Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework:...
Transcript of Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework:...
![Page 1: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/1.jpg)
Secure Programming Lecture 17:Malware Analysis for Android Apps
David Aspinall(with slides courtesy of Wei Chen)
14th November 2019
![Page 2: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/2.jpg)
Outline
É Background: Android apps and malwareÉ Introduction: malware analysis in generalÉ Example: construct behavioural models for appsÉ Example: classifiers for detecting malwareÉ Reflection: lessons for secure programming
![Page 3: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/3.jpg)
Outline
É Background: Android apps and malwareÉ Introduction: malware analysis in generalÉ Example: construct behavioural models for appsÉ Example: classifiers for detecting malwareÉ Reflection: lessons for secure programming
![Page 4: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/4.jpg)
Android apps and markets
![Page 5: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/5.jpg)
Android apps and markets
![Page 6: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/6.jpg)
App stores own devices
É 2019: Google Play has >2 billion active devicesÉ “less than 1% of devices have PHAs installed”É faulty programming can compromise many
É Many platform security mechanisms, e.g.:É secure boot, access controls, sandboxing, signing,
kernel hardening, keystores, crypto APIs.É App store defences:É reputational trust: 8889 from 22,000 usersÉ vetting, scanning, behavioural testingÉ automatic and manual malware analysisÉ 2017-18: cloud based machine learning
É Problems:É pure sandboxing too extreme (escape via cloud)É access controls hard to configure, understandÉ code signing at best establishes who not what
![Page 7: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/7.jpg)
Example: Flashlight
![Page 8: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/8.jpg)
Example: Flashlight
89999 “Why in the world would I wanta flashlight app that collects so much info aboutme?”
88888 “This app is extremely brightand does its job well. I don’t know what othersmean when they say that they have so manyproblems with it.”
![Page 9: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/9.jpg)
Flashlights still bad... (2018)
![Page 10: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/10.jpg)
Flashlights still bad... (2019)
![Page 11: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/11.jpg)
Android Security & Privacy Report 2018
Android Security 2018 Year in Review 21
Percentage of PHA installs by category in Google Play, 2017 vs. 2018
Click fraud
Trojan
SMS fraud
Spyware
Toll fraud
Backdoor
Hostile downloader
Privilege escalation
Phishing
Others
54.9%
16.0%
6.8%
5.5%
4.2%
4.2%
Clickfraud
0.023%
SMSfraud
0.003% 0.003%
Spyware
0.003% 0.002%
Tollfraud
0.003% 0.002%
Trojan
0.004%
0.007%
2017 2018
0.003%0.001%
Hostiledownloader
0.000%0.002%
Backdoor
0.002%<0.001%
Phishing0.001% 0.001%
Privilegeescalation
PHA
INST
ALL
RA
TECommercialspyware
<0.001% <0.001%
Distribution of PHA categories in Google Play, 2018
Google Play: Click fraud+P�������ENKEM�HTCWF�CRRU�CEEQWPVGF�HQT�������QH�VJG�VQVCN�KPUVCNNCVKQP�TCVG�QH�2*#U�QT��������QH�CNN�CRR�KPUVCNNU���9G�TGECVGIQTK\GF�ENKEM�HTCWF�CRRU�HTQO�RQNKE[�XKQNCVKQPU�VQ�2*#U��YJKEJ�KPETGCUGF�)QQING�2NC[�2TQVGEVŦU�FGVGEVKQP�CPF�TGOQXCN�QH�VJGUG�CRRU��9G�GZRGEV�ENKEM�HTCWF�VQ�TGOCKP�C�RTQƒVCDNG�HTCWF�XGEVQT��DWV�CV�C�NQYGT�UECNG�VJCP�KP������
.CUV�[GCT��ENKEM�HTCWF�CRRU�YGTG�OCKPN[�VCTIGVKPI�VJG�75#��$TC\KN��CPF�/GZKEQ�
9JKNG�UWEJ�CRRU�FQ�GZKUV��KV�KU�JCTF�VQ�UECNG�WR�CPF�OCMG�OQPG[�VJCV�YC[��+PUVGCF��VJGUG�CRRU�CRRGCT�VQ�JCXG�FGUKTCDNG�HGCVWTGU�UWEJ�CU�OWUKE�QT�ICOKPI��DWV�CP�GODGFFGF�5&-�KU�GZGEWVKPI�ENKEM�HTCWF�KP�VJG�DCEMITQWPF��QHVGP�YKVJQWV�VJG�MPQYNGFIG�QH�VJG�CRR�FGXGNQRGTU�VJGOUGNXGU��&KUVTKDWVKPI�ENKEM�HTCWF�EQFG�KP�VJKU�YC[�KU�GCUKN[�UECNCDNG�CPF�OCMGU�KV�GCU[�HQT�ENKEM�HTCWF�5&-�FGXGNQRGTU�VQ�DG�RTGUGPV�KP�VJG�CRRU�QH�JWPFTGFU�QT�GXGP�VJQWUCPFU�QH�FGXGNQRGTU�
![Page 12: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/12.jpg)
Android malware & families
How could we know what happensin a malware instance?
