Vaibhav Rastogi, Yan Chen, and Xuxian Jiang

Slides:



Advertisements
Similar presentations
Win the Cyberwar on Mobile Banking and Payments
Advertisements

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional.
Dissecting Android Malware : Characterization and Evolution
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Northwestern University, IL, US,
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
PAGE 1 | Gradient colors RGBRGB Diagrams RGBRGB RGBRGB 166.
Towards a Trustworthy Android Ecosystem 1 Yan Chen Lab of Internet and Security Technology Northwestern University.
Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.
Android Malware Characterisaion. Android Under Attack Android Malware is on the rise In 2012 malware presence has increased by 580% compared to the same.
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
David Flournoy Bit9 Mid-Atlantic Regional Manager
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
Towards a Trustworthy Android Ecosystem 1 Yan Chen Lab of Internet and Security Technology Northwestern University.
Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
Rage Against The Virtual Machine: Hindering Dynamic Analysis of Android Malware Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Sotiris Ioannidis,
Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.
Access · convergence · management security · performance Margins in Mobility – Ian Kilpatrick, Wick Hill.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Introduction to Mobile Malware
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
DroidKungFu and AnserverBot
Mobile Operating System Security A PRESENTATION BY DANIEL ADAMS CSC 345 DR. BOX.
Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, Xuxian Jiang Department of Computer Science North Carolina State University CCS 2013.
PrivacyShield: Real-time Monitoring and Detection of Android Privacy Leakage Review and Discussion Yan Chen Lab of Internet and Security Technology Northwestern.
Harvesting Developer Credentials in Android Apps
RiskRanker: Scalable and Accurate Zero‐day Android Malware Detection.
Toward a Trustworthy Android Ecosystem 1 Yan Chen ( 陈焰) Lab of Internet and Security Technology (LIST) Northwestern University, USA Zhejiang University,
Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.
Click to edit Master title style Click to edit Master text styles –Second level Third level –Fourth level »Fifth level June 10 th, 2009Event details (title,
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
AppShield: A Virtual File System in Enterprise Mobility Management Zhengyang Qu 1 Northwestern University, IL, US,
ANTIVIRUS SOFTWARE.  Antivirus software is the most widespread mechanism for defending individual hosts against threats associated with malicious software,
Click to edit Master title style Click to edit Master text styles –Second level Third level –Fourth level »Fifth level June 10 th, 2009Event details (title,
The Changing World of Endpoint Protection
HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.
1 Company Proprietary and ConfidentialThe document name can go here Android OS Security Omar Alaql July 8, 2013 Kent State University Android OS Security.
Android Security Auditing Slides and projects at samsclass.info.
November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:
Antivirus software.
ON THE SECURITY OF ANDROID COMMUNICATION APPS September 2015 By Shasi Pokharel Bachelor Of Information Technology (Honours) Supervisors: Dr. Raymond Choo,
 Android OS: Java  iOS: Objective C NSArray * foo = [[NSArray alloc]
Slides and projects at samsclass.info. Adding Trojans to Apps Slides and projects at samsclass.info.
Title of Presentation DD/MM/YYYY © 2015 Skycure Why Are Hackers Winning the Mobile Malware Battle.
nd Joint Workshop between Security Research Labs in JAPAN and KOREA Polymorphic Worm Detection by Instruction Distribution Kihun Lee HPC Lab., Postech.
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Global Mobile Anti-malware Market WEBSITE Single User License: US$ 2500 No of Pages: 55 Corporate User License: US$
Kaspersky Small Office Security INTRODUCING New for 2014!
©2015 Check Point Software Technologies Ltd. 1 [Restricted] ONLY for designated groups and individuals CHECK POINT MOBILE THREAT PREVENTION.
Android’s Malware Attack, Stealthiness and Defense: An Improvement Mohammad Ali, Humayun Ali and Zahid Anwar 2011 Frontiers of Information Technology.
Global (North America, Europe and Asia-Pacific, South America, Middle East and Africa) Antivirus Software Market 2017 Forecast to 2022.
Sophos Intercept X Matt Cooke – Senior Product Marketing Manager.
Shellcode COSC 480 Presentation Alison Buben.
More Security and Programming Language Work on SmartPhones
2017 Products with Multi-Device Licensing
Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques Presented by Vikraman Mohan.
TaintART: A Practical Multi-level Information-Flow Tracking System for Android RunTime Sadiq Basha.
AppShield: Enabling Multi-entity Access Control Cross Platforms for Mobile App Management Zhengyang Qu1, Guanyu Guo2, Zhengyue Shao2, Vaibhav Rastogi3,
Computer Virus and Antivirus
Techniques, Tools, and Research Issues
TriggerScope Towards Detecting Logic Bombs in Android Applications
Part 1: Basic Analysis Chapter 1: Basic Static Techniques
 Security is a must today. If your device is not secure with updated antivirus then it is surely vulnerable to the attacks of dangerous viruses, spyware.
SPRING DRAGON APT - A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES
Mobile App Advertisements
Unconstrained Endpoint Profiling (Googling the Internet)‏
Emerging Mobile Threats and Our Defense
Presentation transcript:

