KEMBAR78
Android malware overview, status and dilemmas | PDF
Tech and Law Center, profile picture
Uploaded byTech and Law Center
PDF, PPTX4,859 views

Android malware overview, status and dilemmas

This document summarizes research on malicious Android apps from 2012-2013. Some key points: - Over 1,260 app samples were analyzed in 2012, with many found to steal user information, turn devices into bots, or generate revenue through premium calls/texts. - Early malware like DroidDream, Plankton, and BaseBridge leveraged exploits to gain root access and stealthily update themselves. Later malware got more sophisticated with techniques like anti-analysis tricks. - Malware has been distributed through third-party app stores and underground affiliate programs. Estimates found infection rates between 0.0009-1% of Android devices by 2013. - While most stole data or made money fraud

Download as PDF, PPTX
Malicious Android Apps Overview, Status and Dilemmas
1,260 Samples Analyzed (2012) Manual analysis of samples by Yajin Zhou & Xuxian Jiang 36.7% leverage root-level exploits 90% turn devices into bots 45.3% dial/text premium numbers in background 51.1% harvest user information Other goods encrypted root-level exploit or obfuscated C&C address
Attackers Goals Steal Sensitive Data intercept texts or calls steal passwords Turn Devices Into Bots perform malicious actions gain root privileges Direct Financial Gain call or text premium numbers steal online banking credentials
ZitMo & SpitMo (2011) ● Companion of the famous ZeuS and SpyEye trojans. ● Steal the mTAN or SMS used for 2-factor authentication.
The attack scheme (1) www.yourbank.com username: user password: ************ INFECTED COMPUTER er *** : us ******* me rna ord: ** use sw pas $$ $$ $ $$ $ $ $$ $$
2-factors authentication (password + secret code) ONE TIME SECRET CODE ************ GO!
The attack scheme (2) www.yourbank.com username: user password: ************ ONE TIME SECRET CODE INFECTED COMPUTER TYPE IN THE ONE TIME SECRET CODE OK EXPIRED TYPE IN THE ONE TIME SECRET CODE
The attack scheme (2) www.yourbank.com username: user password: ************ INFECTED COMPUTER inject QR code
Luring Users with a QR Code USERNAME user PASSWORD ************ SCAN TO LOGIN Login
The attack scheme (3) www.evil.org/fake-login-app.apk
The attack scheme (4) www.yourbank.com username: user password: ************ ONE TIME SECRET CODE INFECTED COMPUTER INFECTED SMARTPHONE TYPE IN THE ONE TIME SECRET CODE OK
The attack scheme (5) FINANCIAL TRANSACTIONS $$$$$$$ ALERT THE MALWARE HIDES SMSs FROM THE BANK
Perkele (2013) ● Sold for $1,000 on underground markets/forums ● Development kit for bypassing 2-factor authentication
Better than Perkele Hand of Thief kit (Android port, late 2013) $950
http://www.lacoon.com/hand-of-thief-hot-moves-its-way-to-android/
M VE A H ST U Retrospective of Predictions E! ID SL Source (Trend Micro, Q2 2012)
M VE A H ST U Prediction vs. Actual Data Number of Android malware samples E! ID SL Q4 2012 120,000 Source (Symantec, October 2013)
The Origin: TapSnake (2010)
Malware Distribution Google Play Store. Alternative markets. Underground affiliate programs (growing business).
Alternative Markets (91) Andapponline Aptoide Soc.io 92Apk T Store Cisco Market SlideMe Insydemarket Android Downloadz AppChina Yandex App Store Lenovo App Store AndroidPit PandaApp MerkaMarket CoolApk Pdassi Omnitel Apps AppsZoom AppsEgg Good Ereader Anzhi Market iMedicalApps TIM Store ApkSuite AppTown Mobile9 EOE Market Barnes & Noble T-Store Opera App Store AppBrain Phoload HiApk Nvidia TegraZone T-Market Brothersoft AppsLib Androidblip Nduoa AppCake AT&T Camangi ESDN 1Mobile Baidu App Store Handmark CNET Blackmart Alpha Mobilism Brophone D.cn Appolicious F-Droid Mob.org LG World Gfan Appitalism Android games room Amazon Handango Samsung App Store Millet App Store WhiteApp AndroLib Mikandi Handster Taobao AppCity GetJar Nexva market AppsFire Tencent App Gem AlternativeTo Tablified Market Yet Another Android Market Mobango Hyper Market Appzil AndroidTapp No Crappy Apps Naver NStore Fetch Moborobo 91mobiles mobiles24 Android Freeware MplayIt Hami Olleh Market wandoujia
DroidDream (2011) - Host Apps Falling Down Super Guitar Solo Super History Eraser Photo Editor Super Ringtone Maker Super Sex Positions Chess Hilton Sex Sound Screaming Sexy Japanese Girls Falling Ball Dodge Scientific Calculator Dice Roller
DroidDream (2011) - Info Stealing Steals C&C http://184.105.245.17:8080/GMServer/GMServlet IMEI IMSI exploid root-level exploit. device model SDK version Copy of the original public exploit! language country
DroidDream (2011) - More Details Downloads 2nd payload. Encrypts C&C messages. Installs payload under /system No icon nor installed application is visible to the user. zHash uses the same exploit.
DroidDreamLight (2011) ● Massive code refactoring. ● No root exploit. ● Steal same data. ● Receives remote updates. ● Affected 30–120k users. Image source (Trend Micro)
What the Malware! Source (Symantec, October 2013)
(our measurement, Nov 2013)
(our measurement, Nov 2013)
Plankton (2011) ● Update only some components. ● Silent update, no user participation. ● Payload hosted on Amazon. ● Inspired the AnserverBot family.
Plankton (2011) Silent update (first family) Command & Control: Image source (Sophos)
Countermeasures Google Play app vetting Install and permission confirmation SMS/call blacklisting and quota App verify (call home when apps are installed - incl. 3rd party) ● App sandboxing ● SELinux in enforcing mode (Android 4.4) ● AV apps ● ● ● ●
Blacklist & SMS Limits CyanogenMod >=10.2 Blacklist numbers 50 SMS per 30 minute limit
App Sandboxing User1 User2 User3 App1 App2 App3 Virtual machine Virtual machine Virtual machine Process1 Process2 Process3 ... ... PERMISSIONS Linux kernel
Apps Must Declare Permissions User1 User2 User3 App1 Malicious App App2 App3 Virtual machine Virtual machine Virtual machine Process1 Process2 Process3 ... ... PERMISSIONS Linux kernel
Permission Declaration
Selective Permissions Introduced in 4.3. Users can selectively filter permissions. That's great!
Google claimed its release was accidental Removed it in 4.4
