1 INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM ...

1

INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM

LOH KE LIH

FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY UNIVERSITI TEKNIKAL MALAYSIA MELAKA

2014

BORANG PENGESAHAN STATUS TESIS

2

JUDUL: INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM SESI PENGAJIAN: SESI 2013/2014 Saya LOH KE LIH mengaku membenarkan tesis (PSM/Sarjana/Doktor Falsafah) ini disimpan di Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dengan syarat-syarat kegunaan seperti berikut: 1. Tesis dan projek adalah hakmilik Universiti Teknikal Malaysia Melaka. 2. Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dibenarkan membuat salinan untuk tujuan pengajian sahaja. 3. Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dibenarkan membuat salinan tesis ini sebagai bahan pertukaran antara institusi pengajian tinggi. 4. ** Sila tandakan (/) _____________ SULIT (Mengandungi maklumat yang berdarjah

keselamatan atau kepentingan Malaysia seperti yang termaktub di dalam AKTA RAHSIA RASMI 1972)

_____________ TERHAD (Mengandungi maklumat TERHAD yang telah

ditentukan oleh organisasi/badan di mana penyelidikan dijalankan)

_____/_______ TIDAK TERHAD __________________________ ___________________________ (TANDATANGAN PENULIS) (TANDATANGAN PENYELIA) Alamat tetap : 18, Jalan Khalidi, Nama Penyelia : En. Zulkiflee 84000 Muar, Muslim Johor, Malaysia Tarikh : __________________________ Tarikh: _____________________

3


LOH KE LIH

This report is submitted in partial fulfillment of the requirement for the Bachelor of

Computer Science (Computer Networking)

FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY

UNIVERSITI TEKNIKAL MALAYSIA MELAKA

2014

4

DECLARATION

I hereby declare this project report entitled


is written by me and is my own effort and that no part has been plagiarized without

citations.

STUDENT :_____________________________ Date:_____________

(LOH KE LIH)

SUPERVISOR:_____________________________ Date:_____________

(EN ZULKIFLEE BIN MUSLIM)

5

DEDICATION

To my beloved parents…

6

ACKNOWLEDGEMENTS

I would like to show my gratitude and appreciation to my supervisor, En Zulkiflee

bin Muslim for all the ideas and advices in guiding me throughout the project.

I would also like to thank my family members especially my parents because they

have given me the greatest support in all sorts of materials throughout my years of

studying in this university.

Last but not least, I would like to thanks to all my friends and course mates for their

kindness in sharing knowledge and resources.

Thanks a lot.

7

ABSTRACT

This project identifies the behaviours of Android malware, BaseBridge

through dynamic analysis. Scope to be conducted in this project are using only one

specific type of android malware and focusing on behaviour of android malware.

Tcpdump will be used in this project to sniff the network. This research will be

contributed in identifying the behavior of BaseBridge in respective network traffic by

using Santoku Linux operating system which contains several tools such as Android

SDK emulator, Wireshark and Tcpdump. In the end of this project, behaviour of

BaseBridge will be concluded. However, there are several constraints and limitations

on this project which is not fully fit for other android malwares’ behaviours. For

future works, a script can be generate and conducted into a complete software system,

so that the processes of capture data can be done automatically by the system thus

enhances the system fit for other android malwares.

8

ABSTRAK

Projek ini mengenal pasti tingkah laku malware Android, BaseBridge melalui

analisis dinamik. Skop yang akan dijalankan dalam projek ini menggunakan hanya

satu jenis tertentu Android malware dan memberi tumpuan kepada tingkah laku

Android malware. Tcpdump akan digunakan dalam projek ini untuk mengesan

rangkaian BaseBridge. Kajian ini akan menyumbang dalam mengenal pasti tingkah

laku dalam BaseBridge trafik rangkaian masing-masing dengan menggunakan sistem

operasi Linux Santoku yang mengandungi beberapa peralatan seperti Android SDK

emulator, Wireshark dan tcpdump. Di akhir projek ini, tingkah laku BaseBridge akan

dibuatkan kesimpulan. Walau bagaimanapun, terdapat beberapa kekangan dan

batasan projek ini, iaitu tidak cergas sepenuhnya untuk tingkah laku lain malwares

Android. Bagi kerja-kerja masa depan, skrip yang boleh dijana dan dijalankan ke

dalam sistem perisian yang lengkap, supaya proses menangkap data boleh dilakukan

secara automatik oleh sistem itu bagi meningkatkan sistem untuk malwares Android

lain.

