When Android Apps Go Evil

  1. When Android Apps Go Evil. Jing Xie, Lookout Inc. #GHC14, 2014
  2. Evil Outline Android OS & App Development Malware Landscape Reverse Engineering Analysis Insights & Challenges
  3. Android OS: Linux based • Open sourced • Java for app dev • Dalvik VM (ART since 4.4). Security & Privacy: Sandboxing • Permissions • Secure IPC • Cryptography
  4. Making of Apps
  5. Android Malware (NOT VIRUS PLZ!)
  6. Threat Landscape
  7. Depending on Origin: USA, France + Spain, Russia, India, Vietnam, China. Trojan • Toll Fraud • Spyware • Chargeware • Surveillanceware • Spam • Ransomware • RootEnabler • Exploit • Riskware
  8. Malware as a Business
  9. Agile Malware Development. SMSActor distribution. SMS Toll Fraud: sending premium text messages without consent. April 2012, April 2014. SMSActor: Russian Toll Fraud. Variant Life Span: Activated • Deactivated • Decommissioned
  10. Incentive and Feasibility. A HUGE NUMBER OF Apps Not in Google Play Store: Anzhi • AppChina • Games Center • gFan • HiAPK • Aptoide • Panda App • Taobao App Market • Tencent App Gem • Xiaomi • Mumayi • SK T-Store • Naver NStore • APPZIL • olleh Market • Yandex.Store • AppBrain • 1MobileMarket • Mobile9 • Mobango • Barzaar • Amazon appstore • AppZoom • AppsLib
  11. Incentive and Feasibility
  12. Reverse Machinery (一). Input: apk/dex. baksmali; apktool: output smali. dex2jar + jd-gui/luyten: output pseudo Java
  13. Reverse Machinery (二). Demo Time (Click to watch video on YouTube)
  14. Scents of Android Malware (UN). Disingenuous advertisement: Facebook icon && titled facebook; package name: com.facebook.sms • com.facebook.katana. More than advertised: Irrelevant code package • Payment SDK with no pay button (UI). Cost money APIs in unexpected context: A system utility app sends SMS or makes phone calls • Free game that requires costs money permission. Unnecessary outbound communications: A battery saving app talks to a remote server • Calculator that downloads stuff
  15. Scents of Android Malware (DEUX). Interesting Log Statements: IsFuckSendIsLuckReceiverIsLuckReceiver的finally已经开始加锁 • ** WHELCOME TO HELL *********. Interesting File Assets: /assets/ • PNG is actually dex file. System Level Operations: Checks the root as a game app. Peer Information Exchange: VirusTotal says the app is malicious
  16. Analysis Challenges. Technical: Evasion Techniques • Complicated Apps • Sheer Volume • Constraints on Devices. Contextual: Nuanced Context • Malware Purpose • Levels of Puzzle Solving
  17. When Android Apps Go Evil. Jing Xie, Lookout Inc. #GHC14. Thank You! Thanks to security team + designer @ lookout

Editor's notes

  1. We are talking about Android malware… but what qualifies an app as malware? There are a lot of misconceptions in the public because the media just picks whatever’s convenient in terms of terminology, and there’s also a PC legacy that has not caught up to the mobile sphere. So I just want us to be on the same page: @Lookout, we define malware as Android applications that intentionally interrupt the availability of the device and other applications (ransomware, bitcoin mining, aggressive adware (ad wall)); intentionally cause money loss (sending premium SMS, chargeware); intentionally cause data leaking (forwarding SMS, stealing banking authentication); or intentionally violate the device owners’ privacy (contacts, pictures, location). This is not set in stone. Malicious behavior largely depends on people’s perceptions and values in society, and those perceptions and values change… what we deem acceptable behavior now might not be acceptable in the future. Also, new app behavior might emerge in the future that is perceived as not acceptable… so we are open to new behaviors.
  2. We just saw that the distribution is different across the world in terms of quantity. You might wonder: does all malware, across all origins, share the same nature? Is it all of the same type? I wondered that too. I don’t know, since there’s no research done to answer that question. But… according to my observation, malicious apps do have different characteristics depending on their origins. Sophisticated trojans: China… Oldboot (Mouabad)/DroidDream/Geinimi/Gamex/DeathRing/Imogui. SMS toll fraud: Russia (AlphaSMS, SMSActor, depositmobi, badnews; also scareware: scarepakage). Porn chargeware: Spain & France (few families are big enough to earn any fame). Porn/game chargeware: Vietnam (DonLoss, VChargelet, HotClipSms, SixPointSixSms, Duchm, SMSCapers). Trojans, adware, surveillanceware: US (AndroRAT, MobiStealth, SMSTracker from gizmoquip, KillerMobile). Surveillanceware: India (surging): WrongPath, SkyProductivityTracker.
  3. Lookout had a project code-named “Dragon Lady” to investigate underground malware distribution, and it uncovered the Android malware industry in Russia. Here’s the economic model: malware HQs handle business logistics, management of SMS shortcodes, platform and promotion programs. Affiliated marketers are in charge of distributing through channels like Twitter and websites. With that, you have a business that’s driven by huge economic gain.
  4. Let’s back it up with some data: This shows the life spans of each variant of the family. Continuous release of different versions/variants throughout the year, much like the release cycle of legit software. The foremost variant in the graph got pushed into the wild in May 2012 and it was active until August 2012. It then went through a long silent period until it got activated again in July 2013 and it got eventually decommissioned in Nov 2013.
  5. And in many countries, the supply chain is loosely regulated or outright unregulated: decentralized control of manufacturing; fragmented Android versions (slow patching/upgrade); loose regulation on app developer practices (e.g. adware); cultural perception towards privacy; piracy leads to less reputable sources (Russia + RuPaidMarket).
  6. Let the virtual me do the job for a little while.
  7. Whether what is advertised by the app is provided by the app (e.g. the icon, the package name, the class names, the app name). Whether the app does more than what is advertised, a.k.a. code injection. Whether the app uses APIs that may cost users money (e.g. sending SMS). Whether the app communicates with remote servers through HTTP.
  8. Whether the app’s source code has interesting log statements (e.g. typos, misspellings, incorrect grammar). Whether the app has interesting files in the assets (e.g. encrypted data files, dex files, APK files). Whether other vendors think it is potentially bad. Whether the app performs system level operations.
  9. Ever-evolving analysis evasion techniques. Apps can be really complicated. Limited processing power on devices. Sheer volume of malicious and legit apps from all over the world. Context and interpretation are nuanced (adware). Reversing is a puzzle, and puzzles have varying levels (many pieces are involved). Getting the core purpose of a malware family. So by now, I hope I have convinced you that… malware is real, not because of public media sensations. Reverse engineering is fun and has a low bar; there’s a lot of help if you are interested. There are a lot of challenges and room to grow. We need talents like you, to protect our users, to protect our world. Hop on the ship, ‘cause we are sailing.
  10. The END.
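
The "interesting files in the assets" signal from the notes above (a PNG that is actually a dex file, embedded dex or APK files) can be checked statically by comparing each asset's leading magic bytes with its extension. The following is an added example, not code from the talk or from Lookout's tooling; the function names are hypothetical and the sample archive is constructed in memory from header bytes only.

```python
import io
import os
import zipfile

# Leading magic bytes of the file types relevant to asset triage.
MAGIC = {"dex": b"dex\n", "png": b"\x89PNG\r\n\x1a\n",
         "zip/apk": b"PK\x03\x04", "elf": b"\x7fELF"}
# Content type each extension is expected to hold.
EXPECTED = {".png": "png", ".dex": "dex", ".apk": "zip/apk",
            ".jar": "zip/apk", ".zip": "zip/apk", ".so": "elf"}
EXECUTABLE = {"dex", "zip/apk", "elf"}  # types that can carry code


def sniff(head):
    """Return the type whose magic matches the leading bytes, else None."""
    return next((n for n, m in MAGIC.items() if head.startswith(m)), None)


def scan_assets(apk_bytes):
    """List assets/ entries holding code, noting whether the name hides it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            with apk.open(info) as fh:
                actual = sniff(fh.read(8))
            if actual not in EXECUTABLE:
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            kind = "embedded" if EXPECTED.get(ext) == actual else "disguised"
            findings.append((info.filename, kind, actual))
    return findings


def build_sample_apk():
    """Constructed sample archive: header bytes only, no real app content."""
    dex = b"dex\n035\x00" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)  # normal location, ignored
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("assets/bg.png", dex)  # dex behind a .png name
        z.writestr("assets/update.apk", b"PK\x03\x04" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(*scan_assets(build_sample_apk()), sep="\n")
```

A "disguised" hit is a strong lead for manual review; an "embedded" hit is common in legitimate apps too and needs the context the notes describe.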