![Page 13: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/13.jpg)
Context matters
Send SMS
NORMAL WEIRD
![Page 14: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/14.jpg)
Context matters
Access Location
NORMAL WEIRD
![Page 15: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/15.jpg)
Flashlight Application
V.S.
SUSPICIOUS NORMAL
This flashlight application contains some unreasonablebehaviours compared with its fellow applications. It willgrab your location, phone number, device number andaccess your storage.
![Page 16: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/16.jpg)
Outline
É Background: Android apps and malwareÉ Introduction: malware analysis in generalÉ Example: construct behavioural models for appsÉ Example: classifiers for detecting malwareÉ Reflection: lessons for secure programming
![Page 17: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/17.jpg)
Malware analysis
Malware: any software that is harmful to people,computers, networks, systems, etc., including: Trojanhorses, worms, spyware, adware, ransomware, etc.
Malware analysis: the art (maybe science) ofdissecting and understanding what happens inmalware, so as to eliminate malware in future.
Limitation: cannot capture unseen malicious patternswhich might cause failure to detect new malware.
![Page 18: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/18.jpg)
Malware analysis techniquesReverse engineering: decompilation and manualinvestigation.
É Precise but expensive (days/weeks per app).
Static analysis: produce models and check propertieswithout running apps.
É Basic: use meta-information, API calls, hashingto identify code, compression to measuredistance. Coarse but efficient (seconds per app).É Advanced: construct call graphs and data flows,
check safety (bad things will never happen) orliveness (good things will eventually happen)properties, i.e., model checking. Expensive (hoursor days per app) and often over-approximates(cover things that never happen).
![Page 19: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/19.jpg)
Malware analysis: techniquesDynamic analysis: run, emulate, or simulate (part of)an app to produce traces and check properties.
É Efficient (minutes per app) but oftenunder-approximates (miss things that willhappen) and hard to mimic user input.
Machine learning: classification or outlier detectionusing statistical models.
É Efficient (training and detecting in seconds per app)but often over-fitting to the training data (notgeneral enough to capture new behaviours) andhard to explain the reasons making a decision.
In general the goal is to build abstract models tocharacterise malicious patterns and infer by exploitingthese models.
![Page 20: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/20.jpg)
Malware analysis: techniques
Precision
Efficiency
Reverse engineering
Advanced static analysisMachine learning
Dynamic analysis
Basic static analysis
Comprehension
Automation
Reverse engineering
Advanced static analysis
Machine learning
Dynamic analysis
Basic static analysis
![Page 21: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/21.jpg)
Outline
É Background: Android apps and malwareÉ Introduction: malware analysis in generalÉ Example: construct behavioural models for appsÉ Example: classifiers for detecting malwareÉ Reflection: lessons for secure programming
![Page 22: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/22.jpg)
Android ArchitectureJava API Framework:É Components: Activity,
Service, Receiver,Content Provider, etc.É Lifecycle: organisation
of callbacks.É Inter-procedural call:
within a procedure callanother procedure.É Multiple entries: can be
triggered by systemevents.É Inter-component
communication: start acomponent fromanother component.
