final android malware(2007)

ANDROID MALWARE: Characterization and Detection
By: Vishaka Nayak (110CE56), Devyani Patil (110CE60), Akshaya Sanghavi (110CE68)

Upload: devyanipatil

Post on 15-Nov-2015


DESCRIPTION

A report on malware trends in Android

TRANSCRIPT

ANDROID MALWARE: Characterization and Detection
By: Vishaka Nayak (110CE56), Devyani Patil (110CE60), Akshaya Sanghavi (110CE68)
Guided by: Mrs. Pranita Mahajan

TABLE OF CONTENTS
I. INTRODUCTION
II. MALWARE CHARACTERIZATION
  A] MALWARE INSTALLATION
  B] ACTIVATION
  C] MALICIOUS PAYLOADS
  D] PERMISSION USES
III. MALWARE DETECTION
IV. CONCLUSION

I. INTRODUCTION
Why Android?

Android-based malware:
- Share: > 46% and growing rapidly
- Up 400% since summer 2010

Dataset: 49 Android malware families, Aug 2010 to Sept 2011.

ANDROID SECURITY

SANDBOXING
- Isolated environment for app execution.
- Each app runs in its own sandbox, which holds the app's data and code.
- Implementation: a UNIQUE USER ID (UID) is assigned to each app, and the app runs as a separate process under that UID.

PERMISSIONS
- Mandatory Access Control (MAC) mechanism for protecting application components and data.
- Each component of an application is assigned an ACCESS PERMISSION LABEL.
- An application is assigned the collection of permission labels of those components which it needs to access.

[Figure: APPLICATION 1 with components A, B (label l1) and C (label l2); APPLICATION 2 holding permission labels l1, l3; link labelled "Inherits Permission".]

II. MALWARE CHARACTERIZATION

A] MALWARE INSTALLATION

REPACKAGING
- Most common technique used to piggyback malicious payloads into applications.
- Malware authors:

UPDATE ATTACK
- Repackaging is used, but the payload is not enclosed as a whole.
- Instead, an update component is included that fetches or downloads the malicious payload at runtime (dynamic).

DRIVE-BY DOWNLOAD
- Traditional drive-by download attacks.
- Entice users to download "interesting" or feature-rich apps.
- Malware families: GGTracker, Jifake, Spitmo, Zitmo

B] ACTIVATION
Key term: system-wide event. Examples:
- BOOT_COMPLETED
- SMS_RECEIVED
- ACTION_MAIN

ACTIVATION (contd)
- Register for the related system-wide event.
- Launch the payload.
- BOOT_COMPLETED event: for example, Geinimi.
- SMS_RECEIVED event: for example, zSone.
- Intent with action ACTION_MAIN:
  - Hijack the entry activity.
  - Bootstrap a service before starting the host app's primary activity.
  - Example: DroidDream

C] MALICIOUS PAYLOADS
Payload: the malicious software payload carried by the app.

PAYLOAD FUNCTIONALITY
- PRIVILEGE ESCALATION
- REMOTE CONTROL
- FINANCIAL CHARGE
- INFORMATION COLLECTION

PRIVILEGE ESCALATION
Root exploits:
- Asroot
- Exploid
- RATC

36.7% of malware embeds at least one root exploit.

PRIVILEGE ESCALATION (contd)
[Figure: APP1, APP2 and APP3, each running in its own Dalvik VM (DVM), each made up of components comp1 and comp2.]

PRIVILEGE ESCALATION (contd)
- Copies an exactly identical, publicly available root exploit; for example, DroidDream.
- Encrypts the root exploit, stores it as a resource or asset file, and dynamically uncovers it at runtime; for example, DroidKungFu.

REMOTE CONTROL
- 93% of malware.
- Turns infected phones into bots.
- HTTP-based communication with C&C servers.

REMOTE CONTROL (contd)
- Encryption of the remote C&C server URLs and of the communication with the C&C server.
- For example, DroidKungFu3: AES encryption; uses a key to hide its C&C servers.

FINANCIAL CHARGE
- Premium-rate services.
- Permission-guarded function sendTextMessage.
- 4.4% of malware, from 7 different families:
  - send SMS messages
  - to premium-rate numbers hardcoded in the infected app

FINANCIAL CHARGE (contd)
- No hardcoded premium-rate numbers.
- Flexible remote control pushes the numbers down at runtime.
- RogueSPPush and GGTracker:
  - reply "Y" to messages in the background
  - block billing-related messages

INFORMATION COLLECTION
- SMS messages.
- Phone numbers.
- User accounts.
- For example: SndApp (email addresses); Spitmo (SMS verification messages).

D] PERMISSION USES
- Capabilities of apps are strictly constrained by permissions.
- Exception: Android apps with root exploits.
- Comparison of permissions requested by benign apps vs. malicious apps.

PERMISSION USES (contd)
Permissions common to both benign and malicious apps:
- INTERNET
- ACCESS_NETWORK_STATE
- READ_PHONE_STATE
- WRITE_EXTERNAL_STORAGE

Common malicious app permissions:
- READ_SMS
- RECEIVE_BOOT_COMPLETED
- WRITE_SMS
- RECEIVE_SMS
- SEND_SMS
- CHANGE_WIFI_STATE

PERMISSION USES (contd)
Malicious apps request:
- more permissions than benign apps.
- more SMS-related permissions.
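As an added example (not part of the original slides or of the referenced paper), the following Python script does the kind of static manifest triage that the ACTIVATION and PERMISSION USES slides point to: it parses an AndroidManifest.xml, separates the permissions the slides list as common to benign and malicious apps from the SMS-related and boot/Wi-Fi permissions associated with malware, and reports broadcast receivers registered for the BOOT_COMPLETED and SMS_RECEIVED activation events. The two manifests embedded in it are constructed for this example, and the "needs_review" threshold (two or more findings) is an assumed triage cut-off, not a rule from the slides.

```python
"""Static triage of an AndroidManifest.xml for the permission and activation patterns
described in the slides. Added example; the sample manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
_P = "android.permission."


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _short(name):
    """android.permission.SEND_SMS -> SEND_SMS"""
    return name.rsplit(".", 1)[-1]


# Permission groups as listed on the PERMISSION USES slides.
COMMON_PERMISSIONS = {_P + p for p in ("INTERNET", "ACCESS_NETWORK_STATE", "READ_PHONE_STATE", "WRITE_EXTERNAL_STORAGE")}
SMS_PERMISSIONS = {_P + p for p in ("READ_SMS", "WRITE_SMS", "RECEIVE_SMS", "SEND_SMS")}
OTHER_SUSPECT_PERMISSIONS = {_P + p for p in ("RECEIVE_BOOT_COMPLETED", "CHANGE_WIFI_STATE")}
# System-wide events used for activation (BOOT_COMPLETED: Geinimi; SMS_RECEIVED: zSone).
ACTIVATION_ACTIONS = {"android.intent.action.BOOT_COMPLETED", "android.provider.Telephony.SMS_RECEIVED"}


def analyze_manifest(manifest_xml):
    """Return a triage summary (dict) for one manifest given as XML text."""
    root = ET.fromstring(manifest_xml)
    permissions = {_attr(e, "name") for e in root.iter("uses-permission")}
    findings = []

    sms = sorted(permissions & SMS_PERMISSIONS)
    if sms:
        findings.append("SMS permissions: " + ", ".join(map(_short, sms)))
    for perm in sorted(permissions & OTHER_SUSPECT_PERMISSIONS):
        findings.append("malware-associated permission: " + _short(perm))

    # Receivers registered for activation events. A high android:priority on an
    # SMS_RECEIVED filter places the receiver ahead of the messaging app in the
    # ordered broadcast, which is what the billing-reply suppression on the slides relies on.
    for receiver in root.iter("receiver"):
        name = _attr(receiver, "name")
        for intent_filter in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in intent_filter.iter("action")}
            for action in sorted(actions & ACTIVATION_ACTIONS):
                note = "receiver %s listens for %s" % (name, _short(action))
                priority = _attr(intent_filter, "priority")
                if priority is not None:
                    note += " (priority %s)" % priority
                findings.append(note)

    # Premium-SMS pattern from the FINANCIAL CHARGE slides: send, then intercept replies.
    if {_P + "SEND_SMS", _P + "RECEIVE_SMS"} <= permissions:
        findings.append("SEND_SMS + RECEIVE_SMS: can both send and intercept SMS")

    return {
        "permission_count": len(permissions),
        "uncommon_count": len(permissions - COMMON_PERMISSIONS),
        "findings": findings,
        "needs_review": len(findings) >= 2,  # assumed triage threshold
    }


# Constructed sample: a benign-looking manifest using only the "common to both" permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample: SMS permissions plus receivers on both activation events.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        result = analyze_manifest(manifest)
        print(label, "needs_review=%s" % result["needs_review"], *result["findings"], sep="\n  ")
```

On a real APK the manifest is binary XML and must first be decoded (for example with aapt or apktool) before this parser can read it; the findings are a triage hint for further review, since legitimate messaging apps request the same SMS permissions.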

III. MALWARE DETECTION
- Rapid growth and evolution of malware.
- Existing anti-virus software.
- Measure their effectiveness.

MALWARE DETECTION (contd)
Evaluation setup:
- Anti-virus apps: AVG, Lookout, Norton, TrendMicro; all downloaded from Google Play.
- Phone: Nexus One.
- Android version 2.3.7.
- All security apps updated to the latest version before testing.

MALWARE DETECTION (contd)
Results:

Reasons:
- Different design approaches.
- Different implementation approaches.
- Relatively new malware.
- Old signature databases.
- Unique runtime environment.
- Limited resources and battery.

IV. CONCLUSION
- Large volume of new apps; a joint effort involving all parties is needed.
- Coarse-grained permission model; include additional context information.
- Rapid development and increased sophistication of malware.
- Mobile anti-virus software: best case detects 79.6%, worst case detects 20.2%.
- Develop better next-generation anti-malware solutions.

REFERENCES
- Yajin Zhou, Xuxian Jiang. Dissecting Android Malware: Characterization and Evolution. IEEE Symposium on Security and Privacy (2012).
- Ariel Haney, Erika Chin, David Wagner, Adrienne Porter Felt, Elizabeth Ha, Serge Egelman. Android Permissions: User Attention, Comprehension, and Behavior.
- Malicious Mobile Threats Report (2011): http://www.juniper.net/us/en/company/press-center/press-releases/2011/pr 2011 05 10-09 00.html
- Repackaged application: http://en-erteam.nprotect.com/2011/07/material-repackaged-fastracing-game_8549.html
- Using QR tags to Attack SmartPhones: http://kaoticoneutral.blogspot.com/2011/09/using-qr-tags-toattack-smartphones 10.html

THANK YOU!!!