AndRadar: Fast Discovery of Android Applications in Alternative Markets
Martina Lindorfer, Stamatis Volanis, Alessandro Sisto, Matthias Neugschwandtner, Elias Athanasopoulos, Federico Maggi, Christian Platzer, Sotiris Ioannidis, Stefano Zanero
Vienna University of Technology; Foundation for Research & Technology – Hellas; Politecnico di Milano
Low infection rates?
Google: Android Security From The Ground Up (VirusBulletin 2013)
• The Core of the Matter (NDSS13): 0.0009%
• The Company You Keep (WWW14): 0.28%
Detection of Intrusions and Malware & Vulnerability Assessment, July 2014
AV vendors paint a different picture…
TrendMicro TrendLabs 1Q 2014 Security Roundup
Fortinet 2014 Threat Landscape Report
McAfee Labs Threats Report June 2014
Motivation
• How are malicious apps distributed?
- Official Google Play Store
- Torrents, One-Click Hosters
- Websites, Blogs, …
- Alternative App Markets
• How widespread are malicious apps, and how often are they downloaded?
• Do alternative markets employ security measures?
• Collect metadata for malware analysis
- Andrubis, AndroTotal
Market Metadata: Google Play
Outline
• Market Characterization
• Android Market Radar (AndRadar)
• Evaluation and Case Study
• Future Work and Conclusion
Market Characterization
• Alternative markets are popular because of …
- Country gaps (e.g. no paid apps in Google Play China)
- Promotion
- Specific needs and specialization
• Preliminary study on 8 alternative marketplaces
- Crawled them entirely between July and Nov 2013
- Downloaded 318,515 apps
(1) Distribution of Unwanted Apps
Do markets distribute known, unwanted apps?
• Yes, they do!
• 5-8% malicious apps in the whole dataset (10+ AV detections, excluding adware)
• Some markets specialize in adware/"madware"
[Figure: percentage of ad-/malware and percentage of malware per market (opera, andapponline, camangi, slideme, fdroid, blackmart, getjar, pandapp) against the number of positive AV detections]
(2) Publication of malicious apps
Do markets allow the publication of malicious apps?
• Yes, they do!
• Ranking based on number of published apps
• Well visible and known to market operators
• Top authors publish both benign and malicious apps
[Figure: number of malware and goodware apps published by the top 5 authors per market (andapponline, camangi, opera, pandaapp, slideme)]
(3) Distinctive metadata
Do malicious apps have distinctive metadata?
• Yes, they do!
• Malicious apps slightly larger than goodware → additional malicious code in repackaged apps
• Malicious apps are downloaded more often → inflation of ranking with app rank boosting services
(4) Market Overlap
How are markets related to each other?
• Markets share up to 47% MD5s, 75% package names
[Figure: pairwise intersection of markets by MD5 and by package name]
AndRadar Design Goals
• Discover apps in markets in real-time
• Distribution of apps across markets
• Increasing space and time requirements
• Meta information dynamic → regular crawling of apps
• Crawling of complete markets becomes infeasible
- Plethora of alternative markets: ~196 in October 2011 (Vidas et al. CODASPY13), ~500 in Juniper Threats Report March 2012/2013, ~89 in our market study in June 2013
AndRadar Architecture
[Architecture diagram; components: Seed, Market Specifications, Metadata Search, Scraper, Tracker, App Downloader, Metadata]
App Discovery
• Lightweight identifier to select target apps
• Package name uniquely identifies app on device
• Package name identifies app in markets
• Part of an app's "Branding"
App Discovery: AppChina
App Discovery: Appszoom
App Matching
• Match downloaded app to malicious app in seed
• Different levels of confidence based on
- Package name
- MD5 hash
- Fingerprint of developer's certificate
- Method signatures
[Flowchart: seed app a.b.c (MD5) compared with app a.b.c (MD5') from the market through the checks "MD5 match?", "fingerprint match?" and "method signature match?"; an MD5 match gives a perfect match (same application). Outcome labels on the slide: weak match, strong match, very strong match, perfect match; interpretations: different application, repackaged version, different version by same author, same application by same author]
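The matching ladder from the App Matching slide, as an added example (not AndRadar's own code): the four attributes are the slide's, but the order in which the checks are combined, the Jaccard comparison of method-signature sets, the 0.7 threshold and the SHA-1 certificate fingerprint are assumptions, and all apps, hashes and certificates are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class AppRecord:
    """One APK as seen in the seed set or in a market listing."""
    package: str                  # package name, the discovery identifier
    md5: str                      # MD5 of the APK file
    cert_fingerprint: str         # fingerprint of the developer's signing certificate
    method_signatures: frozenset  # method signatures extracted from the app's code

def md5_of(apk_bytes: bytes) -> str:
    return hashlib.md5(apk_bytes).hexdigest()

def cert_fingerprint(cert_der: bytes) -> str:
    # Assumption: SHA-1 over the DER-encoded signing certificate.
    return hashlib.sha1(cert_der).hexdigest()

def method_overlap(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity; the slide does not say how signature sets are compared."""
    return len(a & b) / len(a | b) if (a | b) else 1.0

def match(seed: AppRecord, cand: AppRecord, threshold: float = 0.7) -> tuple:
    """Return (confidence level, interpretation) for a market app vs. a seed app."""
    if seed.package != cand.package:
        return ("no match", "different package name")
    if seed.md5 == cand.md5:
        return ("perfect match", "same application")
    same_author = seed.cert_fingerprint == cand.cert_fingerprint
    same_code = method_overlap(seed.method_signatures, cand.method_signatures) >= threshold
    if same_author and same_code:
        return ("very strong match", "same application by same author")
    if same_author:
        return ("strong match", "different version by same author")
    if same_code:
        return ("strong match", "repackaged version")
    return ("weak match", "different application")

# Constructed sample data: not real apps, hashes or certificates.
SIGS = frozenset({"Lcom/a/b/c/Main;->onCreate(Landroid/os/Bundle;)V",
                  "Lcom/a/b/c/Net;->fetch(Ljava/lang/String;)[B",
                  "Lcom/a/b/c/Util;->hexlify([B)Ljava/lang/String;"})
DEV_CERT, OTHER_CERT = b"constructed-dev-cert-der", b"constructed-other-cert-der"
SEED = AppRecord("a.b.c", md5_of(b"seed-apk"), cert_fingerprint(DEV_CERT), SIGS)
# Same developer's update: same certificate, one added method (overlap 3/4).
UPDATE = AppRecord("a.b.c", md5_of(b"update-apk"), cert_fingerprint(DEV_CERT),
                   SIGS | {"Lcom/a/b/c/Main;->onResume()V"})
# Re-signed by a different key but carrying the original code: a repackaged copy.
REPACK = AppRecord("a.b.c", md5_of(b"repack-apk"), cert_fingerprint(OTHER_CERT), SIGS)
```

Raising the threshold to 0.9 demotes the update to a strong match (different version by same author), which shows why the cut-off on method-signature overlap decides how much version drift still counts as the same code.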
Collected Metadata
• Continuous monitoring of discovered apps
• Harvest meta information from market listing
- Upload date
- Description
- Screenshots
- Number of downloads
- User ratings
- Reviews
- Other apps by the same author
- Delete date