![Page 23: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/23.jpg)
Example: construct behavioural models
// • MAIN //
SMS_RECEIVED��
•SEND_SMS
,,
click
��•
SEND_SMS
��
click
ll
•READ_PHONE_STATE
// •READ_PHONE_STATE
OO
É control-dependences of events and API callsÉ abstract API calls into permission-like phrasesÉ over-approximate behavioural aspects of appsÉ model inter-component communicationÉ don’t model data-flows, reflection, or obfuscation
![Page 24: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/24.jpg)
Example: construct behavioural models
Manifest file:
<activity android:name="com.example.Main" ><intent-filter><action android:name="android.intent.action.MAIN" /><action android:name="com.main.intent" />
</intent-filter></activity><receiver android:name="com.example.Receiver" ><intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED" />
</intent-filter></receiver>
![Page 25: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/25.jpg)
Example: construct behavioural models
Activity:public class Main extendsActivity implements View.OnClickListener {private static String info = "";protected void onCreate(Bundle savedInstanceState) {Intent intent = getIntent();info = intent.getStringExtra("DEVICE_ID");info += intent.getStringExtra("TEL_NUM");SendSMSTask task = new SendSMSTask();task.execute(); }
public void onClick (View v) {SendSMSTask task = new SendSMSTask();task.execute(); }
private class SendSMSTask extends AsyncTask<Void, Void, Void> {protected Void doInBackground(Void... params) {while (true) {SmsManager sms = SmsManager.getDefault();sms.sendTextMessage("1234", null, info, null, null); }
return null; }}}
![Page 26: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/26.jpg)
Example: construct behavioural modelsActivity’s lifecycle:
// •MAIN
��
•onPause
&& •onResume
ee
onStop��
• onCreate // • onStart // •onResume
OO
click
��
•onDestroy
//
onRestart
jj •
•
onClick
EE
![Page 27: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/27.jpg)
Example: construct behavioural models
Activity’s lifecycle:
// •MAIN
��
•ε
&& •ε
ee
�
• onCreate // • ε // •
ε
OO
click
��
• ε//
ε
jj •
•
onClick
EE
![Page 28: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/28.jpg)
Example: construct behavioural models
Activity’s behaviour automaton:
// •MAIN
��
•ε
&& •ε
ee
�
• onCreate // • ε // •
ε
OO
click
��
• ε//
ε
jj •
•
onClick
EE
// • MAIN // •
click
��sendTextMessage
,, •
sendTextMessage
��
click
ll
![Page 29: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/29.jpg)
Example: construct behavioural models
Receiver:
public class Receiver extends BroadcastReceiver {public void onReceive(Context context, Intent intent) {Intent intent = new Intent();intent.setAction("com.main.intent");TelephonyManager tm = (TelephonyManager)getBaseContext().getSystemService(Context.TELEPHONY_SERVICE);intent.putExtra("DEVICE_ID", tm.getDeviceId());intent.putExtra("TEL_NUM", tm.getLine1Number());sendBroadcast(intent); }}
// •SMS_RECEIVED // •
getDeviceId // •getLine1Number // •
![Page 30: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/30.jpg)
Example: construct behavioural models
// • MAIN //
SMS_RECEIVED��
•sendTextMessage
,,
click
��•
sendTextMessage
��
click
ll
•getDeviceId
// •getLine1Number
OO
// • MAIN //
SMS_RECEIVED��
•SEND_SMS
++
click
��•
SEND_SMS
��
click
kk
•READ_PHONE_STATE
// •READ_PHONE_STATE
OO
![Page 31: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/31.jpg)
Example: Flashlight
The extended call graphs for Flashlight only consideringinter-procedural calls.
![Page 32: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/32.jpg)
Example: Flashlight
The extended call-graph for Flashlight consideringlifecylce and inter-component communication.
