andrubis 1 000 000 apps later
play

Andrubis 1,000,000 Apps Later A View on Current Android Malware - PowerPoint PPT Presentation

Jun 08, 2023 •103 likes •425 views

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer Vienna University of

  1. Andrubis – 1,000,000 Apps Later 
 A View on Current Android Malware Behaviors � Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, � Yanick Fratantonio, Victor van der Veen, Christian Platzer � � Vienna University of Technology � University of California, Santa Barbara � VU University Amsterdam �

  2. Android Malware Pandemic? � TrendMicro: The Mobile Landscape Roundup 1H 2014 � McAfee Labs Threats Report June 2014 � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 1 �

  3. Enter Sandbox � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 2 �

  4. Enter Sandbox � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 3 �

  5. Our Contributions � • Take advantage of our existing Anubis infrastructure � • Build an Android analysis sandbox that … � - is suitable for large-scale analysis � - allows us to collect a comprehensive dataset of 
 Android malware and goodware � - can be easily integrated into other tools and services � - is publicly available � § As a web service: 
 https://anubis.iseclab.org � § For batch submissions via API: 
 http://anubis.iseclab.org/Resources/submit_to_anubis.py � § As a mobile app: https://play.google.com/store/apps/details?id=org.iseclab.andrubis � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 4 �

  6. Outline � • Andrubis System Overview � • Andrubis As A Service � • Android Malware Landscape � • Future Work and Conclusion � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 5 �

  7. System Overview � Static Analysis APK File Dynamic Analysis Emulator Android OS Dalvik VM Auxiliary Network … Analysis Protocols Analysis Report Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 6 �

  8. Public Analysis Features � • Static Analysis � - Parse meta information from Android manifest � § Requested permissions � § Activities � § Services � § Registered Broadcast Receivers � - Extract available methods from bytecode � § Used permissions � § Use of DEX and native code loading � - Useful during stimulation � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 7 �

  9. Public Analysis Features � • Dynamic Analysis � - Run app in QEMU-based environment � - Instrumented Dalvik VM � § Log file system, network, phone (calls & SMS), crypto and dynamic code loading activity � - Taint tracking to identify data leaks � - Stimulation � § Invoke all Activities, Services and Broadcast Receivers � § Simulate common events (e.g. SMS receipt) � § Application Exerciser Monkey � • Auxiliary Analysis � - Network capture outside QEMU � - Extraction of high-level network protocol features � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 8 �

  10. Advanced Analysis Features � • Method Tracing � - Extension of the Dalvik VM profiler � - Outputs list of executed methods � - Use Cases: � § Basic code coverage computation � § Permissions actually used during dynamic analysis � § Behavioral signatures and classification � • System-Level Analysis � - QEMU VMI � - Outputs list of executed system calls � - Use Cases: � § Analysis of native libraries, e.g. root exploits � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 9 �

  11. Outline � • Andrubis System Overview � • Andrubis As A Service � • Android Malware Landscape � • Future Work and Conclusion � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 10 �

  12. Submission Statistics � • Online since June 2012 � • 1,778,997 submissions � - 95.82% from bulk submitters � • 1,034,999 unique apps � - 5% of total samples submitted to An(dr)ubis � • Throughput of 3,500 apps per day � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 11 �

  13. Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 12 �

  14. Deployment Considerations � • OS version = trade-off between running … � - Old version to observe root exploits � - New version to analyze current apps � • Maintenance effort of constant updates � - Focus on implementing new features instead � • Andrubis supports API level ≤ 10 (Gingerbread) � • Unsupported API level mainly a concern for GW: � - 2.11% of benign apps with API level > 10 � - 0.10% of malicious apps of API level > 10 � - Maximize potential “user base” of malware � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 13 �

  15. Our Dataset � • Samples from a variety of sources � - Google Play and alternative market crawls (AndRadar) � § Main distribution vector for Android apps � - Torrents & Direct Downloads � - Sample exchange with other researchers � - VirusTotal � - Malware Corpora � • Genome Project, Contagio, Drebin � - Anonymous submissions � � • Comparison to other tools � - Based on public malware corpora (mostly outdated) � - (Subset of) our dataset � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 14 �

  16. Sample Age by Source � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 15 �

  17. Outline � • Andrubis System Overview � • Andrubis As A Service � • Android Malware Landscape � • Future Work and Conclusion � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 16 �

  18. Dataset Classification � • No ground truth for majority of samples � - Besides public malware corpora � • Andrubis itself performs no classification � - Although we are experimenting with machine-learning approaches � • We rely on AV labels for this evaluation � - Goodware: � 27.90% � - Malware: � 41.15% � - Unlabeled: � 30.95% � • Unlabeled set contains mainly adware � - Also possible false positives � • Very inconsistent AV labeling � - Found even Google app labeled as MW by AVs � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 17 �

  19. Dataset by Release Date � • Based on four dates: � - Last modification date of the APK file (ZIP header) � - Release date of the minimum required SDK � - Publication date in alternative markets/Google Play � - First submission date to Andrubis � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 18 �

