DroidKungFu and AnserverBot Android Malware Characterisation, part II
Analysis of Two Malware Families
- DroidKungFu and AnserverBot represent the most recent incarnation of malware engineering.
- Since their first appearance, several improvements have been coded to increase their stealthiness.
DroidKungFu
- There are 6 different known variants of DroidKungFu. They appeared within a period of 6 months (probably many more by now).
- They contain: root-kit exploits, C&C server communication, shadow payloads, code obfuscation.
DroidKungFu – Root Exploits
- 4 variants contain root exploits.
- DroidKungFu is the first to use an encrypted root-kit.
- Root-kits are stored as assets so that they look like normal data files. Initially the asset name was ratc (RageAgainstTheCage); it was then changed to myicon.
DroidKungFu – C&C Comm
- All the variants communicate with C&C servers.
- To evade detection, the C&C servers' addresses keep changing.
- DroidKungFu1 uses a plaintext string in one of its Java classes.
- DroidKungFu2: the address is moved to plain text in native code.
- DroidKungFu3 and DroidKungFu4 use encrypted names (stored in a Java class and in native code).
DroidKungFu – Shadow Payload
- If the root-kit is successful, a shadow app is installed. The user will not be aware of this app.
- This app contains the same code as the malicious payload included in the repackaged app. This means that if the user removes the host app, the shadow app remains.
- Variants encrypt the shadow app to evade detection, and no icon is shown.
DroidKungFu – Code Obfuscation
- Extensive use of encryption for constant strings, C&C servers' addresses, the native payload and the shadow app. Keys are changed very often.
- Extensive use of code obfuscation.
- Use of native code and JNI to make code analysis more difficult.
- DroidKungFuUpdate uses the update attack to download the actual payload and evade static code analysis.
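The root-exploit and shadow-payload slides above describe the same static artefact from the analyst's side: native or Dalvik code stored under an innocuous asset name (ratc, myicon), or an encrypted blob that no file type matches. The script below is an added example, not code from the slides or from any malware sample: it identifies each asset by its magic bytes rather than its file name, and flags unknown assets whose Shannon entropy is close to 8 bits per byte as probable encrypted payloads. The sample "APK" it triages is a constructed in-memory zip; the 7.5 entropy threshold is an assumed working value.

```python
"""Triage of APK assets: flag files that carry native code, Dalvik code or an
embedded APK under an innocuous name, and flag high-entropy blobs that are
probably encrypted payloads. Added example, not code from the slides; the
"APK" below is a constructed in-memory zip, not a real sample."""
import io
import math
import zipfile
from collections import Counter

# File-type magic values (real values for these formats).
MAGIC = {
    b"\x7fELF": "elf",            # native binary, e.g. a root exploit
    b"dex\n": "dex",              # Dalvik executable (shadow app code)
    b"PK\x03\x04": "zip",         # APK/JAR (an embedded shadow app)
    b"\x89PNG\r\n\x1a\n": "png",  # a genuine image asset
}


def detect_type(data: bytes) -> str:
    """Identify an asset by its leading bytes, ignoring its file name."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text is typically below 5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_assets(apk_bytes: bytes, entropy_threshold: float = 7.5):
    """Return (name, type, entropy, flag) for every file under assets/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = zf.read(info)
            kind = detect_type(data)
            entropy = round(shannon_entropy(data), 2)
            flag = None
            if kind in ("elf", "dex", "zip"):
                flag = f"executable content ({kind}) stored as an asset"
            elif kind == "unknown" and entropy >= entropy_threshold:
                flag = "high-entropy blob, possibly an encrypted payload"
            findings.append((info.filename, kind, entropy, flag))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample mimicking the asset layout described on the slides."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        # ELF headers stored under the asset names the slides mention.
        zf.writestr("assets/ratc", b"\x7fELF" + b"\x00" * 64)
        zf.writestr("assets/myicon", b"\x7fELF" + b"\x00" * 64)
        # Every byte value equally often: entropy exactly 8.0, like ciphertext.
        zf.writestr("assets/myicon.dat", bytes(range(256)) * 8)
        zf.writestr("assets/readme.txt", b"plain text asset " * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind, entropy, flag in triage_assets(build_sample_apk()):
        print(f"{name:22} {kind:8} {entropy:5.2f}  {flag or ''}")
```

Magic-byte detection catches the renamed root-kit regardless of what the asset is called; the entropy check is what catches the encrypted variants, at the cost of false positives on legitimately compressed assets, which is why both signals are reported separately rather than merged into one verdict.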
AnserverBot
- One of the most advanced malware families: it uses evasion techniques not used before by any other Android malware.
- It has been discovered in repackaged apps available in Chinese app markets.
- It seems to be an evolution of the BaseBridge malware family.
AnserverBot – Anti Analysis
- It uses the repackaging attack. However, when installed it checks whether the hosting app has been tampered with: it verifies the signature and only then unfolds its payload.
- It extensively uses code obfuscation to make the code unreadable to humans.
- The payload is split into three different apps: the host app plus two shadow apps.
AnserverBot – Anti Analysis
- The shadow apps share the same package name: Com.sec.android.touchScreen.server.
- One shadow app is loaded through the update attack.
- The other shadow app is dynamically loaded through the JVM dynamic class loading method. However, it is not installed!
- AnserverBot is able to load any code retrieved from the C&C server.
AnserverBot – AV Detection
- This malware is very aggressive: it tries to detect whether AV software is installed on the device.
- It contains the encrypted names of security apps such as LBE and 360 MobileSafe.
- If one is installed, the malware uses the restartPackage method to stop the AV and then displays an error message.
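The two AnserverBot slides above (dynamic class loading of a shadow app that is never installed, and killing AV processes through restartPackage) both leave traces in the string table of the app's classes.dex: class descriptors, method names and package names. The following is an added example, not code from the slides: a minimal parser for the dex string table (header offsets 0x38/0x3C and ULEB128-prefixed, NUL-terminated string data, as in the real format) followed by an indicator scan. The dex it parses is a constructed stub with only the string table populated; the indicator list is an assumption of what an analyst might look for, and the LBE and 360 MobileSafe package names in it are assumed, not taken from the slides.

```python
"""Extract the string table from a dex file and scan it for the API and package
names an analyst would associate with the behaviour described on the slides.
Added example, not code from the slides; the dex below is a constructed stub."""
import struct


def uleb128(n: int) -> bytes:
    """Encode an unsigned integer as ULEB128 (used for string lengths in dex)."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def read_uleb128(buf: bytes, off: int):
    result = shift = 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def build_sample_dex(strings) -> bytes:
    """Constructed minimal dex: a 0x70-byte header whose only populated fields
    are magic, string_ids_size and string_ids_off, then the ids and the data."""
    header_size = 0x70
    ids_off = header_size
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += uleb128(len(s)) + s.encode("utf-8") + b"\x00"  # ASCII only here
    header = bytearray(header_size)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    ids = b"".join(struct.pack("<I", o) for o in offsets)
    return bytes(header) + ids + bytes(data)


def dex_strings(dex: bytes):
    """Walk string_ids -> string_data_item and return the decoded strings."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    size, off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(size):
        (soff,) = struct.unpack_from("<I", dex, off + 4 * i)
        _utf16_len, p = read_uleb128(dex, soff)
        out.append(dex[p:dex.index(b"\x00", p)].decode("utf-8"))
    return out


# Lower-cased, dot-separated needles so that both "Lcom/x/Y;" descriptors and
# dotted package names match.
INDICATORS = {
    "dalvik.system.dexclassloader": "runtime code loading (dynamic class loading)",
    "restartpackage": "stops other apps' processes (used to kill AV)",
    "javax.crypto.cipher": "decryption of embedded data (encrypted names/payload)",
    "com.sec.android.touchscreen.server": "AnserverBot shadow-app package name (from the slides)",
    # Assumed package names for the security apps the slides mention; verify
    # against the real apps before relying on them.
    "com.lbe.security": "reference to the LBE security app (assumed name)",
    "com.qihoo360.mobilesafe": "reference to 360 MobileSafe (assumed name)",
}


def scan_dex(dex: bytes):
    """Return (string, reason) for every string-table entry matching an indicator."""
    hits = []
    for s in dex_strings(dex):
        norm = s.replace("/", ".").lower()
        hits.extend((s, why) for needle, why in INDICATORS.items() if needle in norm)
    return hits


# Constructed string table resembling what a decompiled sample might contain.
SAMPLE_STRINGS = [
    "Ldalvik/system/DexClassLoader;", "loadClass", "restartPackage",
    "Lcom/sec/android/touchScreen/server/Main;", "Ljava/lang/String;", "A" * 200,
]

if __name__ == "__main__":
    for s, why in scan_dex(build_sample_dex(SAMPLE_STRINGS)):
        print(f"{s:45} {why}")
```

The slides note that the AV package names are stored encrypted, so the plaintext needles for them will usually miss; that is why the scan also flags javax.crypto.Cipher, since decryption of embedded strings next to DexClassLoader is itself a useful combined signal even when the decrypted names never appear in the string table.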
AnserverBot – C&C Comm
- AnserverBot supports two types of C&C servers: one type is used for sending commands, the second one for retrieving encrypted payloads.
- To reach the second one, it uses an encrypted entry posted on public blog providers, i.e. Sina and Baidu. This entry contains the (encrypted) address of the second C&C server.
The AVS race
- Given the rapid evolution of malware, AV software is lagging behind.
- Mainly, AVS uses a signature-based approach: it relies on the content of its signature DB. If an app's signature is not there, it may not be recognised as malware.
- How easy is it to change the signature of an app? Very!
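To make the last point concrete from the defender's side, here is an added example (not code from the slides or from any AV product) contrasting two signature styles: a hash over the whole file, and a hash over the Dalvik code entries only. The three "APKs" are constructed zip files holding a placeholder classes.dex, not real samples. Repackaging, the technique both malware families use, changes every byte of the container while leaving the code untouched, so only the first style breaks; a genuinely new variant changes both.

```python
"""Why a whole-file hash is a brittle AV signature. Added example, not code
from the slides or the Imperva report; the "APKs" are constructed zip files
holding a placeholder classes.dex, not real malware."""
import hashlib
import io
import zipfile

# Constructed placeholders for Dalvik code; a real classes.dex is a full program.
PAYLOAD_DEX = b"dex\n035\x00" + b"placeholder payload code v1"
PAYLOAD_DEX_V2 = b"dex\n035\x00" + b"placeholder payload code v2"


def build_apk(entries: dict) -> bytes:
    """Pack name -> bytes into a zip, the container format an APK uses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def file_signature(apk: bytes) -> str:
    """Signature style 1: hash of the whole file. Any byte change breaks it."""
    return hashlib.sha256(apk).hexdigest()


def code_signature(apk: bytes) -> str:
    """Signature style 2: hash over the .dex entries only, ignoring resources,
    assets, timestamps and compression settings of the container."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in sorted(zf.namelist()):
            if name.endswith(".dex"):
                h.update(name.encode())
                h.update(zf.read(name))
    return h.hexdigest()


def compare(known: bytes, candidate: bytes) -> dict:
    """Which signature styles still match the candidate against the known sample."""
    return {
        "file_hash_match": file_signature(known) == file_signature(candidate),
        "code_hash_match": code_signature(known) == code_signature(candidate),
    }


# The known sample, the same code repackaged into a different host (new icon,
# extra asset), and a later variant whose code was actually changed.
ORIGINAL = build_apk({"classes.dex": PAYLOAD_DEX, "res/icon.png": b"icon-a"})
REPACKAGED = build_apk({"classes.dex": PAYLOAD_DEX, "res/icon.png": b"icon-b",
                        "assets/extra.txt": b"padding"})
NEW_VARIANT = build_apk({"classes.dex": PAYLOAD_DEX_V2, "res/icon.png": b"icon-a"})

if __name__ == "__main__":
    print("repackaged :", compare(ORIGINAL, REPACKAGED))
    print("new variant:", compare(ORIGINAL, NEW_VARIANT))
```

The code-level hash survives repackaging but not the per-variant re-encryption and re-obfuscation the DroidKungFu slides describe, which is the argument for matching on behaviour (the API usage and asset patterns shown earlier) rather than on any exact hash.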
The AVS race
- Interesting report from Imperva: http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf
- Unknown malware was submitted to AVS; the goal was to evaluate how effective AVS solutions are.
- The results are really scary.
Imperva Study Results
- Less than 5% of the malware were detected.
- Most AVS cannot keep up with the fast-changing landscape of malware families.
- AVS requires up to 4 weeks to detect a new malware.
- The best of breed: the free ones! Although they had a very high false positive rate.
- Consumers spend $4.5 billion while enterprises spend $2.9 billion: 1/3 of the total money spent on security software.
Imperva Study Results
- It might be best to spend some resources on other types of software that are not AVS.
- For AVS, it is better to use the free ones.
- Note: this study is for PC malware. Does it apply to Android malware? We will know very soon ;-)