• No results found

Evading Android Emulator

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Evading Android Emulator"

Copied!
34
0
0

Loading.... (view fulltext now)

Download now ( 34 Page )

Full text

(1)

Thanasis Petsas

[email protected]

(2)

What is a Virtual Machine?

A software based computer that functions like a

physical machine

A VM typically has two components

Host OS: The host server that provides computing

resources

(3)
(4)
(5)

Why to Use a Virtual Machine ?

Application isolation

Consolidation

Better use of the Hardware

Reduced energy consumption

Portability

Quick image cloning, running a new instance

(6)

Android Emulator

(7)

Why to Use an Android Emulator

Develop Android apps without using a device

Test apps across multiple Android versions fast

Automation

Perform dynamic analysis of suspicious apps

Isolation – controlled environment

Fast reversion of the environment to a clean state

(8)

Can a Program Evade Dynamic Analysis?

Evasive malware

Can understand if it is running on a VM or a physical system

Hides its malicious behavior when running on a VM

Pieces of code used to evade dynamic analysis

Red Pill

– able to detect a VM by detecting the hypervisor

Blue Pill – can shift an OS from the physical computer to a

(9)

Evading Dynamic Analysis in Android

Category

Type

Examples

Static

Pre-installed static information

IMEI has a fixed value

Dynamic

Dynamic information does not change Sensors produce always the same

value

(10)

Static Heuristics

Device ID (IdH)

IMEI, IMSI

Current build (buildH)

Fields:

PRODUCT

,

MODEL

,

DEVICE

Routing table (netH)

(11)

Static Heuristics

Device ID (IdH)

IMEI, IMSI

Current build (buildH)

Fields:

PRODUCT

,

MODEL

,

DEVICE

Routing table (netH)

virtual router

(12)

Static Heuristics

Device ID (IdH)

IMEI, IMSI

Current build (buildH)

Fields:

PRODUCT

,

MODEL

,

DEVICE

Routing table (netH)

virtual router

123456789012347

null

(13)

Static Heuristics

Device ID (IdH)

IMEI, IMSI

Current build (buildH)

Fields:

PRODUCT

,

MODEL

,

DEVICE

Routing table (netH)

virtual router

address space: 10.0.2/24

123456789012347

null

(14)

Static Heuristics

Device ID (IdH)

IMEI, IMSI

Current build (buildH)

Fields:

PRODUCT

,

MODEL

,

DEVICE

Routing table (netH)

virtual router

123456789012347

null

IMEI

(15)

Static Heuristics

Device ID (IdH)

IMEI, IMSI

Current build (buildH)

Fields:

PRODUCT

,

MODEL

,

DEVICE

Routing table (netH)

virtual router

address space: 10.0.2/24

123456789012347

null

IMEI

(16)

Static Heuristics

Device ID (IdH)

IMEI, IMSI

Current build (buildH)

Fields:

PRODUCT

,

MODEL

,

DEVICE

Routing table (netH)

virtual router

123456789012347

null

IMEI

/proc/

net/tcp

Ordinary

network

Emulated

network

(17)

Sensors:

A key difference between mobile & conventional

systems

new opportunities for mobile devices identification

Dynamic Heuristics (1/2)

Accelerometer Gyroscope

GPS

Gravity Sensor

Proximity Sensor

(18)

Sensor-based heuristics

Android Activity that monitors

sensors’ output values

We implemented this algorithm

for a variety of sensors

Accelerometer (accelH)

magnetic field (magnFH)

rotation vector (rotVecH),

(19)

Hypervisor Heuristics

Try to identify the virtual machine monitor

Android Emulator is based on QEMU

Heuristics

Based on QEMU’s incomplete emulation of the actual

hardware

(20)

Identify QEMU Scheduling (1/2)

Virtual PC in QEMU

is updated only after the execution of a basic block

(

branch

)

OS scheduling does not occur during a basic block

QEMU Binary Translation (BT) Detection

Monitor scheduling addresses of a thread

o

Real Device: Various scheduling points

(21)
(22)