Perms: Malware Goodware vs. Source: Y. Zhou and X. Jiang, “Dissecting Android Malware: Characterization and Evolution,” in Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012, pp. 95–109.
No primitives for process auditing User1 User2 User3 App1 Malicious App ... ANTIVIRUS APP Virtual machine Process1 ... PERMISSIONS Linux kernel Malicious App SD card
Workarounds (back in the '80s) Signature-based matching (evaded by repackaging). Scan (limited) portion of the storage. Send sample to cloud service (malware can sniff network). Custom kernel (not market proof).
TGLoader (2012) - Root 'n text No permissions. Root the phone. Loads 3 malicious APKs. Premium texting. C&C communication. Exploid root exploit
Asroot (2011) Simple, standalone app. Uses asroot root exploit. Not really widespread.
Malware Apps on Google Play 2010 (2) TapSnake, SMSReplicator 2011 (13) DroidDream, zHash, DroidDreamLight, Zsone, Plankton YZHC, SndApps, Zitmo, Asroot, Gone60, DroidKungFu (2)
App Verify Source: A. Ludwig, E. Davis, and J. Larimer, “Android - Practical Security From the Ground Up,” in Virus Bulletin Conference, 2013.
Countermeasures and Downsides Google Play app vetting Few apps made it through it Permission confirmation Unaware users SMS/call blacklisting and Must know the numbers quota Must know the malware App verify Root exploits + ask App sandboxing permissions
Application Signing ● No PKI ○ Apps signed with self-signed certs ○ AppIntegrity proposes a lightweight, neat solution ● Signature not checked at runtime ○ Can add new code at runtime and break the signature ● MasterKey vulnerability (CVE-2013-4787,
Exploited by Adr/MstrKey-A ● ...as well as Skullkey ● Signed-unsigned integer values vulnerability (Jul 2013)
BaseBridge (2011) ● Asset file hides the payload. ● Register to lots of events. ● Gains root privileges via RATC exploit. ○ spawn RLIMIT_NPROC-1 processes ○ kill adbd ○ spawn 1 process to race against adbd setuid()-ing ● Steals data (e.g., IMEI) + premium texts.
BaseBridge (2011) Source: Y. Zhou and X. Jiang, “Dissecting Android Malware: Characterization and Evolution,” in Proceedings of the 33rd IEEE Symposium
Academic Measurements 2010–October 2011 [Zhou et al., 2012] 49 families 20–76% detection rate October 2011 [Vidas et al., 2013] 194 markets facilitate malware distribution 0–32% detection rate (I don't really buy
Our Measurements 2–8% of the apps are known malware (Jun-Nov 2013)
Our Measurements 10–20% of the apps are known adware (Jun-Nov 2013)
CarrierIQ (2011) - Not Really Malware 140M devices including Sprint, HTC, Samsung. Controversial app used for enhancing "customer experience". Log keystrokes. Record calls. Store text messages. Track location.
Fake CarrierIQ Detector :-) Detects CarrierIQ. It actually finds IQ if is there. Premium texter malware. http://www.symantec.com/connect/blogs/day-afteryear-mobile-malware
Find if IQ services are installed. Tries to send premium SMSs (notice the nested try-catch).
RootSmart (2012) ● 2nd malware w/ GingerBreak exploit (1st was GingerMaster) ● Asks lots of permissions (suspicious ones) ○ MOUNT_UNMOUNT_FILESYSTEMS ○ RECEIVE_BOOT_COMPLETED ○ CHANGE_WIFI_STATE ● Suspicious broadcast receiver ○ NEW_OUTGOING_CALL ● Fetches the exploit from obfuscated URL
Friendly Marketplaces Top 5 authors publish both goodware and known malware.
Moghava (2012) - Annoying No monetary gain. Protest intended. Yet, very annoying. http://www.symantec. com/connect/blogs/androidmoghava-recipe-mayhem
LuckyCat (2012) - Used in APT 1st known used in APT. SMS initiated: "[...] time to renew data plan [...]" URL with WebKit exploit (this is drive-by!) Track user GPS, steal data. Naïvely encrypted C&C communication. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_adding-android-and-mac-
Chuli (2012) - Again, in APT High-profile Tibetan activist email hacked. Used to send malicious APK to other activists. Steals data (SMS, contacts, IMEI, GPS, etc). https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack
Registration Service Provided By: SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO., LTD. Domain Name: DLMDOCUMENTSEXCHANGE.COM Registration Date: 08-Mar-2013 Expiration Date: 08-Mar-2014 Status:LOCKED The domain registration data indicates the following owner: Registrant Contact Details: peng jia (bdoufwke123010@gmail.com) beijingshiahiidienquc.d beijingshi beijing,100000 CN Tel. +86.01078456689 Fax. +86.01078456689
Obad (2013) - Sophisticated Raises the bar. Could propagate via Bluetooth and WiFi. First emulator-aware malware. Anti dynamic analysis (corrupted XML) Anti static analysis (packed instr. + anti decompiling + encrypted strings) Gains device administration rights to hides itself.
Corrupted XML No attribute names. Accepted by smartphones. Makes sandboxes fail.
Bogus Instructions Targets specifically the dedexer disassembler. Prevents automatic repackaging of dex for analysis. Needed manual intervention. http://joe4mobile.blogspot.com/2013/06/analyzing-obada-aka-most-sophisticated.html
Anti Decompiling
Device Admin Privs Used to administer devices. http://www.comodo. com/resources/Android_OBAD_Tech_Reportv3.pdf Fool the user. http://developer.android. com/guide/topics/admin/device-admin.html
Baseline Features Steal data. Remote update. Execute shell commands. C&C communication (hardcoded...).
Mouabad (2013) - Sneaky Dialer Works when device goes to lock mode. Stops working right away when the user unlocks the device. Calls premium numbers located in China. No sophisticated anti-analysis techniques.
Stels (2013) - Spreads via Botnet Spreads through Cutwail botnet via spam emails. Vulnerable website to drop PHP script. PHP script fingerprints the client. Malicious (non-sophisticated) APK if browser == Android. Steals the usual data. http://www.secureworks.com/cyber-threat-intelligence/threats/stels-android-trojan-malware-analysis/
How Many Infected Devices? Damballa & GaTech DNS traffic analysis (2012) Mobile devices (0.0009%) 3,492 of 380,537,128 Kindsight Security Lab Mobile devices 0.50% (Q1) 0.52% (Q2) Android devices 1.00% (Q2)
Conclusions ● Many infected apps (hundreds of thousands) ● Low infection rate (0.0009–1.0%) ○ Wide range of uncertainty ○ The ROI per infected device must be high! ● Authors have just started to show what they can do.
http://andrototal.org @andrototal_org

