Academic year: 2021

Share "Android Malware Characterisation. Giovanni Russello"

Copied!
16
0
0

Loading.... (view fulltext now)

Full text

(1)

Android Malware Characterisation

Giovanni Russello

Analysis of Two Malware Families

• DroidKungFu and AnserverBot represent the most recent incarnation of malware engineering
• Since their first appearance, several improvements have been coded to increase their stealthiness

DroidKungFu

• There are 6 different known variants of DroidKungFu
• They have appeared within a period of 6 months
• They contain
  – Root exploits
  – C&C server communication
  – Shadow payloads
  – Code obfuscation

DroidKungFu – Root Exploits

• 4 variants contain root exploits
• DroidKungFu is the first to use an encrypted root exploit
• Root exploits are stored as assets to look like normal data files
• Initially the asset name was ratc (RageAgainstTheCage)

DroidKungFu – C&C Comm

• All the variants communicate with C&C servers
• To evade detection, the C&C servers' addresses keep changing
• DroidKungFu1 stores the address as a plaintext string in one of its Java classes
• In DroidKungFu2 the address is moved to plaintext in native code
• DroidKungFu3 and DroidKungFu4 use encrypted

DroidKungFu – Shadow Payload

• If the root exploit is successful, then a shadow app will be installed
• The user will not be aware of this app
• This app contains the same code as the malicious payload included in the repackaged app
• This means that in the event the user removes the host app, the shadow app will remain
• Variants encrypt the shadow app to evade

DroidKungFu – Code Obfuscation

• Extensive use of encryption for constant strings, C&C servers' addresses, the native payload and the shadow app
• Keys are changed very often
• Extensive use of code obfuscation
• Use of native code and JNI to make code analysis more difficult
• DroidKungFuUpdate uses the update attack to download the actual payload and evade static code analysis
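The three DroidKungFu traits on the root-exploit, C&C and obfuscation slides above can be looked for statically. The script below is an added example written for these notes, not code from the slides or from the malware: with the standard library only it opens an APK (a zip file) and flags assets that are really native executables (ELF magic under a data-file name, as with ratc), assets whose byte entropy suggests an encrypted payload (the encrypted root exploit or shadow app), and plaintext URLs in classes.dex (the DroidKungFu1 placement) or in lib/*.so (the DroidKungFu2 placement). The sample APK is constructed in memory; the asset names other than ratc, the entropy threshold and the .invalid host names are assumptions, not indicators.

```python
"""Static triage of an APK for the DroidKungFu traits described above.

Added example (not code from the slides or from the malware). The sample
archive built by build_sample_apk() is constructed for the demo; the entropy
threshold, the asset names other than ratc and the host names are assumptions.
"""
import hashlib
import io
import math
import re
import zipfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"
# Assumed threshold: encrypted or compressed data is typically above 7.5 bits
# per byte, while code, text and most genuine data files sit well below.
HIGH_ENTROPY = 7.5
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[\x21-\x7e]*)?")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Return findings grouped by trait; every value is a sorted list of hits."""
    findings = {"elf_assets": [], "high_entropy_assets": [],
                "urls_in_dex": [], "urls_in_native": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.startswith("assets/"):
                # A "data file" that starts with an ELF header is a native binary.
                if data.startswith(ELF_MAGIC):
                    findings["elf_assets"].append(name)
                # No header at all and near-random bytes: likely encrypted.
                if shannon_entropy(data) >= HIGH_ENTROPY:
                    findings["high_entropy_assets"].append(name)
            elif name == "classes.dex":
                findings["urls_in_dex"] += [u.decode() for u in URL_RE.findall(data)]
            elif name.startswith("lib/") and name.endswith(".so"):
                findings["urls_in_native"] += [u.decode() for u in URL_RE.findall(data)]
    return {k: sorted(set(v)) for k, v in findings.items()}


def build_sample_apk() -> bytes:
    """Constructed sample: a zip with the layout of an APK showing each trait."""
    # Deterministic pseudo-random bytes standing in for an encrypted asset.
    encrypted_blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Root exploit stored as an asset with an innocuous name but an ELF header.
        z.writestr("assets/ratc", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 61 + b"rageagainstthecage")
        # Encrypted shadow app: no recognisable header, near-random bytes (name assumed).
        z.writestr("assets/data.bin", encrypted_blob)
        # A genuine data file: low entropy, must not be flagged.
        z.writestr("assets/help.txt", b"This game needs network access.\n" * 20)
        # DroidKungFu1 style: C&C address as a plaintext string in Java code.
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32
                    + b"http://search.example.invalid/search/sayhi.php\x00")
        # DroidKungFu2 style: the address moved to plaintext in native code.
        z.writestr("lib/armeabi/libnative.so", ELF_MAGIC + b"\x00" * 64
                    + b"http://c2.example.invalid:8511/updt\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for trait, hits in triage_apk(build_sample_apk()).items():
        print(f"{trait}: {hits}")
```

Run against a DroidKungFu3/4-style sample the URL lists would come back empty, which is itself the signal: the addresses are there but encrypted, so the entropy and ELF checks on assets, and dynamic observation of the decrypted traffic, have to carry the analysis. The entropy test also fires on legitimately compressed assets (images, archives), so treat it as a triage prompt rather than a verdict.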

AnserverBot

• One of the most advanced malware families
• It uses evasion techniques not used before by any other Android malware
• It has been discovered in repackaged apps available in Chinese app markets
• It seems to be an evolution of BaseBridge

AnserverBot – Anti Analysis

• It uses the repackaging attack
• However, when installed it checks whether the hosting app has been tampered with
  – It checks the signature and only then unfolds its payload
• It extensively uses code obfuscation to make the code unreadable to humans
• The payload is split into three different apps

AnserverBot – Anti Analysis

• The shadow apps share the same package name
  – Com.sec.android.touchScreen.server
• One shadow app is loaded through the update attack
• The other shadow app is dynamically loaded through the runtime's dynamic class loading mechanism
  – However, it is not installed!
• AnserverBot is able to load any code retrieved

AnserverBot – AV Detection

• This malware is very aggressive
• It tries to detect if AV software is installed on the device
• It contains the encrypted names of security apps
  – such as LBE, 360 MobileSafe
• If one is installed, the malware uses the restartPackage method to stop the AV and then displays an error message

AnserverBot – C&C Comm

• AnserverBot supports two types of C&C servers
• One type is used for sending commands
• The second one is used for retrieving encrypted payloads
• To reach the second one, it uses an encrypted entry posted on public blog providers (e.g. Sina and Baidu)
• This entry contains the (encrypted) address of
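The dead-drop resolution on this slide, the bot reading an encrypted entry from a public blog to learn where the payload server currently is, as an added example that is not AnserverBot's code: the blog page is constructed inline instead of fetched, and the marker strings, the key and the cipher (base64 over a repeating-key XOR) are assumptions chosen so the demo runs offline; the slides do not describe the real encoding. The resolver validates the decrypted text as a URL so that a wrong key, or a corrupted post, yields None rather than garbage.

```python
"""Resolver for a dead-drop C&C address, modelled on the AnserverBot scheme
described above. Added example, not the bot's code: START/END markers, KEY
and the XOR cipher are assumptions, and SAMPLE_PAGE is a constructed blog page.
"""
import base64
import re
from typing import Optional
from urllib.parse import urlsplit

START, END = "<!--cfg:", ":cfg-->"   # assumed markers around the dropped entry
KEY = b"anserver-demo-key"           # assumed key baked into the bot


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; stands in for whatever cipher the real bot used."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_dropped_entry(server_url: str, key: bytes = KEY) -> str:
    """What the operator posts to the blog (used here only to build the sample)."""
    return START + base64.b64encode(xor_bytes(server_url.encode(), key)).decode() + END


def extract_entry(page_html: str) -> Optional[str]:
    """Pull the base64 blob out of an otherwise ordinary blog page."""
    m = re.search(re.escape(START) + r"([A-Za-z0-9+/=]+)" + re.escape(END), page_html)
    return m.group(1) if m else None


def resolve_payload_server(page_html: str, key: bytes = KEY) -> Optional[str]:
    """Recover the payload-server URL, or None if the entry is absent, corrupt,
    or decrypts to something that is not an http(s) URL (wrong key)."""
    blob = extract_entry(page_html)
    if blob is None:
        return None
    try:
        url = xor_bytes(base64.b64decode(blob, validate=True), key).decode("ascii")
        parts = urlsplit(url)
        host = parts.hostname
    except (ValueError, UnicodeDecodeError):
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return url


# Constructed blog page; the payload host is a reserved .invalid name.
SAMPLE_PAGE = (
    "<html><body><h1>Daily notes</h1><p>weather is nice today</p>\n"
    + encode_dropped_entry("http://payload.example.invalid:8080/p.bin")
    + "\n<p>end</p></body></html>"
)


if __name__ == "__main__":
    print(resolve_payload_server(SAMPLE_PAGE))
    print(resolve_payload_server(SAMPLE_PAGE, key=b"wrong-key"))
```

The defensive consequence is on the slide itself: the only address fixed in the sample is a benign blog URL, so blocking it means blocking Sina or Baidu, and the operator can move the payload server by editing the post. For an analyst, the URL validation at the end doubles as a key check: decrypting with a candidate key recovered from the code either produces a well-formed URL or it does not.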

The AVS race

• Given the rapid evolution of malware, anti-virus software (AVS) is lagging behind
• Mainly, AVS uses a signature-based approach
• It relies on the content of its signature DB
  – If an app's signature is not there, the app is treated as not malware!
• How easy is it to change the signature of an app?
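An answer to the question on this slide, as an added example that is not from the slides or from the Imperva report: the signature DB is modelled in its crudest form, a set of SHA-256 digests of whole APK files, and the sample APK, the repackaging steps and the list of suspicious API strings are constructed for the demo. Repackaging (the same attack DroidKungFu and AnserverBot ride on) copies every entry into a new archive, adds a file and re-signs, so the file hash changes while not one byte of the malicious code does; a content feature taken from classes.dex survives the same change. "Signature" here is the AV detection signature; the APK signing certificate is a different thing, although repackaging changes that as well.

```python
"""How easily a whole-file-hash AV signature is defeated by repackaging.

Added example, not from the slides or the Imperva report. The signature DB,
the sample APK, the repackaging steps and SUSPICIOUS_API_STRINGS are all
constructed for the demo.
"""
import hashlib
import io
import zipfile

# Dex descriptor strings used as a coarse behavioural feature (assumed list;
# real detectors use far richer features than substring presence).
SUSPICIOUS_API_STRINGS = (
    b"Ljava/lang/Runtime;->exec",
    b"Ldalvik/system/DexClassLoader;",
    b"Landroid/app/ActivityManager;->restartPackage",
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_match(apk_bytes: bytes, signature_db: set) -> bool:
    """The whole-file-hash check: true only for a byte-identical sample."""
    return sha256(apk_bytes) in signature_db


def feature_signature(apk_bytes: bytes) -> frozenset:
    """A content feature that survives cosmetic repackaging: which suspicious
    API strings appear in classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        dex = z.read("classes.dex")
    return frozenset(s for s in SUSPICIOUS_API_STRINGS if s in dex)


def build_sample_apk() -> bytes:
    """Constructed 'malicious' APK: the zip layout of an APK with a fake dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.game'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(SUSPICIOUS_API_STRINGS) + b"\x00")
        z.writestr("res/raw/level1.txt", b"level data\n")
        z.writestr("META-INF/CERT.RSA", b"original-developer-signature-block")
    return buf.getvalue()


def repackage(apk_bytes: bytes, add_files: dict) -> bytes:
    """Rebuild the archive the way a repackager does: copy every entry except
    the old signature files, add new files, and re-sign (modelled here as a
    different CERT.RSA). The malicious code is copied byte for byte."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if not name.startswith("META-INF/"):
                dst.writestr(name, src.read(name))
        for name, data in add_files.items():
            dst.writestr(name, data)
        dst.writestr("META-INF/CERT.RSA", b"repackager-signature-block")
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_apk()
    db = {sha256(original)}  # the AV vendor has 'seen' exactly this file
    variant = repackage(original, {"assets/ad_config.txt": b"unit=banner\n"})
    print("original hash match :", hash_signature_match(original, db))
    print("variant hash match  :", hash_signature_match(variant, db))
    print("features unchanged  :", feature_signature(variant) == feature_signature(original))
```

The feature check is only the next rung of the ladder, not a fix: the string encryption on the DroidKungFu obfuscation slide exists precisely so that descriptor strings like these are not present in the dex at rest, which pushes detection towards behaviour observed at run time.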

The AVS race

• Interesting report from Imperva
  – http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf
• Previously unknown malware samples were submitted to AVS products
• The goal is to evaluate how effective AVS solutions are

Imperva Study Results

• Less than 5% of the malware samples were detected
  – Most AVS products cannot keep up with the fast-changing landscape of malware families
• AVS required up to 4 weeks to detect a new malware sample
• The best of the breed: the free ones!
  – Although they had a very high false-positive rate
• Consumers spend $4.5 billion on AVS while enterprises spend $2.9 billion
  – 1/3 of the total money spent on security software

Imperva Study Results

• It might be best to spend some resources on other types of software that are not AVS
• For AVS, it is better to use the free ones
• Note: this study is for PC malware
