SlideShare a Scribd company logo

Android Security Research and Malware Threats

FFRI, Inc.
FFRI, Inc.

This document discusses security issues in the Android operating system and possibilities for malware infection. It begins by covering kernel-level protections like DEP and ASLR, which are not fully effective in Android due to issues like prelinking neutralizing ASLR. It then discusses the application layer, explaining Android application internals involving packages, permissions, and intent-based features like activities and broadcasts. Finally, it outlines the evolution of Android malware, characteristics like using intents and premium services, issues with anti-virus software's limited privileges, and how rooting breaks security by enabling malware to gain higher privileges.

Technology
1 of 55
Download to read offline
Fourteenforty Research Institute, Inc. 1 Fourteenforty Research Institute, Inc. PacSec 2011 Tokyo How Security Broken? Android Internals and Malware Infection Possibilities Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Research Engineer – Tsukasa OI
Fourteenforty Research Institute, Inc. • Increasing Share + Increasing Malware – 3x malware increases in 2010(1) – 2010/08 : SMS malware identified (FakePlayer.A) – 2011/03 : “Undeletable” malware found (DroidDream) • Vulnerabilities and Exploits – 2003- : Implementation to prevent exploits (DEP, ASLR...) – Mobile devices also can be exploited • 2007- : JailbreakMe (payload for iOS) • 2011/03 : DroidDream (utilizing two rooting exploits) • Countermeasure : Anti-virus Software for Android – Android should be protected like PC 2 Background: Android and Threats (1) http://www.adaptivemobile.com/
Fourteenforty Research Institute, Inc. Agenda • Security in Low Layer – Protection in Kernel level • Android Internals – Packages / Permissions – Intent / Activity / Broadcast • Threats and Countermeasures – Malware Infection and Impact – rooting issues – Anti-virus software issues 3
Fourteenforty Research Institute, Inc. SECURITY IN LOW LAYER Kernel-level Memory Protection and Android 4
Fourteenforty Research Institute, Inc. -2.2 2.3-,3.0- 4.0- iOS DEP (Stack) - (1) ✔ (1) ✔ Supported: 2.0- DEP (Others) - (2) ✔ ✔ ASLR (Stack) ✔ ✔ ✔ Supported: 4.3- ASLR (Heap) - - ? / - (3) ASLR (Modules) - - ✔ / - (3) Partially supported: 4.3-(4) Kernel-level Protection : Implementation 5 (1) May vary in compiler flags for native applications. (2) Allocation in portable way (3) According to the Release note / Result in Android 4.0 emulator image (4) Only if application supports ASLR
Fourteenforty Research Institute, Inc. Kernel-level Protection : DEP • Distinguish between “data” and “code” in hardware level and Prevent “data” to be executed • Need a Compiler Flag to enable DEP – Not enabled until Android 2.2 – Kernel *disables* DEP for compatibility • Solved in Android 2.3 6 Memory Code Data Code Data OK ExecuteExecute
Fourteenforty Research Institute, Inc. Android Internals : Zygote 7 ModuleModule Module • All applications are forked from Zygote – To reduce memory footprint – Security parameter in Zygote is *very* important – All applications had “weakness” until Android 2.2 (DEP is disabled)
Fourteenforty Research Institute, Inc. Kernel-level Protection : ASLR • Randomize Memory Layout to prevent exploits – Many of recent exploits utilize *specific* address • Kernel settings : Randomize everything except heap (OK) – But actually, modules (libraries) are not randomized (no good) – Because of Prelinking 8 Target Target Memory Target TargetTarget TargetTarget ? ? ? ?
Fourteenforty Research Institute, Inc. Security Concerns : Prelinking • Prelinking (user-mode mechanism) – Locates system libraries to fixed addresses – ASLR is effectively *neutralized* because of Prelinking • Makes exploitation very easy 9 Module Memory Module Module
Fourteenforty Research Institute, Inc. • 2011/10 : Still no real Android 4.0 device... – Android 4.0 SDK emulator image is available now • Google have announced ASLR is introduced in Android 4.0 (1) – Still no ASLR in the emulator image... – I expect “proper” ASLR is implemented! Kernel-level Protection : ASLR in Android 4.0? 10 (1) http://developer.android.com/sdk/android-4.0-highlights.html
Fourteenforty Research Institute, Inc. Conclusion • Kernel-level Protections are not so effective – Possibility: Native Code exploitation • Improper build settings can be fixed – Fixed by default in Android 2.3 • Prelinking can weaken kernel-level protection – CPU performance increasing – Could be fixed! (Android 4.0) 11
Fourteenforty Research Institute, Inc. APPLICATION LAYER MECHANISMS How Android system works? 12
Fourteenforty Research Institute, Inc. Android Applications • Quite different than other platforms – Intent-based communication • Android Internals – Package and Manifest – Permission system – Intent • Activity • Broadcast and BroadcastReceiver • ... 13
Fourteenforty Research Institute, Inc. Android : How application work • Applications are contained in the Package • Register how “classes” are invoked using Manifest – System calls application “classes” if requested – Activity, Broadcast, ... 14 Package.apk Activity Broadcast Receiver Invoke Application Callback on Event AndroidManifest.xml Android System Install
Fourteenforty Research Institute, Inc. Android : Package • Package itself is only a ZIP archive • AndroidManifest.xml (Manifest) – Application information, permissions – How classes can be called (Activity, BroadcastReceiver...) • Immutable on installation – Can be “updated” along with whole package 15 APK File (ZIP format) AndroidManifest.xml (Manifest) classes.dex (Program) lib/armeabi/* (Native code) ...
Fourteenforty Research Institute, Inc. Android : Package (Permission) • Abstract “Capability” in Android system – More than 100 (internet connection, retrieve phone number...) • No permission, No operation – Permission is the key of Capability 16 App1 App2 Permission: INTERNET The Internet
Fourteenforty Research Institute, Inc. Android : Intent • Intent – Send/Receive Message containing action, target, ... • Intent are used in many form – Inter-Application Communication – Event Notification 17 “Memo” App (Choose Apps) “Mail” App “Twitter” App Post to Twitter Intent and multiple applications (Activities) startActivity
