
Hey, You, Get Off of My Market: Rafael Michael, CS 682 Advanced Security Topics (PowerPoint presentation)



  1. Hey, You, Get Off of My Market: Rafael Michael, CS 682 Advanced Security Topics

  2. Smartphone users over the years

  3. Leading app stores 2019
     - Smartphones are becoming increasingly ubiquitous

  4. With great popularity… comes great malicious activity:
     - Malware authors
     - Malicious apps (DroidDream)
     - Use of the market's validity and trust to exploit unaware users
     - Dangers:
       - Root access to mobile devices
       - Gaining permissions to sensitive mobile information
       - The market loses validity and becomes unreliable

  5. Motivation
     - Android is a natural target for malware, due to its openness/customizability.
     - It is important to respond by assessing the overall health of the marketplaces in terms of the malware present.

  6. Who's going to save the world?
     - Studies to understand the overall 'health' of Android markets
     - Malware detection on both official and unofficial (third-party) markets (e.g. Amazon Appstore, Aptoide)
     - How was it done?
       - Web crawler to collect all possible (free) apps we can obtain
       - Five representative marketplaces
       - Two-month period
     - Large-scale analysis is needed to obtain a better understanding of the global Android malware status

  7. Approach design considerations
     - Design goals:
       - Accuracy: effectively detect malicious apps in current marketplaces with low false positives and negatives
       - Scalability and efficiency: too many apps, so little time
         - At 6 seconds per sample, a collection of 200K apps would take over two weeks to fully analyze, so speed is very important
         - Filter out apps which are unlikely to be malware, leaving only a small core to analyze (permission-based behavioral footprinting)

  8. DroidRanger
     - The first systematic study on the overall health of markets: the stores are dark and full of terrors...
     - Focusing on detecting malicious apps
     - 204,040 app samples (~75% from the Google marketplace)
     - DroidRanger has two main functions:
       - Detecting known malware via permission-based behavioral footprinting
       - Detecting unknown malware via heuristics-based filtering
     - DroidRanger successfully detected:
       - 171 infected apps (21 from the Google marketplace)
       - 2 unknown zero-day malware

  9. DroidRanger System Architecture
     - Five app marketplaces are crawled: Android Market (Google), eoeMarket, alcatelclub, gfan, mmoovv
     - Over 200K apps are loaded into a database and sent to the two DroidRanger modules (highlighted)

  10. Diving in depth… DroidRanger performs the following tasks:
     - Detecting known malware via permission-based behavioral footprinting:
       - Filters based on permissions, then analyzes based on behaviour
       - Uses a set of 10 known malware families as footprints
     - Detecting unknown malware via heuristics-based filtering:
       - Filtering based on dynamic code loading/execution and native code use
       - Analysis based on dynamic monitoring of the execution
       - Confirmed malware is fed back to step 1

  11. Detecting known malware (1/3)
     - Step I. Permission-based filtering
       - Exclude unrelated applications
       - Match each app's manifest permissions against the permissions requested by known malware
       - Only applications which need these "malware-friendly" permissions are included in the malware analysis
     - For example, Zsone malware asks for RECEIVE_SMS and SEND_SMS, so DroidRanger focuses on apps which request these two permissions...

  12. Detecting known malware (2/3)
     - DroidRanger's first component, filtering, reduces the analysis work significantly:

       Permission    RECEIVE_SMS   SEND_SMS   (both permissions)
       Apps          5,214         8,235      3,204
       Percentage    2.85%         4.50%      1.75%

     - Note: it's important to select the distinguishing permissions, otherwise we can get many false negatives/positives

  13. Detecting known malware (3/3)
     - Step II. Behavioral analysis
       - After the filtering, there are potentially still thousands of apps left to analyse
       - An attempt to run off-the-shelf mobile antivirus at this point missed 23.52% of malware, probably due to signature polymorphism
       - Instead, DroidRanger analyzes app behaviour through:
         - App manifest info (e.g. receivers)
         - App bytecode info (e.g. calls to send SMS)
         - Hierarchical structure of decompiled code
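The two-stage known-malware detection of slides 11 to 13, as an added Python example that is not DroidRanger's own code: the Zsone permissions come from slide 11, while the receiver action, the bytecode call and the four-app corpus are constructed for illustration, and the filter statistics of slide 12 are recomputed over that corpus.

```python
"""Permission filter plus behavioral footprint, in the style of DroidRanger (added example)."""
from dataclasses import dataclass, field


@dataclass
class App:
    name: str
    permissions: set                              # <uses-permission> entries in AndroidManifest.xml
    receivers: set = field(default_factory=set)   # broadcast actions the manifest registers
    api_calls: set = field(default_factory=set)   # API calls found in the decompiled bytecode

# One footprint per family. Zsone permissions from slide 11; receiver and call are assumed.
FOOTPRINTS = {
    "Zsone": {
        "permissions": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
        "receivers": {"android.provider.Telephony.SMS_RECEIVED"},
        "api_calls": {"android/telephony/SmsManager;->sendTextMessage"},
    },
}

def permission_filter(apps, footprint):
    """Step I: keep only apps whose manifest requests every footprint permission."""
    return [a for a in apps if footprint["permissions"] <= a.permissions]

def behavioral_match(app, footprint):
    """Step II: require both the manifest receivers AND the bytecode calls of the family."""
    return footprint["receivers"] <= app.receivers and footprint["api_calls"] <= app.api_calls

def scan(apps, footprints=FOOTPRINTS):
    """Return ({family: [infected app names]}, {family: (candidates, percent of corpus)})."""
    results, stats = {}, {}
    for family, fp in footprints.items():
        candidates = permission_filter(apps, fp)
        stats[family] = (len(candidates), round(100.0 * len(candidates) / len(apps), 2))
        results[family] = [a.name for a in candidates if behavioral_match(a, fp)]
    return results, stats

SMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
RECV = {"android.provider.Telephony.SMS_RECEIVED"}
# Constructed corpus: sms_backup passes the permission filter but not the behavioral
# check, which is exactly the false positive that step II exists to remove.
SAMPLE_APPS = [
    App("sms_backup", set(SMS), set(RECV), {"android/content/ContentResolver;->query"}),
    App("flashlight", {"android.permission.CAMERA"}),
    App("repacked_game", SMS | {"android.permission.INTERNET"}, set(RECV),
        {"android/telephony/SmsManager;->sendTextMessage"}),
    App("notes", {"android.permission.SEND_SMS"}),
]

if __name__ == "__main__":
    print(scan(SAMPLE_APPS))  # ({'Zsone': ['repacked_game']}, {'Zsone': (2, 50.0)})
```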

  14. Detecting Unknown Malware (1/2)
     - Step I. Heuristic-based filtering
       - DroidRanger takes a heuristic-based approach to detecting unknown malware
       - The first heuristic involves looking for dynamic loading of untrusted code (for example, use of DexClassLoader)
       - This type of dynamic loading is present in 1,055 apps (0.58%), mostly for ads
       - Discovered Plankton spyware this way

  15. Detecting Unknown Malware (2/2)
     - Step II. Dynamic execution monitoring
       - Dynamically execute the apps uncovered by step I
       - For example, during a call to SmsManager.sendTextMessage, the analysis can get the destination phone number and content
       - System calls like sys_mount, which can be used to remount the system partition as writable when running as root
       - Flagged apps are manually inspected and included in the known-malware detection engine if they are genuinely malicious

  16. Evaluations of known malware (1/4)
     - Crawled Android markets and collected 200K free apps:

       Market        Official Market   Alter M1   Alter M2   Alter M3   Alter M4
       No. of apps   153,002           17,229     14,943     10,385     8,481
       Share         (74.98%)          (8.44%)    (7.33%)    (5.09%)    (4.16%)

       Total apps: 204,040

  17. Evaluations of known malware (2/4)
     - Used 10 known malware families for behavioral footprints

  18. Evaluations of known malware (3/4)
     - 1. Permission-based filtering
       - Extracted permissions from each of the test apps
       - Compared them with the malware permissions

  19. Evaluations of known malware (4/4)
     - 2. Behavioral footprint analysis
       - Total scan time 4.5 hours (a lot less than typical analysis)

  20. Evaluations of unknown malware
     - Uncovered Plankton malware
       - Found in the "Angry Birds Cheater" app
       - Uncovered 10 similar instances in the Google marketplace
       - Google removed these 11 malicious apps on the same day

  21. Observations
     - Malware can persist longer on non-Google markets.
     - 4/10 malware families have root exploits.
     - Anti-malware mobile software doesn't always detect threats.

  22. Detecting Android malware: characterization and evolution

  23. Components
     - I. Research facts
     - II. Malware Timeline
     - III. Malware Characterization
     - IV. Malware Evolution
     - V. Conclusions

  24. Research facts
     - 1,260 samples over 49 malware families
     - 27 malware families were found to be harvesting users' information (user accounts etc.)
     - 1,083 of 1,260 (86%) malware samples were repackaged versions of legitimate applications with malicious payloads
     - 400% increase in Android-based malware since 2010
     - Anti-virus software such as AVG and Norton Mobile Security Lite detected only 79% of the malicious apps.

  25. Malware timeline

  26. Malware Installation (1/2)
     - Repackaging: malware authors
       1. Locate and download popular apps
       2. Disassemble them
       3. Enclose malicious payloads
       4. Re-assemble and submit the new apps to Android markets
     - Update attack: instead of enclosing the payload as a whole, it only includes an update component that will fetch or download the malicious payloads at runtime

  27. Update attack

  28. Malware Installation (2/2)
     - Drive-by download
       - Uses small pieces of code designed to slip past simple defenses and go largely unnoticed
       - The code doesn't need to be highly complex because it mainly has one job: to contact another computer to introduce the rest of the code it needs to access a mobile device or computer.

  29. Malicious Payloads (1/4)
     - Privilege escalation:
       - Install malware
       - Stay undercover
       - Steal another user's privileges
       - Use the privileges to gain access up to super administrator
     - Root exploits: the researchers found that 36.7% of the sample apps contained at least one root exploit.... (Not good)

  30. Malicious Payloads (2/4)
     - Remote control:
       - Turn the infected phones into bots for remote control
       - The researchers found that 93% of the samples turned infected phones into bots for remote control
       - Stealthy communication between master and server by encrypting the URLs of remote C&C servers

  31. Malicious Payloads (3/4)
     - Financial charge:
       - The attempt of malware to execute financial exchanges
       - Disguised as a media player
       - By obtaining permission to call sendTextMessage in the background without the user's awareness, the device sends messages to premium-rate services.
     - Note: premium-rate services are a form of micro-payment for paid-for content, data services and value-added services that are subsequently charged to your telephone bill

  32. Top 20 permissions requested by malicious samples

  33. Malicious Payloads (4/4)
     - Information collection:
       - Malware is actively harvesting various information on the infected phones
       - 13 malware families (138 samples) in our dataset collect SMS messages
       - 15 families (563 samples) gather phone numbers
       - 3 families (43 samples) obtain and upload information about user accounts