More Related Content

PPTX
Android malware analysis
byJason Ross
 
PDF
Android malware presentation
bySandeep Joshi
 
PDF
Android Malware Detection Mechanisms
byTalha Kabakus
 
PDF
Malware Detection in Android Applications
byijtsrd
 
PDF
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
byIOSR Journals
 
PDF
IRJET- Android Malware Detection System
byIRJET Journal
 
PDF
Android mobile platform security and malware survey
byeSAT Journals
 
PDF
Tech Report: On the Effectiveness of Malware Protection on Android
byFraunhofer AISEC
 
Android malware analysis
byJason Ross
 
Android malware presentation
bySandeep Joshi
 
Android Malware Detection Mechanisms
byTalha Kabakus
 
Malware Detection in Android Applications
byijtsrd
 
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
byIOSR Journals
 
IRJET- Android Malware Detection System
byIRJET Journal
 
Android mobile platform security and malware survey
byeSAT Journals
 
Tech Report: On the Effectiveness of Malware Protection on Android
byFraunhofer AISEC
 

What's hot

PPTX
[Wroclaw #1] Android Security Workshop
byOWASP
 
PPTX
Android security
byMobile Rtpl
 
PDF
Android Security & Penetration Testing
bySubho Halder
 
PDF
Sperasoft talks: Android Security Threats
bySperasoft
 
PDF
Introduction to Android Development and Security
byKelwin Yang
 
PPTX
Android security
byMidhun P Gopi
 
PDF
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
byYandex
 
PPT
Android Security
bySuminda Gunawardhana
 
PDF
Mobile Application Pentest [Fast-Track]
byPrathan Phongthiproek
 
PDF
Deepfake anyone, the ai synthetic media industry enters a dangerous phase
byaditi agarwal
 
PDF
Deep Dive Into Android Security
byMarakana Inc.
 
