
ANDROID MALWARE
Characterization and Detection

By:
- Vishaka Nayak (110CE56)
- Devyani Patil (110CE60)
- Akshaya Sanghavi (110CE68)

Table Of Contents
I. INTRODUCTION
II. MALWARE CHARACTERIZATION
   A] MALWARE INSTALLATION
   B] ACTIVATION
   C] MALICIOUS PAYLOADS
   D] PERMISSION USES
III. MALWARE DETECTION
IV. CONCLUSION

I. INTRODUCTION

Android Why???
- Open source
- Free
- Large number of applications

INTRODUCTION (contd)
Android-based malware:
- Share: > 46% and growing rapidly
- Up 400% since summer 2010

Dataset: 49 malware families of Android, Aug 2010 to Sept 2011.

ANDROID SECURITY
Security mechanisms:
- Sandboxing
- Permissions

SANDBOXING
- Isolated environment for app execution.
- Each app has its own sandbox for its data and code.
- Implementation: a UNIQUE USER ID (UID) is assigned to each app.
- The app runs as a separate process with the assigned UID.

PERMISSIONS
- Mandatory Access Control (MAC) mechanism for protecting application components and data.
- Each component of an application is assigned an ACCESS PERMISSION LABEL.
- An application is assigned the collection of permission labels of those components which it needs to access.

PERMISSIONS (contd)
Diagram: APPLICATION 1 holds the permission labels l1, l3; its component A inherits those permissions. APPLICATION 2 has component B labelled l1 and component C labelled l2, so an application can reach only the components whose labels it holds.

PERMISSIONS (contd)

II. MALWARE CHARACTERIZATION

MALWARE CHARACTERIZATION
- Malware installation
- Malware activation
- Malicious payloads
- Permission uses

MALWARE INSTALLATION
Malware installation techniques:
- Repackaging
- Update attack
- Drive-by download

REPACKAGING
Most common technique used to piggyback malicious payloads into applications.
Malware authors:
1. Locate and download.
2. Disassemble.
3. Enclose malicious payloads.
4. Reassemble and submit.

REPACKAGING (contd)

REPACKAGING (contd)

UPDATE ATTACK
- Repackaging is still used, but the payload is not enclosed as a whole.
- Instead, the app includes an update component that fetches or downloads the malicious payload dynamically at runtime.

UPDATE ATTACK (contd)
- BaseBridge: updated version stored in the host app as a resource file.
- DroidKungFuUpdate: updated version remotely downloaded from the network.
- Plankton, AnserverBot: upgrade certain components.
  - Plankton: jar file from a remote server.
  - Anserver: fetches malicious payloads as

DRIVE-BY DOWNLOAD
- Traditional download attacks.
- Entice users to download interesting or feature-rich apps.
Malware families:
o GGTracker
o Jifake
o Spitmo
o Zitmo

DRIVE-BY DOWNLOAD (contd)
- GGTracker: in-app advertisement link.
- Jifake: malicious QR code.
- Spitmo and Zitmo: ported versions of nefarious PC malware (SpyEye, Zeus).

ACTIVATION
Key terms:
- System-wide event. Examples: BOOT_COMPLETED, SMS_RECEIVED, ACTION_MAIN.

ACTIVATION (contd)
- Register for the related system-wide event.
- Launch the payload.
- BOOT_COMPLETED event: for example, Geinimi.
- SMS_RECEIVED event: for example, zSone.

ACTIVATION (contd)
Intent with action ACTION_MAIN:
- Hijack the entry activity.
- Bootstrap the service before starting the host app's original primary activity.
- Example: DroidDream replaces the activity com.codingcaveman.soloTrial.SplashActivity with com.android.root.main.

MALICIOUS PAYLOAD
Payload: malicious software payload.
Payload functionality:
- Privilege escalation
- Remote control
- Financial charge
- Information collection

PRIVILEGE ESCALATION
Root exploits:
- Asroot.
- Exploid.
- RATC.
36.7% of malware embed at least one root exploit.

PRIVILEGE ESCALATION (contd)
Diagram: APP1, APP2 and APP3, each with components comp1 and comp2, running in separate DVM instances.

PRIVILEGE ESCALATION (contd)
- Copies the exact same publicly available root exploit.
- For example, DroidDream.

PRIVILEGE ESCALATION (contd)
- Encrypts the root exploit.
- Stores it as a resource or asset file.
- Dynamically uncovers it at runtime.
- For example, DroidKungFu.

REMOTE CONTROL
- 93% of malware turn infected phones into bots.
- HTTP-based communication with C&C servers.

REMOTE CONTROL (contd)
- Encryption of the URLs of remote C&C servers and of the communication with the C&C server.
- For example, DroidKungFu3:
  - AES encryption.
  - Uses a key to hide its C&C servers.

FINANCIAL CHARGE
- Premium-rate services.
- Permission-guarded function sendTextMessage.
- 4.4% of malware, from 7 different families:
  - send SMS messages
  - to premium-rate numbers hardcoded in the infected app

FINANCIAL CHARGE (contd)
- No hardcoded premium-rate numbers.
- Flexible remote control to push down numbers at runtime.
RogueSPPush and GGTracker:
- reply "y" to messages in the background.
- prevent billing-related messages from reaching the user.

INFORMATION COLLECTION
- SMS messages.
- Phone numbers.
- User accounts.
For example:
- SndApp: email addresses.
- Spitmo: SMS verification messages.

PERMISSION USES
- Capabilities of apps are strictly constrained by permissions.
- Exception: Android apps with root exploits.
- Comparison of permissions requested by benign apps v/s malicious apps.

PERMISSION USES (contd)
Permissions (both benign & malicious):
- INTERNET
- READ_PHONE_STATE
- ACCESS_NETWORK_STATE
- WRITE_EXTERNAL_STORAGE

PERMISSION USES (contd)
Common malicious app permissions:
- READ_SMS
- RECEIVE_SMS
- RECEIVE_BOOT_COMPLETED
- SEND_SMS
- WRITE_SMS
- CHANGE_WIFI_STATE

PERMISSION USES (contd)
- Malicious apps request more permissions than benign apps.
- In particular, more SMS-related permissions.
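The ACTIVATION and PERMISSION USES slides together describe something a triage script can check statically: which of the SMS/boot permissions listed above an app requests, and whether it registers receivers for the BOOT_COMPLETED or SMS_RECEIVED events. The following is an added example written for this page, not code from the presentation or from the referenced paper; the manifest it parses is constructed, and the flagged-permission set is taken from the deck's own list.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Permissions the deck lists as common in malicious apps.
SUSPICIOUS_PERMS = {"android.permission." + p for p in (
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "WRITE_SMS", "RECEIVE_BOOT_COMPLETED", "CHANGE_WIFI_STATE")}
# Activation events the deck names: a receiver bound to these runs without the user opening the app.
TRIGGER_ACTIONS = {"android.intent.action.BOOT_COMPLETED": "BOOT_COMPLETED",
                   "android.provider.Telephony.SMS_RECEIVED": "SMS_RECEIVED"}


def triage_manifest(manifest_xml):
    """Summarise what a manifest asks for: permission count, flagged permissions,
    receivers bound to activation events, and the unattended SMS-reply pattern."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NAME) for p in root.iter("uses-permission")}
    receivers = []
    for recv in root.iter("receiver"):
        for action in recv.iter("action"):
            event = TRIGGER_ACTIONS.get(action.get(ANDROID_NAME))
            if event:
                receivers.append((recv.get(ANDROID_NAME), event))
    events = {e for _, e in receivers}
    return {
        "permission_count": len(perms),
        "flagged_permissions": sorted(p.rsplit(".", 1)[1] for p in perms & SUSPICIOUS_PERMS),
        "event_receivers": receivers,
        # zSone / RogueSPPush pattern from the deck: woken by SMS_RECEIVED and able to answer by SMS.
        "silent_sms_reply_risk": "SMS_RECEIVED" in events and "android.permission.SEND_SMS" in perms,
    }


# Constructed sample manifest (not taken from any real app) showing the pattern the deck describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
  </application>
</manifest>"""
```

On a real APK the manifest is binary XML and must first be decoded (for example with apktool) before this function can read it.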

III. MALWARE DETECTION

- Rapid growth and evolution of malware.
- Existing anti-virus software.
- Measure their effectiveness.

MALWARE DETECTION (contd)
Anti-virus apps tested:
- AVG
- Lookout
- Norton
- TrendMicro

MALWARE DETECTION (contd)
- All apps downloaded from Google Play.
- Phone chosen: Nexus One.
- Android version 2.3.7.
- All security apps updated to the latest version before testing.

MALWARE DETECTION (contd)
- Script created.
- Apps iterated & installed.
- Wait time: 30 secs.
- Next app tried.

MALWARE DETECTION (contd)
- If malware, pop-up alert.
- Recorded by script.
- Second iteration.
- New wait time: 60 secs.
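The two slides above outline the measurement loop. Below is an added example of such a harness, written for this page and not the script the presenters used: it drives adb (assumed on PATH with one device attached), installs each sample, waits, records whether the anti-virus app raised an alert, uninstalls the sample, and repeats the whole pass with the longer wait. How the alert is observed is an assumption made here: the anti-virus package name is looked for in the device's posted notifications. The sample paths and package names are placeholders.

```python
import subprocess
import time


def run_adb(args):
    """Default runner: execute `adb <args>` and return its stdout.
    Assumes adb is on PATH and exactly one device is attached."""
    return subprocess.run(["adb", *args], capture_output=True, text=True, check=False).stdout


def alert_raised(av_package, run):
    """Assumption made here: the AV's pop-up alert counts as a detection when the AV
    package appears among posted notifications (`adb shell dumpsys notification`)."""
    return av_package in run(["shell", "dumpsys", "notification"])


def probe_sample(apk_path, package, av_package, wait_secs, run=run_adb, sleep=time.sleep):
    """Install one sample, wait for the AV to react, record the verdict, remove the sample."""
    run(["install", "-r", apk_path])
    sleep(wait_secs)
    detected = alert_raised(av_package, run)
    run(["uninstall", package])          # leave the device clean for the next sample
    return detected


def run_trial(samples, av_package, wait_secs, run=run_adb, sleep=time.sleep):
    """One pass over all (apk_path, package) pairs; returns per-sample verdicts and the rate."""
    verdicts = {pkg: probe_sample(apk, pkg, av_package, wait_secs, run, sleep) for apk, pkg in samples}
    rate = sum(verdicts.values()) / len(verdicts) if verdicts else 0.0
    return verdicts, rate


def run_experiment(samples, av_package, run=run_adb, sleep=time.sleep):
    """Two full passes as in the deck: a 30 s wait, then a 60 s wait, so a slow
    scanner is not mistaken for a missed detection."""
    return {wait: run_trial(samples, av_package, wait, run, sleep) for wait in (30, 60)}


if __name__ == "__main__":
    # Placeholder paths and package names; replace with the corpus and AV app under test.
    corpus = [("samples/family1.apk", "com.example.sample1")]
    for wait, (verdicts, rate) in run_experiment(corpus, "com.example.av").items():
        print(f"wait={wait}s rate={rate:.1%} verdicts={verdicts}")
```

Run it only against a device dedicated to the test, since every sample is actually installed.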

MALWARE DETECTION (contd)
Results:
- Low detection rate.
- Same family, different detection ratio.
- Some families undetected.

MALWARE DETECTION (contd)
Reasons:
- Different design approaches.
- Different implementation approaches.
- Relatively new malware.
- Old signature databases.
- Unique runtime environment.
- Limited resources and battery.

IV. CONCLUSION

- Large volume of new apps.
- Joint effort involving all parties.
- Coarse-grained permission model.
- Include additional context information.
- Rapid development and increased sophistication.
- In mobile anti-virus software, the best case detects 79.6% and the worst case detects 20.2%.
- Develop better next-gen anti-malware solutions.


THANK YOU!!!