  20. Key Observations � • Trends in MW/GW development from 2010-2014 � • Static analysis alone becomes increasingly difficult � - Ubiquitous use of reflection, especially in GW � - Increasing use of dynamic code loading � • Common assumptions about MW/GW: � - Malicious apps request more permissions than benign apps, but use less of them � - Dynamic code loading is an indicator for malware � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 19 �

  21. Requested/Used Permissions � • MW requests 12.99 permissions, uses 5.31 of them � • GW requests 5.85 permissions, uses 4.50 of them � • Requested permissions increased for both � • Decreased permission usage ratio � - Only 13.38% in GW in 2014 � - Side-effect of dynamic code loading � - Bad development practices � • Numbers based on static extraction of used permissions � - Permissions used during dynamic analysis from method tracer logs � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 20 �

  22. App Interdependencies � • Apps can share their UID � - Share data, run in the same process and inherit permissions � • Allows collusion attack � - Spread malicious payload over benign looking apps � • Allows privilege escalation by taking advantage of already installed benign apps � - Circumvent signature system with Master Key vulnerability � - Use publicly available test keys � - Even gain system privileges with android.uid.system UID � • Only used in few GW (1.14%) and MW (0.29%) app � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 21 �

  23. Other Findings from Static Analysis � • Application names � - MW often uses legitimate looking package names � § Repackaging/posing as popular benign apps � § Generic names (e.g, com.app.android) � - “Random” names (e.g.; rpyhwytfysl.uikbvktgwp) reused amongst thousands of apps � • Decreasing use of public test keys to sign apps � - Should not be used by legitimate developers � - 8.92% of MW (down from 65.29% in 2010), 2.26% of GW � • Master Key vulnerabilities not widely exploited � - Only ~1.500 MW samples � Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), September 2014 � 22 �

Recommend

Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

WELCOME Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of information An App is a piece of so ware (a program) that needs to be installed on Mobile Apps are device specific, meaning that an App that runs

268 views • 12 slides
Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can crash OS wants to be your friend Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

548 views • 17 slides
F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS

F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS

F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS CEO of large social network in annual development conference 2 months ago Shared vision for next 2 decades: past : with advent of PCs, companies

498 views • 14 slides
The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2 App 3 Buggy apps can crash OS Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

1.15k views • 67 slides
By: Taylor Thomas & Ashley Fischer There are apps for just about EVERYTHING! There are

By: Taylor Thomas & Ashley Fischer There are apps for just about EVERYTHING! There are

By: Taylor Thomas & Ashley Fischer There are apps for just about EVERYTHING! There are new apps being developed and posted everyday. Some of the best apps you will ever find are FREE! There are two ways to download apps for

606 views • 38 slides
Adaptive Progressive Web Apps PWA Progressive Web Apps are just great websites that can behave

Adaptive Progressive Web Apps PWA Progressive Web Apps are just great websites that can behave

Adaptive Progressive Web Apps PWA Progressive Web Apps are just great websites that can behave like native apps Progressive Web Apps are just great apps, powered by Web technologies and delivered with Web infrastructure.

454 views • 32 slides
2015-16 Results: Thank You! Goal = 415,000 apps Actual = 427,695 apps $30,000 in

2015-16 Results: Thank You! Goal = 415,000 apps Actual = 427,695 apps $30,000 in

More Than a Meal Campaign 2016-17 Two applications, one deadline, many student resources 2015-16 Results: Thank You! Goal = 415,000 apps Actual = 427,695 apps $30,000 in recognition awards $60M/3 yrs in new revenue to the

345 views • 10 slides
All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do companies gain by getting your permission? Typical permissions requested by apps How to check up on apps already on your phone App safety

134 views • 11 slides
in Android apps Shin Hwei Zhen Xiang Abhik Tan Dong Gao Roychoudhury 2 Prevalence of

in Android apps Shin Hwei Zhen Xiang Abhik Tan Dong Gao Roychoudhury 2 Prevalence of

Repairing crashes in Android apps Shin Hwei Zhen Xiang Abhik Tan Dong Gao Roychoudhury 2 Prevalence of Mobile Apps App Store Google Play Launched with 500 apps. 3.5 millions apps By July 17, 10 millions available for download apps

518 views • 22 slides
On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out

On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out

On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out of your vacation Helps you avoid missing important sites Eliminates confusion while travelling Keeps you connected to home Tips for

971 views • 39 slides
Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project discussions Native Apps Live on device Access to all device features GPS, accelerometer, compass, list of contacts Written for specific

654 views • 38 slides
Build beautiful native apps in record time with flutter Eduardo Telaya - CTO / Software

Build beautiful native apps in record time with flutter Eduardo Telaya - CTO / Software

Build beautiful native apps in record time with flutter Eduardo Telaya - CTO / Software Architect / Drupal Developer Agenda Context about Apps Native apps Web apps Hybrid apps Whats flutter? Whos

2.59k views • 42 slides
Educational Mobile Apps Dr. Agnieszka (Aga) Palalas October 2013 1 Educational Mobile Apps

Educational Mobile Apps Dr. Agnieszka (Aga) Palalas October 2013 1 Educational Mobile Apps