PDF
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
byIJNSA Journal
 
PDF
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
PPT
Analysis and research of system security based on android
byRavishankar Kumar
 
PPTX
Android Security
byArqum Ahmad
 
PDF
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
byIdexcel Technologies
 
ODP
Android security in depth
bySander Alberink
 
PPTX
Security testing of mobile applications
byGTestClub
 
PDF
Android Security
byLars Jacobs
 
PDF
We explain the security flaw that's freaking out the internet
byaditi agarwal
 
[Wroclaw #1] Android Security Workshop
byOWASP
 
Android security
byMobile Rtpl
 
Android Security & Penetration Testing
bySubho Halder
 
Sperasoft talks: Android Security Threats
bySperasoft
 
Introduction to Android Development and Security
byKelwin Yang
 
Android security
byMidhun P Gopi
 
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
byYandex
 
Android Security
bySuminda Gunawardhana
 
Mobile Application Pentest [Fast-Track]
byPrathan Phongthiproek
 
Deepfake anyone, the ai synthetic media industry enters a dangerous phase
byaditi agarwal
 
Deep Dive Into Android Security
byMarakana Inc.
 
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
byIJNSA Journal
 
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
Analysis and research of system security based on android
byRavishankar Kumar
 
Android Security
byArqum Ahmad
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
byIdexcel Technologies
 
Android security in depth
bySander Alberink
 
Security testing of mobile applications
byGTestClub
 
Android Security
byLars Jacobs
 
We explain the security flaw that's freaking out the internet
byaditi agarwal
 

Viewers also liked

PDF
Android Malware Analysis
byJongWon Kim
 
PPTX
Semantics aware malware detection ppt
byManish Yadav
 
PPTX
AVTOKYO2012 Android Malware Heuristics(en)
by雅太 西田
 
PDF
PPT_Compiled
byAvineshwar Singh
 
PPT
Malware by Ms. Allwood
byStavia
 
PPTX
Android village @nullcon 2012
byhakersinfo
 
PPT
It Security For Healthcare
byNicholas Davis
 
PDF
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
byStephan Chenette
 
PDF
Кратко про тенденции ИБ к обсуждению (Код ИБ)
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPT
Tesina Sobri
byAbraham Domínguez Cuña
 
PDF
Про практику DLP (Код ИБ)
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
byPositive Hack Days
 
PDF
Максим Ширшин — Регулярные выражения
byYandex
 
PPTX
Template ppt Android Menarik
bySaeful Bahri
 
PPTX
Выживший
byPositive Hack Days
 
PDF
Введение в SEO
byROOKEE
 
PPT
Introduction To SELinux
byRene Cunningham
 
PDF
Тенденции российского рынка ИБ
byAleksey Lukatskiy
 
PPTX
Как защититься рядовому пользователю от динамично меняющих угроз?
byAleksey Lukatskiy
 
PDF
Крупные мероприятия по информационной безопасности на 2017 год
byAleksey Lukatskiy
 
Android Malware Analysis
byJongWon Kim
 
Semantics aware malware detection ppt
byManish Yadav
 
AVTOKYO2012 Android Malware Heuristics(en)
by雅太 西田
 
PPT_Compiled
byAvineshwar Singh
 
Malware by Ms. Allwood
byStavia
 
Android village @nullcon 2012
byhakersinfo
 
It Security For Healthcare
byNicholas Davis
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
byStephan Chenette
 
Кратко про тенденции ИБ к обсуждению (Код ИБ)
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Tesina Sobri
byAbraham Domínguez Cuña
 
Про практику DLP (Код ИБ)
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
byPositive Hack Days
 
Максим Ширшин — Регулярные выражения
byYandex
 
Template ppt Android Menarik
bySaeful Bahri
 
Выживший
byPositive Hack Days
 
Введение в SEO
byROOKEE
 
Introduction To SELinux
byRene Cunningham
 
Тенденции российского рынка ИБ
byAleksey Lukatskiy
 
Как защититься рядовому пользователю от динамично меняющих угроз?
byAleksey Lukatskiy
 
Крупные мероприятия по информационной безопасности на 2017 год
byAleksey Lukatskiy
 

Similar to Android malware overview, status and dilemmas

PDF
Anti-tampering in Android and Take Look at Google SafetyNet Attestation API
byArash Ramez
 