Identify QEMU Scheduling (2/2)

Emulator:

A specific

scheduling

(23)

Identify QEMU Caching Behavior (1/2)

Memory

Memory

I-Cache

D-Cache

ARM

x86

(24)

Execute instruction

at address A

Identify QEMU Caching Behavior (2/2)

(25)

Execute instruction

at address A

Instr. is written to I-Cache

Instr. is written to Cache

Identify QEMU Caching Behavior (2/2)

(26)

Execute instruction

at address A

Instr. is written to I-Cache

Instr. is written to Cache

Write new instruction

at address A

Identify QEMU Caching Behavior (2/2)

1

(27)

Execute instruction

at address A

Instr. is written to I-Cache

Instr. is written to Cache

Write new instruction

at address A

Instr. is written to D-Cache

Instr. is written to Cache

Identify QEMU Caching Behavior (2/2)

1

(28)

Execute instruction

at address A

Instr. is written to I-Cache

Instr. is written to Cache

Write new instruction

at address A

Instr. is written to D-Cache

Instr. is written to Cache

Execute new instruction

at address A

Identify QEMU Caching Behavior (2/2)

1

2

(29)

Execute instruction

at address A

Instr. is written to I-Cache

Instr. is written to Cache

Write new instruction

at address A

Instr. is written to D-Cache

Instr. is written to Cache

Execute new instruction

at address A

Identify QEMU Caching Behavior (2/2)

1

2

(30)

Execute instruction

at address A

Instr. is written to I-Cache

Instr. is written to Cache

Write new instruction

at address A

Instr. is written to D-Cache

Instr. is written to Cache

Execute new instruction

at address A

Identify QEMU Caching Behavior (2/2)

1

2

(31)
(32)

Countermeasures

Static heuristics

Emulator modifications

Dynamic heuristics

Realistic sensor event simulation

Hypervisor heuristics

(33)

More about Emulation Evasion

Check the papers

Rage Against the Virtual Machine: Hindering

Dynamic Analysis of Android Malware (Eurosec 2014)

Evading Android Runtime Analysis via Sandbox

(34)

Next

How can we enhance an Android malware with

Emulation Evasion capabilities without haven’t

access to the source code?

www.syssec-project.eu

References

Download now ( PDF - 34 Page - 2.29 MB )

Related documents

Rethinking Enlightenment Improvement: British Travellers along the Great Syrian Desert Route

In this chapter, we saw how Parsons was not travelling in the area imagined by the Scottish Enlightenment thinkers as nomadic, barbarian, rude and beyond the civilising stage

Forecasting Cycles in the Transportation Sector

index closely matches the swings in inventory change and hence is a leading indicator of business cycles; the PMI-all index matches every business cycle with an

Understanding limit order book depth: conditioning on trade informativeness

The main objective of this paper is to investigate to which extent limit order books react to changes in expected trade informativeness. Therefore, we are interested in the shape of

Panel Estimations of PPP and Relative Price Models for CEECs: Lessons for Real Exchange Rate Modelling

First, the clear appreciation trend in the real exchange rates against the euro deflated with tradables prices in many CEECs proves that approximation of real exchange rates (in

Impact of working capital on the profitability of South African firms listed on the Johannesburg Stock Exchange

In addition, the seventh (7) explanatory variable to be explored by the study is capital structure (whose proxy in this study is debt to equity ratio) and the eighth (8)

Performa Porting to the JVM

Originally designed for Scheme, Kawa’s IR has been generalized to support basic generic features that are common in many very high level languages.. In addition, Kawa has

Performance Comparison Of Two Data Mining Algorithms On Big Data Platforms

Figure 4.1: Comparison of running time of K-means algorithm on five different inds of platforms (including single core machine) with varying number of clusters k and number of

WHAT VOLUNTEER COORDINATORS NEED TO KNOW VOLUNTEER LIABILITY IN MAINE. Maine Commission for Community Service, State Planning Office Page 1

Nonetheless, it is likely that any group using the services of youth volunteers who would other- wise be subject to regulation if they were being paid would run a serious risk