Android Security
“Things are not always what they seem; the first appearance deceives many;
the intelligence of a few perceives what has been carefully hidden.”
Phaedrus
Francesco Mercaldo, PhD
Post-Doctoral researcher
Network and Software Systems Security (Sicurezza delle Reti e dei Sistemi Software)
Master's Degree in Computer Engineering (Corso di Laurea Magistrale in Ingegneria Informatica)
Università degli Studi del Sannio
A matter of fact
Symantec: "Antivirus is dead; it is no longer enough to protect our computers."
"Currently the best antivirus in the world is called Linux" (Brian Dye, Symantec vice president, 2014)
1988: Dr. Solomon's Anti-Virus Toolkit, AIDSTEST (Sophos), AntiVir
Mailing list VIRUS-L (its members included John McAfee and Eugene Kaspersky)
A matter of fact (La Repubblica, 2014-05-07)
98% of mobile malware targets the Android platform
Android antimalware: it is very easy for malware to evade detection by most antivirus products (Fraunhofer Research Institution, 2013), with only a trivial alteration to the package files of a trusted application.
Android does not allow an application to monitor the file system:
• any application can only access its own disk space;
• resource sharing is allowed only if expressly provided by the developer of the application.
Signature-based detection
Antivirus software heavily relies on signatures to identify malware.
• When a malware sample arrives in the hands of an antivirus firm, it is analysed by malware researchers or by dynamic analysis systems.
• Once it is confirmed to be malware, a proper signature of the file is extracted and added to the signature database of the antivirus software.
• When a particular file has to be scanned, the antivirus engine compares the content of the file with all the malware signatures in the database.
• If the file matches one signature, then the engine knows which malware it is.
Signature-based detection
A very effective technique, but it cannot defend against a malware unless:
• some of its samples have already been obtained,
• a proper signature has been generated,
• the antivirus product has been updated.
Signature-based detection systems rely on the consideration that, generally speaking, the more infective a malware is, the faster it arrives in the hands of security researchers.
…and what about zero-day attacks?
Kinds of attacks
To infect mobile users, malicious apps typically lure users into downloading and installing them.
• Repackaging: downloading popular benign apps, repackaging them with additional malicious payloads, and then uploading the repackaged ones to various Android marketplaces.
• Update attack: the malicious payloads are disguised as the "updated" version of legitimate apps.
• Drive-by download: redirecting users to download malware, e.g., by using aggressive in-app advertisements or a malicious QR code.
• Rogueware: it pretends to be a well-known application (e.g., an antimalware) in order to steal confidential data or receive money.
Android Defender, the first detected mobile rogueware (2013):
• this hybrid fake antivirus/ransomware app demands a $99.99 payment to restore access to your Android device;
• it uses a variety of social engineering tactics;
• it can restrict access to all other applications, making it impossible to make calls, change settings, kill tasks, uninstall apps, or even perform a factory reset. It presents a warning message about infection that stays visible on screen, no matter what the user is doing.
Bank account theft, delivered via smartphone
Do you remember the "Guardia di Finanza" virus?
FakeAV
Fast growing families
Families engaged in sending premium-SMS messages saw the greatest rate of development, as their operators ramped up operations and churned out more variants in the last six months.
Limits of the Existing Antimalware Strategies
Goal: evaluate the effectiveness of current antimalware using:
• a real-world Android malware dataset;
• more than 50 antimalware products, free and commercial;
• a set of code transformations.
The transformations
• Disassembling & reassembling
• Changing package name
• Changing package/class name
• Data encoding
• Call indirections
• Junk code insertion:
  • Type I: nop instructions at the beginning of each method
  • Type II: nop instructions and unconditional jumps
  • Type III: allocation of three additional registers performing garbage operations
The evaluated antimalware
Antimalware evaluation
Antimalware that correctly detected at least 90% of original and transformed samples:
• Original malware set: 47%
• Transformed malware set: 7%
Antimalware evaluation
Applications identified as trusted:
• Original malware set: 5%
• Transformed malware set: 81%
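The signature-based detection mechanism described earlier and the transformation experiment above, as an added illustration in Python (not code from the slides or from the study they summarize): a constructed toy smali-like sample, two of the listed transformations, and two signature schemes. A whole-file hash fails on every transformed variant, while a signature computed over a normalized instruction skeleton still matches. The sample, the package names and all function names are assumptions.

```python
import hashlib
import re
# Constructed toy smali-like method standing in for a disassembled malware sample.
ORIGINAL = """\
.class Lcom/example/evil/Payload;
.method sendPremiumSms()V
    const-string v0, "3456"
    const-string v1, "SUBSCRIBE"
    invoke-static {v0, v1}, Lcom/example/evil/Sms;->send(Ljava/lang/String;Ljava/lang/String;)V
    return-void
.end method
"""

def rename_package(code, old, new):
    """'Changing package name' transformation: rewrite every class reference."""
    return code.replace(old, new)

def insert_junk(code):
    """'Junk code insertion, Type I': a nop at the beginning of each method."""
    return re.sub(r"(\.method [^\n]*\n)", r"\1    nop\n", code)

def exact_signature(code):
    """Weakest signature: hash of the whole file; any byte change defeats it."""
    return hashlib.sha256(code.encode()).hexdigest()

def normalized_signature(code):
    """Sturdier signature: hash the instruction skeleton with nops, directives
    and class names stripped, so renaming and junk insertion leave it unchanged."""
    kept = []
    for line in code.splitlines():
        line = line.strip()
        if not line or line == "nop" or line.startswith("."):
            continue
        kept.append(re.sub(r"L[\w/$]+;", "L?;", line))
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()

def detection_rate(samples, db, sig_fn):
    """Fraction of samples whose signature is found in the signature database."""
    return sum(sig_fn(s) in db for s in samples) / len(samples)

# The database knows only the original sample, as a vendor would after first analysis.
EXACT_DB = {exact_signature(ORIGINAL)}
NORMALIZED_DB = {normalized_signature(ORIGINAL)}
RENAMED = rename_package(ORIGINAL, "com/example/evil", "org/acme/app")
TRANSFORMED = [insert_junk(ORIGINAL), RENAMED, insert_junk(RENAMED)]

if __name__ == "__main__":
    print("exact sig, transformed set :", detection_rate(TRANSFORMED, EXACT_DB, exact_signature))
    print("normalized, transformed set:", detection_rate(TRANSFORMED, NORMALIZED_DB, normalized_signature))
```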
Reverse Engineering
Definition: refers to the process of analyzing a system to identify its components and their interrelationships, and to create representations of the system in another form or at a higher level of abstraction.
Objective: the purpose of reverse engineering is not to make changes or to replicate the system under analysis, but to understand how it was built.
Application analysis workflow
Static Analysis Tool
Other (necessary) tools
Malware
Malware definition
Malware is a piece of code which changes the behaviour of either the operating system kernel or some security-sensitive applications, without the user's consent and in such a way that it is then impossible to detect those changes using the documented features of the operating system or the application.
Malware is any malicious code or piece of software that is designed to perform functions without the consent of the user.
Viber: the case study
Free text, calling, photo messages and location-sharing with Viber users
Very close to WhatsApp, but not obfuscated
ApkTool
It can decode resources to nearly original form and rebuild them after making some modifications.
In most cases…
dex2jar
A tool to convert Android's classes.dex into a .jar file
JD-GUI
A standalone graphical utility that displays the Java source code of ".class" files.
You can browse the reconstructed source code.
It is for Java, not for Android!
Malicious Permissions
Identify a possible malicious application: an app with unnecessary permissions
• A wallpaper that requires "SEND SMS MESSAGES"
• A calculator that requires "DIRECTLY CALL PHONE NUMBERS"
• …
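An added example (not part of the slides) of the permission check just described, in Python: parse a constructed AndroidManifest.xml, infer the app kind from its declared components, and flag high-risk permissions that this kind of app has no reason to request. The EXPECTED and HIGH_RISK sets are assumed baselines, and the manifest is a constructed sample rather than a real app.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest of a hypothetical live-wallpaper app, not a real sample.
MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Nice Wallpaper">
        <service android:name=".WallpaperService">
            <intent-filter>
                <action android:name="android.service.wallpaper.WallpaperService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""
# Assumed baseline of what each kind of app plausibly needs; extend per review policy.
EXPECTED = {"wallpaper": {"android.permission.INTERNET", "android.permission.SET_WALLPAPER"}}
# Permissions that cost money or expose private data: flagged when the category does not need them.
HIGH_RISK = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE",
             "android.permission.READ_CONTACTS", "android.permission.READ_SMS"}

def _name(element):
    return element.get(f"{{{ANDROID_NS}}}name")

def requested_permissions(manifest_xml):
    """All <uses-permission> names declared by the app."""
    root = ET.fromstring(manifest_xml)
    return {_name(e) for e in root.iter("uses-permission")}

def guess_category(manifest_xml):
    """Infer the app kind from its components; only the wallpaper service is recognized here."""
    root = ET.fromstring(manifest_xml)
    for action in root.iter("action"):
        if _name(action) == "android.service.wallpaper.WallpaperService":
            return "wallpaper"
    return "unknown"

def unnecessary_permissions(manifest_xml, category=None):
    """High-risk permissions the app requests but its category does not justify."""
    expected = EXPECTED.get(category or guess_category(manifest_xml), set())
    return sorted(p for p in requested_permissions(manifest_xml)
                  if p in HIGH_RISK and p not in expected)
```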
How to stimulate a payload…
From Dalvik to Java
Convert from Dalvik Executable to Java classes:
    d2j-dex2jar.sh pipe.apk
Decompile the Java classes and download the source code:
    jd-gui pipe-dex2jar.jar
APKInspector
• Control Flow Graph
• Static Instrumentation
• Permission Analysis
• Dalvik code
• Smali code
• Java code
• APK Information
https://github.com/honeynet/apkinspector/
APKInspector
• Run "python StartQT.py" from the program directory.
• Click the "Setting" button to choose the analysis components you want.
• Click the "New" button and choose the application you want to analyze.
• Select the different pages to see CFG, Call Graph, Dalvik code, Permissions, etc.
APKInspector in action
“Dexter” online service
http://dexter.dexlabs.org/
Online malware detection services
https://www.virustotal.com/
http://virusscan.jotti.org/it
Google Bouncer
Virtual environment to check whether an app is malicious
Runs the app in a phone-like environment for around 5 minutes before publishing
Detects most of the malware
Can be bypassed easily
Android Framework for Exploitation
https://github.com/xysec/AFE
http://afe-framework.com/
AFE's features
• Malware Creator: creation of malware and botnet modules; also used to inject malicious code into legitimate applications.
• Listener: Python listener to listen to and show incoming data from the phone/emulator.
• Exploiter: used to exploit various vulnerabilities in applications and the platform in order to obtain root privileges.
AFE's features
• Stealer: to steal information from the phone, including contacts, call logs, text messages, files from the SD card and many more.
• Crypter: to make already detected malware samples undetectable by antimalware products.
Malware Creator
Responsible for creating the malicious applications, with whatever functionality you wish for, from a pre-defined template:
• AndroidManifest.xml
• MainActivity.java
• Services.java
• Strings.xml
• Main.xml
AFE in practice
Injects the malware code as a service, and then activates it with a broadcast receiver.
To start up AFE, type in a built-in shell:
    ./afe.py
But AFE is also a stealer, crypter, exploiter... enjoy!
http://www.chmag.in/article/jun2013/android-framework-exploitation
http://www.rafayhackingarticles.net/2013/01/hack-android-with-android-exploitation.html
References
Elliot J. Chikofsky, James H. Cross, "Reverse Engineering and Design Recovery: A Taxonomy". IEEE Software, Jan 1990, pp. 13-17.
J. Rutkowska, "Introducing Stealth Malware Taxonomy". http://www.net-security.org/dl/articles/malware-taxonomy.pdf
"Alternative markets to the Play Store". http://alternativeto.net/software/android-market/
"Security features provided by Android". http://developer.android.com/guide/topics/security/permissions.html
Y. Zhou, X. Jiang, "Dissecting Android Malware: Characterization and Evolution", Proc. of IEEE Symposium on Security and Privacy 2012, pp. 95-109.
Yousra Aafer, Wenliang Du, Heng Yin, "DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android", Proc. of SecureComm 2013.
H. Le Thanh, "Analysis of Malware Families on Android Mobiles: Detection Characteristics Recognizable by Ordinary Phone Users and How to Fix It", Journal of Information Security 2013, 4, 213-224.
"Using the Android Emulator". http://developer.android.com/tools/devices/emulator.html
"Android malware database". http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares
"Attacking Angry Birds". http://toorcamp.org/content12/38
http://developer.android.com/guide/components/fundamentals.html
Any Questions ?