dissecting android malware characterization and evolution
play

Dissecting Android Malware: Characterization and Evolution 1 - PowerPoint PPT Presentation

Jan 16, 2023 •286 likes •648 views

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf

  1. Dissecting Android Malware: Characterization and Evolution 1

  2. Problems to solve 18

  3. Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf ufficient Andr droid malware da dataset. 19

  4. Requirement 2: Current Malware Detection Rate How good are top anti-virus software against latest Android malware? Evaluating effectiveness of current Anti-virus software 20

  5. Related work • Felt et al. “A survey of mobile malware in the wild” – Survey 46 malware samples on iOS, Android and Symbian – Choice of breadth over depth – No mention of advanced trojans in the wild 21

  6. Related work What was missing? • In-depth look at Android malware – A technical analysis of advanced attacks • Large pool of malware – Perhaps A/V companies missed stuff? E.g. Malware in third-party markets • Evolution of malware and evaluation of defense 22

  7. Contribution • Large malware dataset presented – 1260 different samples in all – 49 different families each with many variants – More info: http://www.malgenomeproject.org/ 23

  8. Malware dataset How was it collected? 24

  9. Malware dataset Q. How was it collected? A. Crawl app stores! Search for android id mark rketplace cra rawler 25

  10. Contribution • Large malware dataset presented • Analysis of malware samples – Provenance, Design, Harm Installatio Inst ion Ac Activ ivatio ion Cha Characteris isatio ion 26

  11. Malware: Provenance • Official Android market • Alternate android markets ‡ – Eoemarket – Gfan ‡ http://thedroidguy.com/2012/04/android - market-share-doubles-in-china-even-symbian- is-ahead-of-ios/ 27

  12. Malware: Provenance Month of the year Third-party store only Official store only Number of new malware families discovered 28

  13. Malware: Installation How to lure users into installing malware you have written? OR How do bad things happen to good people? 29

  14. Repackaging Third-party Monkey market Bowl App developer (Good guy) End-user • Steal info • Hijack phone • Defraud Repackage Meister (bad guy) Official Android market 30

  15. Repackaging 86% of malware samples repackage! 31

  16. Repackaging ⁼ ⁺ 32

  17. Update attack FinanceAccount.apk Google SSearch Payload DroidKungFu Source: https://www.mylookout.com/mobile- threat-report 33

  18. Update attack Encrypted blog entry: blog.sina.com.cn Original Benign app Payload AnserverBot 34

  19. Drive-by download • “Benign” game with a malvertisement In-app ad pop-up Source: https://www.mylookout.com/mobile- threat-report 35

  20. Malware: Activation When do bad things happen? • Standard Android event notifications – Phone boots up • BOOT_COMPLETED (83.3%) – SMS is received • SMS_RECEIVED – Host app is started • ACTION_MAIN 36

  21. Malware: Purpose What do they do? Source: http://www.textspyware.com/android/android-spyware-software/ 37

  22. Malware: Purpose • Harvesting user information (51.1%) SndApp • What is sent? – Device ID – Phone number/operator – User’s email addresses http://www.fortiguard.com/av/VID3148366 38

  23. Malware: Purpose • SMS to premium numbers (45.3%) FakeRegSMS.B http://www.f-secure.com/weblog/archives/00002305.html 39

  24. Malware: Design • Social engineering • Phones as bots controlled from C&C server (93%) • Privilege escalation (36.7%) – Exploit security flaws in kernel code 40

  25. Malware: Permission use Frequency of top 20 permissions Malware Benign app 688=5.02x 553=12.8x 457=6.43x 424=3.72x 398=11.7x 333=10.1x 137 114 71 43 34 33 41

  26. Malware: Permission use • Summary – Avg. no. of permissions per app • Malware: 11 | Benign apps: 4 – Avg. no. of top 20 permissions per app • Malware: 9 | Benign apps: 3 42

  27. Contribution • Large malware dataset presented • Analysis of malware samples • Evolution of malware – Advanced techniques to beat defense • How good is defense? 43

  28. Malware: Evolution How are malware writers trying to evade detection? • Encryption – Payload and internal data • Running without install – DexClassLoader, Reflection • Thwart reverse engineering – Class name obfuscation 44

  29. Malware: Detection Rate 100 A few malware samples went undetected! 90 79.6% 76.7% 80 70 60 54.7% 50 40 30 20.2% 20 10 0 AVG Lookout Norton Trend Micro 45

  30. Malware: Detection Q. Any clue why some samples were NOT detected by any? A. They most likely employ signature- based detection! 46

  31. Takeaways Malware • Mostly in third-party markets/forums (~90%) • Requests more permissions on average • Is evolving and Anti-virus software needs to catch up 47

  32. Future Work How does one reduce the impact of malware? Google’s “Bouncer” 48

  33. Future work Well, Google has a kill switch at least... ...But, what about third-party markets? 49

  34. Making xkcd slightly worse: www.xkcdsw.com 50

Recommend

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

DATA ANALYSIS OF ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics New Mexico Tech Mentor: Dr. Golden G. Richard III Postdoctoral Researcher: Aisha Ali-Gombe July 26 th 2017 CCT REU 2017 ANDROID

347 views • 10 slides
Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST

Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST

Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST 2008 Michael La Pilla VeriSign iDefense Malicious Code Operations Team June 26, 2008 Why Should Incident Responders Care? + US Commercial Accounts

458 views • 19 slides
Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index 1. Malware volume evolution 2. Malware Eras 3. Panda Adaptive Defense 1. What is it 2. Features & Benefits 3. How does it work 4.

