Agenda
1. Goal & Objectives
2. Services in the Cloud
3. Tracker Web Portal
4. Next Step / To Do
Goal & Objectives
- Crawl and build an Android app repository
- Profile Android apps
- Create databases for apps and their associated data
- Automatic classification of Android apps
Analytic Workflow
Cloud Services
1. APK Crawler & Parser
2. Dynamic Profile (on-line emulator)
3. Static Profile (Security Classifier)
Market Auto-Crawling
Markets crawled: Google Play (English), SlideME (English), Gfan (Chinese), GoAPK (Chinese), Mumayi (Chinese)
Diagram labels: Apps Crawler; real-life .apk files; Web Request Stats (GeoIP); ThreatSeeker
APK Parser
3rd-party parsing tools:
- Apktool: decodes resources such as AndroidManifest.xml and disassembles classes.dex from APK files
- dex2jar: reads the embedded .dex file from an APK file and generates a .jar file
In-house scripts: parsing automation and database insert
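The in-house parsing step is not shown on the slide, so here is an added example (not the project's code) of the kind of pre-insert check such a script performs before handing an APK to Apktool or dex2jar: open the APK as a zip, confirm it carries AndroidManifest.xml, and parse the dex header, verifying the adler32 checksum, SHA-1 signature and file size that every valid classes.dex must carry. The sample APK and classes.dex are constructed in memory (a header-only dex 035 with no classes), so the script runs offline; entry names and the `profile_apk` result layout are this example's own choices.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70          # fixed header size for dex 035
DEX_ENDIAN_CONSTANT = 0x12345678
DEX_HEADER_FIELDS = [
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
]


def parse_dex_header(dex: bytes) -> dict:
    """Parse the 0x70-byte dex header and verify checksum, signature, size and endian tag.

    checksum  = adler32 over everything after the checksum field (offset 12 to end)
    signature = SHA-1 over everything after the signature field (offset 32 to end)
    """
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    hdr = dict(zip(DEX_HEADER_FIELDS, struct.unpack_from("<20I", dex, 32)))
    hdr["version"] = dex[4:7].decode("ascii")
    (stored_checksum,) = struct.unpack_from("<I", dex, 8)
    hdr["checksum_ok"] = (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == stored_checksum
    hdr["signature_ok"] = hashlib.sha1(dex[32:]).digest() == dex[12:32]
    hdr["size_ok"] = hdr["file_size"] == len(dex)
    hdr["endian_ok"] = hdr["endian_tag"] == DEX_ENDIAN_CONSTANT
    return hdr


def profile_apk(apk_bytes: bytes) -> dict:
    """Open an APK (a zip) and collect the facts a database insert would record."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        info = {
            "entries": names,
            "has_manifest": "AndroidManifest.xml" in names,
            "dex_files": sorted(n for n in names if n.startswith("classes") and n.endswith(".dex")),
        }
        if info["dex_files"]:
            info["dex_header"] = parse_dex_header(z.read(info["dex_files"][0]))
    return info


def build_sample_dex() -> bytes:
    """Constructed sample: a header-only dex 035 file with a valid checksum and signature."""
    body = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT,
                       *([0] * 17))
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + body


def build_sample_apk() -> bytes:
    """Constructed sample APK: a manifest placeholder plus the sample classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary-XML placeholder, not a real manifest
        z.writestr("classes.dex", build_sample_dex())
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = profile_apk(build_sample_apk())
    print(report["entries"])
    print({k: report["dex_header"][k] for k in ("version", "checksum_ok", "signature_ok", "size_ok")})
```

A dex whose checksum or signature does not verify is worth flagging before it reaches the dex2jar stage: the file was either truncated by the crawler or modified after build, and both cases should be recorded rather than silently parsed.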
APK Profile
- Security Classifier
- Dynamic Profile: auto APK runner, interactive emulator
Security Classifier
Objective: create a classifier for malicious Android app detection
- A static analysis approach
- A machine learning approach
Data training:
- MySQL queries retrieve the raw data from the AppTracker database
- Analytic features are converted to binary vectors
R code components:
- Preprocessing: convert variables into factor variables or numeric variables as appropriate
- Load the R randomForest library
Prediction:
- Import the R environment
- Load the R model, read in the input (test case) and write out the output (classification response)
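The conversion of analytic features into binary vectors is the step that most often breaks between training and prediction (a column order that differs from the one the model was trained on silently mis-scores every app). The following is an added example, not the project's code, of that conversion for permission features: the vocabulary is frozen at training time, prediction-time features outside it are dropped, and the class-conditional presence rate per feature is computed as a first sanity check on the training data. The app records are constructed, and the "app_id, label, permissions" shape stands in for whatever the AppTracker MySQL query returns; that schema is an assumption.

```python
from collections import Counter

# Constructed sample rows, grouped per app, in the shape an
# "app_id, label, permissions" query result would take (assumed schema).
# Permission names are shown without the "android.permission." prefix.
TRAINING = [
    ("app01", "malware", ["SEND_SMS", "READ_PHONE_STATE", "INTERNET"]),
    ("app02", "malware", ["SEND_SMS", "RECEIVE_SMS", "INTERNET"]),
    ("app03", "malware", ["READ_PHONE_STATE", "INTERNET", "RECEIVE_BOOT_COMPLETED"]),
    ("app04", "benign", ["INTERNET"]),
    ("app05", "benign", ["INTERNET", "ACCESS_NETWORK_STATE"]),
    ("app06", "benign", ["READ_PHONE_STATE", "INTERNET"]),
]


def build_vocabulary(records):
    """Sorted, de-duplicated feature list: the column order frozen at training time."""
    return sorted({f for _, _, feats in records for f in feats})


def to_binary_vector(features, vocabulary):
    """0/1 vector in vocabulary order; features unseen at training time are dropped."""
    present = set(features)
    return [1 if f in present else 0 for f in vocabulary]


def class_presence(records, vocabulary):
    """Fraction of malware vs benign apps that request each feature."""
    per_class = {"malware": Counter(), "benign": Counter()}
    totals = Counter(label for _, label, _ in records)
    for _, label, feats in records:
        per_class[label].update(set(feats))
    return {
        f: (per_class["malware"][f] / totals["malware"], per_class["benign"][f] / totals["benign"])
        for f in vocabulary
    }


def to_csv(records, vocabulary):
    """CSV for R's read.csv(): 'label' becomes the factor column, the rest are numeric 0/1."""
    rows = ["app_id,label," + ",".join(vocabulary)]
    for app_id, label, feats in records:
        rows.append(",".join([app_id, label] + [str(v) for v in to_binary_vector(feats, vocabulary)]))
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    vocab = build_vocabulary(TRAINING)
    print(to_csv(TRAINING, vocab))
    for feat, (mal, ben) in class_presence(TRAINING, vocab).items():
        print(f"{feat:24s} malware={mal:.2f} benign={ben:.2f}")
```

The vocabulary list must be persisted next to the trained model and reused verbatim by the prediction script; rebuilding it from the test case alone is the mistake that produces vectors of the wrong width or order.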
R Module
- Environment for statistical data analysis, inference and visualization
- Ports for Unix, Windows and Mac OS X
- Highly extensible through user-defined functions
- Generic functions and conventions for standard operations such as plot, predict, etc.
- More than 1200 add-on packages contributed by developers from all over the world, e.g. multivariate statistics, machine learning, natural language processing, bioinformatics (Bioconductor), SNA
- Interfaces to C, C++, Fortran, Java
Analytic Results: confidence
Dynamic Profile: How It Works
Steps:
1. Load the emulator
2. Install and run the APK file
3. Collect the system output profile
4. Show it on the web portal
Run APK
emulator -avd avdname -no-snapshot-save
adb install apkfile
aapt dump badging apkfile   (reports the package name and launchable activity used in the next command)
adb shell am start -n packagename/mainActivity
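The four commands above need the package name and main activity from the `aapt dump badging` output before `am start` can be issued. As an added example (not the project's auto APK runner), the script below parses a constructed sample of that output, builds the command sequence of the slide as argv lists, and optionally executes it; `adb wait-for-device` and the `sys.boot_completed` poll are additions a practitioner needs between loading the emulator and installing, and the AVD name, APK path and polling timeout are this example's assumptions.

```python
import re
import subprocess
import time

# Constructed sample of `aapt dump badging` output, trimmed to the lines used here.
SAMPLE_BADGING = """\
package: name='com.example.sample' versionCode='3' versionName='1.2'
sdkVersion:'8'
uses-permission:'android.permission.SEND_SMS'
uses-permission:'android.permission.READ_PHONE_STATE'
launchable-activity: name='com.example.sample.MainActivity'  label='Sample' icon=''
"""


def parse_badging(text: str) -> dict:
    """Pull package name, versionCode, permissions and main activity out of aapt output.

    Handles both the old "uses-permission:'X'" and the newer "uses-permission: name='X'" forms.
    """
    info = {"permissions": []}
    for line in text.splitlines():
        m = re.match(r"package: name='([^']+)' versionCode='(\d+)'", line)
        if m:
            info["package"], info["version_code"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"launchable-activity: name='([^']+)'", line)
        if m:
            info["main_activity"] = m.group(1)
            continue
        m = re.match(r"uses-permission:(?: name=)?'([^']+)'", line)
        if m:
            info["permissions"].append(m.group(1))
    return info


def plan_run(apk_path: str, avd: str, badging: dict) -> list:
    """The slide's steps as argv lists; the first command (the emulator) runs in the background."""
    component = f"{badging['package']}/{badging['main_activity']}"
    return [
        ["emulator", "-avd", avd, "-no-snapshot-save"],      # 1. load emulator
        ["adb", "wait-for-device"],
        ["adb", "install", "-r", apk_path],                   # 2. install ...
        ["adb", "shell", "am", "start", "-n", component],     # ... and run
    ]


def wait_for_boot(timeout_s: int = 180) -> bool:
    """Poll sys.boot_completed; adb wait-for-device alone returns before the UI is usable."""
    deadline = time.time() + timeout_s
    while time.time() < deadline:
        out = subprocess.run(["adb", "shell", "getprop", "sys.boot_completed"],
                             capture_output=True, text=True).stdout.strip()
        if out == "1":
            return True
        time.sleep(2)
    return False


def execute(plan: list) -> None:
    """Run the plan: emulator detached, then the adb steps in order (needs an SDK on PATH)."""
    subprocess.Popen(plan[0])
    subprocess.run(plan[1], check=True)
    if not wait_for_boot():
        raise RuntimeError("emulator did not finish booting")
    for cmd in plan[2:]:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Real use: badging = parse_badging(subprocess.run(["aapt", "dump", "badging", apk],
    #                                                  capture_output=True, text=True).stdout)
    badging = parse_badging(SAMPLE_BADGING)
    for cmd in plan_run("/tmp/sample.apk", "profile-avd", badging):
        print(" ".join(cmd))
```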
Auto Input
adb shell input keyevent "value"
Keycodes: 7 = KEYCODE_0 ... 16 = KEYCODE_9; 29 = KEYCODE_A ... 54 = KEYCODE_Z
adb shell sendevent [device] [type] [code] [value]
example:
adb shell sendevent /dev/input/event
adb shell sendevent /dev/input/event   // touch screen (x=40, y=210)
Monkey
"The Monkey is a command-line tool that you can run on any emulator instance or on a device. It sends a pseudo-random stream of user events into the system, which acts as a stress test on the application software you are developing."
adb shell monkey -p package.name -v 500
Network Monitoring
adb shell tcpdump -v 'tcp port 80 and (((ip[2:2]-((ip[0]&0xf)<<2))-((tcp[12]&0xf0)>>2))!=0)'
The filter keeps only TCP port 80 packets that carry payload: IP total length minus the IP header length minus the TCP header length must be non-zero, which drops the SYN/ACK handshake and bare ACKs.
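To make the filter's arithmetic concrete, here is an added example (not part of the page) that builds constructed IPv4/TCP packets and applies the same three-term computation in Python: `ip[2:2]` is the IP total length, `(ip[0]&0xf)<<2` the IP header length in bytes, and `(tcp[12]&0xf0)>>2` the TCP data offset in bytes. A SYN to port 80 is rejected and a GET carrying data is accepted, which is exactly the set of packets the emulator capture above retains. Addresses and ports are made up; checksums are left zero since the filter never inspects them.

```python
import struct


def build_tcp_packet(sport, dport, flags, payload=b"", src="10.0.2.15", dst="93.184.216.34"):
    """Constructed IPv4+TCP packet without options (checksums zeroed) for exercising the filter."""
    ip_hdr_len, tcp_hdr_len = 20, 20
    total_len = ip_hdr_len + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, 1, 0, (tcp_hdr_len // 4) << 4, flags, 65535, 0, 0)
    return ip + tcp + payload


def tcp_payload(packet: bytes) -> bytes:
    """Same arithmetic as the BPF filter: ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)."""
    ihl = (packet[0] & 0x0F) << 2                       # IP header length in bytes
    total_len = struct.unpack_from("!H", packet, 2)[0]  # ip[2:2]
    tcp = packet[ihl:]
    data_off = (tcp[12] & 0xF0) >> 2                    # TCP header length in bytes
    payload_len = total_len - ihl - data_off
    return tcp[data_off:data_off + payload_len]


def matches_filter(packet: bytes) -> bool:
    """'tcp port 80 and (payload length != 0)' evaluated on one packet."""
    if packet[9] != 6:                                  # IP protocol field: 6 = TCP
        return False
    ihl = (packet[0] & 0x0F) << 2
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    return 80 in (sport, dport) and len(tcp_payload(packet)) != 0


if __name__ == "__main__":
    syn = build_tcp_packet(51000, 80, 0x02)
    get = build_tcp_packet(51000, 80, 0x18, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    print("SYN matches:", matches_filter(syn))
    print("GET matches:", matches_filter(get), tcp_payload(get)[:14])
```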
SMS & Call
adb logcat -b radio -s "AT:*"
- AT commands
- PDU SMS messages
- Decode: ' a c1b03'
- Suspicious number: ' '
- Message:
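The hex the slide decodes is not preserved, so the following is an added example (not the project's decoder) of the step itself: the PDU that follows an `AT+CMGS` in the radio log is an SMS-SUBMIT per 3GPP TS 23.040, and the decoder below walks its fields (SMSC, first octet, message reference, destination address with swapped nibbles, PID, DCS, validity period, user data) to recover the destination number and the text, handling both the GSM 7-bit default alphabet and UCS-2. The two PDUs are constructed: one international number with the text "hellohello", and one 4-digit short code with a UCS-2 body. The short-code heuristic is this example's own and only flags bare numbers of six digits or fewer, which is what premium-rate SMS trojans typically target.

```python
def _swap_nibbles(hexdigits: str) -> str:
    """'21436587' -> '12345678'; a trailing 'F' pads odd-length numbers and is stripped."""
    out = "".join(hexdigits[i + 1] + hexdigits[i] for i in range(0, len(hexdigits), 2))
    return out.rstrip("F")


def _unpack_7bit(data: bytes, septets: int) -> str:
    """GSM 7-bit unpacking; only characters whose code coincides with ASCII are mapped here."""
    acc, nbits, out = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(chr(acc & 0x7F))
            acc >>= 7
            nbits -= 7
    return "".join(out)


def decode_submit_pdu(pdu_hex: str) -> dict:
    """Decode an SMS-SUBMIT PDU (as sent with AT+CMGS) into destination number and text."""
    pdu = bytes.fromhex(pdu_hex.strip())
    pos = 0
    smsc_len = pdu[pos]; pos += 1 + smsc_len              # SMSC address, skipped
    first = pdu[pos]; pos += 1
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    vpf = (first >> 3) & 0x03                              # validity period format
    pos += 1                                               # message reference
    da_digits = pdu[pos]; pos += 1
    toa = pdu[pos]; pos += 1                               # type of address
    da_bytes = (da_digits + 1) // 2
    number = _swap_nibbles(pdu[pos:pos + da_bytes].hex().upper()); pos += da_bytes
    if toa & 0x70 == 0x10:                                 # type-of-number: international
        number = "+" + number
    pos += 1                                               # protocol identifier
    dcs = pdu[pos]; pos += 1                               # data coding scheme
    pos += {0: 0, 2: 1}.get(vpf, 7)                        # VP: absent, relative (1 octet) or 7 octets
    udl = pdu[pos]; pos += 1
    ud = pdu[pos:]
    if dcs & 0x0C == 0x08:                                 # UCS-2: UDL counts octets
        text = ud[:udl].decode("utf-16-be")
    elif dcs & 0x0C == 0x00:                               # 7-bit: UDL counts septets
        text = _unpack_7bit(ud, udl)
    else:
        raise ValueError(f"unsupported DCS 0x{dcs:02x}")
    return {"number": number, "text": text, "dcs": dcs}


def looks_like_short_code(number: str) -> bool:
    """Heuristic (this example's own): a bare number of at most 6 digits, i.e. a service short code."""
    return number.isdigit() and len(number) <= 6


# Constructed PDUs: SMS-SUBMIT, no SMSC, relative validity period.
PDU_INTL = "0011000891214365870000AA0AE8329BFD4697D9EC37"     # to +12345678, 7-bit "hellohello"
PDU_SHORT = "001100048101660008AA0400680069"                   # to 1066, UCS-2 "hi"

if __name__ == "__main__":
    for pdu in (PDU_INTL, PDU_SHORT):
        msg = decode_submit_pdu(pdu)
        print(msg, "suspicious" if looks_like_short_code(msg["number"]) else "")
```

In the radio log the PDU appears on the line after `AT+CMGS=<length>`, where the length excludes the SMSC octets; strip the `AT:` prefix and any trailing Ctrl-Z before decoding.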
Interactive Emulator
- Browser-based, for end users
- Example: 50 users have tested this app, average time 3 minutes per user; suspicious SMS found; no phone call made; 1 active network access
App Tracker
Front page for users; the web portal supports:
- Top 20 profiles: malware vs. benign
- Real-time crawler status
- Real-time virus status report
- Built-in app emulation
Back end in the cloud:
- ThreatSeeker service
- Automatic static data analysis
- Dynamic profile support
Demo Time
- Security Classifier POC
- Web Portal Framework
ThreatSeeker
Cloud real-time analytics: Advance Detection (AR) result > Mobile Malware
Triton classifications: Mobile Malware, Unauthorized Mobile Marketplaces, Mobile Solution
Next Step
- Hierarchy Viewer
- Automation? Robotium?
Robotium Limitation
Android component types: Activity, Service, Broadcast Receiver, Content Provider