Page 1: Android Security

“Things are not always what they seem; the first appearance deceives many; the intelligence of a few perceives what has been carefully hidden.”

Phaedrus

Francesco Mercaldo, PhD

Post-Doctoral researcher

Sicurezza delle Reti e dei Sistemi Software

Corso di Laurea Magistrale in Ingegneria Informatica

Università degli Studi del Sannio

([email protected])

Page 2: A matter of fact

Symantec: “Antivirus is dead; it is no longer sufficient to protect our computers.”

“At present the best antivirus in the world is called Linux” (Brian Dye, vice president of Symantec, 2014)

1988: Dr. Solomon’s Anti-Virus Toolkit, AIDSTEST (Sophos), AntiVir

VIRUS-L mailing list (its members included John McAfee and Eugene Kaspersky)

Page 3

Page 4: A matter of fact

LaRepubblica, 2014-05-07

Page 5

98% of mobile malware targets the Android platform

Page 6: Android Antimalware

It is very easy for malware to evade detection by most antivirus products (Fraunhofer Research Institution, 2013): a trivial alteration to the package files of a trusted application is enough.

Android does not allow an application to monitor the file system: any application can only access its own disk space, and resource sharing is allowed only if expressly provided for by the developer of the application.

Page 7: Signature-based detection

Antivirus software has heavily relied upon signatures to identify malware.

When a malware sample arrives in the hands of an antivirus firm, it is analysed by malware researchers or by dynamic analysis systems.

Once it is confirmed to be malware, a signature of the file is extracted and added to the signature database of the antivirus software.

When a particular file has to be scanned, the antivirus engine compares the content of the file with all the malware signatures in the signature database.

If the file matches a signature, the engine knows which malware it is.

Page 8: Signature-based detection

A very effective technique, but it cannot defend against a malware until some of its samples have already been obtained, proper signatures have been generated and the antivirus product has been updated.

Signature-based detection systems rely on the consideration that, generally speaking, the more infective a malware is, the faster it arrives in the hands of security researchers.

…and zero-day attacks?

Page 9

Page 10: Kind of attacks

To infect mobile users, malicious apps typically lure users into downloading and installing them.

Repackaging: downloading popular benign apps, repackaging them with additional malicious payloads, and then uploading the repackaged ones to various Android marketplaces.

Update attack: the malicious payloads are disguised as the “updated” version of legitimate apps.

Drive-by download: users are redirected to download malware, e.g. through aggressive in-app advertisements or malicious QR codes.

Rogueware: it pretends to be a well-known application (e.g. an antimalware) in order to steal confidential data or receive money.

Page 11: Android Defender, the first detected mobile rogueware (2013)

This hybrid fake antivirus/ransomware app demands a $99.99 payment to restore access to your Android device.

It uses a variety of social engineering tactics.

It can restrict access to all other applications, making it impossible to make calls, change settings, kill tasks, uninstall apps, or even perform a factory reset. It presents a warning message about infection that is visible on screen, no matter what the user is doing.

Bank account theft, delivered via smartphone.

Do you remember the “Guardia di Finanza” virus?

Page 12: FakeAV

Page 13: Fast growing families

Families engaged in sending premium-SMS messages saw the greatest rate of development, as their operators ramped up operations and churned out more variants in the last six months.

Page 14: Limits of the Existing Antimalware Strategies

Goal: evaluate the effectiveness of current antimalware, using:

a real-world Android malware dataset

more than 50 antimalware products, free and commercial

a set of code transformations

Page 15: The transformations

Disassembling & reassembling

Changing package name

Page 16: Changing package/class name

Page 17: Data encoding

Page 18: Call indirections

Page 19: Junk code insertion

Type I: nop instructions at the beginning of each method

Type II: nop instructions and unconditional jumps

Type III: allocation of three additional registers performing garbage operations

Page 20: The evaluated antimalware

Page 21: Antimalware evaluation

Antimalware that correctly detected at least 90% of original and transformed samples:

Original malware set: 47%

Transformed malware set: 7%

Page 22: Antimalware evaluation

Applications identified as trusted:

Original malware set: 5%

Transformed malware set: 81%
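The drop from 47% to 7% follows directly from how the signatures of Pages 7-8 are built: a fingerprint of a known file stops matching as soon as the file changes. The Python below is an added example, not code from the slides or from the evaluated products: a constructed smali-like fragment stands in for a known sample, a second constructed fragment has the package/class renaming (Page 16) and Type I/II junk insertion (Page 19) applied to it, and an exact-hash signature is compared with a signature over a normalised instruction stream; the `LAPP;` mask and the junk-line pattern are simplifications chosen for this demonstration.

```python
import hashlib
import re

# Constructed smali-like code of a "known" sample (not real malware):
# a class whose onCreate() sends an SMS.
ORIGINAL = [
    ".class public Lcom/example/game/MainActivity;",
    ".method public onCreate()V",
    "    invoke-virtual {p0}, Lcom/example/game/MainActivity;->getSystemService",
    "    invoke-static {v0, v1}, Landroid/telephony/SmsManager;->sendTextMessage",
    "    return-void",
    ".end method",
]

# The same sample after "changing package/class name" and junk insertion
# of Type I (nops) and Type II (nops plus an unconditional jump).
TRANSFORMED = [
    ".class public Lorg/renamed/pkg/Act1;",
    ".method public onCreate()V",
    "    nop",
    "    nop",
    "    goto :L0",
    "    :L0",
    "    invoke-virtual {p0}, Lorg/renamed/pkg/Act1;->getSystemService",
    "    invoke-static {v0, v1}, Landroid/telephony/SmsManager;->sendTextMessage",
    "    return-void",
    ".end method",
]

def exact_signature(lines):
    """Whole-file hash: the kind of signature stored once a sample is analysed."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

# Junk instructions and labels inserted by the transformations (assumed pattern).
_JUNK = re.compile(r"^(nop|goto\s+:\w+|:\w+)$")
# Class descriptors outside the framework; masked to "LAPP;" (a placeholder
# chosen here) so that app-specific names do not influence the signature.
_APP_CLASS = re.compile(r"L(?!android/|java/|dalvik/)[\w/$]+;")

def normalised_signature(lines):
    """Hash of the instruction stream with directives and junk dropped and
    app-specific class names masked; renaming and nop padding leave it unchanged."""
    kept = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(".") or _JUNK.match(line):
            continue
        kept.append(_APP_CLASS.sub("LAPP;", line))
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()

def evaluate():
    """Does each scheme, trained on ORIGINAL only, still flag TRANSFORMED?"""
    exact_db = {exact_signature(ORIGINAL)}
    normalised_db = {normalised_signature(ORIGINAL)}
    return {
        "exact": exact_signature(TRANSFORMED) in exact_db,
        "normalised": normalised_signature(TRANSFORMED) in normalised_db,
    }
```

Call indirection and data encoding (Pages 17-18) would still alter this normalised view, which is the slides' own conclusion: a syntactic signature, however normalised, has to be regenerated after each new transformation.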

Page 23: Reverse Engineering

Definition: the process of analyzing a system to identify its components and their interrelationships, and to create representations of the system in another form or at a higher level of abstraction.

Objectives: the purpose of reverse engineering is not to make changes or to replicate the system under analysis, but to understand how it was built.

Page 24: Application analysis workflow

Page 25: Application analysis workflow

Page 26: Static Analysis Tool

Page 27: Other (necessary) tools

Page 28: Malware

Malware definition

Malware is a piece of code which changes the behaviour of either the operating system kernel or some security-sensitive applications, without user consent and in such a way that it is then impossible to detect those changes using the documented features of the operating system or the application.

Malware is any malicious code or piece of software that is designed to perform functions without the consent of the user.

Page 29: Viber: the case study

Free text, calling, photo messages and location-sharing with Viber users

Very close to WhatsApp, but not obfuscated

Page 30: ApkTool

It can decode resources to nearly original form and rebuild them after making some modifications

In most cases…

Page 31: dex2jar

A tool to convert Android’s classes.dex into a .jar file

Page 32: JD-GUI

A standalone graphical utility that displays the Java source code of “.class” files.

You can browse the reconstructed source code.

It’s for Java, not for Android!

Page 33: Malicious Permission

Identify a possible malicious application

App with unnecessary permissions:

A wallpaper that requires “SEND SMS MESSAGES”

A calculator that requires “DIRECTLY CALL PHONE NUMBERS”
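The heuristic on this slide can be run automatically against an app's manifest. The Python below is an added example, not code from the slides: it assumes the AndroidManifest.xml has already been decoded to plain XML (for instance with ApkTool, Page 30, since the copy packaged in an APK is in binary form), the sample manifest is constructed, and the app categories with their permission allowlists are an assumption made for this demonstration, not an Android concept.

```python
import xml.etree.ElementTree as ET

# Namespace of the android: attributes in a decoded manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Assumed allowlists: what a benign app of each (hypothetical) category
# plausibly needs. A calculator needs no permission at all.
EXPECTED = {
    "wallpaper": {"android.permission.SET_WALLPAPER", "android.permission.INTERNET"},
    "calculator": set(),
}

# Constructed manifest of a "wallpaper" app that also asks to send SMS
# (the slide's own example of an unnecessary permission) and to read contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Wallpaper"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}

def unexpected_permissions(manifest_xml, category):
    """Permissions requested beyond the category's allowlist, sorted for stable
    reporting. A non-empty result flags the app for a closer static look; it does
    not by itself prove the app is malicious."""
    if category not in EXPECTED:
        raise ValueError(f"unknown category: {category}")
    return sorted(requested_permissions(manifest_xml) - EXPECTED[category])

def triage(manifest_xml, category):
    """Summary an analyst would log: package name plus the suspicious permissions."""
    package = ET.fromstring(manifest_xml).get("package")
    extra = unexpected_permissions(manifest_xml, category)
    return {"package": package, "category": category,
            "unexpected": extra, "suspicious": bool(extra)}
```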

Page 34

Page 35: How to stimulate a payload…

Page 36: From Dalvik to Java

Convert from Dalvik Executable to Java classes:

    d2j-dex2jar.sh pipe.apk

Decompile the Java classes and retrieve the source code:

    jd-gui pipe-dex2jar.jar

Page 37: APKInspector

• Control Flow Graph

• Static Instrumentation

• Permission Analysis

• Dalvik codes

• Smali codes

• Java codes

• APK Information

https://github.com/honeynet/apkinspector/

Page 38: APKInspector

• Run "python StartQT.py" from the program directory.

• Click the "Setting" button to choose the analysis components you want.

• Click the "New" button and choose the application you want to analyse.

• Select the different pages to see the CFG, call graph, Dalvik codes, permissions, etc.

Page 39: APKInspector in action

Page 40: “Dexter” online service

http://dexter.dexlabs.org/

Page 41: Online malware detection services

https://www.virustotal.com/

http://virusscan.jotti.org/it

Page 42: Google Bouncer

A virtual environment that checks whether an app is malicious

Runs the app in a phone-like environment for around 5 minutes before publishing

Detects most malware

Can be bypassed easily

Page 43: Android Framework for Exploitation

https://github.com/xysec/AFE

http://afe-framework.com/

Page 44: AFE’s features

Malware Creator (creation of malware and botnet modules; also used to inject malicious code into legitimate applications)

Listener (Python listener that receives and shows incoming data from the phone/emulator)

Exploiter (used to exploit various vulnerabilities in applications and in the platform in order to obtain root privileges)

Page 45: AFE’s features

Stealer (to steal information from the phone, including contacts, call logs, text messages, files from the SD card and much more)

Crypter (to make already detected malware samples undetectable by antimalware products)

Page 46: Malware Creator

Responsible for creating the malicious applications, with whatever functionality you wish for, from a pre-defined template:

AndroidManifest.xml

MainActivity.java

Services.java

Strings.xml

Main.xml

Page 47: AFE in practice

Inject the malware code as a service, then activate it with a broadcast receiver.

To start up AFE, type in a built-in shell:

    ./afe.py

But AFE is also a stealer, a crypter, an exploiter... enjoy!

http://www.chmag.in/article/jun2013/android-framework-exploitation

http://www.rafayhackingarticles.net/2013/01/hack-android-with-android-exploitation.html

Page 48: References…

Elliot J. Chikofsky, James H. Cross, “Reverse Engineering and Design Recovery: A Taxonomy”, IEEE Software, Jan 1990, pp. 13-17.

J. Rutkowska, “Introducing Stealth Malware Taxonomy”. http://www.net-security.org/dl/articles/malware-taxonomy.pdf

“Alternative markets to the Play Store”. http://alternativeto.net/software/android-market/

“Security features provided by Android”. http://developer.android.com/guide/topics/security/permissions.html

Page 49: … References…

Y. Zhou, X. Jiang, “Dissecting Android Malware: Characterization and Evolution”, Proc. of IEEE Symposium on Security and Privacy 2012, pp. 95-109.

Yousra Aafer, Wenliang Du, Heng Yin, “DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android”, Proc. of SecureComm 2013.

H. Le Thanh, “Analysis of Malware Families on Android Mobiles: Detection Characteristics Recognizable by Ordinary Phone Users and How to Fix It”, Journal of Information Security, 2013, 4, 213-224.

Page 50: …References

“Using the Android Emulator”. http://developer.android.com/tools/devices/emulator.html

“Android malware database”. http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares

“Attacking Angry Birds”. http://toorcamp.org/content12/38

http://developer.android.com/guide/components/fundamentals.html

Page 51: Any Questions?