Fourteenforty Research Institute, Inc. Android : Intent (Activity) • Activity = Unit of “Action” with User Interface – Specifying object type (target) and action, Activity is called by the system automatically 18 “Memo” App (Choose Apps) “Mail” App “Twitter” App Post to Twitter Intent and multiple applications (Activities) startActivity
Fourteenforty Research Institute, Inc. Android : Intent (Broadcast) • Broadcast : Feature to Receive system/app-generated Events – All associated (and registered) BroadcastReceiver classes are invoked 19 System Intent and Broadcast (Battery Event Notification) sendBroadcast Receiver ... Receiver ... Show Warning Receiver
Fourteenforty Research Institute, Inc. Android : Intent (Ordered Broadcast) • Broadcast can have “Order” – Few broadcasts are sent “Ordered” • Ordered Broadcast – BroadcastReceiver class is invoked in order of Priority (later) – Abort Processing Broadcast using “abortBroadcast” method 20 P=999 P=100 P=0 Normal: sendBroadcast P=0P=100P=999 Ordered: sendOrderedBroadcast Receiver Receiver Receiver O. ReceiverO. Receiver O. Receiver abortBroadcast High Priority Low
Fourteenforty Research Institute, Inc. MIME Type : text/html Action : SEND Action: INSUFFICIENT BATTERY Protocol : http Host : mypict.com Action : VIEW Android : Intent Filter • Similar to File/Protocol Association in Windows – Action (what to do), Category (how to do) – File Type (MIME), Location, Protocol... • Specify in the Manifest (AndroidManifest.xml) – Android System manages all Intent Filters 21 Activity A Broadcast Receiver Activity B e.g. Application to upload text e.g. Application for specific website e.g. Battery-related service
Fourteenforty Research Institute, Inc. P=0P=100P=999 Android : Intent Filter (Priority) • Priority in Intent Filter (associated with Activity / Broadcast) – Higher Value = Higher Priority – Ordered Broadcast – Activity 22 ActivityActivityActivity P=0P=100P=999 Ordered: sendOrderedBroadcast O. ReceiverO. Receiver O. Receiver abortBroadcast High Priority Low
Fourteenforty Research Institute, Inc. Summary • Android System – Package / Manifest – Permission System • Intent-based Features – Activity – Broadcast • Ordered or not • Intent Filter to help inter-application communication – Flexibleness – Priority 23
Fourteenforty Research Institute, Inc. SECURITY AND THREATS Android Malware and Countermeasure Issues 24
Fourteenforty Research Institute, Inc. • Many malwares and Many anti-virus software – Malware impacts – Is Anti-virus software effective? • Malware – Trends and Characteristics • How Anti-virus software work? – Issue: Insufficient Privileges • rooting issues – How security has broken? – Countermeasure, and problems still left Android Security and Threats 25
Fourteenforty Research Institute, Inc. • Found on 13 Jan (McAfee) – CallAccepter, Radiocutter, SilentMutter – Targeting rooted Android 1.0 devices – Denial of Service • Released on 26 Oct : Mobile Spy – Paid Spyware (Record SMS, GPS, incoming/outgoing calls) – Similar to “Karelog” (2011) in many ways • Different Type of Attack – Not so related to Cybercrime Android Malware : 2009 26
Fourteenforty Research Institute, Inc. • Found on 10 Aug (Symantec) : FakePlayer.A – First “real” Android threat – Distributed in Russian website masquerading as a harmless movie player – Making money utilizing Premium SMS • Checkpoint : Modern Cybercrime and Android – Thereafter, Android malware became more “malicious” Android Malware : 2010 27
Fourteenforty Research Institute, Inc. • January : Repackaged Android Apps – Redistribute “tainted” Android applications • March : Undeletable Malware – Install code to the System Partition • June : Self-updating Malware – Download and Execute the code dynamically (DexClassLoader) • July, October : Malware utilizing Application Updates – Updated application include malicious code Android Malware : 2011 28
Fourteenforty Research Institute, Inc. • Classification – Spyware – Backdoor – Dialer (utilizing premium services) • China, Russia... – APN/telephone number in specific country – String resources • Messaging Channel – HTTP – SMS Android Malware : Characteristics 29
Fourteenforty Research Institute, Inc. • Paid SMS/telephone services – Japan : “Dial Q2” – Paid numbers/services have no borders • Utilizing Premium Services : Dialer – Dial Premium Services and Make Money *directly* – Dialers Reborn – Android Smartphones Android Malware : Characteristics (Premium Services) 30
Fourteenforty Research Institute, Inc. Android Malware : Utilizing Intent Filter • Receive Broadcasts to (steal information | run automatically | ...) – 39/44 malware samples • “Receiving SMS” is a Ordered Broadcast event – BroadcastReceiver with higher priority can *hide* SMS message (hidden from preinstalled SMS application) – Can hide malicious commands – 14/44 malware samples 31
Fourteenforty Research Institute, Inc. Android Malware : Evolution • Still no “real” obfuscation – Easy to analyze • Evolving Rapidly – DroidDream Use exploits to gain root privilege and install malicious packages silently – Plankton Download DEX file (Dalvik byte code) and Execute it dynamically using class loader • Refined Android malwares will cause problems (specially, the one utilizing rooting techniques) 32
Fourteenforty Research Institute, Inc. Anti-virus : How it works? • Utilizing *many* of Intent Filters and Broadcasts – Real-time scan (partially) – Scan Downloaded Files / Applications – Scan SMS messages 33 Anti-Virus Mount SD card Receive SMS Boot the Device ... Install Package Open some Files
Fourteenforty Research Institute, Inc. • Anti-virus software is working as a normal Android app – Normally implemented as a driver (PC) Anti-virus : Issue by Android Security Design 34 System Anti-Virus Driver App1 App2 Anti-Virus
Fourteenforty Research Institute, Inc. • Android as a Sandbox – Prevent Access to Other Processes – Blocks Anti-Virus software access as well – No driver can be installed Anti-virus : Issue by Android Security Design 35 System Anti-Virus Driver App1 App2 Anti-Virus
