Steven Arzt — CHOOSE Talk — 2016-11-15
http://www.choose.s-i.ch/events/arzt-2016/
Android malware is getting more and more sophisticated. So-called "sleeper" applications only trigger their malicious behavior after a certain time has passed or event has happened, effectively evading many dynamic analysis techniques. Other techniques include integrity checks as well as detectors for emulators, rooted devices, and hooks. If any such sign is detected, the malware refrains from its actual malicious behavior. For countering static analyses, these apps apply code encryption, packers, and code obfuscators. Together, these features render most automated analyses ineffective, leaving a manual analysis as the only viable option — a very difficult and time-consuming undertaking.
To alleviate the problem, we propose CodeInspect, a new integrated reverse-engineering environment extending the Eclipse IDE and targeting sophisticated state-of-the-art malware apps for Android. CodeInspect not only features an interactive debugger that can work on the bytecode level, but also various static and dynamic analyses that support the human analyst. One can display data flows inside the app, check which permissions are used where in the code, what strings are computed or decrypted at runtime, which code is dynamically loaded and more. Reverse engineers can even add new Java source classes or projects into the application, which can then be called from the original app’s code. This is especially useful when implementing decryption methods which can be directly tested in place.
Store operator: Collaboration from developer possible, similar to Apple
Still: Attacker can try to hide malicious behavior
Underhanded C contest
Android: Binary upload only
Need binary analysis
In the end: Black box analysis on APK file
Mutate code – no more matching
Code changes
Obfuscators
Packers
Construction toolkits
Problem: Fuzzy signatures may lead to false positives
Hacking Event, one evening with qualification phase before
Apps asking for a password, participants had to find out the password
Nobody solved all challenges
One particularly hard challenge
Nobody solved it until now, even after the challenge
All tools allowed, do whatever you want
Try it!
Too many possible combinations to try
Benign and malicious apps use obfuscation
Hardening for banking apps
Environment checks may hint at malicious behavior
Give the human analyst
Static analysis
Dynamic analysis
Hybrid analysis
Explain typed language vs. Smali
Actual malware (Korea threat)
Command&control server can instruct the malware to download and install a new APK
Remote code execution
Constant propagator for file name
Variable naming from types, other schemes possible
Explain SMS channel = focus of live demo
Permission uses: Next slide
Sends SMS messages
Next slide: Check where the sendSms() method is called
Registration with command&control server directly after the app is started
Conditions: Behavior triggered by the user or stealthy, emulator/environment checks, cheesy obfuscations
Remote triggers: Command&control server communication
Runtime values: Target phone number, country checks, IMEI check (emulator detection)?
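The constant propagation mentioned above for the file name and for the sendSms target number, as an added illustration (not CodeInspect's own code): a toy forward propagator over a constructed, Smali-like instruction list. The opcode names, register names, the XOR key and the phone number are assumptions made for the example; registers fed from the IMEI stay unknown, which is exactly the case the analyst must resolve dynamically.

```python
"""Toy constant propagator over a Smali-like instruction list (added example)."""

UNKNOWN = None  # register whose value exists only at runtime (IMEI, server reply, ...)
KEY = 0x2A      # assumed XOR key used by the constructed sample's string decoder


def obfuscate(text, key=KEY):
    """Build the XOR-encoded literal the constructed sample stores in the APK."""
    return "".join(chr(ord(c) ^ key) for c in text)


# Constructed instruction stream: the file name is stored XOR-encoded and the target
# number is assembled from two pieces, so neither appears as a plain string in the APK.
SAMPLE = [
    ("const-string", "v0", obfuscate("payload.apk")),
    ("xor-decode", "v1", "v0", KEY),        # v1 = decode(v0)  -> "payload.apk"
    ("const-string", "v2", "+1555555"),
    ("const-string", "v3", "0100"),
    ("concat", "v4", "v2", "v3"),            # v4 = v2 + v3     -> "+15555550100"
    ("invoke", "sendSms", "v4", "v1"),
    ("runtime", "v5"),                       # IMEI read: opaque to static analysis
    ("invoke", "isEmulator", "v5"),
]


def propagate(instrs):
    """Walk straight-line code, track string constants per register and return the
    concrete arguments of every invoke in program order (None = not statically known)."""
    regs, calls = {}, []
    for ins in instrs:
        op = ins[0]
        if op == "const-string":
            regs[ins[1]] = ins[2]
        elif op == "concat":
            a, b = regs.get(ins[2]), regs.get(ins[3])
            regs[ins[1]] = a + b if a is not None and b is not None else UNKNOWN
        elif op == "xor-decode":
            src = regs.get(ins[2])
            regs[ins[1]] = obfuscate(src, ins[3]) if src is not None else UNKNOWN
        elif op == "runtime":
            regs[ins[1]] = UNKNOWN
        elif op == "invoke":
            calls.append((ins[1], [regs.get(r) for r in ins[2:]]))
        else:
            raise ValueError(f"unsupported opcode {op}")
    return calls


if __name__ == "__main__":
    for method, args in propagate(SAMPLE):
        print(f"{method}({', '.join(repr(a) if a is not None else '<runtime>' for a in args)})")
```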
Seems to be doing something with Commerzbank, but is obviously not a banking app -> suspicious
Checks whether a certain app is installed -> suspicious
Talk summary
CodeInspect simplifies code understanding and analysis
Features debugger and code manipulation
Plug-ins for enhancing the functionality, more to come