2
IT6701-Information Management Unit 2IT6701-Information Management Unit 2
IT6701-Information Management Unit 2
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & prevention
 
O p
O pO p
O p
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O...
 
Android security
Android securityAndroid security
Android security
 
Android security
Android securityAndroid security
Android security
 
Antivirus
AntivirusAntivirus
Antivirus
 

More from Fraunhofer AISEC

Fraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vornFraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vornFraunhofer AISEC
 
Produktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische GeräteProduktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische GeräteFraunhofer AISEC
 
Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013Fraunhofer AISEC
 
Marktchancen mit IT-Sicherheit
Marktchancen mit IT-SicherheitMarktchancen mit IT-Sicherheit
Marktchancen mit IT-SicherheitFraunhofer AISEC
 
Cybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for SecurityCybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for SecurityFraunhofer AISEC
 
Sicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der ITSicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der ITFraunhofer AISEC
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidFraunhofer AISEC
 
PEP - Protecting Electronic Products
PEP - Protecting Electronic ProductsPEP - Protecting Electronic Products
PEP - Protecting Electronic ProductsFraunhofer AISEC
 
Firmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote UpdateFirmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote UpdateFraunhofer AISEC
 
Cyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der WissenschaftCyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der WissenschaftFraunhofer AISEC
 
IKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealthIKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealthFraunhofer AISEC
 
Innovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht ForschungInnovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht ForschungFraunhofer AISEC
 
40 Jahre Informatik Hamburg
40 Jahre Informatik Hamburg40 Jahre Informatik Hamburg
40 Jahre Informatik HamburgFraunhofer AISEC
 
Security for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded SystemsSecurity for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded SystemsFraunhofer AISEC
 

More from Fraunhofer AISEC (20)

Fraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vornFraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vorn
 
Internet of (Every)Thing
Internet of (Every)ThingInternet of (Every)Thing
Internet of (Every)Thing
 
App Ray: 10000 Apps
App Ray: 10000 AppsApp Ray: 10000 Apps
App Ray: 10000 Apps
 
Produktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische GeräteProduktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische Geräte
 
Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013
 
Marktchancen mit IT-Sicherheit
Marktchancen mit IT-SicherheitMarktchancen mit IT-Sicherheit
Marktchancen mit IT-Sicherheit
 
Cybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for SecurityCybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for Security
 
Sicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der ITSicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der IT
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
 
PEP - Protecting Electronic Products
PEP - Protecting Electronic ProductsPEP - Protecting Electronic Products
PEP - Protecting Electronic Products
 
Firmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote UpdateFirmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote Update
 
Infografik Produktschutz
Infografik ProduktschutzInfografik Produktschutz
Infografik Produktschutz
 
Cyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der WissenschaftCyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der Wissenschaft
 
Produktschutz Infografik
Produktschutz InfografikProduktschutz Infografik
Produktschutz Infografik
 
IKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealthIKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealth
 
Innovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht ForschungInnovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht Forschung
 
Alan Turing
Alan Turing Alan Turing
Alan Turing
 
Sicherheit im Smart Grid
Sicherheit im Smart GridSicherheit im Smart Grid
Sicherheit im Smart Grid
 
40 Jahre Informatik Hamburg
40 Jahre Informatik Hamburg40 Jahre Informatik Hamburg
40 Jahre Informatik Hamburg
 
Security for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded SystemsSecurity for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded Systems
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Android Antivirus API for Malware Detection

