Viruses on mobile platforms: Why we don't/don't we have viruses on Android?

Post on 08-Jun-2015

Category: Mobile


DESCRIPTION

This presentation will discuss the resources available to attackers to write Android viruses, including methods of infecting executables, gaining control from the original app and avoiding detection.

TRANSCRIPT

Viruses on mobile platforms: Why we don't/don't we have viruses on Android?

Jimmy Shah, Mobile Security Researcher

Definitions

• Virus
– Self-replicating program
– May inject itself into clean programs
– May have destructive or visible payload

• Worm
– Self-replicating program that doesn't infect files
– E.g. Internet, MMS or Bluetooth worms

• Trojan
– Non-replicating program that pretends to be another
– May have destructive or visible payload

Viruses on Mobile Platforms

PalmOS, Windows Mobile, Symbian, Android

Palm OS

• 2000 – Palm/Phage
– File infector – Overwriter
– Code resource replaced with virus code
– Potentially smaller programs

Credit: Niels Heidenreich, Creative Commons Attribution licensed.

Viruses on Mobile Platforms: Windows Mobile

Windows Mobile

• 2007 – WinCE/Duts.1536
– Injected itself into all apps in current directory
– Asked for permission before running

Windows Mobile

• 2009 – WinCE/PMCryptic
– Polymorphic
– Developed with and only ran within emulator
» Author didn't understand how to do self-modifying code on ARM

Viruses on Mobile Platforms: Symbian

Symbian

• 2004 – SymbOS/Cabir
– First worm/malware for Symbian

• 2005 – SymbOS/Lasco.A
– File infector
– Infected SIS installation files

Viruses on Mobile Platforms: Android

Android

• 2010 – Android/Fakeplayer.A
– First trojan

• 20?? – Android/??????
– File infector
– Haven't seen one yet

Android: What do attackers need to build a virus?

Android – What do attackers need to build a virus? (Replication)

• Ability to replicate
– Making copies of itself is easy enough

Tool                     Useful functions
File managers            Move, copy, delete files
File transfer programs   Network copy, delete files

Android – What do attackers need to build a virus? (Infection)

• Ability to inject code into clean apps
– This has been done manually in numerous trojans: Android/Geinimi, Android/Jmsonez, Android/PJApp, Android/SteamyScr, Android/HippoSMS, Android/GoldDream, Android/J.SMSHider, Android/DroidKungfu
– Automating this saves them work and makes actual viruses

Android – What do attackers need to build a virus? (Infection)

• Locate code
– Apps are in APKs
– APKs are zip files
– App code is in classes.dex files

• Modify DEX files
– Format is documented: http://source.android.com/tech/dalvik/dex-format.html
– Multiple tools

Tool             Use
Smali/baksmali   Assembler/disassembler for DEX files
apktool          Unpack/decode APK: resources, smali code, AndroidManifest.xml

Attackers – Ability to inject code into clean apps (Infection)

• Dex files are difficult to modify?
• Disassembling easy with baksmali
– Used by Privacy Blocker to mod apps
» Memory issues

Attackers – Ability to inject code into clean apps (Infection)

• Modifying AndroidManifest.xml can redirect execution
– Register for intents

Intent                                  Function
android.intent.action.BOOT_COMPLETED    Start immediately after system finishes booting
android.permission.RECEIVE_SMS          Run when SMS received
android.intent.action.PHONE_STATE       Phone state changes; specifically ringing
android.net.wifi.WIFI_STATE_CHANGED     Wifi state changes; specifically enabled
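Since infection through the manifest means adding a receiver for one of the triggers above, a triage script can list such receivers in a decoded AndroidManifest.xml (for example apktool's output) and diff them against a known-clean copy of the same app. This is an added example, not from the talk; the two manifests and the Loader receiver name are constructed, and the SMS entry uses the broadcast action android.provider.Telephony.SMS_RECEIVED rather than the permission listed in the table.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Broadcast triggers from the talk's table: a receiver for these runs injected code
# without the user ever launching the host app.
WATCHED_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "starts right after the system boots",
    "android.provider.Telephony.SMS_RECEIVED": "runs when an SMS is received",
    "android.intent.action.PHONE_STATE": "runs on phone state changes, e.g. ringing",
    "android.net.wifi.WIFI_STATE_CHANGED": "runs when Wi-Fi state changes",
}

def receivers(manifest_xml):
    """Map each <receiver> class name to the set of broadcast actions it registers for."""
    root = ET.fromstring(manifest_xml)
    return {r.get(ANDROID_NS + "name"): {a.get(ANDROID_NS + "name") for a in r.iter("action")}
            for r in root.iter("receiver")}

def trigger_findings(manifest_xml):
    """List (receiver, action, why) for every receiver hooking one of the watched triggers."""
    return [(name, act, WATCHED_ACTIONS[act])
            for name, actions in receivers(manifest_xml).items()
            for act in sorted(actions & set(WATCHED_ACTIONS))]

def added_receivers(clean_xml, suspect_xml):
    """Receivers present in the suspect manifest but absent from the known-clean one."""
    base = receivers(clean_xml)
    return {n: a for n, a in receivers(suspect_xml).items() if n not in base}

# Constructed sample: a game's manifest before and after a receiver was spliced in.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application><activity android:name=".MainActivity"/>
    <receiver android:name="com.example.game.Loader"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
      <action android:name="android.net.wifi.WIFI_STATE_CHANGED"/>
    </intent-filter></receiver></application>
</manifest>"""
```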

Android – What do attackers need to build a virus? (Evasion)

• Ability to evade detection

• Encryption
– Simple obfuscations and ciphers
– Complex and well known encryption algorithms

• Pretending to be clean apps
– Infected apps
– “Legitimate” apps (e.g. adult entertainment, IM, web browsers, games)

• Reduce/remove security
– Disable security checks
– Remove/disable security & anti-malware software


Questions?
