Steven Arzt — CHOOSE Talk — 2016-11-15 http://www.choose.s-i.ch/events/arzt-2016/ Android malware is getting more and more sophisticated. So-called "sleeper" applications only trigger their malicious behavior after a certain time has passed or event has happened, effectively evading many dynamic analysis techniques. Other techniques include integrity checks as well as detectors for emulators, rooted devices, and hooks. If any such sign is detected, the malware refrains from its actual malicious behavior. For countering static analyses, these apps apply code encryption, packers, and code obfuscators. Together, these features render most automated analyses ineffective, leaving a manual analysis as the only viable option — a very difficult and time-consuming undertaking. To alleviate the problem, we propose CodeInspect, a new integrated reverse-engineering environment extending the Eclipse IDE and targeting sophisticated state-of-the-art malware apps for Android. CodeInspect not only features an interactive debugger that can work on the bytecode level, but also various static and dynamic analyses that support the human analyst. One can display data flows inside the app, check which permissions are used where in the code, what strings are computed or decrypted at runtime, which code is dynamically loaded and more. Reverse engineers can even add new Java source classes or projects into the application, which can then be called from the original app’s code. This is especially useful when implementing decryption methods which can be directly tested in place.

1. © Fraunhofer
Partner in
MALWARE ANALYSIS WITH
CODEINSPECT
Combating sophisticated Android malware

2. © Fraunhofer
Partner in
AGENDA
 Android Malware: Quo Vadis?
 Dissecting Malware with CodeInspect
 Advanced Static Analysis
 Conclusions

3. © Fraunhofer
Partner in
Who Am I?
 4th year PhD Student at TU Darmstadt
 Researcher at Fraunhofer SIT
 Research interests:
 Static analysis
 IT security
 Community service
 Reviewer for conferences & journals
 Maintainer of Soot and FlowDroid

4. © Fraunhofer
Partner in
The Android Ecosystem
Developer
User

5. © Fraunhofer
Partner in
The Android Ecosystem (2)
vs.

6. © Fraunhofer
Partner in
Are Virus Scanners The Solution?
Signature 1
Signature 2
…
Signature 3

7. © Fraunhofer
Partner in
How Hard Can It Be?

8. © Fraunhofer
Partner in
Malware Evades Detection – Dynamic Analysis (1)
Timing Bombs Emulator Detection Country Targeting
IP Restrictions Provider Checking Integrity Checking

9. © Fraunhofer
Partner in
Malware Evades Detection – Dynamic Analysis (2)
Command-and-
Control
UI Dependencies Logic Bombs
File Checking App Checking

10. © Fraunhofer
Partner in
Malware Evades Detection – Static Analysis
Packers Reflection
Dynamic Code
Loading
Native Code Interpreters

11. © Fraunhofer
Partner in
What Do You Have to Hide?
vs.

12. © Fraunhofer
Partner in
First Takeaway Messages (1)
 No practically usable analysis can be sound
 Over-approximate everywhere -> useless analysis
 Real-world apps escape academic models quickly
 Use full language with reflection, etc.
 Mix of programming languages and libraries

13. © Fraunhofer
Partner in
First Takeaway Messages (2)
 Real-world constraints
 Large apps
 Immense volume of apps published or updated daily
 Minimum burden for developers and users
 Get new features out quickly
 Need good reasons to block apps or people out

14. © Fraunhofer
Partner in
Hybrid Analysis Approach
Static Analysis Dynamic Analysis
Analysis Information

15. © Fraunhofer
Partner in
FuzzDroid (1)
Under which environment does the app execute the
given API call?

16. © Fraunhofer
Partner in
FuzzDroid (2)
Static Analysis Dynamic Analysis
Environment
Runtime Data

17. © Fraunhofer
Partner in
FuzzDroid Evaluation
0 10 20 30 40 50 60 70 80
Locations
Apps
Launch Launch & Trigger FuzzDroid

18. © Fraunhofer
Partner in
Human in The Loop
Static Analysis Dynamic Analysis

19. © Fraunhofer
Partner in

20. © Fraunhofer
Partner in
CodeInspect At A Glance (1)
• Based on Eclipse RCP
• Work as you would on source code in Eclipse
• Navigate through the code
• Add, change, and remove code
• Inject arbitrary Java code
• Start and debug your app
• Inspect and change runtime values

21. © Fraunhofer
Partner in
CodeInspect At A Glance (2)

22. © Fraunhofer
Partner in
CodeInspect At A Glance (3)
• Sophisticated Static and Dynamic Analysis
• Permission Use Analysis
• Sensitive API Call Detection
• Data Flow Tracking
• Runtime Code Injection
• App Communication Analysis

23. © Fraunhofer
Partner in
public void foo() {
byte[] $arrbyte;
java.io.FileOutputStream $FileOutputStream;
…
specialinvoke this.<android.app.Service: void onCreate()>();
$File = new java.io.File;
specialinvoke $File.<java.io.File: void <init>(java.lang.String)>("/sdcard/test.apk");
specialinvoke $FileOutputStream.<java.io.FileOutputStream: void <init>(java.io.File)>($File);
$arrbyte = newarray (byte)[1024];
$int = virtualinvoke $InputStream.<java.io.InputStream: int read(byte[])>($arrbyte);
…
The Jimple IR
Method Declaration
Variable Declarations
Implementation

24. © Fraunhofer
Partner in
Live Demo (1)

25. © Fraunhofer
Partner in
Live Demo (2)

26. © Fraunhofer
Partner in
Live Demo (3)

27. © Fraunhofer
Partner in
Live Demo Wrap-Up
1. Find interesting starting points
 External guidance (network sniff, etc.)
 Text search
 Manifest analysis: main activity, application class, etc.
 Permission uses
2. Debug the app for the details
 Circumvent environment checks (e.g., emulator)
 Step over reflective calls for free
 URLs, IP addresses, e-mail addresses, telephone numbers, etc.

28. © Fraunhofer
Partner in
Advanced Static Analysis: Permission Usage

29. © Fraunhofer
Partner in
Where is this called?

30. © Fraunhofer
Partner in
Investigating the SMS Message
 Set breakpoints
 in onCreate()
 in sendSms()
 Look at the path in between
 Conditions?
 Remote triggers?
 Runtime values?
 Emulate necessary events
 Incoming SMS message, location change, etc.

31. © Fraunhofer
Partner in
Advanced Static Analysis: String Constants (1)

32. © Fraunhofer
Partner in
Advanced Static Analysis: String Constants (2)

33. © Fraunhofer
Partner in
Advanced Static Analysis: String Constants (3)
 Look for common patterns
 http:// and https:// connections
 Telephone Numbers
 File paths (/sdcard/)
 Case-specific patterns
 Bank names
 Country names
 Strings from SMS messages or e-mails

34. © Fraunhofer
Partner in
Advanced Static Analysis: Sensitive API Calls

35. © Fraunhofer
Partner in
Conclusions
 Android malware protected against
 Static analysis
 Dynamic analysis
 Solution 1: Hybrid analyses
 FuzzDroid reconstructs environments
 Solution 2: Aid the human analyst
 CodeInspect combines debugger, static, and dynamic analysis

36. © Fraunhofer
Partner in
www.codeinspect.de
Free Demo Version Available!