Fourteenforty Research Institute, Inc. • Collecting Samples – Vary in Security Vendors – Android Market : Automated Crawler is Prohibited Anti-Virus : Issues 36
Fourteenforty Research Institute, Inc. • Same Privilege : Malware and Anti-virus Software – Can Neutralize each other • Dynamic Heuristics is not easy – No way to intercept system calls – Signature issues – Protect partially • Still, normal existing malware can be detected and warn to the user • If malware can gain higher privilege... – Gaining root privilege = rooting Anti-virus : Same Privilege 37
Fourteenforty Research Institute, Inc. • Gaining Administrator Privileges (not available by default) – Specially, utilizing local vulnerabilities • rooting vulnerabilities – CVE-2009-1185 (exploid) – [no CVE number] (rage against the cage) – CVE-2011-1149 (psneuter) – CVE-2011-1823 (Gingerbreak) – [no CVE number] (zergRush) • Chip/Vendor-specific vulnerabilities! rooting 38
Fourteenforty Research Institute, Inc. • Logic Error in suid program – Some Android Tablet: OS command injection rooting : Vulnerabilities (1) 39 Can invoke arbitrary command in root privileges. [not available in public slides]
Fourteenforty Research Institute, Inc. • Improper User-supplied buffer access – Some Android smartphone: Sensor Device rooting : Vulnerabilities (2) 40 Can write [not available] to arbitrary user memory, bypassing copy-on-write. Destroying setuid function can generate root-privilege process. [not available in public slides]
Fourteenforty Research Institute, Inc. rooting : The Real Problem • Malware can Exploit same Vulnerability – Malware could gain higher privileges – Avoid Anti-virus software • rooting breaks some security mechanisms – Intent Filter priority value (associated with Activity) – Permission System • Security software may be neutralized 41
Fourteenforty Research Institute, Inc. • High priority Activity enables hooking – Dangerous – Reserved for System Applications Broken Security : Activity Priority (1) 42 P=0P=100P=999 User ActivitySystem ActivityUser Activity P=0P=999 0P=100 User ActivityUser ActivitySystem Activity High Priority Low
Fourteenforty Research Institute, Inc. • If malicious package is installed in the System Partition, malware can utilize higher priority of Activity – Hook implicit Intents – e.g. Hook web browser-related Intents for phishing • Does not work since Android 3.0 (because of Browser application changes) Broken Security : Activity Priority (2) 43 P=0P=0P=999 User ActivitySystem ActivitySYSTEM Activity Browser Hooks Real Web Browser High Priority Low
Fourteenforty Research Institute, Inc. Broken Security : Permission (1) • Reserved Permissions – Only available to Vendor Packages or Preinstalled Packages – Bypassing : There’s a way other than modifying System Partition... 44 User App System App INSTALL_PACKAGES permission INSTALL_PACKAGES INSTALL_PACKAGES
Fourteenforty Research Institute, Inc. Broken Security : Permission (2) • In root process, all Permissions are granted – No additional security checks (not even manifest checks) – Enables silent installation for example • GingerMaster utilizes this behavior (indirectly) 45 User App System App INSTALL_PACKAGES permission UID=0 (root) INSTALL_PACKAGES
Fourteenforty Research Institute, Inc. rooting : Countermeasures and Issues (1) • Remove found vulnerabilities – Not so easy to patch... (http://www.ipa.go.jp/about/technicalwatch/pdf/110622report.pdf) • Limit root user : Linux Security Modules (LSM) – SHARP Corp. : Deckard / Miyabi • /system partition is prohibited (cannot be re-written) • ptrace (Debugging) is prohibited • Prevents DroidDream / DroidKungFu infection – Prevent root user to be utilized • Current LSMs are not enough though... • Black Hat Abu Dhabi 2011 46
Fourteenforty Research Institute, Inc. rooting : Countermeasures and Issues (2) • Limiting root user is not enough – Permission checks – Making secure OS policy is difficult – Anti-virus software privilege is left weak • Protection specific to Android • Enabling Privilege Escalation for Security is needed! 47
Fourteenforty Research Institute, Inc. Conclusion • Malware and Anti-virus software is evolving – But, we cannot protect whole system. • rooting breaks security and neutralize Anti-virus software – Even if malware could be found, it could be undeletable. – To encounter, we need privilege improvement and whole new protection system. 48
Fourteenforty Research Institute, Inc. BOTTOM LINE Can Android be protected? 49
Fourteenforty Research Institute, Inc. Is Android Protected? (1) • Vulnerability Attacks – Android depends on many of Native Code (e.g. WebKit) – Kernel-level protection is currently not so effective • Compiler Flag (DEP) • Prelinking (disabling ASLR) – If vulnerability is found in Android, it is not difficult to exploit. – It could possibly change in Android 4.0 50
Fourteenforty Research Institute, Inc. Is Android Protected? (2) • Malware vs. Anti-virus software – Malware (as a Trojan horse) works as a spyware, backdoor or dialer utilizing Android features – rooting can make Anti-virus software completely useless • Currently, it is Difficult to protect Android devices 51
Fourteenforty Research Institute, Inc. What to do (1) • Technical Responsibility : Android Project (AOSP et al.) – Make security mechanism Strict • System Call-Level Protection (LSM) • Secure Android Framework – Help making Security Software • e.g. Giving higher privileges for specific software – Make Kernel-level Protection Better • Removing Prelinking, ... • ... it seems to be done! 52
Fourteenforty Research Institute, Inc. What to do (2) • Technical Responsibility : Device Vendor – Fix existing vulnerabilities (prevent existing malware) – Verify vendor customization • Not to break Android security mechanisms (and not to prevent user rights) 53
Fourteenforty Research Institute, Inc. Conclusion • Protection for Android is not enough, but not impossible to solve – Currently, Users must be aware of threats – Possibly, need to take resolute steps • Work together to improve Android security whilst keeping platform open 54
Fourteenforty Research Institute, Inc. 55 Thank you Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Research Engineer – Tsukasa OI <oi@fourteenforty.jp>

