how current android malware seeks to evade automated code
play

How Current Android Malware Seeks to Evade Automated Code Analysis - PowerPoint PPT Presentation

Sep 21, 2022 •118 likes •344 views

How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan Asrar , Stephan Huber, Eric Bodden Technische Universitt Darmstadt, Darmstadt, Germany Fraunhofer SIT, Darmstadt, Germany Appthority, San

  1. How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan Asrar , Stephan Huber, Eric Bodden Technische Universität Darmstadt, Darmstadt, Germany Fraunhofer SIT, Darmstadt, Germany Appthority, San Francisco, USA SECURE SOFTWARE ENGINEERING GROUP

  2. SECURE 2 SOFTWARE ENGINEERING GROUP

  3. Intent-Fuzzing (Behavior Analysis) DroidFuzzer[MoMM’13], IntentFuzzer [WODA’14], Andrubis [BADGERS’14] Inspection of the Symbolic/Concolic Emulator - Network Sniffing Execution - SMS interception Acteve[FSE’12], Rozzle [Oakland’12] - … Dataflow Analysis APP FlowDroid [PLDI’14], Security Report TaintDroid [OSDI’10] Machine Learning CHABADA [ICSE’14], Mudflow [ICSE’15] … SECURE 3 SOFTWARE ENGINEERING GROUP

  4. Is this sufficient enough? SECURE 4 SOFTWARE ENGINEERING GROUP

  5. Is this sufficient enough? SECURE 4 SOFTWARE ENGINEERING GROUP

  6. Android/BadAccents infected >20,000 user SECURE 5 SOFTWARE ENGINEERING GROUP

  7. 1. 2. Malware Code-analysis Components Challenges SECURE 6 SOFTWARE ENGINEERING GROUP

  8. SMS E-Mail Tapjacking Activation (Un-)Install Attack Component Fake AV User User User SMS Call Interception Interception Banking Send SMS Trojan HTTP Environment SECURE 7 SOFTWARE ENGINEERING GROUP

  9. Send SMS HTTP Environment Contacts File System 1. Contact’s phone number > 5 digits 2. Contact’s phone number stored into File 3. SMS text sent via C&C server (Internet connection necessary) SECURE 8 SOFTWARE ENGINEERING GROUP

  10. SMS • Checks for incoming number Activation Component +84… or +82… • Receives SMS Call Interception Interception commands from the C&C server Environment File System SECURE 9 SOFTWARE ENGINEERING GROUP

  11. • SMS activation SMS command: ak40_1 (deactivation ak40_0) Activation • Reads E-Mail Component credentials from native code SMS Call Interception Interception • Steals incoming SMS User User User via E-Mail and HTTP Environment File System Native E-Mail HTTP SECURE 10 SOFTWARE ENGINEERING GROUP

  12. ((…( Java ((user(=(stringUser();( E-Mail ((pw(=(stringPassword();(( ((saveToFile("musername",(user);(( ((saveToFile("mpass",(pw);(( SMS ((…( Interception ((sendIncomingSMSViaMail((readFromFile("musername"),(((( ((((((((((((((((((((((((((readFromFile("mpass")); Environment Native Native jstring(Java_stringUser()({( File System ((return("attacker@malicious.com";(( }( jstring(Java_stringPassword()({( ((return("superSecurePW";(( } SECURE 11 SOFTWARE ENGINEERING GROUP

  13. Banking Trojan E-Mail User User User Environment File System Time Bomb HTTP SECURE 12 SOFTWARE ENGINEERING GROUP

  14. Banking Trojan E-Mail User User User Environment File System Time Bomb HTTP Security Alert CANCEL OK SECURE 12 SOFTWARE ENGINEERING GROUP

  15. Banking Trojan E-Mail User User User Environment File System Time Bomb HTTP (previous) (person check) (previous) (security center) (certificate password) (secure mode) (name) (secure mode) (password) (Please enter the security (social security number) card correctly) (ok) (cancel) (account number) (account password) (next) (cancel) (next) (cancel) SECURE 12 SOFTWARE ENGINEERING GROUP

  16. Banking Trojan E-Mail User User User Environment File System Time Bomb HTTP (previous) (person check) (previous) (security center) (certificate password) • Waiting time: 30 minutes (secure mode) (name) (secure mode) (password) (Please enter the security • DER-formated certificates on file system (social security number) card correctly) (ok) (cancel) • Installed korean banking applications (account number) (account password) (next) (cancel) (next) (cancel) SECURE 12 SOFTWARE ENGINEERING GROUP

  17. Code Analysis Challenges RQ1: Can we automatically trigger malicious behavior (dynamically)? RQ2: Can we automatically extract the E-mail credentials (statically)? SECURE 13 SOFTWARE ENGINEERING GROUP

  18. RQ1 - Dynamic-Challenge: Generate Proper External Events • Specific events need to be sent SMS • Ordering of events is important Activation Component • Simple fuzzing approaches not SMS sufficient Interception SECURE 14 SOFTWARE ENGINEERING GROUP