Vaibhav Rastogi, Yan Chen, and Xuxian Jiang DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks Vaibhav Rastogi, Yan Chen, and Xuxian Jiang Lab for Internet and Security Technology, Northwestern University †North Carolina State University

Android Dominance Smartphone sales already exceed PC sales Android world-wide market share ~ 70% Android market share in US ~50% (Credit: Kantar Worldpanel ComTech)

Introduction Source: http://play.google.com/ | retrieved: 4/29/2013 Android malware – a real concern Many Anti-malware offerings for Android Many are very popular Source: http://play.google.com/ | retrieved: 4/29/2013

Objective What is the resistance of Android anti-malware against malware obfuscations? Smartphone malware is evolving Encrypted exploits, encrypted C&C information, obfuscated class names, … Polymorphic attacks already seen in the wild Technique: transform known malware

Transformations: Three Types Trivial No code-level changes or changes to AndroidManifest Detectable by Static Analysis - DSA Do not thwart detection by static analysis completely Not detectable by Static Analysis – NSA Capable of thwarting all static analysis based detection

Trivial Transformations Repacking Unzip, rezip, re-sign Changes signing key, checksum of whole app package Reassembling Disassemble bytecode, AndroidManifest, and resources and reassemble again Changes individual files

DSA Transformations Changing package name Identifier renaming Data encryption Encrypting payloads and native exploits Call indirections …

Evaluation 10 Anti-malware products evaluated 6 Malware samples used AVG, Symantec, Lookout, ESET, Dr. Web, Kaspersky, Trend Micro, ESTSoft (ALYac), Zoner, Webroot Mostly million-figure installs; > 10M for three All fully functional 6 Malware samples used DroidDream, Geinimi, FakePlayer, BgServ, BaseBridge, Plankton Last done in February 2013.

DroidDream Example AVG Symantec Lookout ESET Dr. Web Repack x Reassemble Rename package Encrypt Exploit (EE) Rename identifiers (RI) Encrypt Data (ED) Call Indirection (CI) RI+EE EE+ED EE+Rename Files EE+CI

DroidDream Example Kasp. Trend M. ESTSoft Zoner Webroot Repack Reassemble x Rename package Encrypt Exploit (EE) Rename identifiers (RI) Encrypt Data (ED) Call Indirection (CI) RI+EE EE+ED EE+Rename Files EE+CI

Findings All the studied tools found vulnerable to common transformations At least 43% signatures are not based on code-level artifacts 90% signatures do not require static analysis of Bytecode. Only one tool (Dr. Web) found to be using static analysis

Signature Evolution Study over one year (Feb 2012 – Feb 2013) Key finding: Anti-malware tools have evolved towards content-based signatures Last year 45% of signatures were evaded by trivial transformations compared to 16% this year Content-based signatures are still not sufficient

Takeaways Anti-malware vendors Google and device manufacturers Need to have semantics-based detection Google and device manufacturers Need to provide better platform support for anti-malware

Impact The focus of a Dark Reading article on April 29 Contacted by Lookout Director of Security Engineering regarding transformation samples and tools on May 2nd Contacted by McAfee Lab and TechNewsDaily this week …

Conclusion Developed a systematic framework for transforming malware Evaluated latest popular Android anti-malware products All products vulnerable to malware transformations

Thank You! http://list.cs.northwestern.edu/mobile

Backup

Solutions Content-based Signatures are not sufficient Analyze semantics of malware Need platform support for that Dynamic behavioral monitoring can help

Example: String Encryption

Example: String Encryption

NSA Transformations Reflection Bytecode encryption Obfuscate method calls Subsequent encryption of method names can defeat all kinds of static analysis Bytecode encryption Encrypt the malicious bytecode load at runtime using user-defined class loader

Product Details

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.