Recommended

A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside WinnypFFRI, Inc.
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
 

Recommended

A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside WinnypFFRI, Inc.
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
"egg" - A stealth fine grained code analyzer
"egg" - A stealth fine grained code analyzer"egg" - A stealth fine grained code analyzer
"egg" - A stealth fine grained code analyzerFFRI, Inc.
 
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainProtected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainIgor Korkin
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis systemFFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis systemFFRI, Inc.
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareTakahiro Haruyama
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
 
Fuzzing
FuzzingFuzzing
FuzzingKhalegh Salehi
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_finalPacSecJP
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
Tapping into the core
Tapping into the coreTapping into the core
Tapping into the corePositive Hack Days
 
Mr201305 tizen security_eng
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_engFFRI, Inc.
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Yet Another Android Rootkit
Yet Another Android RootkitYet Another Android Rootkit
Yet Another Android RootkitFFRI, Inc.
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidCysinfo Cyber Security Community
 

More Related Content

What's hot

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
"egg" - A stealth fine grained code analyzer
"egg" - A stealth fine grained code analyzer"egg" - A stealth fine grained code analyzer
"egg" - A stealth fine grained code analyzerFFRI, Inc.
 
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainProtected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainIgor Korkin
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis systemFFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis systemFFRI, Inc.
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareTakahiro Haruyama
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_finalPacSecJP
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
Mr201305 tizen security_eng
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_engFFRI, Inc.
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 

What's hot (20)

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradication
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
"egg" - A stealth fine grained code analyzer
"egg" - A stealth fine grained code analyzer"egg" - A stealth fine grained code analyzer
"egg" - A stealth fine grained code analyzer
 
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainProtected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis systemFFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic Software
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
 
Fuzzing
FuzzingFuzzing
Fuzzing
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
 
Tapping into the core
Tapping into the coreTapping into the core
Tapping into the core
 
Mr201305 tizen security_eng
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_eng
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 

Similar to Android Security Research and Malware Threats

Yet Another Android Rootkit
Yet Another Android RootkitYet Another Android Rootkit
Yet Another Android RootkitFFRI, Inc.
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidCysinfo Cyber Security Community
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidSam Bowne
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysisCharles Lim
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown Tom Eston
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Androidsecurityxploded
 
