1. 2014 When Android Apps Go Evil Jing Xie jing.xie@lookout.com Lookout Inc. 2014 #GHC14 2014

2. Evil Outline Android OS & App Development Malware Landscape Reverse Engineering Analysis Insights & Challenges

3. 2014 Android OS  Linux based  Open sourced  Java for app dev  Dalvik VM  (ART since 4.4)  Security & Privacy  Sandboxing  Permissions  Secure IPC  Cryptography

4. 2014 Making of Apps

5. 2014 Android Malware (NOT VIRUS PLZ!)

6. 2014 Threat Landscape

7. 2014 Depending on Origin USAFrance + SpainRussiaIndiaChina Vietnam Trojan Toll Fraud Spyware Chargeware Surveillanceware Spam Ransomware RootEnabler Exploit Riskware

8. 2014 Malware as a Business

9. 2014 Agile Malware Development  SMSActor distribution  SMS Toll Fraud: sending premium text messages without consent April 2012 April 2014 SMSActor: Russian Toll Fraud Variant Life Span: Activated Deactivated Decommissioned

10. 2014 Incentive and Feasibility http://www.onepf.org/appstores/ http://www.techinasia.com/10-android-app-stores-china-2014-edition/ Anzhi AppChina D.cn Games Center gFan HiAPK Aptoide Panda App Taobao App Market Tencent App Gem Xiaomi Mumayi  SK T-Store  Naver NStore  APPZIL  olleh Market o Yandex.Store A HUGE NUMBER OF Apps Not in Google Play Store  SlideMe.org  AppBrain  1MobileMarket  Mobile9  Mobango  Barzaar  Amazon appstore  AppZoom  AppsLib

11. 2014 Incentive and Feasibility http://www.theguardian.com/technology/2014/aug/22/android-fragmented-developers-opensignal

12. 2014 Reverse Machinery ( 一 ) baksmali; apktool dex2jar + jd-gui/luyten; input: apk/dex Output: smali Output: pseudo Java

13. 2014 Reverse Machinery ( 二 ) Demo Time

14. 2014 Scents of Android Malware (UN) Disingenuous advertisement Facebook icon && titled facebook; package name: com.facebook.sms com.facebook.katana More than advertised Irrelevant code package Payment SDK with no pay button (UI) Cost money APIs in unexpected context A system utility app sends SMS or make phone calls Free game that requires costs money permission Unnecessary outbound communications A battery saving app talks to a remote server Calculator that downloads stuff

15. 2014 Scents of Android Malware (DEUX) Interesting log statements IsFuckSendIsLuckReceiverIsLuckReceiver 的 finally 已经 开始加锁 ** WHELCOME TO HELL ********* Interesting file assets /assets/libremotecontrol.so PNG is actually dex file System level operations Checks the root as a game app Peer information exchange Virus total says the app is malicious Interesting Log Statements IsFuckSendIsLuckReceiverIsLuckReceiver 的 finally 已经开始加锁 ** WHELCOME TO HELL ********* Interesting File Assets /assets/libremotecontrol.so PNG is actually dex file System Level Operations Checks the root as a game app Peer Information Exhange Virus Total says apps is malicious

16. 2014 Analysis Challenges Technical Contextual Evasion Techniques Complicated Apps Sheer Volume Constraints on Devices Nuanced Context Malware Purpose Levels of Puzzle Solving

17. 2014 When Android Apps Go Evil Jing Xie jing.xie@lookout.com Lookout Inc. 2014 #GHC14 2014 Thank You! Thanks to security team + designer @ lookout