PDF
ToorCon 14 : Malandroid : The Crux of Android Infections
byAditya K Sood
 
PPTX
Top mobile security threats
byRingtoIndia
 
PDF
Hacking your Android (slides)
byJustin Hoang
 
PPTX
Android security
byHassan Abutair
 
PDF
2012 nq mobile_security_report
byIsnur Rochmad
 
PDF
I haz you and pwn your maal
byc0c0n - International Cyber Security and Policing Conference
 
PPTX
I haz you and pwn your maal
byHarsimran Walia
 
PDF
Mbs w23
bySelectedPresentations
 
PDF
Mobile Malware
byMartin Holovský
 
PDF
thesisSlides
byJoey Allen
 
PDF
thesisSlides
byJoey Allen
 
PDF
Building Custom Android Malware BruCON 2013
byStephan Chenette
 
PDF
Enter Sandbox: Android Sandbox Comparison
byJose Moruno Cadima
 
PDF
CNIT 128 5: Mobile malware
bySam Bowne
 
PDF
Hacking your Droid (Aditya Gupta)
byClubHack
 
PDF
I haz you and pwn your maal whitepaper
byHarsimran Walia
 
PPTX
Threat Lands
byMSC Malaysia Cybercentre @ Bangsar South City
 
PDF
Rpt repeating-history
byAnatoliy Tkachev
 
PDF
F-Secure Mobile Threat Report Quarter 1 2012
byF-Secure Corporation
 
Anti-tampering in Android and Take Look at Google SafetyNet Attestation API
byArash Ramez
 
ToorCon 14 : Malandroid : The Crux of Android Infections
byAditya K Sood
 
Top mobile security threats
byRingtoIndia
 
Hacking your Android (slides)
byJustin Hoang
 
Android security
byHassan Abutair
 
2012 nq mobile_security_report
byIsnur Rochmad
 
I haz you and pwn your maal
byc0c0n - International Cyber Security and Policing Conference
 
I haz you and pwn your maal
byHarsimran Walia
 
Mbs w23
bySelectedPresentations
 
Mobile Malware
byMartin Holovský
 
thesisSlides
byJoey Allen
 
thesisSlides
byJoey Allen
 
Building Custom Android Malware BruCON 2013
byStephan Chenette
 
Enter Sandbox: Android Sandbox Comparison
byJose Moruno Cadima
 
CNIT 128 5: Mobile malware
bySam Bowne
 
Hacking your Droid (Aditya Gupta)
byClubHack
 
I haz you and pwn your maal whitepaper
byHarsimran Walia
 
Threat Lands
byMSC Malaysia Cybercentre @ Bangsar South City
 
Rpt repeating-history
byAnatoliy Tkachev
 
F-Secure Mobile Threat Report Quarter 1 2012
byF-Secure Corporation
 

More from Tech and Law Center

PDF
One step further in the surveillance society the case of predictive policing
byTech and Law Center
 
PDF
2015.11.06. Luca Melette_Mobile threats evolution
byTech and Law Center
 
PDF
Andrea Molino: Applicazione delle tecnologie ICT al settore Agricolo
byTech and Law Center
 
PDF
Emanuela Pala: Internet of Things & Smart Agriculture
byTech and Law Center
 
PDF
Tommaso De Gregorio: Growing Hazelnuts
byTech and Law Center
 
PDF
Smart intelligence
byTech and Law Center
 
PDF
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...
byTech and Law Center
 
PDF
Cybersecurity & Digital Forensics / Dronitaly - 25 Ottobre 2014
byTech and Law Center
 
PDF
Giuseppe Vaciago: From Crime to privacy-oriented crime prevention in the Big ...
byTech and Law Center
 
PPT
SECURITY OF THE DIGITAL NATIVES - Italian version
byTech and Law Center
 
PPT
SECURITY OF THE DIGITAL NATIVES - English version
byTech and Law Center
 
PDF
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
byTech and Law Center
 
PDF
Digital Native Privacy (Francesca Bosco & Giuseppe Vaciago)
byTech and Law Center
 
PDF
The Death Of Computer Forensics: Digital Forensics After the Singularity
byTech and Law Center
 
PPT
Legal Aspect of the Cloud by Giuseppe Vaciago
byTech and Law Center
 
One step further in the surveillance society the case of predictive policing
byTech and Law Center
 
2015.11.06. Luca Melette_Mobile threats evolution
byTech and Law Center
 
Andrea Molino: Applicazione delle tecnologie ICT al settore Agricolo
byTech and Law Center
 
Emanuela Pala: Internet of Things & Smart Agriculture
byTech and Law Center
 
Tommaso De Gregorio: Growing Hazelnuts
byTech and Law Center
 
Smart intelligence
byTech and Law Center
 
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...
byTech and Law Center
 
Cybersecurity & Digital Forensics / Dronitaly - 25 Ottobre 2014
byTech and Law Center
 
Giuseppe Vaciago: From Crime to privacy-oriented crime prevention in the Big ...
byTech and Law Center
 