Malwares Malwares Malwares Malwares Malwares
Malwares Malwares Malwares Malwares MalwaresMalwares Malwares Malwares Malwares Malwares
Malwares Malwares Malwares Malwares MalwaresNioLemuelLazatinConc
 
Sasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionSasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionDejan Jeremic
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
MOBISEC 2018 - 08 - Reverse Engineering.pptx
MOBISEC 2018 - 08 - Reverse Engineering.pptxMOBISEC 2018 - 08 - Reverse Engineering.pptx
MOBISEC 2018 - 08 - Reverse Engineering.pptxEnigma58
 
Introduction to Android Development Part 1
Introduction to Android Development Part 1Introduction to Android Development Part 1
Introduction to Android Development Part 1Kainda Kiniel Daka
 

Similar to Android Security Research and Malware Threats (20)

Yet Another Android Rootkit
Yet Another Android RootkitYet Another Android Rootkit
Yet Another Android Rootkit
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Mobile security
Mobile securityMobile security
Mobile security
 
Dissecting Android APK
Dissecting Android APKDissecting Android APK
Dissecting Android APK
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: Android
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysis
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
 
Malwares Malwares Malwares Malwares Malwares
Malwares Malwares Malwares Malwares MalwaresMalwares Malwares Malwares Malwares Malwares
Malwares Malwares Malwares Malwares Malwares
 
128-ch4.pptx
128-ch4.pptx128-ch4.pptx
128-ch4.pptx
 
Securing Android
Securing AndroidSecuring Android
Securing Android
 
Sasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionSasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protection
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 
Spyware and rootkit
Spyware and rootkitSpyware and rootkit
Spyware and rootkit
 
MOBISEC 2018 - 08 - Reverse Engineering.pptx
MOBISEC 2018 - 08 - Reverse Engineering.pptxMOBISEC 2018 - 08 - Reverse Engineering.pptx
MOBISEC 2018 - 08 - Reverse Engineering.pptx
 
Introduction to Android Development Part 1
Introduction to Android Development Part 1Introduction to Android Development Part 1
Introduction to Android Development Part 1
 

More from FFRI, Inc.

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)FFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)FFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)FFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)FFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...FFRI, Inc.
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShellFFRI, Inc.
 

More from FFRI, Inc. (20)

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShell
 

Recently uploaded

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Recently uploaded (20)