![Page 33: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/33.jpg)
Example: Flashlight
•
NS
��
N
$$// • MAIN // •N
//
NS
OO
L,C,W
��
click
$$
•
•
L,C,W,click
ZZ
NS
DD
N
::
•L,C,W,click
oo
VIEW, N
OO
NS
cc
N: INTERNET (connect to Internet) VIEW (display data to user)NS: ACCESS_NETWORK_STATE L: ACCESS_FINE_LOCATIONC: CAMERA (use cameras) W: WEAK_LOCK (make the device stay-on)
![Page 34: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/34.jpg)
Questions and Discussion
É What do you think about the static analysisapproach?É Are there other automatic methods which can help
our understanding of malware?É Could static analysis help improve other automatic
methods?
![Page 35: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/35.jpg)
Outline
É Introduction: malware analysis in generalÉ Background: Android apps and malwareÉ Example: construct behavioural models for appsÉ Example: classifiers for detecting malwareÉ Reflection: lessons for secure programming
![Page 36: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/36.jpg)
Syntax-Based Android Malware Classifiers
Training Validation (2011-13) Testing (2014)
(2011-13) precision recall precision recall
permissions 89% 99% 55% 23%
apis 93% 98% 62% 13%
all 95% 98% 65% 15%
Robustness of these well-trained classifiers is poor.
These classifiers were trained on 3,000 pre-labelled apps usingL1-regularised linear regression. Precision is the percentage ofdetected apps that are real malware; recall the percentage realmalware detected. Ref: Chen et al. More Semantics More Robust:
Improving Android Malware Classifers, WiSec 2016.
![Page 37: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/37.jpg)
Syntax-Based Features — Permissions
É over 200 permissions;É coarse and lightweight;É good on validation but
poor on testing (newmalware): precision89% 55%,recall 99% 23%;É requesting a
permission doesn’tmean it will be used.
![Page 38: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/38.jpg)
Syntax-Based Features — API Calls
É over 50,000 APIs;É precise and lightweight;É good on validation but
poor on testing (newmalware): precision93% 62%,recall 98% 13%;É API calls might
appear in dead codeand most of themare trivial;É order matters in
malicious behaviour
![Page 39: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/39.jpg)
Semantics-Based Features — Reachables
// • MAIN //
SMS_RECEIVED��
•SEND_SMS
,,
click
��•
SEND_SMS
��
click
ll
•READ_PHONE_STATE
// •READ_PHONE_STATE
OO
⇓
{MAIN,click,SMS_RECEIVED,SEND_SMS,READ_PHONE_STATE}
É over 300 reachables;É testing performance is improved: recall reaches
72%.É validation performance not as good as
syntax-based: precision drops to 73%.
![Page 40: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/40.jpg)
Semantics-Based Features — Invoke-Befores
// • MAIN //
SMS_RECEIVED��
•SEND_SMS
,,
click
��•
SEND_SMS
��
click
ll
•READ_PHONE_STATE
// •READ_PHONE_STATE
OO
⇓
{(MAIN, SEND_SMS), (click, SEND_SMS),(SMS_RECEIVED, SEND_SMS), · · ·}
É over 2,000 invoke-befores;É testing performance improved: recall reaches 70%.É validation performance not as good as syntax:
precision drops to 68%.