9

TABLE OF CONTENTS

DECLARATION i

DEDICATION ii

ACKNOWLEDGEMENTS iii

ABSTRACT iv

ABSTRAK v

TABLE OF CONTENTS vi

LIST OF TABLES x

LIST OF FIGURES xi

LIST OF ABBREVIATIONS xiii

LIST OF ATTACHMENTS xiv

INTRODUCTION 1

1.1 Introduction 1

1.2 Project Background 2

1.3 Problem Statement 3

1.4 Objective 4

1.5 Scope 5

1.6 Project Contribution 5

1.7 Report Organization 6

1.8 Summary 7

LITERATURE REVIEW 8

2.1 Introduction 8

2.2 Android 9

2.2.1 Definition 9

10

2.2.2 Android Architecture 9

2.3 Malware 11

2.3.1 Malware Definition and Category 11

2.3.1.1 Trojan Definition and Classification 13

2.3.2 Android Malware 14

2.3.2.1 BaseBridge 16

2.3.2.2 BaseBridge Characteristics and Behaviour 16

2.4 Malware Detection Technique 17

2.4.1 Anomaly-based Detection 18

2.4.1.1 Dynamic Anomaly-based Detection 18

2.4.1.2 Static Anomaly-based Detection 19

2.4.1.3 Hyrid Anomaly-based Detection 19

2.4.2 Specification-based Detection 19

2.4.2.1 Dynamic Specification-based Detection 20

2.4.2.2 Static Specification-based Detection 20

2.4.2.3 Hyrid Specification-based Detection 20

2.4.3 Signature-based Detection 20

2.4.3.1 Dynamic Signature-based Detection 21

2.4.3.2 Static Signature-based Detection 21

2.4.3.3 Hyrid Signature-based Detection 21

2.5 Parameter 22

2.5.1 Network Traffic 22

2.6 Santoku Linux 23

2.7 Summary 24

METHODOLOGY 25

3.1 Introduction 25

3.2 Project Methodology 25

3.3 Phase I: Requirement Analysis 26

3.4 Phase II: Design 26

3.5 Phase III: Implementation 27

3.6 Phase IV: Testing 28

3.7 Phase V: Operate 28

11

3.8 Project Schedule and Milestones 28

3.9 Summary 31

ANALYSIS & DESIGN 32

4.1 Introduction 32

4.2 Problem Analysis 33

4.3 Requirements Analysis 33

4.3.1 Data Requirements 33

4.3.2 Software Requirements 33

4.3.3 Hardware Requirements 34

4.4 BaseBridge Analysis Approach 35

4.4.1 Network Design 35

4.4.2 Environment Setup 37

4.4.3 Install Malware and Capture Network Traffic 38

4.4.4 Analyse Collected Data 38

4.4 Summary 39

IMPLEMENTATION & TESTING 40

5.1 Introduction 40

5.2 Software Development Environment Setup 41

5.3 Activate Malware, Collect Network Traffic 41

5.3.1 Process Collect Network Traffic Data 41

5.3.2 Network Traffic Collected Data 43

5.4 Test Plan 45

5.4.1 Test Organization 45

5.4.2 Test Environment 45

5.4.3 Test Schedule 46

5.4.4 Test Strategy 47

5.4.4.1 Unit Testing 47

5.4.4.2 Integrate Testing 47

5.4.5 Test Design 47

5.4.5.1 Sample APK Set 47

5.5 Test Result & Analysis 48

5.5.1 Network Traffic Attributes 49

12

5.5.2 Network Traffic Graph 49

5.5.2.1 Ideal Graph 50

5.5.2.2 Graph of Number of Packets 51

5.5.2.3 Graph Protocol 52

5.5.2.4 Graph Destination IP Address 53

5.6 Result Analysis 54

5.7 Summary 55

CONCLUSION 56

6.1 Introduction 56

6.2 Project Summarization 56

6.3 Project Contribution 57

6.4 Project Limitation 57

6.5 Future Project 57

6.6 Summary 58

REFERENCES 59

APPENDIX 64

13

LIST OF TABLES

TABLE TITLE PAGE

Table 1.1 Summary of Problem Statement 3

Table 1.2 Summary of Research Question 3

Table 1.3 Summaries of Research Objectives 4

Table 1.4 Summary of Project Contributions 5

Table 2.1 Definitions for Malware Category 12

Table 2.2 Definitions for Trojan Classification 13

Table 2.3 Percentage of Mobile Malware Detected in Different Platform 15

Table 3.1: Milestones 28

Table 4.1: The details of hardware requirement 34

Table 5.1 Software Requirements 45

Table 5.2 Hardware Requirements 46

Table 5.3 Testing Schedule 46

Table 5.4 Sample APK File Summarization 48

Table 5.5 Network Traffic Attribute SA1 49

Table 5.6 Summary of BaseBridge’s Behaviour 54

14

LIST OF FIGURES

FIGURE TITLE PAGE

Figure 2.1 Literature Review Phase 8

Figure 2.2 Android Architecture Structural Diagram 10

Figure 2.3 Malware Categories 11

Figure 2.4 Trojan Classifications 13

Figure 2.5 Type of threats on Android devices 15

Figure 2.6 The Most Frequently Detected Malicious Programs Targeting Android 16

Figure 2.7 The Websites that will access by Android/BaseBridge 17

Figure 2.8 Android Malware Detection Techniques 18

Figure 2.9 IP Header Versions 4 22

Figure 2.10 Santoku Linux Tools 23

Figure 3.1 Project Methodology 26

Figure 4.1 Analysis Approach 35

Figure 4.2 Physical Designs 36

Figure 4.3 Logical Designs 37

Figure 5.1 Steps on Environment Setup 41

Figure 5.2 Process of Collecting Network Traffic 42

Figure 5.3 Collected Network Traffic 43

Figure 5.4 Content of Network Traffic 44