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

Android Security Research and Malware Threats

  • 1. Fourteenforty Research Institute, Inc. 1 Fourteenforty Research Institute, Inc. PacSec 2011 Tokyo How Security Broken? Android Internals and Malware Infection Possibilities Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Research Engineer – Tsukasa OI
  • 2. Fourteenforty Research Institute, Inc. • Increasing Share + Increasing Malware – 3x malware increases in 2010(1) – 2010/08 : SMS malware identified (FakePlayer.A) – 2011/03 : “Undeletable” malware found (DroidDream) • Vulnerabilities and Exploits – 2003- : Implementation to prevent exploits (DEP, ASLR...) – Mobile devices also can be exploited • 2007- : JailbreakMe (payload for iOS) • 2011/03 : DroidDream (utilizing two rooting exploits) • Countermeasure : Anti-virus Software for Android – Android should be protected like PC 2 Background: Android and Threats (1) http://www.adaptivemobile.com/
  • 3. Fourteenforty Research Institute, Inc. Agenda • Security in Low Layer – Protection in Kernel level • Android Internals – Packages / Permissions – Intent / Activity / Broadcast • Threats and Countermeasures – Malware Infection and Impact – rooting issues – Anti-virus software issues 3
  • 4. Fourteenforty Research Institute, Inc. SECURITY IN LOW LAYER Kernel-level Memory Protection and Android 4
  • 5. Fourteenforty Research Institute, Inc. -2.2 2.3-,3.0- 4.0- iOS DEP (Stack) - (1) ✔ (1) ✔ Supported: 2.0- DEP (Others) - (2) ✔ ✔ ASLR (Stack) ✔ ✔ ✔ Supported: 4.3- ASLR (Heap) - - ? / - (3) ASLR (Modules) - - ✔ / - (3) Partially supported: 4.3-(4) Kernel-level Protection : Implementation 5 (1) May vary in compiler flags for native applications. (2) Allocation in portable way (3) According to the Release note / Result in Android 4.0 emulator image (4) Only if application supports ASLR
  • 6. Fourteenforty Research Institute, Inc. Kernel-level Protection : DEP • Distinguish between “data” and “code” in hardware level and Prevent “data” to be executed • Need a Compiler Flag to enable DEP – Not enabled until Android 2.2 – Kernel *disables* DEP for compatibility • Solved in Android 2.3 6 Memory Code Data Code Data OK ExecuteExecute
  • 7. Fourteenforty Research Institute, Inc. Android Internals : Zygote 7 ModuleModule Module • All applications are forked from Zygote – To reduce memory footprint – Security parameter in Zygote is *very* important – All applications had “weakness” until Android 2.2 (DEP is disabled)
  • 8. Fourteenforty Research Institute, Inc. Kernel-level Protection : ASLR • Randomize Memory Layout to prevent exploits – Many of recent exploits utilize *specific* address • Kernel settings : Randomize everything except heap (OK) – But actually, modules (libraries) are not randomized (no good) – Because of Prelinking 8 Target Target Memory Target TargetTarget TargetTarget ? ? ? ?
  • 9. Fourteenforty Research Institute, Inc. Security Concerns : Prelinking • Prelinking (user-mode mechanism) – Locates system libraries to fixed addresses – ASLR is effectively *neutralized* because of Prelinking • Makes exploitation very easy 9 Module Memory Module Module
  • 10. Fourteenforty Research Institute, Inc. • 2011/10 : Still no real Android 4.0 device... – Android 4.0 SDK emulator image is available now • Google have announced ASLR is introduced in Android 4.0 (1) – Still no ASLR in the emulator image... – I expect “proper” ASLR is implemented! Kernel-level Protection : ASLR in Android 4.0? 10 (1) http://developer.android.com/sdk/android-4.0-highlights.html
  • 11. Fourteenforty Research Institute, Inc. Conclusion • Kernel-level Protections are not so effective – Possibility: Native Code exploitation • Improper build settings can be fixed – Fixed by default in Android 2.3 • Prelinking can weaken kernel-level protection – CPU performance increasing – Could be fixed! (Android 4.0) 11
  • 12. Fourteenforty Research Institute, Inc. APPLICATION LAYER MECHANISMS How Android system works? 12
  • 13. Fourteenforty Research Institute, Inc. Android Applications • Quite different than other platforms – Intent-based communication • Android Internals – Package and Manifest – Permission system – Intent • Activity • Broadcast and BroadcastReceiver • ... 13
  • 14. Fourteenforty Research Institute, Inc. Android : How application work • Applications are contained in the Package • Register how “classes” are invoked using Manifest – System calls application “classes” if requested – Activity, Broadcast, ... 14 Package.apk Activity Broadcast Receiver Invoke Application Callback on Event AndroidManifest.xml Android System Install
  • 15. Fourteenforty Research Institute, Inc. Android : Package • Package itself is only a ZIP archive • AndroidManifest.xml (Manifest) – Application information, permissions – How classes can be called (Activity, BroadcastReceiver...) • Immutable on installation – Can be “updated” along with whole package 15 APK File (ZIP format) AndroidManifest.xml (Manifest) classes.dex (Program) lib/armeabi/* (Native code) ...
  • 16. Fourteenforty Research Institute, Inc. Android : Package (Permission) • Abstract “Capability” in Android system – More than 100 (internet connection, retrieve phone number...) • No permission, No operation – Permission is the key of Capability 16 App1 App2 Permission: INTERNET The Internet
  • 17. Fourteenforty Research Institute, Inc. Android : Intent • Intent – Send/Receive Message containing action, target, ... • Intent are used in many form – Inter-Application Communication – Event Notification 17 “Memo” App (Choose Apps) “Mail” App “Twitter” App Post to Twitter Intent and multiple applications (Activities) startActivity
  • 18. Fourteenforty Research Institute, Inc. Android : Intent (Activity) • Activity = Unit of “Action” with User Interface – Specifying object type (target) and action, Activity is called by the system automatically 18 “Memo” App (Choose Apps) “Mail” App “Twitter” App Post to Twitter Intent and multiple applications (Activities) startActivity