661 views • 47 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl @maldr0id Hackito Ergo Sum 2015 Android malware is boring! ukasz Siewierski (@maldr0id) Android malware that wont make you fall asleep 2 / 24

535 views • 34 slides
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico Mariconti , Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, Gianluca Stringhini. NDSS 2017, 28-02-2017 Motivation: Android

1.21k views • 37 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides
Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer Vienna University of

425 views • 31 slides
SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun, Zhiqiang Li, Qiben Yan, Witawas Srisa-an and Yu Pan Department of Computer Science and Engineering University of Nebraska Lincoln Presenters: Yu

999 views • 24 slides
Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang

Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang

Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang (KrCERT/CC, KISA) DeepSEC IDSC 2016 Friday, 11 November 2016 Analysis Team at KrCERT/CC, KISA Mobile malware analyst In Seung, Yang Who am I

1.59k views • 72 slides
AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang Yuanyuan, Li Juanru, Shu Junliang, Li Bodong, Hu Wenjun, Gu Dawu Sudeep Nanjappa Jayakumar Agenda Introduc0on AppSpear Goals,

322 views • 19 slides
DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo

DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo

DroidScribe Classifying Android Malware Based on Runtime Behavior Santanu Kumar Dash, Guillermo Suarez-Tangil , Salahuddin Khan, Kimberly Tam, Mansour Ahmadi, Johannes Kinder, and Lorenzo Cavallaro Royal Holloway, University of London

352 views • 33 slides
AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max Wolotsky, Insu Yun, and Taesoo Kim Georgia Institute of Technology, July 27, 2017 Ab About t Us SSLab (@GT) Focusing on s ystem and security

1.25k views • 72 slides
Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad

Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad

Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad Leslous Valrie Viet Triem Tong The LASER Workshop 2016 Learning from Authoritative Security Experiment Results May 26th 2016 N. Kiss & J.-F.

367 views • 18 slides
DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Yan Heng Yin August 10, 2012 1 Android Java Components System Services Native Components Apps 2 Android Java Components

631 views • 33 slides
Analyzing Sophisticated Android Malware with CodeInspect Siegfried Rasthofer SECURE SOFTWARE

Analyzing Sophisticated Android Malware with CodeInspect Siegfried Rasthofer SECURE SOFTWARE

Analyzing Sophisticated Android Malware with CodeInspect Siegfried Rasthofer SECURE SOFTWARE ENGINEERING GROUP #whoami 3rd year PhD-Student at Secure Software Engineering Group Darmstadt, Germany (Prof. Dr. Eric Bodden)

603 views • 19 slides
Kharon dataset: Android malware under a microscope N. Kiss J.-F. Lalande EPI CIDRE INSA Centre

Kharon dataset: Android malware under a microscope N. Kiss J.-F. Lalande EPI CIDRE INSA Centre

Kharon dataset: Android malware under a microscope N. Kiss J.-F. Lalande EPI CIDRE INSA Centre Val de Loire CentraleSupelec, Inria, Univ. Rennes 1, CNRS, Univ. Orlans, LIFO EA 4022, F-35065 Rennes, France F-18020 Bourges, France M.

459 views • 12 slides
Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

On the Need of Precise Inter-App ICC Classification for Detecting Android Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of Computer Science Virginia Tech May 21, 2015 Problem and Motivation Malware

139 views • 13 slides
Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier Computer Science Dept. Worcester Polytechnic Institute (WPI) What is mobile malware? Targeted at Android, iOS, Symbian (discontinued), Windows Phone

507 views • 17 slides
How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan

How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan

How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan Asrar , Stephan Huber, Eric Bodden Technische Universitt Darmstadt, Darmstadt, Germany Fraunhofer SIT, Darmstadt, Germany Appthority, San

344 views • 22 slides
Android-x86 status update from lead developer Chih-Wei Huang Graphics stack evolution presented

Android-x86 status update from lead developer Chih-Wei Huang Graphics stack evolution presented

26-28 Sept. - A Corua Android-x86 status update from lead developer Chih-Wei Huang Graphics stack evolution presented by Mauro Rossi (maurossi) android-x86.org Agenda - Part I 26-28 Sept. - A Corua Android-x86 status update

721 views • 53 slides

More recommend