Lookout security analyst Jing Xie presented her research at the Grace Hopper Celebration of Women in Computing on October 9, 2014. She explains the Android app landscape, how malicious apps make it onto the marketplace, and how intelligent research can sniff out the evil apps.
When Android Apps Go Evil
1. When Android Apps Go Evil
Jing Xie
jing.xie@lookout.com
Lookout Inc.
2014
#GHC14
2. Evil Outline
Android OS & App Development
Malware Landscape
Reverse Engineering
Analysis Insights & Challenges
3. Android OS
Linux based
Open sourced
Java for app dev
Dalvik VM (ART since 4.4)
Security & Privacy
Sandboxing
Permissions
Secure IPC
Cryptography
9. Agile Malware Development
SMSActor distribution
SMS Toll Fraud: sending premium text messages without consent
SMSActor: Russian Toll Fraud
[Timeline chart, April 2012 to April 2014, showing the life span of each variant]
Variant Life Span:
• Activated
• Deactivated
• Decommissioned
10. Incentive and Feasibility
A HUGE NUMBER OF Apps
Not in Google Play Store
http://www.onepf.org/appstores/
http://www.techinasia.com/10-android-app-stores-china-2014-edition/
• Anzhi
• AppChina
• D.cn Games Center
• gFan
• HiAPK
• Aptoide
• Panda App
• Taobao App Market
• Tencent App Gem
• Xiaomi
• Mumayi
• SK T-Store
• Naver NStore
• APPZIL
• olleh Market
• Yandex.Store
• SlideMe.org
• AppBrain
• 1MobileMarket
• Mobile9
• Mobango
• Barzaar
• Amazon appstore
• AppZoom
• AppsLib
11. Incentive and Feasibility
http://www.theguardian.com/technology/2014/aug/22/android-fragmented-developers-opensignal
14. Scents of Android Malware (UN)
Disingenuous advertisement
• Facebook icon && titled Facebook; package name: com.facebook.sms (the genuine Facebook app is com.facebook.katana)
More than advertised
• Irrelevant code package
• Payment SDK with no pay button (UI)
Costs-money APIs in unexpected context
• A system utility app sends SMS or makes phone calls
• Free game that requires a costs-money permission
Unnecessary outbound communications
• A battery-saving app talks to a remote server
• Calculator that downloads stuff
15. Scents of Android Malware (DEUX)
Interesting Log Statements
• IsFuckSendIsLuckReceiverIsLuckReceiver的finally已经开始加锁
• ** WHELCOME TO HELL *********
Interesting File Assets
• /assets/libremotecontrol.so
• PNG is actually a dex file
System Level Operations
• Checks for root as a game app
Peer Information Exchange
• VirusTotal says the app is malicious
17. When Android Apps Go Evil
Jing Xie
jing.xie@lookout.com
Lookout Inc.
#GHC14
Thank You!
Thanks to security team + designer @ lookout
Editor's notes
We are talking about Android malware… but what qualifies an app as malware? There are a lot of misconceptions in the public, because the media just picks whatever terminology is convenient, and there is also a PC legacy that has not caught up with the mobile sphere. So I just want us to be on the same page. At Lookout, we define malware as:
Android applications that
intentionally interrupt the availability of the device, and other applications: ransomware, bitcoin mining, aggressive adware (ad wall)
intentionally cause money loss: sending premium SMS, chargeware
intentionally cause data leaking: forwarding SMS, steal the banking authentication.
intentionally violate the device owners’ privacy: contacts, pictures, location
This is not set in stone. Malicious behavior largely depends on people’s perceptions and values in the society, the perceptions and values change… what we deem as acceptable behavior now might not be acceptable in the future. Also, new app behavior might emerge in the future that is perceived to be not acceptable … so we are open to new behaviors.
We just saw that the distribution differs across the world in terms of quantity. You might wonder: does all the malware, across all origins, share the same nature and belong to the same types? I wondered that too. I don't know, since there is no research done to answer that question. But… according to my observation:
Malicious apps do have different characteristics depending on their origins:
Sophisticated trojans: China… Oldboot (Mouabad)/DroidDream/Geinimi/Gamex/DeathRing/Imogui
SMS toll fraud: Russia (AlphaSMS, SMSActor, depositmobi, badnews, also scareware: scarepakage)
Porn Chargeware: Spain & France (few families are big enough to earn any fame)
Porn/Game chargeware: Vietnam (DonLoss, VChargelet, HotClipSms, SixPointSixSms, Duchm, SMSCapers)
Trojans, Adware, Surveillanceware: US (AndroRAT, MobiStealth, SMSTracker from gizmoquip, KillerMobile)
Surveillanceware: India (surging): WrongPath, SkyProductivityTracker
Lookout had a project code-named "Dragon Lady" to investigate underground malware distribution, and it uncovered the Android malware industry in Russia. Here's the economic model:
Malware HQs handle business logistics, management of SMS shortcodes, platform and promotion programs.
Affiliated marketers are in charge of distribution through channels like Twitter and websites.
With that, you have a business that’s driven by huge economic gain.
Let’s back it up with some data:
This shows the life spans of each variant of the family.
Continuous release of different versions/variants throughout the year, much like the release cycle of legit software.
The foremost variant in the graph was pushed into the wild in May 2012 and was active until August 2012. It then went through a long silent period until it was activated again in July 2013, and it was eventually decommissioned in Nov 2013.
And in many countries, the supply chain is loosely regulated or outright unregulated:
Decentralized control of manufacturing
Fragmented Android versions (slow patching/upgrade)
Loose regulation on app developer practices (e.g. adware)
Cultural perception towards privacy
Piracy leads to less reputable sources (Russia + RuPaidMarket)
Let the virtual me do the job for a little while.
Whether what is advertised by the app is provided by the app; (e.g. the icon, the package name, the class names, the app name).
Whether the app does more than what is advertised, a.k.a. code injection.
Whether the app uses APIs that may cost users money (e.g. sending SMS).
Whether the app communicates with remote servers through HTTP.
Whether the app’s source code has interesting log statements. (e.g. typos, misspellings, incorrect grammar).
Whether the app has interesting files in the assets. (e.g. encrypted data files, dex files, APK files).
Whether other vendors think it is potentially bad.
Whether the app performs system level operations.
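The "scents" listed on slides 14 and 15 and in the checklist above can be turned into a simple static checker. The following is an added example, not code from the talk or from Lookout: it applies those heuristics to constructed app metadata. The dict keys (package, label, category, permissions, assets, strings) are hypothetical; real tooling would extract them from the APK manifest, archive and decompiled code.

```python
# Added example, not from the talk: a minimal static "scent" checker that applies
# the heuristics above to constructed app metadata. The dict keys (package,
# label, category, permissions, assets, strings) are hypothetical; real tooling
# would extract them from the APK manifest, archive and decompiled code.
DEX_MAGIC = b"dex\n"                       # classes.dex starts with "dex\n035\0"
COSTS_MONEY = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
OFFLINE_CATEGORIES = {"utility", "calculator", "battery"}   # need no network
FACEBOOK_PACKAGE = "com.facebook.katana"   # the genuine Facebook app


def _odd_log_string(s: str) -> bool:
    """Crude mirror of the slide's examples: CJK text fused into a Latin
    identifier, or a shouting all-caps banner."""
    has_cjk = any("\u4e00" <= c <= "\u9fff" for c in s)
    has_latin = any(c.isascii() and c.isalpha() for c in s)
    return (has_cjk and has_latin) or (s.isupper() and "*" in s)


def sniff(app: dict) -> list[str]:
    """Return one finding per scent; an empty list means nothing smelled."""
    findings = []
    pkg, label, cat = app["package"], app["label"].lower(), app.get("category")
    perms = set(app.get("permissions", []))
    # Disingenuous advertisement: calls itself Facebook but is not its package.
    if "facebook" in label and pkg != FACEBOOK_PACKAGE:
        findings.append(f"label '{app['label']}' but package {pkg}")
    # Costs-money APIs in an unexpected context (utility app or free game).
    if cat in (OFFLINE_CATEGORIES | {"game"}) and perms & COSTS_MONEY:
        findings.append(f"{cat} app requests {sorted(perms & COSTS_MONEY)}")
    # Unnecessary outbound communication from an app that needs no network.
    if cat in OFFLINE_CATEGORIES and "android.permission.INTERNET" in perms:
        findings.append(f"{cat} app declares INTERNET")
    # Interesting assets: a .png that is really dex, or a native lib under /assets/.
    for name, data in app.get("assets", {}).items():
        if name.endswith(".png") and data.startswith(DEX_MAGIC):
            findings.append(f"assets/{name} is a dex file, not a PNG")
        elif name.endswith(".so"):
            findings.append(f"native library shipped as asset: assets/{name}")
    # Interesting log statements (typos, banners, mixed-script identifiers).
    findings += [f"odd log string: {s!r}" for s in app.get("strings", []) if _odd_log_string(s)]
    return findings


# Constructed sample mirroring the slide: a "Facebook" SMS utility.
SAMPLE_APP = {
    "package": "com.facebook.sms", "label": "Facebook", "category": "utility",
    "permissions": ["android.permission.SEND_SMS", "android.permission.INTERNET"],
    "assets": {"bg.png": b"dex\n035\x00" + b"\x00" * 16, "libremotecontrol.so": b"\x7fELF"},
    "strings": ["** WHELCOME TO HELL *********", "onCreate called"],
}

if __name__ == "__main__":
    for finding in sniff(SAMPLE_APP):
        print("-", finding)
```

Each rule is deliberately a weak signal on its own; as the notes say, context and interpretation are nuanced, so the findings are input to an analyst, not a verdict.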
Ever evolving analysis evasion techniques
Apps can be really complicated
Limited processing power on devices
Sheer volume of malicious and legit apps from all over the world
Context and interpretation is nuanced (adware)
Reversing is a puzzle and puzzles have varying levels (many pieces are involved)
Getting the core purpose of a malware family
So by now, I hope I have convinced you that … malware is real, not a product of public media sensation. Reverse engineering is fun and has a low bar, and there's a lot of help if you are interested. There are a lot of challenges and room to grow. We need talents like you, to protect our users, to protect our world. Hop on the ship, 'cause we are sailing.