Figure 5.5 Website that visited by BaseBridge 44

Figure 5.6 Ideal Network Traffic Pattern 50

Figure 5.7 Frequency of Packets Number 50

Figure 5.8 Graph of Number of Packets Sample APK 1 51

Figure 5.9 Frequency of Number Packets Sample APK 1 51

Figure 5.10 Graph Protocol per Second 52

15

Figure 5.11 Frequency of Protocol 53

Figure 5.12 Number of Packet from 192.168.61.128 to Destination Port 53

16

LIST OF ABBREVIATIONS

ALPHABET WORDS EXPLANATION

A APK Android Application Package File

ARP Address Resolution Protocol

H HTTP Hypertext Transfer Protocol

T TCP Transmission Control Protocol

U UDP User Datagram Protocol

URL Uniform Resource Locator

17

LIST OF ATTACHMENTS

ATTACHMENT TITLE PAGE

A Gantt Chart 64

B Network Traffic Attributes

B.1 Network Traffic Attributes SA2 65

B.2 Network Traffic Attributes SA3 66

C Network Traffic Graph

C.1 Graph of Number of Packet Sample 67

APK 2

C.2 Frequency of Number Packets Sample 67

APK 2

C.3 Graph of Number of Packet Sample 68

APK 3

C.4 Frequency of Number Packets Sample 68

APK 3

C.5 Graph Protocol for SA 2 69

C.6 Graph Frequency of Protocol SA 2 69

C.5 Graph Protocol for SA 3 70

C.6 Graph Frequency of Protocol SA 3 70

C.9 Number of Packet to Destination Port 71

for SA2

C.10 Number of Packet to Destination Port 71

for SA3

18

CHAPTER I

INTRODUCTION

1.1 Introduction

Nowadays, the mobile platforms and applications are increasing in popularity.

However, the popular platform such as Android has greatly stimulated the spread of

mobile malware. In order to identify the problem that cause mobile malware spread

rapidly, we will discuss about the background of the project which is Android and

malware. The research problem will be formulated into three research questions.

Based on the research questions, the current problem that faced by the Android user

will be clearly shown. After that, the research objective can be generated and all

works done in this project will be based on the research objective.

Firstly, for the purpose to do this project, project background will be discussed. The

background of Android platform and malware will be described. Secondly, the

research problem will be summarised. After that the research question and objective

will be conducted. Project scope and contribution will also be discussed. Lastly, the

report organization will be described to make sure the project is carry out in correct

flow.

19

1.2 Project Background

In recent year, the using of smart phone is increasing. There are several of operating

system used in smart phone such as Android, IOS, Window, Blackberry and

Symbian. Android is the most popular platform used in smart phone which is 79.0%

compare to Apple IOS (14.2%), Windows Phone (3.3%), Blackberry (2.7%) and

other (0.9%) (mobiThinking, 2014). Android is the largest installed platform and

growing fast which placed first among others smart phone operating systems

(Micheal Oleaga, 2014, Guru, 2014).

As more and more smart phones come out, the amount of people accessing the

Internet greatly increases. So, there is a rapid increase in the amount of malware

targeting Android smart phones since it is the most popular operating system used in

smart phone. 99% of mobile malware targeted Android devices last year (Brad Reed,

2014).

Malware, short for malicious software, is software used to damage or control the

computer operation, gather with sensitive information, or gain access to private

computer systems. It can be emerged as a collection of code, script, active content

and embedded in other application (McMahon, 2013). Therefore, a script can be

generating in order to detect the android malware that found in the smart phones.

Examples of android malware such as DroidKungFu, BeanBot, BaseBridge are the

major threats to the security of the android mobile. However, there are some malware

will re-implementing some of their malicious functionalities in native code. The

changes are possibly to make their detection and analysis harder. (Yajin Zhou, 2012).

So, the parameter will be analyzing to know the attack pattern of the malware.

The malware are grows rapidly, some effectively defend should take against the

malware. In order to create a method to defend against the malware, we need to study,

analysis and investigate about the malware. We need to how the malware behaves

when executed, how it got here, what is the purpose and how it runs (Kris Kendall,

2007).