SECURITY OF THE DIGITAL NATIVES - Italian version
byTech and Law Center
 
SECURITY OF THE DIGITAL NATIVES - English version
byTech and Law Center
 
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
byTech and Law Center
 
Digital Native Privacy (Francesca Bosco & Giuseppe Vaciago)
byTech and Law Center
 
The Death Of Computer Forensics: Digital Forensics After the Singularity
byTech and Law Center
 
Legal Aspect of the Cloud by Giuseppe Vaciago
byTech and Law Center
 

Recently uploaded

PDF
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
Data Structure - 12 Graph
byAndiNurkholis1
 
PPTX
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
PDF
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PDF
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
PDF
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PDF
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PDF
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PDF
2025 October Patch Tuesday
byIvanti
 
PPTX
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
 
PPTX
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
PPTX
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 
PPTX
Enterprise Architecture for Microsoft 365: From Vision to Value
bySimon Denton
 
PPTX
Session 6 Specialized AI Associate Series: The GenAI Experience in UiPath Doc...
byDianaGray10
 
PDF
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
Data Structure - 12 Graph
byAndiNurkholis1
 
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
2025 October Patch Tuesday
byIvanti
 
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
 
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 
Enterprise Architecture for Microsoft 365: From Vision to Value
bySimon Denton
 
Session 6 Specialized AI Associate Series: The GenAI Experience in UiPath Doc...
byDianaGray10
 