  • 1. An Antivirus API for Android Malware Recognition 8th IEEE International Conference on Malicious and Unwanted Software (MALWARE 2013) Rafael Fedler, rafael.fedler@aisec.fraunhofer.de, October 23, 2013
  • 2. An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 1 © Fraunhofer
  • 3. Motivation Problem Antivirus software on Android inherently less powerful than on desktop systems Has access to only a select few files on the file system (installation package files) Cannot scan or monitor file system Completely oblivious to anything happening at runtime on a device Cannot detect malicious file downloads (root exploits, other code) at runtime Android apps can download & then execute code at runtime (!) An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 2 © Fraunhofer
  • 4. Motivation Teaser Our approach: An interface to be added to the Android platform to allow for AV on-demand scanning of full or partial file system on-change scanning of changed file system portions for live monitoring signature and heuristics based malware detection similar to that deployed by desktop products ... without breaking Android’s security architecture An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 3 © Fraunhofer
  • 5. An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 4 © Fraunhofer
  • 6. Background Android Platform File system sandboxing mechanism Every app is assigned its own UID Every app’s files are set to own, read only for its own UID → file system sandbox: each app can only access files in its own working directory Also applies to antivirus software (!) Package database /data/system/packages.xml, world readable Upon installation of an app, an entry in package DB is created Contains, among others, the path to every app’s package file Package files are world readable (!) An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 5 © Fraunhofer
  • 7. Background Android Malware 36.7% of all malicious apps deployed root exploits by 2012 [4], probably more by now Allows to break out of sandbox Often downloaded at runtime, thus invisible to AV software Typical course of infection of more advanced malware (e.g., [1, 2]) 1. Initial propagation Disguised as a legitimate app Repackaged Update of legitimate app after hijacking of developer’s account and signing key etc. 2. Download of root exploit at runtime, in case it is not shipped with app package file 3. Mark exploit executable with chmod 4. Execute root exploit and carry out payload An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 6 © Fraunhofer
  • 8. Background Android Antivirus Software Cannot: ... scan a device’s file system due to sandbox ... monitor other apps’ behavior at runtime or working directories Can only: Read installed apps’ installation package files Remember: Package database world readable, contains app package files which are also world readable Read SD card (not used by malware for obvious reasons) An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 7 © Fraunhofer
  • 9. Own conclusion Adding ability to scan apps’ working directories and monitor them at runtime: good idea Current AV is completely blind and oblivious to any runtime behavior or file system changes ... including malicious code downloaded/created/unpacked/pieced together at runtime An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 8 © Fraunhofer
  • 10. An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 9 © Fraunhofer
  • 11. Approach: Antivirus API Objectives 1. Scan file system fully (from /) or partially (e.g., from /data/data) on demand 2. Monitor file system portions (e.g., working directories) at runtime 3. Operations on arbitrary files allowing for signature- and heuristics-based malware recognition similar to desktop products 4. All of the above without breaking Android’s security architecture An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 10 © Fraunhofer
  • 12. Approach: Antivirus API File system traversal for on-demand scanning Objective: Do not disclose file system names or full paths Solution: Aliases Options for implementation: 1. Database mapping aliases ↔ paths 2. Dynamic calculation 3. Trapdoor function, e.g., RSA Allows for traversal of file system tree An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 11 © Fraunhofer
  • 13. Approach: Antivirus API File system traversal for on-demand scanning Listing 1: Usual directory listing user@computer : / t o p l e v e l d i r $ l s dir1 dir2 file1 file2 file3 Listing 2: Directory listing using aliases including an entry for parent directory 0 1 2 3 4 5 p d d f f f a55822426a5330c04625a41d264c190b b72b7253c45f9d22044c86bf4d7e4902 515 dc267bbd0af019d22e766af0cb7e4 f8bb5cc06b4ed23683b276ca05153e82 7b2de0a0f16d100dfbf2d84603840ee2 9fa5ba9abe67916142cb6bc0eee7658b An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 12 © Fraunhofer
