Android Malware Survey
Goal of malware
● Send SMS to premium-rate numbers
● Banking trojan: steal account info and money
● Adware: click fraud
● Spyware: exfiltrate personal info such as location, phone info, contact list, etc.
● Ransomware
● Bitcoin mining
Installation methods
1. Repackaging: download and decompile a popular app, add a malicious payload, and upload it to some other “app store” for download. A variant: upload a benign app to the Play Store, then upload a malware version of the same app to a third-party “app store”; since both apps share the same signing certificate, the malicious version is installed as an update on the device (TrendMicro blog).
2. Update attack: ship only the update component in the app and download the actual malware payload at runtime.
3. Drive-by download: via QR code, SMS link, social media link, Bluetooth, USB.
Malicious install of an APK
1. Root exploit
2. Misuse of Android Accessibility services
3. Create confusion through popups and look-alikes
4. Prevent removal by storing the app in the system partition
Grabos (McAfee): https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play/
PC to mobile infection
Android.Claco: runs on the mobile device. Downloads a Windows executable and places it in the root directory of the SD card. When the mobile device is connected to a PC with the AutoRun feature enabled, Windows automatically executes the malicious file.
Trojan.Droidpak: runs on Windows as a system service. Downloads a malware APK and even “adb”, then attempts to install the APK on the connected mobile device (if USB debugging mode is on).
Loopholes in Google Playstore
Innovation by Android.dvmap
“To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March, 2017, and would then update it with a malicious version for a short period of time. Usually they would upload a clean version back on Google Play the very same day. They did this at least 5 times between 18 April and 15 May.”
https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/
Activation methods
● BOOT_COMPLETED broadcast to kick off background services
● SMS_RECEIVED broadcast
● Screen turned off
Top permissions asked by malware
Unless you have a root exploit, you require “permissions” in the Manifest.
1. INTERNET
2. ACCESS_NETWORK_STATE
3. READ/WRITE_EXTERNAL_STORAGE
4. READ_PHONE_STATE
5. ACCESS_WIFI_STATE
6. ACCESS_COARSE/FINE_LOCATION
7. READ/WRITE_CONTACTS
How to create overlay windows
Banking malware needs to overlay a window that resembles the bank's login page.
Ways to achieve this overlay:
1. Use the SYSTEM_ALERT_WINDOW permission.
2. Ask the user to enable an “Accessibility service”, which gives access to the UI of other running apps and allows creating overlays (used by SvPeng).
3. Use a “Toast” notification to create a full-screen window (on pre-Oreo). See the “Toast overlay attack” of September 2017.
Botnets
Evolution of command-and-control (C&C) architecture:
1. First generation had a single C&C server
2. Semi-distributed
3. Peer-to-peer
To avoid hard-coded URLs, the C&C URL is generated with a domain generation algorithm (DGA) seeded by the current date. Or the C&C is a Twitter account whose name is generated dynamically (e.g. Twikabot); the bot then decrypts and executes the tweets.
Rapidly rotating the IP address of the C&C server: “fast-flux botnet”.
Evade detection by anti-malware tools
1. All constant strings in the APK are encrypted
2. Use of Base64 encoding
3. Network traffic is encrypted
4. Call via reflection; decrypt class and method names just before the call
5. Decryption key is not hard-coded but derived at runtime
6. Hide the payload inside the images folder
7. Use Android packers or protectors
8. Alter behaviour when running inside an emulator
9. Modify the code at runtime to evade static signatures (metamorphic malware)
Hide the payload inside an image
● A PNG file consists of many chunks, each with its own type header and length.
● If a chunk has an unknown type, the PNG reader skips it.
● A PNG carrying a legitimate image (the app icon) can therefore also carry an (encrypted) malware payload.
● The malware loads the payload from the chunk, decrypts it, and runs it using DexClassLoader.
● Anomaly: look for a small image with a large file size!
Axelle Apvrille. Hide Android Applications in Images. Black Hat Europe 2014
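A chunk-level scanner for the anomaly described above, written as an added example (not code from the slides or from Apvrille's talk): it parses every PNG chunk, checks the CRCs, lists chunk types the PNG specification does not define, and compares the file size against what the declared dimensions could legitimately need. Both sample PNGs, including the private “daTa” chunk carrying a stand-in payload, are constructed inline.

```python
"""Scan a PNG for chunks that could be carrying a hidden payload (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification (critical and ancillary).
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def make_chunk(ctype, payload):
    """Encode one chunk: 4-byte length, 4-byte type, payload, CRC32(type + payload)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def parse_chunks(data):
    """Yield (type, payload, crc_ok) for each chunk until IEND or truncation."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(data):
            break  # declared length runs past the file: truncated or bogus chunk
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        yield ctype, payload, crc == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        pos = end + 4
        if ctype == b"IEND":
            break


def scan_png(data):
    """Report declared size, IDAT volume, unknown chunk types and a verdict."""
    width = height = 0
    idat_bytes = 0
    unknown = {}  # chunk type -> total payload bytes
    bad_crc = []
    for ctype, payload, crc_ok in parse_chunks(data):
        name = ctype.decode("latin-1")
        if not crc_ok:
            bad_crc.append(name)
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", payload[:8])
        elif ctype == b"IDAT":
            idat_bytes += len(payload)
        elif ctype not in KNOWN_CHUNKS:
            unknown[name] = unknown.get(name, 0) + len(payload)
    # Uncompressed RGBA plus one filter byte per row is about the most the image
    # data can legitimately need (zlib adds only a few bytes), so a file far
    # larger than that ceiling is the "small image, large file" anomaly.
    size_ceiling = width * height * 4 + height + 1024
    hidden_bytes = sum(unknown.values())
    return {
        "width": width, "height": height, "file_size": len(data),
        "idat_bytes": idat_bytes, "unknown_chunks": unknown, "bad_crc": bad_crc,
        "oversized": len(data) > size_ceiling,
        # Vendor-private chunks exist in benign files too, so flag only when the
        # unknown chunks outweigh the image data or the file is oversized.
        "suspicious": hidden_bytes > idat_bytes or len(data) > size_ceiling,
    }


def build_icon_png(extra_chunks=()):
    """Construct a 1x1 8-bit RGB PNG, with optional extra chunks before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, depth 8, truecolour
    scanline = b"\x00" + b"\x10\x20\x30"                 # filter byte + one pixel
    png = PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", zlib.compress(scanline))
    for ctype, payload in extra_chunks:
        png += make_chunk(ctype, payload)
    return png + make_chunk(b"IEND", b"")


# Constructed samples: a plain icon, and the same icon with 4 KiB of
# pseudo-random bytes (stand-in for an encrypted payload) in a private
# ancillary chunk "daTa", which a conforming PNG reader simply skips.
BENIGN_PNG = build_icon_png()
FAKE_PAYLOAD = bytes((i * 131 + 7) % 256 for i in range(4096))
STEGO_PNG = build_icon_png([(b"daTa", FAKE_PAYLOAD)])

if __name__ == "__main__":
    for label, png in (("benign icon", BENIGN_PNG), ("icon with payload chunk", STEGO_PNG)):
        print(label, scan_png(png))
```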
Packers and Protectors
Top packers: Bangcle, APKProtect.com, Baidu, Tencent
● Encrypt the APK and store it in the assets folder
● Replace the APK's main Activity with their own
● Insert their own decryption library (native C)
● At run time, decrypt your APK in RAM and run it
Packers were developed to protect vendor IP, but are being misused to distribute malware.
A packed APK cannot be detected by static or dynamic analysis.
[Figure: APK structure before packing. Source: http://www.vxsecurity.sg/2014/08/25/android-packers-bangcle/]
[Figure: APK structure after packing. Source: http://www.vxsecurity.sg/2014/08/25/android-packers-bangcle/]
Emulator evasion techniques - 1
Device ID, phone number, IMEI and IMSI are faked on the emulator:
● TelephonyManager.getDeviceId().equals("00000…")
● TelephonyManager.getSimCountryIso().equals("Android")
● TelephonyManager.getSimOperatorName().equals("Android")
● TelephonyManager.getLine1Number().equals("15555215554")
where 15555521 is a constant and 5554 is the emulator port number.
https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/
Emulator evasion techniques - 2
Inside the emulator, the build info is set to fake values:
● Build.MODEL contains “google_sdk”, “Emulator” or “Android SDK”
● Build.FINGERPRINT starts with “generic” or “unknown”
● Build.MANUFACTURER contains “Genymotion”
● Build.BRAND starts with “generic”
● Build.DEVICE starts with “generic”
Emulator evasion techniques - 3
Emulator properties give it away:
1. System properties “ro.bootloader”, “ro.bootmode”, “ro.hardware”, “ro.product.mode”, etc. are set to “Unknown”, “generic”, “sdk”, etc.
2. Emulator-related files exist: “/dev/socket/qemud”, “/system/lib/libc_malloc_debug_qemu.so”, “/sys/qemu_trace”, “/system/bin/qemu-props”.
3. getInstallerPackageName() is compared with “com.android.vending”: an app pushed with “adb” was not installed by the Play Store.
4. Check whether the user's email address contains “google”, “tester”, etc.
Detect if running in a debugger
● Check Debug.isDebuggerConnected() and Debug.waitingForDebugger().
● Launch multiple threads and let one thread attach to another using ptrace(), because a process can only be traced by one tracer at a time. [PackerGrind paper]
Delay the attack
● Delay the attack by a fixed time (e.g. 24 hours), which is long enough to beat sandbox testing.
● Launch the malware only when Google Play is launched, by adding the application's main intent to the category “android.intent.category.APPMARKET” (done by “Tascudap”).
Polymorphic and metamorphic malware
Oligomorphic :
Polymorphic
● Use of encryption for strings and payloads; data append/prepend
Metamorphic (hard to detect using file signatures)
1. Reorder instructions or data structures
2. Add semantic NOPs
3. Register reassignment
https://reverseengineering.stackexchange.com/questions/1696/what-are-the-differences-between-metamorphic-oligomorphic-and-polymorphic-malwa
Malware toolkits
● Adware SDKs: MDash, Xavier, Igexin
● Botnets: Bilal Bot, GM Bot, KNL Bot
● Rooting tools: https://github.com/android-rooting-tools (older Android versions)
Malware databases
● Android Malware Genome Database (outdated)
● Contagio
● Drebin
(Individual vendors collect their own databases.)
Malware Detection Methods
● Static analysis (signature, ML)
● Dynamic analysis (sandbox)
● Opcode analysis (custom, ML)
● Hybrid
Static analysis
Check:
● uses-feature in the Manifest
● Permissions in the Manifest
● Intents
● Use of DexClassLoader, NDK loadLibrary
● Use of crypto APIs
● OS system calls
● Receiving broadcasts
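The static checks above applied to a decoded AndroidManifest.xml (as produced by apktool), written as an added example that is not code from the slides: it extracts the permissions, the manifest-registered receivers and services with their intent-filter actions, and flags the combinations the deck calls out, namely the permissions most requested by malware, the BOOT_COMPLETED / SMS_RECEIVED activation triggers, overlay capability (SYSTEM_ALERT_WINDOW or an accessibility service), and the AlphaAv feature of a DEVICE_ADMIN_ENABLED receiver paired with SEND_SMS. Both sample manifests are constructed, and the score weights are an illustrative assumption.

```python
"""Static triage of a decoded AndroidManifest.xml (added example, not from the slides)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the deck lists as the ones most requested by malware.
COMMON_MALWARE_PERMS = {
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE", "android.permission.ACCESS_WIFI_STATE",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
}
# Broadcasts that start a payload without user interaction. SCREEN_OFF can only
# be registered at runtime, so it never appears in a manifest.
ACTIVATION_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
SEND_SMS = "android.permission.SEND_SMS"


def triage_manifest(xml_text):
    """Return the manifest facts worth a closer look, plus an illustrative score."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    # Intent-filter actions per receiver/service: which broadcasts wake the app,
    # and whether it declares an accessibility service.
    actions_by_component = {}
    for tag in ("receiver", "service"):
        for comp in root.iter(tag):
            actions = {a.get(ANDROID_NS + "name") for a in comp.iter("action")}
            actions.discard(None)
            actions_by_component[(tag, comp.get(ANDROID_NS + "name"))] = actions
    all_actions = set().union(*actions_by_component.values())
    findings = {
        "common_malware_perms": sorted(perms & COMMON_MALWARE_PERMS),
        "activation_broadcasts": sorted(all_actions & ACTIVATION_ACTIONS),
        "overlay_capable": OVERLAY_PERM in perms or ACCESSIBILITY_ACTION in all_actions,
        "device_admin_and_sms": DEVICE_ADMIN_ACTION in all_actions and SEND_SMS in perms,
        "components": actions_by_component,
    }
    # Illustrative weights (an assumption here, not a published scoring scheme).
    findings["score"] = (
        len(findings["common_malware_perms"])
        + 2 * len(findings["activation_broadcasts"])
        + 3 * int(findings["overlay_capable"])
        + 3 * int(findings["device_admin_and_sms"])
    )
    return findings


# Constructed sample: a "flashlight" app whose manifest asks for far more than a
# flashlight needs (phone state, SMS, overlay, boot/SMS receivers, device admin).
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Flashlight">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: a plain torch app that only needs the camera flash.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Torch">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(xml_text)
        print(label, f["score"], f["common_malware_perms"], f["activation_broadcasts"])
```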
Dynamic Analysis
Run the APK in a sandbox, e.g. DroidBox or Andrubis, and record:
1. API calls
2. OS system calls
3. Network traffic
4. Battery consumption
5. CPU usage
Network monitoring
Malware tends to use DNS, HTTP (OkHttp), IRC and Tor!
1. DNS queries may be used to locate the C&C server.
2. Why OkHttp? It can contact multiple alternative HTTP servers, and retries silently and periodically in case of failure.
3. IRC is popular because it supports redundancy (multi-master), has a built-in login protocol, and offers full two-way communication.
4. Tor: it is difficult to shut down a botnet using Tor, as you cannot de-anonymize the C&C server sitting inside the Tor network.
5. An app may not request the Internet permission but instead use other apps, such as the browser, to send/receive data over the network.
Dynamic Analysis - Andrubis
Andrubis does “stimulation” instead of passive waiting or UI exploration:
1. Invoke all Activities (not just Main) found in the Manifest.
2. Patch the Android ActivityManager to start all background services automatically.
3. Intercept calls to “registerReceiver” and use the ActivityManager to invoke the registered receivers.
4. Broadcast common events such as SMS, WiFi+3G connectivity, GPS lock, phone calls and phone state changes to trigger OS and app behaviour.
Andrubis is now commercial (Lastline).
[Weichselbaum et al. Andrubis: Android Malware Under the Magnifying Glass]
TaintDroid
● Leverages Android's virtualized environment. Assumes no app is trusted.
● Labels (taints) data from privacy-sensitive sources.
● Transitively applies labels as sensitive data propagates through program variables, files, and interprocess messages.
● When tainted data are transmitted over the network, or otherwise leave the system, TaintDroid logs the data's labels, the application responsible for transmitting the data, and the data's destination.
[Enck et al. TaintDroid. OSDI 2010]
Beat the malware's emulator detection
Make the emulator look like a real device:
● Set the geo-location: “adb emu geo fix longitude latitude altitude”
● Change the hard-coded IMEI and IMSI in the emulator binary
● Set the emulator port to something other than 5554 or 5584
● Use “Genymotion”, which apparently has addressed all these issues
Axelle Apvrille. Android malware reverse engineering
How to beat the packers
● Some packers decrypt the original APK at known locations in RAM. Use that to find and analyze the decrypted APK at runtime. [Strazzere talk at Defcon 14, https://github.com/strazzere/android-unpacker]
● DexHunter modifies the Dalvik runtime (ART/OAT) to trap the ClassLoader. [Zhang et al. DexHunter. ESORICS 2015, https://github.com/zyq8709/DexHunter]
● PackerGrind [Xue et al. Adaptive Unpacking of Android Apps]
● DaBID debugger [Black Hat Asia 2015]
Opcode analysis
● Classify apps according to n-grams of opcodes in the APK.
● Dalvik has 218 unique opcodes.
● Split the opcode sequence at class-method boundaries before creating n-grams.
● Strip the opcode arguments (operands).
● Here, a 1-gram is just a histogram of opcode frequencies.
● This method works with obfuscated code!
ML model over opcode sequences
ML: the holy grail!
● Treat the opcode sequence as text.
● Formulate malware recognition as an NLP problem.
● Feed the opcode sequence to a neural net.
● The system dynamically learns the length of the n-gram that is most relevant.
[McLaughlin et al. Deep Android Malware Detection. CODASPY 2017]
ML model over API or OS calls
These require first running the app in an emulator to capture its dynamic behaviour.
Malware may not exhibit all of its malicious behaviour during the test.
Baidu Appstore
Baidu has ACS, which is the equivalent of Google's Bouncer.
They offer an APK protector (http://apkprotect.baidu.com).
Evolution of their anti-malware strategy:
1. Signature-based rules
2. Behaviour-based rules
3. Opcode-based rules
4. As of 2016: a deep learning model called “AlphaAv”
Thomas Wang (Baidu). AI Based Antivirus. Black Hat 2016
Baidu Appstore
The AlphaAv ML model extracts features from the APK:
1. Permissions in the Manifest
2. Number of picture files in /res
3. Number of fields of type “boolean”
4. Number of methods with more than 20 parameters
5. Has an executable file in /res?
6. Has an APK file in /assets?
7. Registers for the DEVICE_ADMIN_ENABLED broadcast and has the send-SMS permission
Google Playstore
Components:
1. Bouncer: tests submitted apps in Google Cloud.
2. Verify Apps: runs on the device. Warns about or blocks installation of harmful apps; continuously scans apps running on the device; kills malware apps remotely.
3. SafetyNet: privacy-preserving IDS.
4. SafetyNet Attestation: determines whether the device is CTS compatible.
5. Android Device Manager: locates a stolen or lost device.
6. Android Update service: delivers updates to the device through the web or OTA.
Google Playstore
Vertical monitoring: does the runtime behaviour differ from the upload-time (testing) behaviour?
Lateral monitoring: how does the same app behave across all devices? A device that fails to perform the periodic “Verify Apps” check after an app install is flagged as DOI (Dead or Insecure). The “Verify Apps” service computes a DOI score for each app; all apps should have DOI scores in the same range.
https://android-developers.googleblog.com/2017/01/findingmalware.html
Malware detection tools
● URLVoid: check whether a URL is blacklisted.
● VirusTotal (owned by Alphabet): collaborative platform. Your submitted APK is checked against a large number of malware engines (McAfee, AVG, TrendMicro, ...).
● Koodous: another collaborative platform.
Resources
1. Conferences: Black Hat, DEF CON, RSA, IEEE Security & Privacy, USENIX Security, ACM. Also see uploaded videos of past conferences.
2. https://github.com/ashishb/android-security-awesome
Malware detection
Theoretical result by Fred Cohen: the “virus detection” problem can be reduced to the “halting problem”, hence it is undecidable whether a program has a virus.
Therefore, anti-virus algorithms are essentially probabilistic.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 

Recently uploaded (20)

Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 

Android malware presentation

2. Goal of malware
Send SMS to premium-rate numbers
Bank : steal account info and money
Adware : click fraud
Spyware : Exfiltrate personal info like location, phone info, contact list, etc.
Ransomware
Bitcoin mining

3. Installation methods
1. Repackaging : Download and decompile a popular App. Add malicious payload. Upload to some other “app store” for download. Upload a benign app to Playstore. Upload new malware version of same app to third-party “app store”. Since both apps share same certificate, app will get updated on device (Trendmicro blog).
2. Update attack : Insert only the update component in the App. Download the actual malware payload at runtime.
3. Drive-by download : Using QR code, SMS link, Social media link, Bluetooth, USB.

4. Malicious install of an APK
1. Root exploit
2. Misuse Android Accessibility services
3. Create confusion through popups and look-alikes
4. Prevent removal by storing in system partition
Grabos (McAfee)
https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play/

5. PC to mobile infection
Android.Claco: Runs on the Mobile device. Downloads Windows executable and places it in the root directory of the SD card. When the mobile device is connected to a PC, and if the AutoRun feature is enabled, Windows will automatically execute the malicious file.
Trojan.Droidpak: Runs on Windows as system service. Downloads malware APK and even “adb”. Attempts to install the APK on the connected Mobile (if USB debugging Mode is On).

6. Loopholes in Google Playstore
Innovation by Android.dvmap
“To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March, 2017, and would then update it with a malicious version for short period of time. Usually they would upload a clean version back on Google Play the very same day. They did this at least 5 times between 18 April and 15 May.”
https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/

7. Activation methods
BOOT COMPLETED event to kick off background services
SMS RECEIVED broadcast
SCREEN TURNED OFF

8. Top permissions asked by Malware
Unless you have a root exploit, you require “Permissions” in the Manifest.
1. Internet
2. Access_network_state
3. read/write external storage
4. Read phone state
5. Access wifi state
6. Access coarse/fine location
7. Read/write contacts

9. How to create overlay windows
Bank malware needs to overlay a window which resembles the bank login website. Ways to achieve this overlay:
1. Use permission SYSTEM_ALERT_WINDOW.
2. Seek permission to use “Accessibility services” which allows access to UI of other running apps, and create overlays. (Used by SvPeng)
3. Use “TOAST” notification to create full-screen window (on pre-Oreo). See “Toast overlay attack” in Sept 2017.

10. Botnets
Evolution of Command and Control (C&C) architecture
1. First generation had single C&C server
2. Semi-distributed
3. Peer-to-peer
To avoid hard-coded URLs, C&C URL is generated using domain name generation (DGA) seeded by current date. Or the C&C is a twitter account whose name is generated dynamically (e.g. twikabot). Bot then decrypts and executes tweets.
Rapidly rotate the IP address of the C&C server : “Fast flux botnet”.

11. Evade detection by anti-malware tools
1. All constant strings in APK are encrypted
2. Use of Base64 encoding
3. Network traffic is encrypted
4. Call via reflection; decrypt class and method names just before call
5. Decryption key is not hard-coded but derived at runtime
6. Hide payload inside images folder
7. Use Android Packers or Protectors
8. Alter behaviour when running inside Emulator
9. Modify the code at runtime to evade static signatures (metamorphic malware).

12. Hide the payload inside an image
PNG file has many chunks, each with its header and length
If a chunk has an unknown header, the PNG reader will skip it
PNG with a legitimate image (app icon) can contain malware (encrypted)
Load malware payload from chunk, decrypt and run using DexClassLoader
Anomaly : Look for a small image having large size !
Axelle Apvrille. Hide Android Applications in Images. Blackhat Europe 2014
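The two checks slide 12 suggests for a defender (walk the chunk list and flag anything a decoder would skip, and compare the file size with what the declared pixel dimensions justify) can be done with a few dozen lines of plain Python. The scanner below is an added example written for this page, not code from the presentation or from Apvrille's talk; the 1x1 icon it scans and the private chunk type `paYl` are constructed for the demo.

```python
"""Added example: flag PNG chunks that could be smuggling a payload.

Constructed sample, not code from the presentation. The chunk type 'paYl'
is a made-up private chunk used only to build the test image.
"""
import struct
import zlib
from typing import Iterator, List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification. A standard decoder silently
# skips any other (unknown) chunk, which is what the hiding trick relies on.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
# Channels per pixel for each PNG colour type.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def iter_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes, bool]]:
    """Yield (type, payload, crc_ok) for each chunk, in file order."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        yield ctype, payload, zlib.crc32(ctype + payload) == crc
        pos += 12 + length
        if ctype == b"IEND":
            break


def scan_png(data: bytes, ratio: float = 4.0, slack: int = 256) -> List[str]:
    """Return human-readable findings; an empty list means nothing odd."""
    findings: List[str] = []
    width = height = 0
    bpp = 4
    for ctype, payload, crc_ok in iter_chunks(data):
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"bad CRC on chunk {name}")
        if ctype == b"IHDR" and len(payload) >= 10:
            width, height, depth, colour = struct.unpack(">IIBB", payload[:10])
            bpp = CHANNELS.get(colour, 4) * max(depth, 8) // 8
        elif ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {name} carrying {len(payload)} bytes")
    # The "small image, large file" anomaly from the slide: raw pixel data is
    # width*height*bpp plus one filter byte per row; a genuine file should not
    # be many times larger than that once header overhead (slack) is allowed.
    raw = width * height * bpp + height
    if width and len(data) > ratio * raw + slack:
        findings.append(f"file is {len(data)} bytes but a {width}x{height} image "
                        f"needs at most about {int(ratio * raw) + slack} bytes")
    return findings


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def make_sample_png(hidden: bytes = b"") -> bytes:
    """Constructed 1x1 RGBA icon; 'hidden' is appended as a private chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00\xff")  # filter byte + one red pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    if hidden:
        png += _chunk(b"paYl", hidden)
    return png + _chunk(b"IEND", b"")


if __name__ == "__main__":
    for label, img in (("clean", make_sample_png()),
                       ("stuffed", make_sample_png(b"\x00" * 4096))):
        print(label, scan_png(img) or ["no findings"])
```

The size ratio and slack are tuning knobs, not constants from the talk: a real icon set will contain legitimately large `iCCP` or `tEXt` chunks, so in practice the unknown-chunk finding is the stronger signal and the size check is a cheap pre-filter for which files to open.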
13. Packers and Protectors
Top packers : Bangcle, APKProtect.com, Baidu, Tencent
● Encrypts the APK and stores it in assets folder
● Replaces the APK Main Activity by their own
● Inserts its own decryption library (native C)
● During run, decrypts your APK in the RAM and runs it
Packers developed to protect vendor IP, but being misused to distribute malware. Packed APK cannot be detected by static or dynamic analysis.

16. Emulator evasion techniques-1
deviceID, phonenumber, IMEI, IMSI are faked on emulator
● TelephonyManager.getDeviceId().equals(“00000…”)
● TelephonyManager.getSimCountryIso().equals(“Android”)
● TelephonyManager.getSimOperatorName().equals(“Android”)
● TelephonyManager.getLine1Number().equals(“15555215554”) where 15555521 is a constant, and emulator port number is 5554
https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/

17. Emulator evasion techniques-2
Inside emulator, the build info is set to fake values
● BUILD.MODEL contains either “google_sdk”, “Emulator”, “Android SDK”.
● BUILD.FINGERPRINT starts with “generic”, “unknown”
● BUILD.MANUFACTURER contains “Genymotion”
● BUILD.BRAND starts with “generic”
● BUILD.DEVICE starts with “generic”

18. Emulator evasion techniques-3
Emulator properties give it away
1. System properties “ro.bootloader”, “ro.bootmode”, “ro.hardware”, “ro.product.mode”, etc are set to “Unknown”, “generic”, “sdk” etc.
2. Emulator related files exist : “/dev/socket/qemud”, “/system/lib/libc_malloc_debug_qemu.so”, “/sys/qemu_trace”, “/system/bin/qemu-props”.
3. getInstallerPackageName() = “com.android.vending” (i.e. app was installed using “adb”).
4. Check if user’s email address contains “google”, “tester”, etc.

19. Detect if running in debugger
Check Debug.isDebuggerConnected(), Debug.waitingForDebugger()
Launch multiple threads and let one thread attach to another using ptrace(), because a process can only be attached by one process. [Packergrind paper]

20. Delay the attack
Delay the attack by fixed time (e.g. 24 hours) which is long enough to beat sandbox testing.
Launch malware only when Google Play is launched, by adding the application’s main intent to the category “android.intent.category.APPMARKET”. (done by “Tascudap”)

21. Polymorphic and metamorphic malware
Oligomorphic :
Polymorphic
● Use of encryption for strings, payloads; Data append/prepend
Metamorphic (hard to detect using file signatures)
1. Reorder instructions or data structures
2. Add Semantic NOPs
3. Register reassignment
https://reverseengineering.stackexchange.com/questions/1696/what-are-the-differences-between-metamorphic-oligomorphic-and-polymorphic-malwa

22. Malware toolkits
Adware SDK : MDash, Xavier, lgexin
Botnet : Bilal Bot, GM Bot, KNL Bot
Rooting tools : https://github.com/android-rooting-tools (older Android versions)

23. Malware databases
Android Malware Genome Database (outdated)
Contagio
Drebin
(Individual vendors collect their own databases)

24. Malware Detection Methods
● Static analysis (signature, ML)
● Dynamic analysis (sandbox)
● Opcode analysis (custom, ML)
● Hybrid

25. Static analysis
Check
● Uses-feature in Manifest
● Permissions in Manifest
● Intents
● Use of DexClassLoader, NDK Loadlib
● Use of crypto API
● OS system calls
● Receiving broadcasts
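The manifest items on this checklist (permissions, intents, receivers) can be triaged before any code is decompiled. The script below is an added example for this page, not tooling from the presentation: it parses a decoded AndroidManifest.xml and scores it against the permission list of slide 8, the activation broadcasts of slide 7, the APPMARKET trick of slide 20 and the device-admin-plus-SMS combination of slide 37 (the slide's "sendSMSmessage permission" is taken here to mean SEND_SMS, an assumption). It assumes the binary manifest has already been decoded to text, as apktool or androguard do; both manifests below are constructed for the demo.

```python
"""Added example: manifest triage for the static-analysis checklist.

Not the presentation's code. Assumes the binary AndroidManifest.xml has
already been decoded to text; the manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID = "{http://schemas.android.com/apk/res/android}"  # attribute namespace

# Watch list drawn from the slides: the most-requested permissions on slide 8,
# the overlay permission on slide 9 and the SMS permissions behind slide 2.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
# Broadcasts used as activation triggers (slide 7). SCREEN_OFF is left out
# because it can only be registered at runtime, not declared in the manifest.
ACTIVATION_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}


def analyze_manifest(xml_text: str) -> Dict[str, object]:
    """Return the package name, its permissions and a list of findings."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID + "name") for e in root.iter("action")}
    categories = {e.get(ANDROID + "name") for e in root.iter("category")}
    findings: List[str] = []
    for p in sorted(perms & SUSPECT_PERMISSIONS):
        findings.append(f"requests {p}")
    for a in sorted(actions & ACTIVATION_ACTIONS):
        findings.append(f"receiver triggered by {a}")
    # Feature 7 of the AlphaAv list on slide 37 (SEND_SMS assumed for "sendSMSmessage").
    if ("android.app.action.DEVICE_ADMIN_ENABLED" in actions
            and "android.permission.SEND_SMS" in perms):
        findings.append("DEVICE_ADMIN_ENABLED receiver combined with SEND_SMS")
    # The delayed-trigger trick from slide 20: main intent in the APPMARKET category.
    if "android.intent.category.APPMARKET" in categories:
        findings.append("main intent filter declares APPMARKET category")
    return {"package": root.get("package"), "permissions": sorted(perms),
            "findings": findings, "score": len(findings)}


# Constructed manifest that trips several rules at once.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
        <category android:name="android.intent.category.APPMARKET"/>
      </intent-filter>
    </activity>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary network-using app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = analyze_manifest(text)
        print(result["package"], "score", result["score"], result["findings"])
```

INTERNET and ACCESS_NETWORK_STATE are deliberately not on the watch list even though slide 8 ranks them first: almost every benign app requests them, so they add no discrimination. A score is only a triage aid; the DexClassLoader, crypto API and system-call items on the checklist need the dex code, not the manifest.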
26. Dynamic Analysis
Run APK in Sandbox - e.g. DroidBox, Andrubis
Record
1. API calls
2. OS system calls
3. Network traffic
4. Battery consumption
5. CPU usage

27. Network monitoring
Malware tends to use DNS, HTTP (OkHttp), IRC, and TOR !
1. DNS query may be used to locate C&C server.
2. Why OkHttp? It can contact multiple alternative HTTP servers, and retries silently and periodically in case of failure.
3. IRC is popular because it supports redundancy (multi-master), has builtin login protocol, and offers full 2-way communication.
4. TOR : Difficult to shutdown a botnet using TOR, as you cannot de-anonymize the C&C server sitting inside TOR network.
5. App may not request Internet permissions but use other apps like browser to send/recv data over network

28. Dynamic Analysis - Andrubis
Andrubis does “Stimulation” instead of passive wait or UI exploration.
1. Invoke all Activities (not just Main) found in the Manifest
2. Patch Android ActivityManager to start all background services automatically.
3. Intercept calls to “registerReceiver” and use ActivityManager to invoke them.
4. Broadcast common events such as SMS, WiFi+3G connectivity, GPS lock, phone calls, phone state changes to trigger OS and App behaviour.
Andrubis is now commercial - Lastline
[Weichselbaum, et al. Andrubis. Android Malware under the magnifying glass]

29. TaintDroid
Leverages Android virtualized env. Assumes no app is trusted.
It labels (taints) data from privacy-sensitive sources
Transitively applies labels as sensitive data propagates through program variables, files, and interprocess messages.
When tainted data are transmitted over the network, or otherwise leave the system, TaintDroid logs the data’s labels, the application responsible for transmitting the data, and the data’s destination.
[Enck, et al. TaintDroid - OSDI 2010]
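The three steps the slide lists (label at the source, propagate through operations and files, log at the network sink) can be shown on plain Python values without any Dalvik instrumentation. The toy below is an added example written for this page; it is not TaintDroid's code and it tracks labels on explicit wrapper objects rather than in the VM as TaintDroid does. The IMEI, the location, the file path, the app name and the destination hosts are all constructed.

```python
"""Added example: a toy model of TaintDroid-style label propagation.

Not TaintDroid's code. Labels ride on explicit wrapper objects here; the
real system stores them alongside Dalvik registers, files and IPC messages.
Sources, sinks and sample values are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Tainted:
    """A value plus the set of privacy labels it was derived from."""
    value: Any
    labels: frozenset = frozenset()


def source(value: Any, label: str) -> Tainted:
    """Privacy-sensitive source (IMEI, location, contacts): attach a label."""
    return Tainted(value, frozenset({label}))


def op(fn: Callable, *args: Any) -> Tainted:
    """Propagate taint: the result carries the union of its inputs' labels."""
    plain = [a.value if isinstance(a, Tainted) else a for a in args]
    labels = frozenset().union(*(a.labels for a in args if isinstance(a, Tainted)))
    return Tainted(fn(*plain), labels)


class Monitor:
    """Stands in for the labelled file system and the network sink logger."""

    def __init__(self) -> None:
        self.files: Dict[str, Tainted] = {}
        self.log: List[dict] = []

    def write_file(self, path: str, data: Tainted) -> None:
        self.files[path] = data  # labels are kept with the file, as in TaintDroid

    def read_file(self, path: str) -> Tainted:
        return self.files[path]

    def network_send(self, app: str, dest: str, data: Any) -> None:
        """Sink: record labels, sending app and destination if data is tainted."""
        if isinstance(data, Tainted) and data.labels:
            self.log.append({"app": app, "dest": dest, "labels": sorted(data.labels)})


def run_demo() -> List[dict]:
    """Walk one leak and one harmless request through the monitor."""
    m = Monitor()
    imei = source("356938035643809", "IMEI")       # constructed sample IMEI
    loc = source((12.97, 77.59), "LOCATION")       # constructed coordinates
    # Hashing does not launder the label: the digest is still derived from the IMEI.
    digest = op(lambda s: hex(hash(s) & 0xFFFF), imei)
    m.write_file("/sdcard/.cache", digest)         # label survives the file round trip
    payload = op(lambda d, l: f"{d}|{l[0]},{l[1]}", m.read_file("/sdcard/.cache"), loc)
    m.network_send("com.example.flashlight", "c2.invalid", payload)
    m.network_send("com.example.flashlight", "cdn.invalid", "version=1.2")  # untainted
    return m.log


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

The point the demo makes is the one TaintDroid's design rests on: the logger never inspects the bytes on the wire, so encrypting, hashing or encoding the data before sending it (items 1 to 3 on slide 11) does not hide the leak, because the labels travel with the derived value rather than with its content.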
31. Beat the malware’s emulator detection
Make the emulator look like a real device
● Set geo-location : “adb emu geo fix longitude latitude altitude”
● Change hard-coded IMEI and IMSI in the emulator binary
● Set emulator port to be other than 5554 or 5584.
● Use “genymotion” - which apparently has addressed all these issues
Axelle Apvrille. Android malware reverse engineering

32. How to beat the Packers
Some packers decrypt the original APK at known locations in RAM. Use that to find and analyze the decrypted APK at runtime. [Strazzere talk at Defcon 14 https://github.com/strazzere/android-unpacker]
DexHunter modified Dalvik runtime (ART/OAT) to trap ClassLoader. [Zhang, et al. DexHunter ESORICS 2015 https://github.com/zyq8709/DexHunter]
PackerGrind [Xue, et al. Adaptive Unpacking of Android Apps]
DaBID Debugger [Blackhat Asia 2015]

33. Opcode analysis
Classify apps according to n-grams of opcodes in the APK.
Dalvik has 218 unique opcodes
Split the opcodes at class method boundaries before creating n-grams.
Strip the opcode arguments (operands)
Here, 1-gram is just a histogram of frequencies
This method works with obfuscated code !
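The feature extraction this slide describes (strip operands, cut at method boundaries, count n-grams) is short enough to show end to end, and running it on two "apps" whose strings and class names differ but whose opcodes match shows why the slide says the method survives the string encryption and renaming listed on slides 11 and 21. The code below is an added example written for this page, not the presentation's; the two smali-style method bodies are constructed, not real samples.

```python
"""Added example: opcode n-gram features from disassembled Dalvik code.

Not the presentation's code. The two 'apps' below are constructed
smali-style method bodies, not real samples.
"""
import math
from collections import Counter
from typing import Dict, List

# A disassembled method is a list of smali-style lines. Labels (':cond_0')
# and directives ('.line 12') are not instructions and are dropped.
Method = List[str]


def opcode_only(line: str) -> str:
    """'const-string v0, "x"' -> 'const-string'; '' for labels/directives."""
    tok = line.strip().split(None, 1)
    if not tok or tok[0][0] in ":.#":
        return ""
    return tok[0]


def method_opcodes(method: Method) -> List[str]:
    return [op for op in map(opcode_only, method) if op]


def ngram_histogram(methods: Dict[str, Method], n: int) -> Counter:
    """Count opcode n-grams; a window never crosses a method boundary."""
    hist: Counter = Counter()
    for body in methods.values():
        ops = method_opcodes(body)
        for i in range(len(ops) - n + 1):
            hist[tuple(ops[i:i + n])] += 1
    return hist


def cosine(a: Counter, b: Counter) -> float:
    """Similarity of two histograms; 1.0 means an identical opcode mix."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


# Constructed sample: operands (registers, strings, class names) differ
# between the two apps, as they would after renaming or string encryption,
# but the opcode sequence is the same, so the n-gram features still match.
APP_A = {
    "Lcom/a/Main;->onCreate()V": [
        "invoke-direct {p0}, Landroid/app/Activity;-><init>()V",
        'const-string v0, "http://update.invalid/p.png"',
        "invoke-static {v0}, Lcom/a/Net;->fetch(Ljava/lang/String;)V",
        "return-void",
    ],
    "Lcom/a/Main;->run()V": [
        ".line 40",
        "const/4 v0, 0x1",
        "if-eqz v0, :cond_0",
        "invoke-virtual {p0}, Lcom/a/Main;->work()V",
        ":cond_0",
        "return-void",
    ],
}
APP_B = {
    "Lx/y/Z;->a()V": [
        "invoke-direct {p0}, Landroid/app/Activity;-><init>()V",
        'const-string v3, "Q2hlY2sgbWUgb3V0"',
        "invoke-static {v3}, Lx/y/Q;->b(Ljava/lang/String;)V",
        "return-void",
    ],
    "Lx/y/Z;->c()V": [
        "const/4 v1, 0x1",
        "if-eqz v1, :cond_1",
        "invoke-virtual {p0}, Lx/y/Z;->d()V",
        ":cond_1",
        "return-void",
    ],
}


def compare(n: int = 2) -> float:
    """Cosine similarity of the two constructed apps' opcode n-grams."""
    return cosine(ngram_histogram(APP_A, n), ngram_histogram(APP_B, n))


if __name__ == "__main__":
    print("1-gram histogram of APP_A:", dict(ngram_histogram(APP_A, 1)))
    for n in (1, 2, 3):
        print(f"{n}-gram similarity A vs B: {compare(n):.3f}")
```

Per-method splitting matters for more than tidiness: with 218 opcodes a 3-gram space already has about ten million cells, so the histograms are sparse and a handful of spurious bigrams formed across unrelated methods would shift the cosine score. Strictly the technique is only as obfuscation-proof as the slide claims for string and identifier obfuscation; the metamorphic tricks on slide 21 (reordering, semantic NOPs) change the opcode sequence itself and push the similarity down.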
34. ML model over opcode sequences
ML : the holy grail !
Treat opcode sequence as text. Formulate malware recognition as an NLP problem.
Feed the opcode sequence to a Neural Net. System dynamically learns the length of the n-gram which is most relevant.
[McLaughlin et al. Deep Android Malware Detection. CODASPY 2017]

35. ML model over API or OS calls
These require first running the App in an emulator to capture dynamic behaviour.
Malware may not exhibit all the malicious behaviour during test.

36. Baidu Appstore
Baidu has ACS which is equivalent of Google’s Bouncer
They offer an APK Protector (http://apkprotect.baidu.com)
Evolution of their anti-malware strategy
1. Signature-based rules
2. Behaviour-based rules
3. Opcode-based rules
4. As of 2016 : Deep learning model called “AlphaAv”
Thomas Wang (Baidu). AI Based Antivirus. Blackhat 2016

37. Baidu Appstore
AlphaAv ML model extracts features from APK
1. Permissions in Manifest.
2. Number of picture files in /res
3. Number of fields of type “boolean”
4. Number of methods with parameters > 20
5. Has executable file in /res ?
6. Has apk file in /assets ?
7. Registers for DEVICE_ADMIN_ENABLED broadcast and has sendSMSmessage permission

38. Google Playstore Components
1. Bouncer : test submitted apps in Google Cloud
2. Verify Apps : runs on device. Warn or block installation of harmful apps; continuously scan apps running on device; kill malware apps remotely.
3. SafetyNet : privacy preserving IDS.
4. SafetyNet Attestation : determine if the device is CTS compatible
5. Android Device Manager : locate a stolen or lost device
6. Android Update service : deliver updates to the device through web or OTA.

39. Google Playstore
Vertical monitoring : Check if runtime behaviour differs from upload-time (testing) behaviour ?
Lateral Monitoring : How does the same App work across all the devices ?
A device that fails to perform the periodic “Verify Apps” check after an App install is flagged as DOI (Dead or Insecure)
The “Verify Apps” service computes a DOI score of each App. All Apps should have DOI score in same range.
https://android-developers.googleblog.com/2017/01/findingmalware.html

40. Malware detection tools
Urlvoid : check if a URL is blacklisted.
VirusTotal (owned by Alphabet) : collaborative platform. Your submitted APK is checked against large number of malware engines - McAfee, AVG, TrendMicro.
Koodous : another collaborative platform

41. Resources
1. Conferences : Blackhat, DefCon, RSA, IEEE Security & Privacy, USENIX Security, ACM. Also see uploaded videos of past conferences.
2. https://github.com/ashishb/android-security-awesome

42. Malware detection
Theoretical result by Fred Cohen
The “virus detection” problem can be reduced to the “halting problem” - hence undecidable whether a program has a virus.
Therefore, Anti-virus algorithms are essentially probabilistic.