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 

Android malware overview, status and dilemmas

  • 1.
  • 2.
    1,260 Samples Analyzed(2012) Manual analysis of samples by Yajin Zhou & Xuxian Jiang 36.7% leverage root-level exploits 90% turn devices into bots 45.3% dial/text premium numbers in background 51.1% harvest user information Other goods encrypted root-level exploit or obfuscated C&C address
  • 3.
    Attackers Goals Steal SensitiveData intercept texts or calls steal passwords Turn Devices Into Bots perform malicious actions gain root privileges Direct Financial Gain call or text premium numbers steal online banking credentials
  • 4.
    ZitMo & SpitMo(2011) ● Companion of the famous ZeuS and SpyEye trojans. ● Steal the mTAN or SMS used for 2-factor authentication.
  • 5.
    The attack scheme(1) www.yourbank.com username: user password: ************ INFECTED COMPUTER er *** : us ******* me rna ord: ** use sw pas $$ $$ $ $$ $ $ $$ $$
  • 6.
    2-factors authentication (password+ secret code) ONE TIME SECRET CODE ************ GO!
  • 7.
    The attack scheme(2) www.yourbank.com username: user password: ************ ONE TIME SECRET CODE INFECTED COMPUTER TYPE IN THE ONE TIME SECRET CODE OK EXPIRED TYPE IN THE ONE TIME SECRET CODE
  • 8.
    The attack scheme(2) www.yourbank.com username: user password: ************ INFECTED COMPUTER inject QR code
  • 9.
    Luring Users witha QR Code USERNAME user PASSWORD ************ SCAN TO LOGIN Login
  • 10.
    The attack scheme(3) www.evil.org/fake-login-app.apk
  • 11.
    The attack scheme(4) www.yourbank.com username: user password: ************ ONE TIME SECRET CODE INFECTED COMPUTER INFECTED SMARTPHONE TYPE IN THE ONE TIME SECRET CODE OK
  • 12.
    The attack scheme(5) FINANCIAL TRANSACTIONS $$$$$$$ ALERT THE MALWARE HIDES SMSs FROM THE BANK
  • 13.
    Perkele (2013) ● Soldfor $1,000 on underground markets/forums ● Development kit for bypassing 2-factor authentication
  • 14.
    Better than Perkele Handof Thief kit (Android port, late 2013) $950
  • 15.
  • 16.
  • 17.
    M VE A H ST U Prediction vs. ActualData Number of Android malware samples E! ID SL Q4 2012 120,000 Source (Symantec, October 2013)
  • 18.
  • 21.
    Malware Distribution Google PlayStore. Alternative markets. Underground affiliate programs (growing business).
  • 22.
    Alternative Markets (91) Andapponline Aptoide Soc.io 92Apk TStore Cisco Market SlideMe Insydemarket Android Downloadz AppChina Yandex App Store Lenovo App Store AndroidPit PandaApp MerkaMarket CoolApk Pdassi Omnitel Apps AppsZoom AppsEgg Good Ereader Anzhi Market iMedicalApps TIM Store ApkSuite AppTown Mobile9 EOE Market Barnes & Noble T-Store Opera App Store AppBrain Phoload HiApk Nvidia TegraZone T-Market Brothersoft AppsLib Androidblip Nduoa AppCake AT&T Camangi ESDN 1Mobile Baidu App Store Handmark CNET Blackmart Alpha Mobilism Brophone D.cn Appolicious F-Droid Mob.org LG World Gfan Appitalism Android games room Amazon Handango Samsung App Store Millet App Store WhiteApp AndroLib Mikandi Handster Taobao AppCity GetJar Nexva market AppsFire Tencent App Gem AlternativeTo Tablified Market Yet Another Android Market Mobango Hyper Market Appzil AndroidTapp No Crappy Apps Naver NStore Fetch Moborobo 91mobiles mobiles24 Android Freeware MplayIt Hami Olleh Market wandoujia
  • 23.
    DroidDream (2011) -Host Apps Falling Down Super Guitar Solo Super History Eraser Photo Editor Super Ringtone Maker Super Sex Positions Chess Hilton Sex Sound Screaming Sexy Japanese Girls Falling Ball Dodge Scientific Calculator Dice Roller
  • 24.
    DroidDream (2011) -Info Stealing Steals C&C http://184.105.245.17:8080/GMServer/GMServlet IMEI IMSI exploid root-level exploit. device model SDK version Copy of the original public exploit! language country
  • 25.
    DroidDream (2011) -More Details Downloads 2nd payload. Encrypts C&C messages. Installs payload under /system No icon nor installed application is visible to the user. zHash uses the same exploit.
  • 26.
    DroidDreamLight (2011) ● Massivecode refactoring. ● No root exploit. ● Steal same data. ● Receives remote updates. ● Affected 30–120k users. Image source (Trend Micro)
  • 27.
    What the Malware! Source(Symantec, October 2013)
  • 28.
  • 29.
  • 31.
    Plankton (2011) ● Updateonly some components. ● Silent update, no user participation. ● Payload hosted on Amazon. ● Inspired the AnserverBot family.
  • 32.
    Plankton (2011) Silent update (firstfamily) Command & Control: Image source (Sophos)
  • 33.
    Countermeasures Google Play appvetting Install and permission confirmation SMS/call blacklisting and quota App verify (call home when apps are installed - incl. 3rd party) ● App sandboxing ● SELinux in enforcing mode (Android 4.4) ● AV apps ● ● ● ●
  • 34.
    Blacklist & SMSLimits CyanogenMod >=10.2 Blacklist numbers 50 SMS per 30 minute limit
  • 35.
  • 36.
    Apps Must DeclarePermissions User1 User2 User3 App1 Malicious App App2 App3 Virtual machine Virtual machine Virtual machine Process1 Process2 Process3 ... ... PERMISSIONS Linux kernel
  • 37.
  • 38.
    Selective Permissions Introduced in4.3. Users can selectively filter permissions. That's great!
  • 39.
    Google claimed itsrelease was accidental Removed it in 4.4
  • 40.
    Perms: Malware Goodware vs. Source: Y.Zhou and X. Jiang, “Dissecting Android Malware: Characterization and Evolution,” in Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012, pp. 95–109.
  • 41.
    No primitives forprocess auditing User1 User2 User3 App1 Malicious App ... ANTIVIRUS APP Virtual machine Process1 ... PERMISSIONS Linux kernel Malicious App SD card
  • 42.
    Workarounds (back inthe '80s) Signature-based matching (evaded by repackaging). Scan (limited) portion of the storage. Send sample to cloud service (malware can sniff network). Custom kernel (not market proof).
  • 43.
    TGLoader (2012) -Root 'n text No permissions. Root the phone. Loads 3 malicious APKs. Premium texting. C&C communication. Exploid root exploit