  • 14. Approach: Antivirus API File system traversal for on-demand scanning Starting from / or /data/data/, an AV app can traverse the file system using such alias handles ls and cd equivalent options will be provided Paths passed by the user can be used as entry points; however, aliases cannot be translated back to paths Trapdoor parameter only known to system, not to AV Path aliases for traversal, file aliases for indirect file access for malware detection Permanent translation and communication between AV ↔ not very efficient, but /data/data/ usually not very big Preserves privacy Sandbox maintained: No direct access outside AV’s working directory An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 13 © Fraunhofer
  • 15. Approach: Antivirus API File system monitoring Approach: inotify Linux kernel interface Processes can place inotify handles on file system objects (directories, files) Notification upon change to monitored objects inotify handles to be placed in /data/data/ and all subdirectories An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 14 © Fraunhofer
  • 16. Approach: Antivirus API File operations: Regular expressions for signatures and heuristics Most detection techniques can be formulated as regular expressions Signatures Some static heuristics (regexes matching opcodes) Feature extraction with offsets: regexes with offsets “Proxy” for regular expressions API takes signatures in form of regexes, responds “true” if match, “false” if no match An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 15 © Fraunhofer
  • 17. Approach: Antivirus API File operations: Hashes Hashes on desktop/server platforms: very limited effectiveness Exploit kits, drive-by infections, droppers, personalized malware, morphic code Too many variations of one family, sample numbers too high Mobile platforms: much more useful Centralized distribution (thus also almost no personalized malware), virtually no app compromising/infection, virtually no drive-by infections, sandboxing prohibits morphing code Allow hashes for arbitrary file system objects Feature extraction/fast matching/no-matching: hashes from definable offsets An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 16 © Fraunhofer
  • 18. Approach: Antivirus API Securing Access to the Interface Widespread access to device → tight access control Whitelist based: Check signing keys of package requesting access to AV interface Include signing keys of verified AV companies in whitelist Feasible effort: Less than 50 AV providers An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 17 © Fraunhofer
  • 19. An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 18 © Fraunhofer
  • 20. Discussion Implementation Details File system access backend: POSIX-1003.1e ACLs to provide read-only access to the interface for either the whole file system or a subtree such as /data/data/ Possible addition: Dynamic heuristics chroot environment or write/network access interception + strings, strace, ltrace However, cloud analysis more effective, lower risks, no limited resources Risk: File content disclosure through incremental regex construction Unlikely as only trusted apps will have access to the interface Secure multi-party computation techniques for privacy preserving regex matching [3] An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 19 © Fraunhofer
  • 21. An Antivirus API for Android Malware Recognition Motivation Problem Teaser Background Android Platform Android Malware Android Antivirus Software Approach: Antivirus API Objectives File system traversal for on-demand scanning File system monitoring File operations Discussion An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 20 © Fraunhofer
  • 22. Conclusion Devised interface allows for: Signature-based detection Static heuristics (Limited) feature extraction/fast matching/no-matching On-demand file system scanning Live file system change monitoring All of the above without disclosing file system names (paths) or file contents Interface only grants access to trusted AV software Novelty: on-device malware detection comparable to that of non-mobile platforms Previously only tests of package installation files AV completely blind to 99% of file system An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 21 © Fraunhofer
  • 23. Bibliography X. Jiang. New GappII Trojan Found in Alternative Android Markets, April 27, 2012. http://www.csc.ncsu.edu/faculty/jiang/GappII/ (18.02.2013). X. Jiang. New RootSmart Android Malware Utilizes the GingerBreak Root Exploit, February 3, 2012. http://www.csc.ncsu.edu/faculty/jiang/RootSmart/. F. Kerschbaum. Practical private regular expression matching. In Security and Privacy in Dynamic Environments, pages 461–470. Springer, 2006. Y. Zhou and X. Jiang. Dissecting android malware: Characterization and evolution. In 2012 IEEE Symposium on Security and Privacy (SP), pages 95–109, May An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 22 2012. © Fraunhofer
  • 24. Contact Information Rafael Fedler, rafael.fedler@aisec.fraunhofer.de Group Mobile Security Department Service & Application Security Fraunhofer Research Institution for Applied and Integrated Security (AISEC) Address: Parkring 4 85748 Garching (near Munich) Germany Internet: http://www.aisec.fraunhofer.de Phone: Fax: E-Mail: +49 89 3229986-173 +49 89 3229986-299 rafael.fedler@aisec.fraunhofer.de An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 23 © Fraunhofer