DETECTING LOGIC BOMBS IN ANDROID APPLICATIONS

Presentation transcript:

TRIGGERSCOPE: DETECTING LOGIC BOMBS IN ANDROID APPLICATIONS

Possible Implementation of a Logic Bomb

Logic Bomb:
- Subtly modifies the program output
- Is only triggered under certain narrow circumstances

Logic Bomb
A powerful mechanism that is commonly employed by targeted malware, often as part of APT (Advanced Persistent Threat) and state-sponsored attacks.
E.g. Hacking Team's Android RCS: it was used for targeted attacks on activists and was able to capture screenshots and track the GPS location.

Key Idea: Focus on the triggers, not on the triggered behaviour. Isn't it weird??

Logic bombs are detected using TRIGGER ANALYSIS.
TriggerScope detects logic bombs by precisely analysing and characterizing the checks that guard a given behaviour.

Trigger Analysis
A static program analysis technique used to identify triggers.
- Input: the Android app's Dalvik bytecode
- Output: suspicious triggers and the behaviours they trigger
Four main analysis steps. The analysis combines symbolic execution, path predicate reconstruction and minimization, and inter-procedural control dependency analysis to enable the precise detection of triggers.

SUSPICIOUS???

    .method public f()V
        // Date now = new Date();
        new-instance v0, Ljava/util/Date;
        invoke-direct {v0}, Ljava/util/Date;-><init>()V

        // Date target = new Date(12,22,2016);
        new-instance v1, Ljava/util/Date;
        const/16 v2, 0xc
        const/16 v3, 0x16
        const/16 v4, 0x7e0
        invoke-direct {v1, v2, v3, v4}, Ljava/util/Date;-><init>(III)V

        // if (now.after(target)) {...}
        invoke-virtual {v0, v1}, Ljava/util/Date;->after(Ljava/util/Date;)Z
        move-result v2

        // suspicious check!
        if-eqz v2, :cond_0

        // g();
        invoke-virtual {p0}, LApp;->g()V
        goto :goto_0

        :cond_0
        // h();
        invoke-virtual {p0}, LApp;->h()V

        :goto_0
        return-void
    .end method

ANALYSIS STEPS:

1. Symbolic Execution
Forward symbolic execution over:
- Time, SMS, Location
- Strings, Intents, Bundles
A symbolic value is introduced whenever a relevant object is created. The analysis records the operations performed on relevant objects.

1. Symbolic Execution: example

Expression tree for the check if-eqz v2, :cond_0: the root is Date.after(Date), with the symbolic value #now and the constant 10/10/2017 as operands.

2. Predicate Extraction
Each block is annotated with its block predicate. This step recovers intra-procedural path predicates.

Control Flow Graph

3. Predicate Characterization
This step gauges how suspicious a predicate is. Our current policy flags:
- Ordering comparisons between symbolic time and a constant
- Bound checks on symbolic location
- Matching of constant values against the SMS body or sender

Expression tree for if-eqz v2, :cond_0: Date.after(Date) with the symbolic value #now and the constant 10/10/2017 as operands. An ordering comparison between symbolic time and a constant: SUSPICIOUS!!!

Control Dependencies
Identify control dependencies between suspicious predicates and invocations of sensitive Android API methods. The definition of sensitivity can be specified through a user-defined policy. A list of potentially sensitive operations was compiled by considering all Android APIs protected by a permission and augmenting it with operations that involve the file system. The analysis performs a forward traversal of the sCFG starting from each suspicious predicate. This step is inter-procedural.

4. Post Filter Steps
Filter out cases that match the definition of suspiciousness but are actually clearly benign:
- Null checks
- Checks against the constants '0' or '-1'
- "Is this field already set with a valid timestamp?"
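The following is an added example, not TriggerScope's own code: a toy model of the predicate characterization policy (step 3) and the post filter (step 4) above, applied to predicates written in the expression-tree form the slides use. The symbolic names (#now, #latitude, #longitude, #sms/#body, #sms/#sender) and the class names are assumptions of this example.

```python
# Added example, not TriggerScope's code: a toy model of the slides' predicate
# characterization policy (step 3) and post filter (step 4).
from dataclasses import dataclass
from typing import Any, Union

@dataclass(frozen=True)
class Sym:
    """A symbolic value introduced in step 1, e.g. #now, #latitude, #sms/#body."""
    name: str

@dataclass(frozen=True)
class Cmp:
    """A comparison node of a path predicate (one symbolic side, one constant)."""
    op: str      # "after"/"before"/"<"/">"/... or "contains"/"equals"
    left: Any
    right: Any

@dataclass(frozen=True)
class And:
    """Conjunction of path conditions: the '&&' node in TriggerScope's output."""
    parts: tuple

# Symbolic input families tracked on the slides (these names are assumed here).
TIME = {"#now"}
LOCATION = {"#latitude", "#longitude"}
SMS = {"#sms/#body", "#sms/#sender"}
ORDERING = {"after", "before", "<", ">", "<=", ">="}

def is_suspicious(pred: Union[Cmp, And]) -> bool:
    """Apply the slides' policy, then drop the clearly benign cases."""
    if isinstance(pred, And):
        return any(is_suspicious(p) for p in pred.parts)
    if isinstance(pred.left, Sym):
        sym, const = pred.left, pred.right
    else:
        sym, const = pred.right, pred.left
    if not isinstance(sym, Sym) or isinstance(const, Sym):
        return False                 # both sides symbolic, or neither
    # Post filter: null checks and checks against 0 / -1 ("is this timestamp
    # field already set?") match the policy but are clearly benign.
    if const is None or const in (0, -1):
        return False
    if sym.name in TIME and pred.op in ORDERING:
        return True                  # symbolic time ordered against a constant
    if sym.name in LOCATION and pred.op in ORDERING:
        return True                  # bound check on symbolic location
    if sym.name in SMS and pred.op in ("contains", "equals"):
        return True                  # constant matched against SMS body/sender
    return False
```

The Date.after check from the smali listing, the Yamagata latitude/longitude bounds and the "MPS: gps" SMS check later in the deck are all flagged by this policy, while a null check or a comparison of a timestamp against -1 is filtered out.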

Evaluation
- Is it fast enough to analyse real-world Android apps?
- Does the trigger analysis find interesting triggers with low false positives on real apps?

Dataset
To assess the precision of the TriggerScope tool, manual analysis was performed. A dataset of applications was built including both benign and malicious samples:
- 21747 benign apps: 5803 with time, 1400 with SMS, 4135 with location
- 11 malicious apps from DARPA red teams

Results
Analysis runs with a 1-hour timeout. The analysis terminated before the timeout for:
- 85.30% of apps with time operations (4950 out of 5803)
- 82.95% of apps with location operations (3430 out of 4135)
- 81.29% of apps with SMS operations (1138 out of 1400)
90% of the applications tested were completely analysed for triggers in under 750 seconds. Moreover, on average, each application requires 219.21 seconds.

Results
10 + 8 + 17 = 35 apps flagged as suspicious (0.38% false positive rate).

Accuracy Evaluation: HOW PRECISE AND ACCURATE IS OUR ANALYSIS?

Accuracy Evaluation
First, the false positive ratio was computed, which gave the number of false alarms over the number of benign samples considered. To assess whether TriggerScope is affected by false negatives, two sets of applications were manually inspected:
- First, all the applications that were filtered out during the post filter steps were manually inspected.
- Second, a manual inspection of a random set of 20 applications was done, but no suspicious checks were identified.

Comparison with existing approaches
Kirin and DroidAPIMiner are some of the most representative works in the area of Android malware analysis. Kirin relies on permission analysis:
- A logic bomb can be implemented without requesting highly privileged permissions.
- It gave a lot of false positive results.

Triggers in Benign Apps
Time-related triggers:
- Checks for licence expiration
- Scheduled events

Triggers in Benign Apps
A location-bound check that draws a welcome message near Yamagata Station:

    if ((37.733 < latitude && latitude < 39.208) && (139.52 < longitude && longitude < 140.64))
        drawText("山形駅へようこそ", ...);   // "Welcome to Yamagata Station"

MyRemotePhone
App that lets the user locate his/her phone through SMS.
Output of analysis: (&& (!= (#sms/#body contains "MPS: gps") 0))
When the condition is satisfied (i.e. the SMS body contains "MPS: gps"), the app sends back the device's GPS coordinates!! NO AUTHENTICATION.

Remote Lock
App that lets the user lock the phone with a user-selected password.
Output of analysis: (!= (#sms/#body equals "adgbcgjsgjkkayrrwuiolkaghjkd") 0)
Whenever an SMS with this string is received, the phone unlocks.

Trigger in a Malicious App: Real-World Malware
HACKING TEAM'S AndroidRCS: leaks the victim's private conversations, GPS location and device tracking information; captures screenshots, collects information about online accounts, and captures real-time voice calls.

Trigger in a Malicious App: Real-World Malware
Another example is Holy Colbert, taken from the Android Malware Genome Project. TriggerScope was automatically able to discover a time bomb: the app first retrieves the current date, converts it into a string using SimpleDateFormat, and then compares it with the hard-coded string "05212011".

Limitations
TriggerScope handles a limited number of trigger inputs; only a subset of the potential trigger sources is covered. Also, the possibility of false negatives cannot always be excluded.

Conclusion
- Trigger Analysis was developed, and this technique was used to identify logic bombs in Android apps.
- Key Idea: focus on the triggers, not on the triggered behaviour.
- TriggerScope is automatically able to handle several time-, location- and SMS-related triggers.
- It achieves a very low false positive rate and a 100% detection rate on the malware set.

Reference: TriggerScope: Towards Detecting Logic Bombs in Android Applications, by Yanick Fratantonio and Antonio Bianchi (UC Santa Barbara), IEEE Security & Privacy, 2016.

THANK YOU!