Final Android Malware(2007)
Transcript of Final Android Malware(2007)
ANDROID MALWARE: Characterization and Detection
By: Vishaka Nayak (110CE56), Devyani Patil (110CE60), Akshaya Sanghavi (110CE68)
Guided by: Mrs. Pranita Mahajan

Table Of Contents
I. INTRODUCTION
II. MALWARE CHARACTERIZATION
 A] MALWARE INSTALLATION
 B] ACTIVATION
 C] MALICIOUS PAYLOADS
 D] PERMISSION USES
III. MALWARE DETECTION
IV. CONCLUSION
I. INTRODUCTION
Why Android?
Android-based malware:
 - Share: > 46% and growing rapidly (up 400% since summer 2010).
 - Dataset: 49 Android malware families collected from Aug 2010 to Sept 2011.
ANDROID SECURITY
SANDBOXING
 - Isolated environment for app execution.
 - Each app runs in its own sandbox, which isolates that app's data and code.
 - Implementation: a UNIQUE USER ID (UID) is assigned to each app, and the app runs as a separate process under that UID.
PERMISSIONS
 - Mandatory Access Control (MAC) mechanism for protecting application components and data.
 - Each component of an application is assigned an ACCESS PERMISSION LABEL.
 - An application is assigned the collection of permission labels of the components it needs to access.
[Figure: permission labels. Application 1 has components A (unlabelled), B (label l1) and C (label l2). Application 2 holds permission labels l1 and l3 ("inherits permission"), so it can reach B but not C.]
II. MALWARE CHARACTERIZATION
A] MALWARE INSTALLATION
REPACKAGING
 - The most common technique used to piggyback malicious payloads onto legitimate applications.
 - Malware authors piggyback their payload onto a popular app and redistribute the repackaged version.
UPDATE ATTACK
 - Repackaging is still used, but the payload is not enclosed as a whole.
 - Instead, the app includes an update component that fetches or downloads the malicious payload at runtime (dynamically).
DRIVE-BY DOWNLOAD
 - Traditional download attacks: entice users to download interesting or feature-rich apps.
 - Malware families: GGTracker, Jifake, Spitmo, Zitmo.
B] ACTIVATION
Key term: system-wide event. Examples:
 - BOOT_COMPLETED
 - SMS_RECEIVED
 - ACTION_MAIN
The malware registers for the related system-wide event and launches its payload when that event fires.
 - BOOT_COMPLETED event: for example, Geinimi.
 - SMS_RECEIVED event: for example, zSone.
 - Intent with action ACTION_MAIN: hijack the entry activity and bootstrap the malicious service before starting the host app's primary activity. For example, DroidDream.
C] MALICIOUS PAYLOADS
Payload: the malicious software carried by the infected app.
PAYLOAD FUNCTIONALITY
 - PRIVILEGE ESCALATION
 - REMOTE CONTROL
 - FINANCIAL CHARGE
 - INFORMATION COLLECTION
PRIVILEGE ESCALATION
Root exploits:
 - Asroot
 - Exploid
 - RATC (RageAgainstTheCage)
36.7% of the malware samples embed at least one root exploit.
[Figure: privilege escalation. APP1, APP2 and APP3, each with components comp1 and comp2, run in separate Dalvik VM (DVM) instances.]
PRIVILEGE ESCALATION (contd)
 - Copy exactly the same publicly available root exploit: for example, DroidDream.
 - Encrypt the root exploit, store it as a resource or asset file, and uncover it dynamically at runtime: for example, DroidKungFu.
REMOTE CONTROL
 - 93% of the malware samples turn infected phones into bots.
 - HTTP-based communication with C&C servers.
REMOTE CONTROL (contd)
 - Encryption of the remote C&C server URLs and of the communication with the C&C server.
 - For example, DroidKungFu3 uses AES encryption, with the key used to hide its C&C servers.
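As an added example (not from the slides or from the cited paper), the Python triage script below applies the two hiding patterns described under privilege escalation and remote control, a root exploit bundled as a native ELF file in assets/, and an encrypted blob (exploit or C&C configuration) stored as a resource or asset and only unpacked at runtime, to the entries of an APK. The APK it scans is constructed in memory; the entry names, the 7.5 bits/byte entropy threshold and the list of skipped media extensions are assumptions of this example, not values from the paper.

```python
"""Triage an APK's assets/ and res/raw/ entries for bundled ELF binaries and
high-entropy (likely encrypted) blobs. Added example; thresholds are assumptions."""
import hashlib
import io
import math
import zipfile

ELF_MAGIC = b"\x7fELF"
SCAN_PREFIXES = ("assets/", "res/raw/")
# Assumption: entropy this close to the 8-bit maximum means encrypted or compressed
# data; text, XML and DEX code sit well below it.
HIGH_ENTROPY = 7.5
# Media and archives are legitimately high-entropy, so skip them by extension.
SKIP_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".ogg", ".mp3", ".mp4", ".zip", ".jar", ".apk")


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_apk(apk_bytes):
    """Return (zip entry name, reason) for each suspicious asset or raw resource."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith(SCAN_PREFIXES):
                continue
            data = apk.read(name)
            if data.startswith(ELF_MAGIC):
                findings.append((name, "ELF binary bundled as an asset: possible root exploit"))
                continue
            if name.lower().endswith(SKIP_EXTENSIONS):
                continue
            entropy = shannon_entropy(data)
            if entropy >= HIGH_ENTROPY:
                findings.append((name, "high-entropy blob (%.2f bits/byte): possibly an "
                                       "encrypted payload or C&C configuration" % entropy))
    return findings


def _pseudo_random_bytes(length, seed=b"example"):
    """Deterministic stand-in for ciphertext: a SHA-256 counter chain (constructed data)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def build_sample_apk():
    """A minimal APK-shaped zip constructed for this example; no real app or exploit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", "<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        apk.writestr("assets/help.txt", "Tap the screen to jump over the obstacles.\n" * 20)
        # Only the 4-byte magic is real; the rest is zero padding, not an exploit.
        apk.writestr("assets/ratc", ELF_MAGIC + b"\x01\x01\x01\x00" + b"\x00" * 200)
        apk.writestr("assets/update.dat", _pseudo_random_bytes(4096))
        apk.writestr("res/raw/logo.png", b"\x89PNG" + _pseudo_random_bytes(512))
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_apk(build_sample_apk()):
        print("%-20s %s" % (entry, reason))
```

This is triage, not detection: legitimate apps ship native code under lib/ (deliberately not scanned here), and packed game data can cross the entropy threshold, so each hit still needs a look in a disassembler. The point is that an ELF file under assets/, or a blob that no code path reads except through a decryption routine, is unusual enough to be worth that look.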
FINANCIAL CHARGE
 - Premium-rate services.
 - Uses the permission-guarded function sendTextMessage.
 - 4.4% of the malware samples, from 7 different families, send SMS messages to premium-rate numbers hardcoded in the infected app.
FINANCIAL CHARGE (contd)
 - Others do not hardcode the premium-rate numbers: flexible remote control pushes the numbers down at runtime.
 - RogueSPPush and GGTracker reply "y" to subscription messages in the background and suppress the billing-related messages so the user does not see them.
INFORMATION COLLECTION
 - SMS messages, phone numbers, user accounts.
 - For example, SndApp collects email addresses; Spitmo intercepts SMS verification messages.
D] PERMISSION USES
 - Capabilities of apps are strictly constrained by permissions.
 - Exception: Android apps with root exploits, which bypass the permission system once they have root.
 - Comparison of permissions requested by benign apps vs. malicious apps.
PERMISSION USES (contd)
Permissions common to both benign and malicious apps:
 - INTERNET
 - ACCESS_NETWORK_STATE
 - READ_PHONE_STATE
 - WRITE_EXTERNAL_STORAGE
Permissions common in malicious apps:
 - READ_SMS
 - RECEIVE_BOOT_COMPLETED
 - WRITE_SMS
 - RECEIVE_SMS
 - SEND_SMS
 - CHANGE_WIFI_STATE
PERMISSION USES (contd)
Malicious apps request:
 - more permissions than benign apps.
 - more SMS-related permissions.
III. MALWARE DETECTION
 - Rapid growth and evolution of malware.
 - Existing anti-virus software: measure its effectiveness against the dataset.
MALWARE DETECTION (contd)
Security apps tested: AVG, Lookout, Norton, TrendMicro.
 - All apps downloaded from Google Play.
 - Phone chosen: Nexus One.
 - Android version 2.3.7.
 - All security apps updated to the latest version before testing.
MALWARE DETECTION (contd)
Results: best case detects 79.6% of the samples, worst case 20.2%.
Reasons for the gap:
 - Different design approaches.
 - Different implementation approaches.
 - Relatively new malware.
 - Old signature databases.
 - Unique runtime environment.
 - Limited resources and battery.
IV. CONCLUSION
 - Large volume of new apps: a joint effort involving all parties is needed.
 - Coarse-grained permission model: include additional context information.
 - Rapid development and increased sophistication of malware.
 - Mobile anti-virus software: best case detects 79.6%, worst case detects 20.2%. Better next-generation anti-malware solutions need to be developed.
REFERENCES
 - Yajin Zhou, Xuxian Jiang. Dissecting Android Malware: Characterization and Evolution. IEEE Symposium on Security and Privacy, 2012.
 - Ariel Haney, Erika Chin, David Wagner, Adrienne Porter Felt, Elizabeth Ha, Serge Egelman. Android Permissions: User Attention, Comprehension, and Behavior.
 - Malicious Mobile Threats Report (2011): http://www.juniper.net/us/en/company/press-center/press-releases/2011/pr 2011 05 10-09 00.html
 - Repackaged application: http://en-erteam.nprotect.com/2011/07/material-repackaged-fastracing-game_8549.html
 - Using QR tags to attack smartphones: http://kaoticoneutral.blogspot.com/2011/09/using-qr-tags-toattack-smartphones 10.html
THANK YOU!!!