GroDDViewer: Dynamic dual view of Android malware
Jean-François Lalande, Mathieu Simon, Valérie Viet Triem Tong
CIDRE team
GraMSec 2020, June 22nd 2020
Outline: Introduction, Malware analysis, Visualization, Conclusion
Introduction
Android malware analysis
- static analysis: (byte)code parsing + Control Flow Graph analysis
- dynamic analysis: execution (smartphone, Cuckoo sandbox)
Reverse engineering:
- go deep into the bytecode
- observe what happens when executed
[Figure: photo by Con-struct + Replicant community, CC BY-SA 3.0]
Tools for helping the reverser
Dynamic analysis tools for Android apps:
- focus on the quality of their outputs
- do not focus on visualization
We believe that a good visualization tool should:
1. represent what happens at OS level
2. represent what is inside the bytecode
3. help the investigator to understand a malware
Malware analysis
Examples
Remote Admin Tools:
- BadNews: obeys a remote server + delays the attack
- DroidKungFu1 (well known): delays the attack
- Mazar: RAT + spyware
Blocker / Eraser:
- WipeLocker: wipes the SD card
Ransomware
SimpleLocker: encrypts the user's files and asks for payment
⇒ We would like to see:
- the encrypted files
- the part of the bytecode involved
Visualization needs
- Observe what happens in the system (files, sockets)
- Identify the involved parts of the code
- Observe the malware over time
⇒ We created GroDDViewer to answer these problems!
- Grodd: the intelligent gorilla of DC Comics
- D: Dynamic (replay an experiment)
- D: Dual view (OS + Code)
Our analysis framework: GroddDroid
[Figure: GroddDroid pipeline, built up in six steps]
1. Input: the APK
2. Static analysis (API usage, etc.) builds the CFG and performs Payload Location
3. Control Flow Tracer: targeting one payload, producing a New APK
4. Runner: GroddDroid controls a real smartphone; execution of the new APK and of a reference run, monitored by BLARE, with a Log Collector
5. Outputs: code coverage, malicious code triggering coverage
6. Visualization
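To make the "payload location" and "targeting one payload" stages concrete, here is an added toy example (not GroddDroid's own code): a constructed control flow graph of one method, a hypothetical risk score per API call, the block with the highest score chosen as the payload, and the list of conditional branches that must be forced on the path from the entry block to that payload. Block names, API names and scores are all assumptions made for the illustration.

```python
"""Toy payload location + branch targeting over a constructed CFG.

Constructed illustration, not GroddDroid's implementation: blocks are
nodes carrying the APIs they invoke and their successor edges; a
conditional block has a labelled "true"/"false" edge.
"""
from collections import deque

# Hypothetical risk score per API (Smali-style names); chosen for the demo.
RISKY_APIS = {
    "Ljavax/crypto/Cipher;->doFinal": 3,
    "Ljava/io/File;->delete": 2,
    "Landroid/telephony/SmsManager;->sendTextMessage": 3,
    "Ljava/net/HttpURLConnection;->connect": 1,
}

# Constructed CFG of a SimpleLocker-like service method.
# "succ" is a dict {"true": block, "false": block} for a conditional
# block, otherwise a list of fall-through successors (empty = exit).
CFG = {
    "entry":     {"calls": ["Landroid/app/Service;->onCreate"], "succ": ["chk_emu"]},
    "chk_emu":   {"calls": ["Landroid/os/Build;->getFINGERPRINT"],
                  "succ": {"true": "exit", "false": "chk_delay"}},   # emulator check
    "chk_delay": {"calls": ["Ljava/lang/System;->currentTimeMillis"],
                  "succ": {"true": "beacon", "false": "exit"}},      # delayed attack
    "beacon":    {"calls": ["Ljava/net/HttpURLConnection;->connect"], "succ": ["loop"]},
    "loop":      {"calls": ["Ljava/io/File;->listFiles"],
                  "succ": {"true": "encrypt", "false": "exit"}},     # more files?
    "encrypt":   {"calls": ["Ljavax/crypto/Cipher;->doFinal", "Ljava/io/File;->delete"],
                  "succ": ["loop"]},
    "exit":      {"calls": [], "succ": []},
}


def block_score(cfg, block):
    """Sum of the risk scores of the APIs invoked in a block."""
    return sum(RISKY_APIS.get(api, 0) for api in cfg[block]["calls"])


def locate_payload(cfg):
    """Payload location: the block with the highest risky-API score
    (ties broken by name so the result is deterministic)."""
    return max(cfg, key=lambda b: (block_score(cfg, b), b))


def successors(cfg, block):
    s = cfg[block]["succ"]
    return list(s.values()) if isinstance(s, dict) else list(s)


def shortest_path(cfg, src, dst):
    """BFS over the CFG; returns the block list from src to dst, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        b = queue.popleft()
        if b == dst:
            break
        for n in successors(cfg, b):
            if n not in prev:
                prev[n] = b
                queue.append(n)
    if dst not in prev:
        return None
    path, b = [], dst
    while b is not None:
        path.append(b)
        b = prev[b]
    return path[::-1]


def forced_branches(cfg, path):
    """Targeting one payload: for every conditional block on the path,
    the edge ("true"/"false") that must be taken to stay on the path.
    This is the list a control-flow tracer would patch in the new APK."""
    forced = []
    for cur, nxt in zip(path, path[1:]):
        s = cfg[cur]["succ"]
        if isinstance(s, dict):
            edge = next(label for label, target in s.items() if target == nxt)
            forced.append((cur, edge))
    return forced


def target_payload(cfg, entry="entry"):
    """Full pipeline on one method: payload block, path, forced branches."""
    payload = locate_payload(cfg)
    path = shortest_path(cfg, entry, payload)
    return payload, path, forced_branches(cfg, path) if path else None


if __name__ == "__main__":
    payload, path, forced = target_payload(CFG)
    print("payload block:", payload)
    print("path:", " -> ".join(path))
    print("branches to force:", forced)
```

Run stand-alone, the script reports `encrypt` as the payload (score 5), the path entry → chk_emu → chk_delay → beacon → loop → encrypt, and three branches to force: the emulator check must evaluate false, the delay check true, and the file loop true. Those three forced branches are exactly what makes a delayed, emulator-aware sample execute its payload during a short dynamic run.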
Blare monitoring: principle
1. Marks files with a mark
2. Observes the propagation of flows
[Figure: File 1, File 2, File 3; marks propagated through cp and cat]
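The two principles above, tag files with a mark and follow the marks along observed flows, are easy to state and easy to misread, so here is an added user-space simulation (not Blare's kernel code) replayed over a constructed event trace. It covers the cp/cat flows of the figure and also the SimpleLocker wish from the ransomware slide: the encrypted output file ends up carrying the mark of the photo it was derived from, and a send to a socket shows where a mark leaves the device. The file names, process names, marks and the policy check at the end are all assumptions made for the illustration.

```python
"""Constructed simulation of Blare-style information flow tracking.

Not Blare's implementation: a user-space model of the two principles
on the slide, (1) tag files with marks, (2) propagate marks along every
observed flow, replayed over a constructed trace of read/write/send events.
"""
from collections import defaultdict

# Hypothetical initial tagging: two user files get one mark each.
INITIAL_MARKS = {
    "/sdcard/photo.jpg": {"photo"},
    "/sdcard/notes.txt": {"notes"},
}

# Constructed event trace (op, source container, destination container).
#   read : file -> process      write: process -> file      send: process -> socket
TRACE = [
    ("read", "/sdcard/photo.jpg", "cp"),
    ("write", "cp", "/tmp/photo.bak"),              # cp: backup carries "photo"
    ("read", "/sdcard/photo.jpg", "cat"),
    ("read", "/sdcard/notes.txt", "cat"),
    ("write", "cat", "/tmp/all.txt"),               # cat: output carries both marks
    ("read", "/sdcard/photo.jpg", "simplelocker"),
    ("write", "simplelocker", "/sdcard/photo.jpg.enc"),  # ciphertext still tagged "photo"
    ("send", "simplelocker", "socket:c2"),          # mark leaves the device
]


def propagate(trace, initial_marks):
    """Replay the trace. Marks flow from src to dst on every event.

    Returns (marks per container, list of observed flows that brought at
    least one new mark to their destination, in trace order)."""
    marks = defaultdict(set)
    for container, m in initial_marks.items():
        marks[container] = set(m)
    flows = []
    for op, src, dst in trace:
        new = marks[src] - marks[dst]
        if new:                       # only record flows that carry something new
            marks[dst] |= new
            flows.append((op, src, dst, frozenset(new)))
    return dict(marks), flows


def containers_with(marks, mark):
    """All containers (files, processes, sockets) currently carrying `mark`."""
    return sorted(c for c, m in marks.items() if mark in m)


def violations(marks, sinks, forbidden):
    """Simple policy (an assumption of this demo, not the slide's): report
    every sink container that received a forbidden mark."""
    out = []
    for sink in sorted(sinks):
        leaked = marks.get(sink, set()) & forbidden
        if leaked:
            out.append((sink, leaked))
    return out


if __name__ == "__main__":
    final, flows = propagate(TRACE, INITIAL_MARKS)
    for op, src, dst, new in flows:
        print(f"{op:5} {src:22} -> {dst:22} new marks {sorted(new)}")
    print("carrying 'photo':", containers_with(final, "photo"))
    print("violations:", violations(final, {"socket:c2"}, {"photo", "notes"}))
```

Two points are worth noticing in the output. First, `/sdcard/photo.jpg.enc` carries `photo` even though its bytes no longer resemble the photo: the mark follows the flow, not the content, which is what lets a viewer show "the encrypted files" for SimpleLocker. Second, `/tmp/all.txt` carries both marks after one `cat`, so marks accumulate along a chain of processes; a real monitor must be ready for containers with many marks, not a single owner.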
Visualization
GroDDViewer example: SimpleLocker
GroDDViewer demo
Conclusion
Future works
Unsolved problems for dynamic observation:
- Native code
- Obfuscation
- Remote servers
New visualization problems:
- Enhance the navigation into the code
- Deal with the visualization of protocols
Questions?
© Inria / C. Morel