Date post: 13-Jun-2018
DAVID WALKIEWICZ, MAIK MORGENSTERN

AVAR 2016

Anti Virus Industry's Future Challenge: PUA

08.05.2017 AV Future Challenge: PUA

ABOUT AV-TEST

The AV-TEST Institute in Magdeburg

PUA STANDS FOR …

Advertisement

Expectations

Reality

SECURITY ISSUES ARISING

PUA and Security

Wikipedia …

Security

• Install root certificate

• Provide an entry door for malware (through exploits)

• Causing issues on the system – leading the user to remove/change the AV software

• Keylogger/KeyGenerator/PasswordReader etc.

• …

Basically, PUA is a potentially dangerous nuisance for the user and for those poor admins fixing their parents' devices every weekend.

EVERYBODY'S GOT TO EAT

Monetization

Non-objectionable means

• Share/Trialware

• SAAS or plain buying

• Advertisement on product webpage (Help, Forum etc.)

• Advertisement in products (App Stores apps)

• Non-aggressive bundling

Questionable means

• Distribution through bundlers

• Information harvesting

• Aggressive advertisement

SOME PRETTY PICTURES – PUA BEHAVIOR

Sources

* http://www.cracksfiles.com/2015/01/universal-keygen-generator-2015-software/

* http://www.nirsoft.net/utils/mailpv.html

* http://deletemalware.blogspot.de/2012/01/pupcnetadwarebundle-uninstall-guide.html

* http://www.focus.de/digital/internet/anleitung-fuer-alle-browser-toolbar-ausversehen-installiert-so-werden-sie-die-leiste-wieder-los_id_4143166.html

DISTRIBUTION COMPARED TO MALWARE

[Chart: Malware vs. PUA. 10 million unique files/month; Windows, Linux, Android and Mac. Y-axis: 0% to 100%. Series: Malware, PUA.]

“IN THE WILD” PUA VS BENIGN APPS, WINDOWS

[Chart: Benign vs. PUA. 14.000 unique installers/month. Y-axis: 0% to 100%. Series: PUA, Benign.]

“IN THE WILD” PUA VS BENIGN APPS, ANDROID

[Chart: Benign vs. PUA including Malware. 20.000 unique APKs/month. Y-axis: 0% to 100%. Series: Benign, Malware, PUA.]

ISSUES WITH MONETIZATION STRATEGIES

PERMISSION REQUESTS ON ANDROID

[Chart: sum of unique permission requests and average permissions requested per app, for Malware, PUA and Benign. 1.000 Malware, 600 PUA and 600 Benign unique samples. Y-axis: 0 to 350. Data labels as extracted: 163 / 265 / 324 and 119,12 / 55,71 / 14,38.]

July 2016

PERMISSION REQUESTS ON ANDROID

[Chart: average permissions requested per app and sum of unique permission requests, for Benign, PUA and Malware. 1.000 Malware, 600 PUA and 600 Benign unique samples. Y-axis: 0 to 450. Data labels as extracted: 7,84 / 24,16 / 17,54 and 396 / 270 / 161.]

July 2016

CLASSIFICATION OF REQUESTED PERMISSIONS

[Chart: permission classification provided by Google and permissions set in Manifest, for Malware, PUA and Benign. Y-axis: 0,00% to 50,00%. Series: Signature (SystemOrSignature), No classification, Dangerous, Normal, Unknown.]

July 2016

CLASSIFICATION OF REQUESTED PERMISSIONS

[Chart: permission classification provided by Google and permissions set in Manifest, for Benign, PUA and Malware. Y-axis: 0,00% to 60,00%. Series: signatureOrSystem, None, Dangerous, Normal, Signature, None Provided, -.]

July 2016

CLASSIFICATION OF REQUESTED PERMISSIONS CONT.

[Chart: requested permissions for Malware, PUA and Benign. Y-axis: 0,00% to 6,00%. Rows below the chart: Type, Classification.]

