Introduction Datasets Designing an experiment Malware analysis Next upcoming challenges Conclusion
Android Malware Analysis: from technical difficulties to scientific challenges
Jean-François Lalande
Keynote – SecITC 2018, Bucharest, Romania, November 8th 2018
[1] Approved by Inria’s Operational Legal and Ethical Risk Assessment Committee: We warn the readers that these samples have to be used for research purpose only. We also advise to carefully check the SHA256 hash of the studied malware samples and to manipulate them in a sandboxed environment. In particular, the manipulation of these malware requires following the safety rules of your Institutional Review Boards.
10 / 47
Remote admin Tools
Install malicious apps:
Badnews: obeys a remote server + delays the attack. Triggering: patch the bytecode + build a fake server
DroidKungFu1 (well known): delays the attack. Triggering: modify ’start’ to 1 in sstimestamp.xml and reboot the device
11 / 47
Blocker / Eraser
Wipes the SD card and blocks social apps:
WipeLocker: delayed attack. Triggering: launch the app and reboot the device
12 / 47
Adware
Displays ads after some days:
MobiDash: delayed attack. Triggering: launch the application, reboot the device and modify com.cardgame.durak_preferences.xml
13 / 47
Spyware
Steals contacts, SMS, IMEI, . . .
SaveMe: verifies the Internet access. Triggering: enable Internet access and launch the app
Cajino: obeys a Baidu remote server. Triggering: simulate a server command with an Intent
14 / 47
Ransomware
Encrypts the user’s files and asks for payment:
SimpleLocker: waits for the reboot of the device. Triggering: send a BOOT_COMPLETED intent
More details about SimpleLocker...
15 / 47
// Decompiled encryption loop of SimpleLocker: the AES key is hardcoded in the APK,
// and every targeted file is replaced by an encrypted ".enc" copy before the original is deleted.
final AesCrypt aesCrypt = new AesCrypt("jndlasf074hr");
for (final String s : this.filesToEncrypt) {
    aesCrypt.encrypt(s, String.valueOf(s) + ".enc");
    new File(s).delete();
}
16 / 47
Dataset overview

Type        Name          Protection against dynamic analysis           → Remediation
RAT         Badnews       Obeys a remote server and delays the attack   → Modify the apk; build a fake server
Ransomware  SimpleLocker  Waits for the reboot of the device            → Send a BOOT_COMPLETED intent
RAT         DroidKungFu   Delayed attack                                → Modify the value start to 1 in sstimestamp.xml
Adware      MobiDash      Delayed attack                                → Launch the infected application, reboot the device and modify com.cardgame.durak_preferences.xml
Spyware     SaveMe        Verifies the Internet access                  → Enable Internet access and launch the application
Eraser+LK   WipeLocker    Delayed attack                                → Press the launcher icon and reboot the device
Spyware     Cajino        Obeys a remote server                         → Simulate the remote server by sending an intent
17 / 47
New recent datasets
AndroZoo [Allix et al. 2016]: 3 million apps, with pairs of applications (repackaged?)
The AMD dataset [Wei et al. 2017]: 24,650 samples, with contextual information (classes, actions, . . . )
We need more contextual information! Where is the payload? How to trigger the payload? Which device do I need?
18 / 47
1 Introduction
2 Datasets
3 Designing an experiment
4 Malware analysis
5 Next upcoming challenges
6 Conclusion
19 / 47
Designing an experiment from scratch
[Diagram: Collect samples → Check that they are malware → Find the payload → Static analysis (manual decompilation of the APK) → Execution (monitoring actions) → Results; two steps are marked "help" in the original diagram]
We have no time for these folks! We want an automatic process. . .
20 / 47
Difficulties
1 Is this apk a malware?
2 Where is the payload? Locating the payload ≠ classifying a malware/goodware. What does the payload do?
3 Is the static analysis possible? What is the nature of the code? Is there any countermeasure?
4 How to execute automatically the malware? How to handle the GUI? How to find entry points? How to monitor the execution?
20 / 47
Difficulty 1: Is this apk a malware?
21 / 47
Check that a sample is a malware?
Manually. . . for 10 samples OK, but for more?
Ask VirusTotal!
∼45 antivirus software
Use a threshold to decide (e.g. 20 antiviruses)
Free upload API (few samples / day)
Used by others in papers
Is it a good idea?
22 / 47
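The threshold rule from this slide, written out as an added example (not code from the talk or from any of the cited projects). It checks a sample's SHA256 before anything else, as the footnote on slide 10 advises, then labels a sample "malware" only when at least the threshold number of engines flag it; anything below the threshold stays "undecided" rather than "goodware", since few detections on a fresh sample prove nothing. The reports are constructed: their field names follow the VirusTotal v3 "last_analysis_stats" layout, but the counts are made up for the example. The threshold sweep answers the question of the next slide (how many samples survive as "malware" when the threshold x varies) on that constructed set.

```python
import hashlib
import hmac

# Constructed VirusTotal-style summaries. Field names follow the v3 API's
# "last_analysis_stats" object; the counts are invented for this example.
CONSTRUCTED_REPORTS = {
    "old_well_known.apk": {"malicious": 41, "suspicious": 0, "undetected": 4, "harmless": 0, "timeout": 0},
    "fresh_a.apk":        {"malicious": 2,  "suspicious": 1, "undetected": 42, "harmless": 0, "timeout": 0},
    "fresh_b.apk":        {"malicious": 9,  "suspicious": 0, "undetected": 36, "harmless": 0, "timeout": 0},
    "fresh_c.apk":        {"malicious": 23, "suspicious": 0, "undetected": 22, "harmless": 0, "timeout": 0},
    "fresh_d.apk":        {"malicious": 0,  "suspicious": 0, "undetected": 45, "harmless": 0, "timeout": 0},
}


def verify_sha256(sample_bytes: bytes, expected_hex: str) -> bool:
    """Compare a sample's SHA256 with the published one before handling it (constant-time compare)."""
    digest = hashlib.sha256(sample_bytes).hexdigest()
    return hmac.compare_digest(digest, expected_hex.strip().lower())


def detections(stats: dict) -> int:
    """Engines that flagged the sample: 'malicious' plus 'suspicious' verdicts."""
    return stats.get("malicious", 0) + stats.get("suspicious", 0)


def engines_queried(stats: dict) -> int:
    """Total number of engines that produced any verdict (about 45 on the slide)."""
    return sum(stats.values())


def label(stats: dict, threshold: int = 20) -> str:
    """Threshold rule: 'malware' iff at least `threshold` engines flag the sample.

    Below the threshold we deliberately say 'undecided', not 'goodware': a fresh
    sample with two detections today may have twenty next month.
    """
    return "malware" if detections(stats) >= threshold else "undecided"


def label_dataset(reports: dict, threshold: int = 20) -> dict:
    return {name: label(stats, threshold) for name, stats in reports.items()}


def threshold_sweep(reports: dict, thresholds=range(1, 46)) -> dict:
    """Number of samples labelled 'malware' for each candidate threshold x."""
    return {t: sum(1 for s in reports.values() if detections(s) >= t) for t in thresholds}


if __name__ == "__main__":
    for name, verdict in label_dataset(CONSTRUCTED_REPORTS, 20).items():
        print(f"{name:20s} {detections(CONSTRUCTED_REPORTS[name]):2d}/{engines_queried(CONSTRUCTED_REPORTS[name])} -> {verdict}")
    sweep = threshold_sweep(CONSTRUCTED_REPORTS)
    for t in (1, 5, 10, 20, 30):
        print(f"threshold {t:2d}: {sweep[t]} sample(s) labelled malware")
```

With these constructed reports the count of "malware" drops from four samples at a threshold of one engine to one sample at thirty engines, which is exactly why the choice of x matters and why the next slide asks the question.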
An experiment with 683 fresh samples
Threshold of x antiviruses recognizing a sample?
23 / 47
Check that a sample is a malware?
Not solved: using VirusTotal for fresh new samples
Solved: for old well-known samples, by many learning papers (detection rate ≥ 90%)
e.g. Milosevic et al.: precision of 87% with Random Forests
e.g. Zhu et al.: precision of 88% with Rotation Forests
24 / 47
Difficulty 2: Where is the payload?
25 / 47
Where is the payload?
Seminal paper: “DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android”, Aafer et al. (2013)
⇒ Extract relevant features from API analysis. This enables to:
give more meaning to the payload
classify apps with more accuracy
Results from Aafer et al. (2013): detection accuracy, permission based / API based
[Figure extracted from DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android, Aafer et al.]
26 / 47
Giving meaning to the payload
Graphical representation of malware features. . .
[Bar chart labelled "malware", x-axis 0–100, one bar per feature category: sms, telephony, binary, dynamic, crypto, network]
. . . with the limit that malware can be piggybacked apps! (Li et al. 2017)
27 / 47
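An added example (not code from the talk, nor from DroidAPIMiner) of the API-level feature idea behind the two preceding slides: it pulls the invoked methods out of smali-style disassembly, maps each call to one of the six categories of the bar chart (sms, telephony, binary, dynamic, crypto, network), builds a per-app presence vector, and then computes how many apps in a set use each category, which is the quantity the chart plots. The category-to-prefix table is an assumption made for this example (DroidAPIMiner's real feature list is larger and was mined from data), and the three smali fragments are constructed, not taken from any real sample.

```python
import re

# Assumed mapping from API prefixes to the chart's categories. The prefixes are real
# Android/Java APIs, but which ones count as "features" is this example's choice.
CATEGORY_PREFIXES = {
    "sms":       ("android.telephony.SmsManager", "android.telephony.gsm.SmsManager"),
    "telephony": ("android.telephony.TelephonyManager",),
    "binary":    ("java.lang.Runtime.exec", "java.lang.ProcessBuilder", "java.lang.System.loadLibrary"),
    "dynamic":   ("dalvik.system.DexClassLoader", "dalvik.system.PathClassLoader", "java.lang.reflect.Method.invoke"),
    "crypto":    ("javax.crypto.", "java.security.MessageDigest"),
    "network":   ("java.net.", "org.apache.http.", "android.net."),
}

# Matches one smali invoke instruction and captures the class path and method name.
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s+L([\w/$]+);->([\w$<>]+)\(")

# Constructed smali fragments standing in for three disassembled apps.
CONSTRUCTED_SAMPLES = {
    "sample_a": """
invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
invoke-virtual {v6}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
invoke-direct {v7, v8, v9, v10, v11}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
""",
    "sample_b": """
invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
invoke-virtual {v1, v2}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
invoke-static {v2}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
""",
    "sample_c": """
invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
invoke-virtual {v2, v3, v4}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
invoke-virtual {v4, v5}, Lorg/apache/http/impl/client/DefaultHttpClient;->execute(Lorg/apache/http/client/methods/HttpUriRequest;)Lorg/apache/http/HttpResponse;
""",
}


def parse_api_calls(smali: str) -> list:
    """Return every invoked method as 'package.Class.method' in order of appearance."""
    return [f"{cls.replace('/', '.')}.{method}" for cls, method in INVOKE_RE.findall(smali)]


def categorize(call: str):
    """Map one call to a chart category, or None if it is not a feature we track."""
    for category, prefixes in CATEGORY_PREFIXES.items():
        if call.startswith(prefixes):
            return category
    return None


def feature_vector(smali: str) -> dict:
    """Binary presence vector over the six categories for one app."""
    present = {categorize(call) for call in parse_api_calls(smali)}
    return {category: int(category in present) for category in CATEGORY_PREFIXES}


def dataset_prevalence(samples: dict) -> dict:
    """Percentage of apps using each category: the numbers a chart like the slide's plots."""
    vectors = [feature_vector(smali) for smali in samples.values()]
    return {category: round(100 * sum(v[category] for v in vectors) / len(vectors), 1)
            for category in CATEGORY_PREFIXES}


if __name__ == "__main__":
    for name, smali in CONSTRUCTED_SAMPLES.items():
        print(name, feature_vector(smali))
    print("prevalence (%):", dataset_prevalence(CONSTRUCTED_SAMPLES))
```

The vector is what a classifier in the DroidAPIMiner style consumes; the prevalence table is what gives the payload "meaning" to an analyst. The caveat on the slide applies unchanged: for a piggybacked app, most of these calls belong to the benign carrier, so a high prevalence of, say, network calls says little about where the grafted payload is.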
Difficulties 3 and 4: Is the static analysis possible? How to execute automatically the malware?
28 / 47
Analyzing malware
Main analysis methods are:
static analysis: ⇒ try to recognize known characteristics of malware in the code/resources of the studied applications
dynamic analysis: ⇒ try to execute the malware
29 / 47
Our analysis framework: GroddDroid [2]
[Pipeline diagram] APK → Static Analysis (CFG, payload location, API usage, etc.) → Control Flow Tracer (targeting one payload) → GroddDroid Runner on a real smartphone: Reference Execution, controlled by the Log Collector → New APK → Execution with Branch Forcing (GroddDroid forces the control flow) → Malicious Code Triggering Coverage / Code Coverage
[2] Abraham et al. 2015, Leslous et al. 2017
29 / 47
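An added example (not GroddDroid's or GPFinder's code) of the static half of the pipeline on the slide, reduced to a toy control flow graph: locate the payload nodes by the API they call, search for a path from an application entry point (a BOOT_COMPLETED receiver or an Activity) to the targeted payload, and list the conditional branches on that path that a branch-forcing run would have to set, here the delayed-attack checks that the dataset slides describe (a "start" flag in a preferences file, a time delay). The graph, its node names and the set of payload-indicating APIs are all assumptions constructed for this example. One payload node deliberately has no incoming edge, to show the case where static location finds a payload that no path from an entry point reaches.

```python
from collections import deque

# APIs treated as payload indicators: an assumption for this example, chosen from the
# crypto / sms / binary / dynamic categories of the earlier slides.
SUSPICIOUS_APIS = {
    "javax.crypto.Cipher.doFinal",
    "android.telephony.SmsManager.sendTextMessage",
    "java.lang.Runtime.exec",
    "dalvik.system.DexClassLoader.loadClass",
}

# Constructed CFG of a SimpleLocker/DroidKungFu-like sample (invented names and shape).
# Each node has a kind (entry / cond / call / exit), the API it calls if any, and its
# successors as (edge_label, node) pairs; conditionals are labelled "T" and "F".
CFG = {
    "BootReceiver.onReceive": {"kind": "entry", "api": None, "succ": [(None, "checkStartFlag")]},
    "MainActivity.onCreate":  {"kind": "entry", "api": None, "succ": [(None, "showWindow")]},
    "showWindow":        {"kind": "call", "api": "android.app.Activity.setContentView",
                          "succ": [(None, "exitNormal")]},
    "checkStartFlag":    {"kind": "cond", "api": None,   # start == 1 in a preferences file?
                          "succ": [("T", "checkDelayElapsed"), ("F", "exitNormal")]},
    "checkDelayElapsed": {"kind": "cond", "api": None,   # enough time since install?
                          "succ": [("T", "loadPayload"), ("F", "exitNormal")]},
    "loadPayload":       {"kind": "call", "api": "dalvik.system.DexClassLoader.loadClass",
                          "succ": [(None, "encryptFiles")]},
    "encryptFiles":      {"kind": "call", "api": "javax.crypto.Cipher.doFinal",
                          "succ": [(None, "exitNormal")]},
    "deadExfil":         {"kind": "call", "api": "android.telephony.SmsManager.sendTextMessage",
                          "succ": [(None, "exitNormal")]},   # no incoming edge on purpose
    "exitNormal":        {"kind": "exit", "api": None, "succ": []},
}


def locate_payloads(cfg: dict) -> list:
    """Payload location: nodes whose API is a suspicious one."""
    return sorted(n for n, d in cfg.items() if d["api"] in SUSPICIOUS_APIS)


def entry_points(cfg: dict) -> list:
    """Nodes the system can start the app from (receivers, activities, ...)."""
    return [n for n, d in cfg.items() if d["kind"] == "entry"]


def shortest_path(cfg: dict, sources: list, target: str):
    """Multi-source BFS; returns the node list from some source to `target`, or None."""
    parent = {s: None for s in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for _label, nxt in cfg[node]["succ"]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def branches_to_force(cfg: dict, path: list) -> list:
    """Conditionals on the path and the outcome each must take to stay on it."""
    forced = []
    for cur, nxt in zip(path, path[1:]):
        if cfg[cur]["kind"] == "cond":
            forced.append((cur, next(lbl for lbl, s in cfg[cur]["succ"] if s == nxt)))
    return forced


def triggering_plan(cfg: dict, target: str):
    """Entry point to exercise and branches to force for one targeted payload (None if unreachable)."""
    path = shortest_path(cfg, entry_points(cfg), target)
    if path is None:
        return None
    return {"entry": path[0], "path": path, "force": branches_to_force(cfg, path)}


def payload_coverage(cfg: dict, executed: set) -> float:
    """Share of located payload nodes that an execution actually reached."""
    payloads = locate_payloads(cfg)
    return sum(1 for n in payloads if n in executed) / len(payloads)


if __name__ == "__main__":
    print("payloads:", locate_payloads(CFG))
    for target in ("encryptFiles", "deadExfil"):
        print(target, "->", triggering_plan(CFG, target))
```

For the reachable payload the plan says: start from the boot receiver and force both checks to their true branch, which is the mechanical version of the "modify start to 1 and reboot" remediation in the dataset table. The unreachable node is the kind of case the reference execution can never cover and that static location alone reports.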
Demo
31 / 47
GroddDroid output
From logs:
CFG: static Control Flow Graph
payload location
payload coverage (executed)
screens
and with Blare (www.blare-ids.org):
IFG: Information Flow Graph (at OS level)
spawned processes
corruption attempts of the system
modifications of user files
Internet connections
References
H. J. Zhu, Z. H. You, Z. X. Zhu, W. L. Shi, X. Chen, and L. Cheng, “DroidDet: Effective and robust detection of android malware using static analysis along with rotation forest model,” Neurocomputing, vol. 272, pp. 638–646, 2018.
N. Milosevic, A. Dehghantanha, and K.-K. R. Choo, “Machine learning aided Android malware classification,” Comput. Electr. Eng., vol. 61, pp. 266–274, Jul. 2017.
Y. Aafer, W. Du, and H. Yin, “DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android,” Secur. Priv. Commun. Networks, vol. 127, pp. 86–103, 2013.
L. Li et al., “Understanding Android App Piggybacking: A Systematic Study of Malicious Code Grafting,” IEEE Trans. Inf. Forensics Secur., vol. 12, no. 6, pp. 1269–1284, Jun. 2017.
W. Yang, D. Kong, T. Xie, and C. A. Gunter, “Malware Detection in Adversarial Settings: Exploiting Feature Evolutions and Confusions in Android Apps,” 2017, pp. 288–302.
A. Abraham, R. Andriatsimandefitra, A. Brunelat, J.-F. Lalande, and V. Viet Triem Tong, “GroddDroid: A gorilla for triggering malicious behaviors,” in 2015 10th International Conference on Malicious and Unwanted Software, MALWARE 2015, 2016, pp. 119–127.
M. Leslous, V. Viet Triem Tong, J.-F. Lalande, and T. Genet, “GPFinder: Tracking the Invisible in Android Malware,” in 12th International Conference on Malicious and Unwanted Software, 2017, pp. 39–46.
K. Allix, T. F. Bissyandé, J. Klein, and Y. Le Traon, “AndroZoo: Collecting Millions of Android Apps for the Research Community,” in Mining Software Repositories (MSR), 2016.