  • 44.
    Asroot (2011) Simple, standaloneapp. Uses asroot root exploit. Not really widespread.
  • 45.
    Malware Apps onGoogle Play 2010 (2) TapSnake, SMSReplicator 2011 (13) DroidDream, zHash, DroidDreamLight, Zsone, Plankton YZHC, SndApps, Zitmo, Asroot, Gone60, DroidKungFu (2)
  • 46.
    App Verify Source: A.Ludwig, E. Davis, and J. Larimer, “Android - Practical Security From the Ground Up,” in Virus Bulletin Conference, 2013.
  • 47.
    Countermeasures and Downsides GooglePlay app vetting Few apps made it through it Permission confirmation Unaware users SMS/call blacklisting and Must know the numbers quota Must know the malware App verify Root exploits + ask App sandboxing permissions
  • 48.
    Application Signing ● NoPKI ○ Apps signed with self-signed certs ○ AppIntegrity proposes a lightweight, neat solution ● Signature not checked at runtime ○ Can add new code at runtime and break the signature ● MasterKey vulnerability (CVE-2013-4787,
  • 49.
    Exploited by Adr/MstrKey-A ●...as well as Skullkey ● Signed-unsigned integer values vulnerability (Jul 2013)
  • 50.
    BaseBridge (2011) ● Assetfile hides the payload. ● Register to lots of events. ● Gains root privileges via RATC exploit. ○ spawn RLIMIT_NPROC-1 processes ○ kill adbd ○ spawn 1 process to race against adbd setuid()-ing ● Steals data (e.g., IMEI) + premium texts.
  • 51.
    BaseBridge (2011) Source: Y.Zhou and X. Jiang, “Dissecting Android Malware: Characterization and Evolution,” in Proceedings of the 33rd IEEE Symposium
  • 52.
    Academic Measurements 2010–October 2011[Zhou et al., 2012] 49 families 20–76% detection rate October 2011 [Vidas et al., 2013] 194 markets facilitate malware distribution 0–32% detection rate (I don't really buy
  • 53.
    Our Measurements 2–8% ofthe apps are known malware (Jun-Nov 2013)
  • 54.
    Our Measurements 10–20% ofthe apps are known adware (Jun-Nov 2013)
  • 55.
    CarrierIQ (2011) -Not Really Malware 140M devices including Sprint, HTC, Samsung. Controversial app used for enhancing "customer experience". Log keystrokes. Record calls. Store text messages. Track location.
  • 56.
    Fake CarrierIQ Detector:-) Detects CarrierIQ. It actually finds IQ if is there. Premium texter malware. http://www.symantec.com/connect/blogs/day-afteryear-mobile-malware
  • 57.
    Find if IQservices are installed. Tries to send premium SMSs (notice the nested try-catch).
  • 58.
    RootSmart (2012) ● 2ndmalware w/ GingerBreak exploit (1st was GingerMaster) ● Asks lots of permissions (suspicious ones) ○ MOUNT_UNMOUNT_FILESYSTEMS ○ RECEIVE_BOOT_COMPLETED ○ CHANGE_WIFI_STATE ● Suspicious broadcast receiver ○ NEW_OUTGOING_CALL ● Fetches the exploit from obfuscated URL
  • 59.
    Friendly Marketplaces Top 5authors publish both goodware and known malware.
  • 60.
    Moghava (2012) -Annoying No monetary gain. Protest intended. Yet, very annoying. http://www.symantec. com/connect/blogs/androidmoghava-recipe-mayhem
  • 62.
    LuckyCat (2012) -Used in APT 1st known used in APT. SMS initiated: "[...] time to renew data plan [...]" URL with WebKit exploit (this is drive-by!) Track user GPS, steal data. Naïvely encrypted C&C communication. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_adding-android-and-mac-
  • 63.
    Chuli (2012) -Again, in APT High-profile Tibetan activist email hacked. Used to send malicious APK to other activists. Steals data (SMS, contacts, IMEI, GPS, etc). https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack
  • 64.
    Registration Service ProvidedBy: SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO., LTD. Domain Name: DLMDOCUMENTSEXCHANGE.COM Registration Date: 08-Mar-2013 Expiration Date: 08-Mar-2014 Status:LOCKED The domain registration data indicates the following owner: Registrant Contact Details: peng jia (bdoufwke123010@gmail.com) beijingshiahiidienquc.d beijingshi beijing,100000 CN Tel. +86.01078456689 Fax. +86.01078456689
  • 66.
    Obad (2013) -Sophisticated Raises the bar. Could propagate via Bluetooth and WiFi. First emulator-aware malware. Anti dynamic analysis (corrupted XML) Anti static analysis (packed instr. + anti decompiling + encrypted strings) Gains device administration rights to hides itself.
  • 67.
    Corrupted XML No attributenames. Accepted by smartphones. Makes sandboxes fail.
  • 68.
    Bogus Instructions Targets specificallythe dedexer disassembler. Prevents automatic repackaging of dex for analysis. Needed manual intervention. http://joe4mobile.blogspot.com/2013/06/analyzing-obada-aka-most-sophisticated.html
  • 69.
  • 70.
    Device Admin Privs Usedto administer devices. http://www.comodo. com/resources/Android_OBAD_Tech_Reportv3.pdf Fool the user. http://developer.android. com/guide/topics/admin/device-admin.html
  • 71.
    Baseline Features Steal data. Remoteupdate. Execute shell commands. C&C communication (hardcoded...).
  • 72.
    Mouabad (2013) -Sneaky Dialer Works when device goes to lock mode. Stops working right away when the user unlocks the device. Calls premium numbers located in China. No sophisticated anti-analysis techniques.
  • 73.
    Stels (2013) -Spreads via Botnet Spreads through Cutwail botnet via spam emails. Vulnerable website to drop PHP script. PHP script fingerprints the client. Malicious (non-sophisticated) APK if browser == Android. Steals the usual data. http://www.secureworks.com/cyber-threat-intelligence/threats/stels-android-trojan-malware-analysis/
  • 74.
    How Many InfectedDevices? Damballa & GaTech DNS traffic analysis (2012) Mobile devices (0.0009%) 3,492 of 380,537,128 Kindsight Security Lab Mobile devices 0.50% (Q1) 0.52% (Q2) Android devices 1.00% (Q2)
  • 75.
    Conclusions ● Many infectedapps (hundreds of thousands) ● Low infection rate (0.0009–1.0%) ○ Wide range of uncertainty ○ The ROI per infected device must be high! ● Authors have just started to show what they can do.
  • 76.