![Page 41: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/41.jpg)
Semantics-Based — Unwanted Behaviour
•
SEND_SMS,N
��
M0 : // •
SMS_RECEIVED
OO
MAIN��
B,V // •
•R// •
R
ZZ
C
OO
M1 : // •
MAIN��
SMS_RECEIVED // •
SEND_SMS��
•
R
ZZ •
B0 : // • MAIN // •
R
��B1 : // •
SMS_RECEIVED // •
READ_SMS
��
N: INTERNET (connect to Internet) V: VIEW (display data to user)B: BOOT_COMPLETED R: READ_PHONE_STATEC: CHANGE_WIFI_STATE (when WIFI state changes)
![Page 42: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/42.jpg)
Semantics-Based — Unwanted Behaviour
F0 : // ◦ MAIN // •
R
��F1 : // ◦
SMS_RECEIVED // •
F2 : // ◦SMS_RECEIVED // ◦
SEND_SMS // • F3 : // •
F4 : // ◦SMS_RECEIVED // •
READ_SMS
��
◦SEND_SMS //
N
��
◦
SEND_SMS, N��
F5 : // ◦
SMS_RECEIVED
OO
MAIN��
B,V // • •
SEND_SMS, N
ZZ
◦R// ◦
R
ZZ
C
OO
F0 = (M0 ∩M1 ∩ B0)− B1F1 = (M0 ∩M1 ∩ B1)− B0F2 = ((M0 ∩M1)− B0)− B1F3 = M0 ∩M1 ∩ B0 ∩ B1F4 = B1 − ((M0 ∩M1)− B0)F5 = ((M0 − M1)− B0)− B1
![Page 43: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/43.jpg)
Syntax-Based vs. Semantics-Based Features
Sign-A: permissions; Sign-B: actions; Sign-C: API callsPolicy-A: reachables; Policy-B: invoke-befores; Policy-C: unwanted behaviour
![Page 44: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/44.jpg)
Evaluation — Most Robust General Classifiers
Training Trainingρ1 ρ0.5 ↓method feature
NB actions 76 71L1LR reachables Ø 74 70NB reachables Ø 72 70
L1LR unwanted Ø 71 70NB happen-befores Ø 70 67
SVM keywords 73 66DT happen-befores Ø 70 65
AdaBoost keywords 71 64KNN keywords 71 64NB permissions 71 64
L1LR happen-befores Ø 69 64RF happen-befores Ø 69 64
SEMI happen-befores Ø 68 63NB keywords 68 59
![Page 45: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/45.jpg)
Evaluation — Least Robust General Classifiers
Training Trainingρ1 ρ0.5 ↑method feature
SEMI API calls 14 9RF API calls 14 9NB API calls 19 13
SVM actions 19 13L1LR actions 21 14
AdaBoost actions 21 15DT API calls 25 17
SVM API calls 26 18KNN actions 27 19
AdaBoost API calls 27 19RF actions 29 20
SEMI actions 31 22DT actions 33 23
L1LR API calls 35 25
![Page 46: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/46.jpg)
Questions and Discussion
É What do you think about machine learningmethods?É How could we improve the construction of
unwanted behaviours? (on-going research)É Are there others model we can learn for malware
detection? (on-going research)
![Page 47: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/47.jpg)
App Guarden project (2013-17)
Website: http://groups.inf.ed.ac.uk/security/appguarden/
![Page 48: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/48.jpg)
Presbema project (2017-21)
Website:https://davidaspinall.github.io/presbema/
![Page 49: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/49.jpg)
Outline
É Background: Android apps and malwareÉ Introduction: malware analysis in generalÉ Example: construct behavioural models for appsÉ Example: classifiers for detecting malwareÉ Reflection: lessons for secure programming
![Page 50: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/50.jpg)
Reflection: lessons for secure programming
É Don’t request permissions you never use. Noticethat third-party libraries often request morepermissions.É Avoid using any third-party library (advertisement
library) which you think it might cause harm tousers (information leakage) or others (turn thesmart phone into a bot, Trojans, injection, etc.)É Use static analysis tools to help you understand
what happens in these libraries.É Use obfuscation tools to optimise and protect code.É Avoid using reflection and hidden libraries.É Try your best to protect personal information.É Encrypt any sensitive information.
![Page 51: Secure Programming Lecture 17: Malware Analysis for ... · Android Architecture Java API Framework: É Components: Activity, Service, Receiver, Content Provider, etc. É Lifecycle:](https://reader033.fdocuments.net/reader033/viewer/2022053005/5f0982647e708231d4272a13/html5/thumbnails/51.jpg)
Further Reading
É Chen et al. More Semantics More Robustness: ImprovingAndroid Malware Classifiers. Proc. WiSec 2016.
É Chen et al. On Robust Malware Classifiers by VerifyingUnwanted Behaviours. iFM 2016.
É Seghir et al. Certified Lightweight Contracts for Android,SecDev 2016.
É Other publications on App Guarden and Presbema projectpages (and other research projects worldwide).