Educational Mobile Apps Dr. Agnieszka (Aga) Palalas October 2013 1 Educational Mobile Apps Outcome : To determine the key benefits and uses of mobile apps inside and outside the classroom. To identify the main issues to be considered when

620 views • 14 slides
THE ROAD TO ANGULAR 2.0 ABOUT ME Angular 1.x apps iOS apps REST API's in Java

THE ROAD TO ANGULAR 2.0 ABOUT ME Angular 1.x apps iOS apps REST API's in Java

THE ROAD TO ANGULAR 2.0 ABOUT ME Angular 1.x apps iOS apps REST API's in Java Maarten Hus, Developer @ WHY THIS TALK? WAIT WHAT?! GRAVEYARD WHY? DISCLAIMER THE ROAD 1.x T emplate Syntax 2.0 T ypes Bindings ES6

969 views • 70 slides
LAKC - 9th Annual IP CLE: US TM Apps and Registrations based on Foreign Apps and Registrations

LAKC - 9th Annual IP CLE: US TM Apps and Registrations based on Foreign Apps and Registrations

2/23/2017 LAKC - 9th Annual IP CLE: US TM Apps and Registrations based on Foreign Apps and Registrations A Review of Issues associated with Identifications and Use Kent Erickson and Timothy Feathers Two Filing Bases for US Owners A US

426 views • 13 slides
social media apps of concern As we make our way through the jungle of applications (apps)

social media apps of concern As we make our way through the jungle of applications (apps)

social media apps of concern As we make our way through the jungle of applications (apps) available on the various markets, there are some that have risen to the top in regards to inappropriate behavior and dangerous activity for children, teens,

614 views • 6 slides
Apps & Apps & Marketplace Introductions Who has used Libby at least once? More

Apps & Apps & Marketplace Introductions Who has used Libby at least once? More

MontanaLibrary2Go: Apps & Apps & Marketplace Introductions Who has used Libby at least once? More than 5 times? At least monthly? At least weekly? Who has used the Overdrive App at least once? More than 5 times?

731 views • 33 slides
An introduction to the EU BULLY apps A blended approach to changing bullying behaviour 2 apps

An introduction to the EU BULLY apps A blended approach to changing bullying behaviour 2 apps

An introduction to the EU BULLY apps A blended approach to changing bullying behaviour 2 apps developed as resources to support anti-bullying programmes with young people in school and at home: 1. A multiple choice quiz 2. An online survey

257 views • 12 slides
Nifty web apps on an OpenResty Nifty web apps on an OpenResty agentzh@gmail.com

Nifty web apps on an OpenResty Nifty web apps on an OpenResty agentzh@gmail.com

Nifty web apps on an OpenResty Nifty web apps on an OpenResty agentzh@gmail.com 2008.4 The history of the web... The history of the web... Web 1.0 Benefits Server code is easy to write. Browsers are easty to build

930 views • 53 slides
Building Beautiful Apps Ahmed Abu Eldahab GDE Flutuer & Daru @dahabdev Tell me about you?

Building Beautiful Apps Ahmed Abu Eldahab GDE Flutuer & Daru @dahabdev Tell me about you?

Building Beautiful Apps Ahmed Abu Eldahab GDE Flutuer & Daru @dahabdev Tell me about you? Developers , Designers , Mac , Linux , Windows , Web , Mobile , Android , ios ? @dahabdev Agenda Context about Apps Native apps

693 views • 53 slides
Contextual apps for Tizen Shashwat Pradhan (Emberify) ( )

Contextual apps for Tizen Shashwat Pradhan (Emberify) ( )

Contextual apps for Tizen Shashwat Pradhan (Emberify) ( ) Introduction to Contextual apps What is context? Context refers to information that characterizes a situation, between: Apps People

830 views • 34 slides
Smartphone Apps in Newborn Health Department of Pediatrics All India Institute of Medical

Smartphone Apps in Newborn Health Department of Pediatrics All India Institute of Medical

Conflict of interest-None Smartphone Apps in Newborn Health Department of Pediatrics All India Institute of Medical Sciences WHO-CC for Training & Research in Newborn Care Smart phone Apps Idea about Apps Development Principle

1.38k views • 52 slides
apps with QML! Jen Trieu Esri, Inc Agenda Agenda Location in your apps. Determine your

apps with QML! Jen Trieu Esri, Inc Agenda Agenda Location in your apps. Determine your

Developing great location-based apps with QML! Jen Trieu Esri, Inc Agenda Agenda Location in your apps. Determine your app/map pattern Location and Mapping SDK for QML developers Examples QA Why is location important?

467 views • 17 slides
Achieving h APP iness on your mobile device mHealth apps for EDs Kirsty Short, Advanced Trainee

Achieving h APP iness on your mobile device mHealth apps for EDs Kirsty Short, Advanced Trainee

Achieving h APP iness on your mobile device mHealth apps for EDs Kirsty Short, Advanced Trainee in Emergency Medicine (ECI) Apps for Clinicians Improving Patient Experience Translation apps Procedure explanations Departmental

550 views • 31 slides

More recommend