July 2016

DATA TRANSMITTED, ANDROID AND WINDOWS

Android                                                   Benign    PUA
IMEI (International Mobile Station Equipment Identity)    0,00%     27,56%
Device id (unique device identifier)                      0,00%     2,95%
Root (device rooted or not)                               0,00%     3,64%
Agent (user agent of browser)                             0,16%     3,29%
IP Dest (IP destination)                                  0,32%     2,25%
Mac (unique network adapter address)                      2,23%     10,57%
Device Model                                              9,38%     28,25%
OS Version                                                7,00%     15,42%

Windows                                Benign    PUA       Malware
Relevant transmitted PUA data
Computer name                          0,10%     7,36%     0,14%
Country                                0,66%     8,23%     0,07%
City                                   0,00%     1,25%     0,00%
Relevant transmitted malware data
Browser details                        0,05%     1,25%     13,16%
Region                                 0,00%     1,37%     4,46%

July 2016

DESTINATION OF DATA TRANSMITTED, ANDROID

[Pie chart: Benign Traffic Destination. Legend: China, United States, Germany, Netherlands, Russian Federation, Other Europe, Other. Data labels as extracted: 2%, 48%, 10%, 6%, 2%, 18%, 14%.]

[Pie chart: PUA Traffic Destination. Legend: China, United States, Germany, Netherlands, Russian Federation, Other Europe, Other. Data labels as extracted: 52%, 25%, 7%, 4%, 2%, 4%, 6%.]

July 2016

DESTINATION OF DATA TRANSMITTED, WINDOWS

[Pie chart: Benign Traffic Destination. Legend: United States, Germany, Netherlands, China, France, United Kingdom, Russian Federation, Other Europe. Data labels as extracted: 77%, 5%, 1%, 1%, 2%, 2%, 3%, 4%, 5%.]

[Pie chart: PUA Traffic Destination. Legend: United States, Germany, Netherlands, China, France, United Kingdom, Russian Federation, Other Europe. Data labels as extracted: 68%, 8%, 6%, 4%, 4%, 2%, 1%, 4%, 3%.]

[Pie chart: Malware Traffic Destination. Legend: United States, Germany, Netherlands, China, France, United Kingdom, Russian Federation, Other Europe. Data labels as extracted: 50%, 3%, 6%, 17%, 3%, 2%, 5%, 6%, 8%.]

July 2016

AV AND PUA

Where AVs fit in

• Protection against malware and infections

• Providing additional security features like reputation of files and webpages, secure banking, file vaults, parental control etc.

• Provide a hassle-free usage of the device by not slowing the computer and being mostly invisible

• Protect privacy

• And provide protection against disruptive software

PUA DETECTION

July/August 2016

                                                              Windows   Android
PUA detection choice during Setup                             03/35     1/22
In-App Option change PUA Settings (activated by default)      17/35     05/22
In-App Option change PUA Settings (deactivated by default)    04/35     04/22
PUA detection present but no option to change settings        08/35     10/22
No Option to detect PUA, low detection rate                   03/35     02/22
Malware Average detection rate                                98,18%    99,63%
PUA Average detection rate                                    87,31%    93,98%

PUA VS MALWARE DETECTION RATE, WINDOWS

[Chart: PUA vs. Malware detection rate per product (on-demand). X-axis: products 1 to 35. Y-axis: 0,00% to 100,00%. Series: PUA detection, Malware detection. Labels: PUA = 87.31%, Malware = 98.18%.]

August 2016

PUA VS MALWARE DETECTION RATE, ANDROID

[Chart: PUA vs. Malware detection rate per product. X-axis: products 1 to 22. Y-axis: 0,00% to 100,00%. Series: PUA detection, Malware detection. Labels: PUA = 93.98%, Malware = 99.63%.]

July 2016

CONCLUSION

PUA is a problem as prevalent as Malware, maybe more…

Users are more likely to ‘see’ PUA instead of Malware.

More private data saved on digital/mobile devices.

Data is targeted by everyone: governments, vendors, distributors.

Users expect AV to protect or at least warn them.

Even more focus must be put on protecting data on devices

Thank you for your attention!

@avtestorg (English) & @avtestde (German)

Follow us on facebook.com/avtestorg

Latest test results on https://www.av-test.org