20

Therefore, dynamic analysis will be using in this project to analyse the android

malware. It will focuses on the behaviour of attack, determine how and what it gets

installed, how it run, what files have been added or modified, who they are

communicate to, etc (Dennis Distler, 2007). So, the parameter such as system call

and network traffic will be investigate in this project.

1.3 Problem Statement

Nowadays, malicious code is reportedly infecting Android devices at a rapid speed.

Therefore, Android phone users are advised to take extra precautions on this situation.

However, the malware characteristics cause difficulty for users to identify and detect

their behaviours. The Research Problem (PR) is summarized into Table 1.1.

Table 1.1 Summary of Problem Statement

No Research Problem

RP1 Difficult to detect the appearance of android malware inside the smart

phone because most of the anti-virus software is low accuracy.

Thus, Research Questions (RQ) which depicted in Table 1.2 is constructed to

identify the research problem as discussed in previous section.

Table 1.2 Summary of Research Question

No Research Question

RQ1 What is the behaviour of different android malware?

RQ2 What is the parameter used to detect the android malware's

behaviour?

RQ3 How to detect the android malware using parameter?

RQ1: What is the behaviour of different android malware?

This research question is used to study the behaviour of malware by identify which

techniques is suitable to use for collecting data for different type of malware.

21

RQ2: What is the parameter used to detect the android malware's behaviour?

This research question is formulated by considering the android malware’s behaviour

issue because there are many different type of malware and that may infect to

different parameter. Thus, it is important to identifying which parameter is suitable to

use for study the malware’s behaviour.

RQ3: How to detect the android malware using parameter?

This research question is formulated by considering the way to extract the behavior

of the android malware using parameter and generate the attack pattern dynamically.

1.4 Objective

Based on the research questions formulated in previous section, appropriate research

objectives (RO) are developed as follows:

Table 1.3 Summaries of Research Objectives

RP RQ RO Research Objective

RP1

RQ1 RO1 To classify the android malware's behaviour.

RQ2 RO2 To identify the parameter used to detect the android malware's

behaviour.

RQ3 RO3 To detect the android malware using parameter.

RO1: To classify the android malware's behaviour.

Firstly, we need to classify the type of android malware and the behaviour of android

malware in order to find out the feature of malware. Different type of malware may

have different type of behaviour.

RO2: To identify the parameter used to detect the android malware's behaviour.

We need to investigate the suitable parameter used to identify the behaviour of

android malware in order to generate the attack pattern of malware and do the

detection

22

RO3: To detect the android malware using parameter.

After identify the parameter, we need to develop a script to detect the android

malware automatically using its parameter.

1.5 Scope

Scope of project is going to be conducted as follows:

1. Using only one specific type of android malware.

2. Focusing on behaviour of android malware in order to generate the attack

patterns of android malware by using network traffic.

3. Tcpdump and Wireshark will be used in this project to sniff the network.

1.6 Project Contribution

The contribution of this project are summarized in Table 1.4

Table 1.4 Summary of project contributions

RP RQ RO RC Research Contribution

RP1

RQ1 RO1 RC1 The classification of android malware's behaviour.

RQ2 RO2 RC2 The parameter of android malware's behaviour.

RQ3 RO3 RC3 Detecting the malware’s attack pattern using parameter.

Table 1.4 shows the project contributions based on the research problem, research

questions and research objective.

23

1.7 Report Organization

Chapter 1: Introduction

This chapter will discuss about the introduction, project background, problem

statement, research question, research objective, project scope, project contribution

and report organization.

Chapter 2: Literature Review

This chapter will study about the related works such as android, malware, malware

attack pattern, malware analysis technique, parameter and operating system used.

The related works will be contribute to the next chapter.

Chapter 3: Methodology

This chapter will explain the method used to analyse android malware and project

methodology. Project schedule and milestones will discuss in this chapter to finish

the project in time.

Chapter 4: Analysis and Design

This chapter will introduce the problem analysis, requirements of software and

hardware. The experimental design such as logical design and physical design will

also conduct in this chapter. Environment will setup based on the requirements.

Chapter 5: Implementation and Testing

This chapter will describe the method to implement and test the collected data in

order to carry out the graph to support the evidence. The test result and analysis will

conclude in this chapter.

Chapter 6: Conclusion

This chapter will summarize all chapters as a conclusion. Project summarization,

limitation and future work will discuss.

24

1.8 Summary

As a conclusion, this project will identify the behaviour of Android malware using

dynamic analysis. The problem statement, research questions, research objectives

and scope are discussed in this chapter to identify and solve the problem. Besides

that, report organization also carried out in this chapter to make sure the project runs

in sequence. In the next chapter, more research and related works about Android

malware and malware detection technique will be discussing.

1 INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM ...

Documents

Transcript of 1 INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM ...