droidcon2013 security genes_trendmicro

Post on 09-May-2015


TRANSCRIPT

Raimund Genes - CTO

Security under Android

Copyright 2013 Trend Micro Inc.

Android has been designed with security in mind!

Security in Mind?

Android is a privilege-separated operating system. Each application runs as its own unique Linux user ID, so by default no application can read another application's data or interfere with its processes. Applications can't access the network (or any other protected resource) without the user's prior consent.

Security in Mind?

When installing an application, the user is asked by the package installer to grant the permission(s) the app requests.

But!

Once granted, a permission is never checked with the user again, neither before nor while the application runs. The app can use the granted feature without ever prompting the user again, forever!

So

With clever social engineering the bad guys convince users to install a "useful" application, the user willingly grants the permissions, and bingo: the device can be misused.

Industry Trends: Malware increasing on "App Stores"

Android Malware

• 10K: middle of 2012!

• 100K: end of 2012!

http://blog.trendmicro.com/how-big-will-the-android-malware-threat-be-in-2012/

Chris DiBona from Google, November 2011:

"Virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself."

"The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn't independence day, a virus that might work on one device won't magically spread to the other."

All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets.

Industry Trends: Google's Bouncer

Google Bouncer: “Gone to the Gym”


Extended Network: The App Markets. Use case: personal data exfiltration via an Android Market.

(Diagram: App Market; Infiltration; Exfiltration & Exploits; Android Malware counts of 120,000 and 300,000+.)

ANDROIDOS_JIGENSHA.A

Impact scope: 760,000 users' data leaked online in Japan.

Malicious behavior: the malware collects the user's contact list, including names and phone numbers, and sends it to a remote server.

Your phone as your wallet

Samsung’s Knox software

Types of Threats

Spying Tools: track user data such as GPS location and send it to a 3rd party

Rooter: hacks the phone to take control of it

Premium Service: secretly subscribes the user to paid services

Data Stealer: steals personal information

Malicious Downloader: downloads new apps without user consent

Click Fraud: triggers pay-per-click activity on the device

Viruses for Android

Where’s the problem?

So why don't we see this under iOS?

Mobile App Reputation

• Mobile App Reputation is a cloud-based technology that automatically identifies mobile threats based on app behavior

– Crawls and collects a huge number of Android apps from various Android markets

– Identifies existing and brand-new mobile malware

– Identifies apps that may abuse privacy or device resources

– World's first automatic mobile app evaluation service

• Malware?

• Privacy risk?

• High resource consumption?

Mobile App Reputation (diagram): apps go in, and each comes out classified as "No Issues" or "Issue Identified".

Mobile App Reputation

1. Collects apps and scans them in the cloud.

2. Static analysis: dissects app code and private data access.

3. Correlates web queries with the Smart Protection Network.

4. Dynamic analysis: activates the app to analyze its actual behaviour.

Generates reputation scores and a detailed report.
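The install-time permission model described earlier, the threat types listed above, and the static-analysis step of this pipeline all start from the same question: what does the app's manifest ask for, and does that fit what the app claims to do? The Python script below is an added example, not Trend Micro's MARS code or anything shown in the talk. It performs that permission-level triage on a decoded AndroidManifest.xml (the text form apktool extracts from an APK) and returns the "No Issues" / "Issue Identified" verdict the service diagram describes. The rule table, the weights, the 30-point threshold and both sample manifests are this example's own assumptions, not a published scoring scheme.

```python
"""Permission-level static triage of a decoded AndroidManifest.xml.

Added example: not Trend Micro's MARS code. It expects the plain-text manifest
that apktool (or a similar decoder) extracts from an APK; the two sample
manifests below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permission combinations that point at the threat types from the talk.
# The permission names are real Android permissions; grouping them this way
# and the weights are this example's own heuristics.
THREAT_RULES = [
    ("Data Stealer",         {P + "READ_CONTACTS", P + "INTERNET"}, 40),
    ("Spying Tool",          {P + "ACCESS_FINE_LOCATION", P + "INTERNET"}, 35),
    ("Premium Service",      {P + "SEND_SMS"}, 35),
    ("Malicious Downloader", {P + "INTERNET", P + "INSTALL_PACKAGES"}, 30),
]
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
ISSUE_THRESHOLD = 30  # a score at or above this is reported as "Issue Identified"

# Constructed sample: a "flashlight" app that also reads contacts and sends SMS.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: the same kind of app asking only for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def parse_manifest(manifest_xml):
    """Return (permissions requested, broadcast actions the app's receivers listen for)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name")
               for r in root.iter("receiver") for a in r.iter("action")}
    return perms, actions


def classify(perms, actions):
    """Match the manifest against THREAT_RULES; returns (threat, evidence, weight) tuples."""
    findings = [(threat, sorted(needed), weight)
                for threat, needed, weight in THREAT_RULES if needed <= perms]
    # A receiver for incoming SMS next to SEND_SMS is the classic premium-SMS
    # pattern: the app can swallow the carrier's subscription confirmation.
    if P + "SEND_SMS" in perms and SMS_RECEIVED in actions:
        findings.append(("Premium Service", ["receiver:" + SMS_RECEIVED], 20))
    return findings


def reputation_score(findings):
    """0 (clean) to 100 (worst); the weights simply add up and are capped."""
    return min(100, sum(weight for _, _, weight in findings))


def triage(manifest_xml):
    """Produce the verdict a reputation service would attach to an app listing."""
    perms, actions = parse_manifest(manifest_xml)
    findings = classify(perms, actions)
    score = reputation_score(findings)
    return {
        "score": score,
        "verdict": "Issue Identified" if score >= ISSUE_THRESHOLD else "No Issues",
        "threats": sorted({threat for threat, _, _ in findings}),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, manifest in (("flashlight", SUSPICIOUS_MANIFEST), ("torch", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{name}: score={result['score']} verdict={result['verdict']} "
              f"threats={result['threats']}")
```

To run it against a real APK, decode the package with apktool and pass the resulting AndroidManifest.xml text to `triage()`. The script only sees what is requested at install time; an app that legitimately needs READ_CONTACTS and INTERNET and still exfiltrates the address book is exactly the case the dynamic-analysis step exists to catch.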

Mobile Application Reputation Architecture

(Architecture diagram; components connected over a Data Bus / Control Bus:)

MSR (Mobile Sourcing)

MPAFI (Mobile PAFI)

MSA (Mobile Static Analyzer)

MDA (Mobile Dynamic Analyzer)

MSE (Mobile Scoring Engine)

MDS (Mobile Data Store)

SPN (Smart Protection Network) WRS/FRS Correlate Services

PAFI: Pre-Analysis File Interscan

The Service

App store submits new apps (via FTP, crawler, or web upload)

Apps are scanned

Report is provided (as HTML, XML, or email)

App store removes bad apps and adds detailed info to app listings

Information provided by MARS

MARS Sample Report

Developers!

• Know what the public libraries you use actually do before you use them!

• Corporate customers are very sensitive regarding data leakage!

• CPU load and battery impact play a bigger and bigger role in app selection!

• Quick and dirty might not be the way to go for a sustainable business!

• If you write apps for a 3rd party, expect that the app will be tested not only for functionality but also for potential risks and negative impacts.

From mid-May: mars.trendmicro.com to check the rating of your app.