  • 19. Fourteenforty Research Institute, Inc. Android : Intent (Broadcast) • Broadcast : Feature to Receive system/app-generated Events – All associated (and registered) BroadcastReceiver classes are invoked 19 System Intent and Broadcast (Battery Event Notification) sendBroadcast Receiver ... Receiver ... Show Warning Receiver
  • 20. Fourteenforty Research Institute, Inc. Android : Intent (Ordered Broadcast) • Broadcast can have “Order” – Few broadcasts are sent “Ordered” • Ordered Broadcast – BroadcastReceiver class is invoked in order of Priority (later) – Abort Processing Broadcast using “abortBroadcast” method 20 P=999 P=100 P=0 Normal: sendBroadcast P=0P=100P=999 Ordered: sendOrderedBroadcast Receiver Receiver Receiver O. ReceiverO. Receiver O. Receiver abortBroadcast High Priority Low
  • 21. Fourteenforty Research Institute, Inc. MIME Type : text/html Action : SEND Action: INSUFFICIENT BATTERY Protocol : http Host : mypict.com Action : VIEW Android : Intent Filter • Similar to File/Protocol Association in Windows – Action (what to do), Category (how to do) – File Type (MIME), Location, Protocol... • Specify in the Manifest (AndroidManifest.xml) – Android System manages all Intent Filters 21 Activity A Broadcast Receiver Activity B e.g. Application to upload text e.g. Application for specific website e.g. Battery-related service
  • 22. Fourteenforty Research Institute, Inc. P=0P=100P=999 Android : Intent Filter (Priority) • Priority in Intent Filter (associated with Activity / Broadcast) – Higher Value = Higher Priority – Ordered Broadcast – Activity 22 ActivityActivityActivity P=0P=100P=999 Ordered: sendOrderedBroadcast O. ReceiverO. Receiver O. Receiver abortBroadcast High Priority Low
  • 23. Fourteenforty Research Institute, Inc. Summary • Android System – Package / Manifest – Permission System • Intent-based Features – Activity – Broadcast • Ordered or not • Intent Filter to help inter-application communication – Flexibleness – Priority 23
  • 24. Fourteenforty Research Institute, Inc. SECURITY AND THREATS Android Malware and Countermeasure Issues 24
  • 25. Fourteenforty Research Institute, Inc. • Many malwares and Many anti-virus software – Malware impacts – Is Anti-virus software effective? • Malware – Trends and Characteristics • How Anti-virus software work? – Issue: Insufficient Privileges • rooting issues – How security has broken? – Countermeasure, and problems still left Android Security and Threats 25
  • 26. Fourteenforty Research Institute, Inc. • Found on 13 Jan (McAfee) – CallAccepter, Radiocutter, SilentMutter – Targeting rooted Android 1.0 devices – Denial of Service • Released on 26 Oct : Mobile Spy – Paid Spyware (Record SMS, GPS, incoming/outgoing calls) – Similar to “Karelog” (2011) in many ways • Different Type of Attack – Not so related to Cybercrime Android Malware : 2009 26
  • 27. Fourteenforty Research Institute, Inc. • Found on 10 Aug (Symantec) : FakePlayer.A – First “real” Android threat – Distributed in Russian website masquerading as a harmless movie player – Making money utilizing Premium SMS • Checkpoint : Modern Cybercrime and Android – Thereafter, Android malware became more “malicious” Android Malware : 2010 27
  • 28. Fourteenforty Research Institute, Inc. • January : Repackaged Android Apps – Redistribute “tainted” Android applications • March : Undeletable Malware – Install code to the System Partition • June : Self-updating Malware – Download and Execute the code dynamically (DexClassLoader) • July, October : Malware utilizing Application Updates – Updated application include malicious code Android Malware : 2011 28
  • 29. Fourteenforty Research Institute, Inc. • Classification – Spyware – Backdoor – Dialer (utilizing premium services) • China, Russia... – APN/telephone number in specific country – String resources • Messaging Channel – HTTP – SMS Android Malware : Characteristics 29
  • 30. Fourteenforty Research Institute, Inc. • Paid SMS/telephone services – Japan : “Dial Q2” – Paid numbers/services have no borders • Utilizing Premium Services : Dialer – Dial Premium Services and Make Money *directly* – Dialers Reborn – Android Smartphones Android Malware : Characteristics (Premium Services) 30
  • 31. Fourteenforty Research Institute, Inc. Android Malware : Utilizing Intent Filter • Receive Broadcasts to (steal information | run automatically | ...) – 39/44 malware samples • “Receiving SMS” is a Ordered Broadcast event – BroadcastReceiver with higher priority can *hide* SMS message (hidden from preinstalled SMS application) – Can hide malicious commands – 14/44 malware samples 31
  • 32. Fourteenforty Research Institute, Inc. Android Malware : Evolution • Still no “real” obfuscation – Easy to analyze • Evolving Rapidly – DroidDream Use exploits to gain root privilege and install malicious packages silently – Plankton Download DEX file (Dalvik byte code) and Execute it dynamically using class loader • Refined Android malwares will cause problems (specially, the one utilizing rooting techniques) 32
  • 33. Fourteenforty Research Institute, Inc. Anti-virus : How it works? • Utilizing *many* of Intent Filters and Broadcasts – Real-time scan (partially) – Scan Downloaded Files / Applications – Scan SMS messages 33 Anti-Virus Mount SD card Receive SMS Boot the Device ... Install Package Open some Files
  • 34. Fourteenforty Research Institute, Inc. • Anti-virus software is working as a normal Android app – Normally implemented as a driver (PC) Anti-virus : Issue by Android Security Design 34 System Anti-Virus Driver App1 App2 Anti-Virus
  • 35. Fourteenforty Research Institute, Inc. • Android as a Sandbox – Prevent Access to Other Processes – Blocks Anti-Virus software access as well – No driver can be installed Anti-virus : Issue by Android Security Design 35 System Anti-Virus Driver App1 App2 Anti-Virus
  • 36. Fourteenforty Research Institute, Inc. • Collecting Samples – Vary in Security Vendors – Android Market : Automated Crawler is Prohibited Anti-Virus : Issues 36
