Characterization and Detection
By:
- Vishaka Nayak (110CE56)
- Devyani Patil (110CE60)
- Akshaya Sanghavi (110CE68)
Table of Contents
I. INTRODUCTION
II. MALWARE CHARACTERIZATION
  A] MALWARE INSTALLATION
  B] ACTIVATION
  C] MALICIOUS PAYLOADS
  D] PERMISSION USES
CONCLUSION
I. INTRODUCTION
Android: why?
- Open source
- Free
- Large number of applications

INTRODUCTION (contd)
Android-based malware:
- Share: > 46% and growing rapidly, up 400% since summer 2010
- Dataset: 49 Android malware families, Aug 2010 to Sept 2011
ANDROID SECURITY
Security mechanisms:
- Sandboxing
- Permissions
SANDBOXING
- Isolated environment for app execution.
- Each app has its own sandbox for its data and code.
- Implementation: a unique user ID (UID) is assigned to each app, and the app runs as a separate process under that UID.
PERMISSIONS
- Mandatory Access Control (MAC) mechanism for protecting application components and data.
- Each component of an application is assigned an access permission label.
- An application is assigned the collection of permission labels of those components which it needs to access.

PERMISSIONS (contd)
[Figure: Application 1 holds permission labels l1, l3, and its component A inherits them. Application 2 exposes components B (label l1) and C (label l2); with l1 but not l2, Application 1 can reach B but not C.]
II. MALWARE CHARACTERIZATION
Malware characterization covers:
- Malware installation
- Malware activation
- Malicious payloads
- Permission uses

MALWARE INSTALLATION
- Repackaging
- Update attack
- Drive-by download
REPACKAGING
Most common technique used to piggyback malicious payloads into applications.
Malware authors:
- Locate and download a popular app
- Disassemble it
- Enclose malicious payloads
- Reassemble and submit

REPACKAGING (contd)
UPDATE ATTACK
Repackaging is still used, but the payload is not enclosed as a whole. Instead, an update component is included that will fetch or download the malicious payload at runtime (dynamically).
- DroidKungFuUpdate: updated version stored in the host app as a resource file.
- Plankton, AnserverBot: updated version remotely downloaded from the network.
  - Plankton: upgrades certain components; jar file from a remote server.
  - AnserverBot: fetches malicious payloads as
DRIVE-BY DOWNLOAD
Traditional download attacks: entice users to download interesting or feature-rich apps.
Malware families:
o GGTracker: in-app advertisement link
o Jifake: malicious QR code
o Spitmo and Zitmo: ported versions of nefarious PC malware (SpyEye, Zeus)
ACTIVATION
Key term: system-wide event. Examples:
- BOOT_COMPLETED
- SMS_RECEIVED
- ACTION_MAIN

ACTIVATION (contd)
- Register for the related system-wide event.
- Launch the payload.
- BOOT_COMPLETED event: for example, Geinimi.
- SMS_RECEIVED event: for example, zSone.
ACTIVATION (contd)
Intent with action ACTION_MAIN:
- Hijack the entry activity.
- Bootstrap the service before starting the host app's original primary activity.
- Example: DroidDream replaces the activity com.codingcaveman.soloTrial.SplashActivity with com.android.root.main.
MALICIOUS PAYLOAD
Payload: malicious software payload.
Payload functionality:
- Privilege escalation
- Remote control
- Financial charge
- Information collection
PRIVILEGE ESCALATION
Root exploits:
- Asroot
- Exploid
- RATC
36.7% of malware embeds at least one root exploit.
[Figure: three apps (APP1, APP2, APP3), each with its components comp1/comp2 running in its own DVM.]
REMOTE CONTROL
- 93% of malware
- Turns infected phones into bots.

FINANCIAL CHARGE
- Premium-rate services.
- Permission-guarded function: sendTextMessage.
- 4.4% of malware, from 7 different families:
  - sends SMS messages
  - to premium-rate numbers hardcoded in the infected app

INFORMATION COLLECTION
- SMS messages.
- Phone numbers.
- User account.
For example:
- SndApp: email address.
- Spitmo: SMS verification messages.
PERMISSION USES
- Capabilities of apps are strictly constrained by permissions.
- Exception: Android apps with root exploits.
- Comparison of permissions requested by benign apps vs. malicious apps:
  - RECEIVE_SMS
  - RECEIVE_BOOT_COMPLETED
  - SEND_SMS
  - WRITE_SMS
  - CHANGE_WIFI_STATE
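As an added example (not code from the slides or the paper they summarize), the triage script below parses a constructed AndroidManifest.xml and reports the permissions and activation events this deck singles out; the flag rule (payload trigger paired with SEND_SMS) is an assumed heuristic, not a published detector.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # Clark notation ElementTree uses for android:name

# Permissions the slides report as requested far more often by malicious apps.
SUSPICIOUS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SEND_SMS",
    "android.permission.WRITE_SMS",
    "android.permission.CHANGE_WIFI_STATE",
}
# System-wide events the slides name as payload triggers.
ACTIVATION_EVENTS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}

def triage_manifest(xml_text: str) -> dict:
    """Report suspicious permissions, receiver-registered activation events,
    and a flag when a trigger is paired with SEND_SMS (assumed heuristic)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    events = {a.get(NAME) for r in root.iter("receiver") for a in r.iter("action")}
    report = {
        "permissions": sorted(perms & SUSPICIOUS_PERMS),
        "activation_events": sorted(events & ACTIVATION_EVENTS),
    }
    # A trigger plus SMS-sending capability is the pattern behind the
    # premium-rate financial-charge payloads described above.
    report["flag"] = bool(report["activation_events"]) and \
        "android.permission.SEND_SMS" in perms
    return report

# Constructed sample manifest; not taken from any real malware sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```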
III. MALWARE DETECTION
Anti-virus apps tested:
- AVG
- Lookout
- Norton
- TrendMicro
Procedure:
- Script created.
- Apps iterated and installed.
- Wait time: 30 secs.
- Next app tried.

IV. CONCLUSION
THANK YOU!!!