  19. RQ1 - Dynamic-Challenge: Correct Environment Setup For a single App: Environment Specific Apps Specific Files Specific Contacts Timing Bomb … SECURE 15 SOFTWARE ENGINEERING GROUP

  20. RQ2 - Static-Challenge: Inter-Language Dataflows Java Native user(=(stringUser();( jstring(Java_stringUser()({( pw(=(stringPassword();(( ((return("attacker@malicious.com";(( saveToFile("musername",(user);(( }( saveToFile("mpass",(pw);(( …( jstring(Java_stringPassword()({( sendIncomingSMSViaMail((( ((return("superSecurePW";(( (((readFromFile("musername"),(((((((((((((((((((((((( } (((readFromFile("mpass")( ); SECURE 16 SOFTWARE ENGINEERING GROUP

  21. RQ2 - Static-Challenge: Inter-Language Dataflows Java Native user(=(stringUser();( jstring(Java_stringUser()({( pw(=(stringPassword();(( ((return("attacker@malicious.com";(( saveToFile("musername",(user);(( }( saveToFile("mpass",(pw);(( …( jstring(Java_stringPassword()({( sendIncomingSMSViaMail((( ((return("superSecurePW";(( (((readFromFile("musername"),(((((((((((((((((((((((( } (((readFromFile("mpass")( ); SECURE 16 SOFTWARE ENGINEERING GROUP

  22. APP Code Analysis Challenges Siegfried Rasthofer Secure Software Engineering Group (EC-SPRIDE) Email: siegfried.rasthofer@cased.de Blog: http://sse-blog.ec-spride.de Website: http://sse.ec-spride.de SECURE 17 SOFTWARE ENGINEERING GROUP

Recommend

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer Vienna University of

425 views • 31 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics

DATA ANALYSIS OF ANDROID MALWARE https://www.cnet.com/android-update/ Rafael Estrada Department of Mathematics New Mexico Tech Mentor: Dr. Golden G. Richard III Postdoctoral Researcher: Aisha Ali-Gombe July 26 th 2017 CCT REU 2017 ANDROID

347 views • 10 slides
Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf

648 views • 34 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes Patrick Carter, Collin Mulliner, Martina Lindorfer, William Robertson, Engin Kirda 02/23/2016 Android 2015 Q3 Market Share Android iOS

774 views • 26 slides
Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based

Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based

REVERSING AND OFFENSIVE-ORIENTED TRENDS SYMPOSIUM 2019 (ROOTS) 28TH TO 29TH NOVEMBER 2019, VIENNA, AUSTRIA Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based Malware Detectors Fabrcio Ceschin Marcus

1.12k views • 59 slides
A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

684 views • 33 slides
Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl

Android malware that wont make you fall asleep ukasz Siewierski lukasz.siewierski@cert.pl @maldr0id Hackito Ergo Sum 2015 Android malware is boring! ukasz Siewierski (@maldr0id) Android malware that wont make you fall asleep 2 / 24

535 views • 34 slides
ANDROID PROGRAMMING - INTRODUCTION Roberto Beraldi Web resources (android) Code

ANDROID PROGRAMMING - INTRODUCTION Roberto Beraldi Web resources (android) Code

ANDROID PROGRAMMING - INTRODUCTION Roberto Beraldi Web resources (android) Code https://developer.android.com/guide/index.html http://www.vogella.com/tutorials/android.html

1.49k views • 60 slides
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico Mariconti , Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, Gianluca Stringhini. NDSS 2017, 28-02-2017 Motivation: Android

1.21k views • 37 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides
From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphal Rigo Typical (ideal) workflow of a malware sample reverser binary SOC CERT special malware malware SOC

89 views • 7 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs on a victims system How does it get to run? Attacks a user- or network-facing vulnerable service Backdoor: Added by a malicious

1.02k views • 81 slides
SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun, Zhiqiang Li, Qiben Yan, Witawas Srisa-an and Yu Pan Department of Computer Science and Engineering University of Nebraska Lincoln Presenters: Yu

999 views • 24 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang

Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang

Obfuscated Financial Fraud Android Malware : Detection and Behavior Tracking In Seung, Yang (KrCERT/CC, KISA) DeepSEC IDSC 2016 Friday, 11 November 2016 Analysis Team at KrCERT/CC, KISA Mobile malware analyst In Seung, Yang Who am I

1.59k views • 72 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang

AppSpear: Bytecode Decryp0ng and DEX Reassembling for Packed Android Malware Yang Wenbo, Zhang Yuanyuan, Li Juanru, Shu Junliang, Li Bodong, Hu Wenjun, Gu Dawu Sudeep Nanjappa Jayakumar Agenda Introduc0on AppSpear Goals,

322 views • 19 slides
This This This This presentation presentation presentation presentation seeks seeks seeks

This This This This presentation presentation presentation presentation seeks seeks seeks

The real benefit of pursuing business with China can only be realized once companies are able to mitigate the hidden costs in their supply chain This This This This presentation presentation presentation presentation seeks seeks

1.18k views • 19 slides

More recommend