  • 37. Fourteenforty Research Institute, Inc. • Same Privilege : Malware and Anti-virus Software – Can Neutralize each other • Dynamic Heuristics is not easy – No way to intercept system calls – Signature issues – Protect partially • Still, normal existing malware can be detected and warn to the user • If malware can gain higher privilege... – Gaining root privilege = rooting Anti-virus : Same Privilege 37
  • 38. Fourteenforty Research Institute, Inc. • Gaining Administrator Privileges (not available by default) – Specially, utilizing local vulnerabilities • rooting vulnerabilities – CVE-2009-1185 (exploid) – [no CVE number] (rage against the cage) – CVE-2011-1149 (psneuter) – CVE-2011-1823 (Gingerbreak) – [no CVE number] (zergRush) • Chip/Vendor-specific vulnerabilities! rooting 38
  • 39. Fourteenforty Research Institute, Inc. • Logic Error in suid program – Some Android Tablet: OS command injection rooting : Vulnerabilities (1) 39 Can invoke arbitrary command in root privileges. [not available in public slides]
  • 40. Fourteenforty Research Institute, Inc. • Improper User-supplied buffer access – Some Android smartphone: Sensor Device rooting : Vulnerabilities (2) 40 Can write [not available] to arbitrary user memory, bypassing copy-on-write. Destroying setuid function can generate root-privilege process. [not available in public slides]
  • 41. Fourteenforty Research Institute, Inc. rooting : The Real Problem • Malware can Exploit same Vulnerability – Malware could gain higher privileges – Avoid Anti-virus software • rooting breaks some security mechanisms – Intent Filter priority value (associated with Activity) – Permission System • Security software may be neutralized 41
  • 42. Fourteenforty Research Institute, Inc. • High priority Activity enables hooking – Dangerous – Reserved for System Applications Broken Security : Activity Priority (1) 42 P=0P=100P=999 User ActivitySystem ActivityUser Activity P=0P=999 0P=100 User ActivityUser ActivitySystem Activity High Priority Low
  • 43. Fourteenforty Research Institute, Inc. • If malicious package is installed in the System Partition, malware can utilize higher priority of Activity – Hook implicit Intents – e.g. Hook web browser-related Intents for phishing • Does not work since Android 3.0 (because of Browser application changes) Broken Security : Activity Priority (2) 43 P=0P=0P=999 User ActivitySystem ActivitySYSTEM Activity Browser Hooks Real Web Browser High Priority Low
  • 44. Fourteenforty Research Institute, Inc. Broken Security : Permission (1) • Reserved Permissions – Only available to Vendor Packages or Preinstalled Packages – Bypassing : There’s a way other than modifying System Partition... 44 User App System App INSTALL_PACKAGES permission INSTALL_PACKAGES INSTALL_PACKAGES
  • 45. Fourteenforty Research Institute, Inc. Broken Security : Permission (2) • In root process, all Permissions are granted – No additional security checks (not even manifest checks) – Enables silent installation for example • GingerMaster utilizes this behavior (indirectly) 45 User App System App INSTALL_PACKAGES permission UID=0 (root) INSTALL_PACKAGES
  • 46. Fourteenforty Research Institute, Inc. rooting : Countermeasures and Issues (1) • Remove found vulnerabilities – Not so easy to patch... (http://www.ipa.go.jp/about/technicalwatch/pdf/110622report.pdf) • Limit root user : Linux Security Modules (LSM) – SHARP Corp. : Deckard / Miyabi • /system partition is prohibited (cannot be re-written) • ptrace (Debugging) is prohibited • Prevents DroidDream / DroidKungFu infection – Prevent root user to be utilized • Current LSMs are not enough though... • Black Hat Abu Dhabi 2011 46
  • 47. Fourteenforty Research Institute, Inc. rooting : Countermeasures and Issues (2) • Limiting root user is not enough – Permission checks – Making secure OS policy is difficult – Anti-virus software privilege is left weak • Protection specific to Android • Enabling Privilege Escalation for Security is needed! 47
  • 48. Fourteenforty Research Institute, Inc. Conclusion • Malware and Anti-virus software is evolving – But, we cannot protect whole system. • rooting breaks security and neutralize Anti-virus software – Even if malware could be found, it could be undeletable. – To encounter, we need privilege improvement and whole new protection system. 48
  • 49. Fourteenforty Research Institute, Inc. BOTTOM LINE Can Android be protected? 49
  • 50. Fourteenforty Research Institute, Inc. Is Android Protected? (1) • Vulnerability Attacks – Android depends on many of Native Code (e.g. WebKit) – Kernel-level protection is currently not so effective • Compiler Flag (DEP) • Prelinking (disabling ASLR) – If vulnerability is found in Android, it is not difficult to exploit. – It could possibly change in Android 4.0 50
  • 51. Fourteenforty Research Institute, Inc. Is Android Protected? (2) • Malware vs. Anti-virus software – Malware (as a Trojan horse) works as a spyware, backdoor or dialer utilizing Android features – rooting can make Anti-virus software completely useless • Currently, it is Difficult to protect Android devices 51
  • 52. Fourteenforty Research Institute, Inc. What to do (1) • Technical Responsibility : Android Project (AOSP et al.) – Make security mechanism Strict • System Call-Level Protection (LSM) • Secure Android Framework – Help making Security Software • e.g. Giving higher privileges for specific software – Make Kernel-level Protection Better • Removing Prelinking, ... • ... it seems to be done! 52
  • 53. Fourteenforty Research Institute, Inc. What to do (2) • Technical Responsibility : Device Vendor – Fix existing vulnerabilities (prevent existing malware) – Verify vendor customization • Not to break Android security mechanisms (and not to prevent user rights) 53
  • 54. Fourteenforty Research Institute, Inc. Conclusion • Protection for Android is not enough, but not impossible to solve – Currently, Users must be aware of threats – Possibly, need to take resolute steps • Work together to improve Android security whilst keeping platform open 54
  • 55. Fourteenforty Research Institute, Inc. 55 Thank you Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Research Engineer – Tsukasa OI <oi@fourteenforty.jp>