Presentation is loading. Please wait.

Presentation is loading. Please wait.

GroddDroid A Gorilla for Triggering Malicious Behavior 10th Int. Conference on Malicious and Unwanted Software October 20-23rd 2015  Abraham, R. Andriatsimandefitra,

Published byApril Patterson Modified over 8 years ago

Similar presentations

Presentation on theme: "GroddDroid A Gorilla for Triggering Malicious Behavior 10th Int. Conference on Malicious and Unwanted Software October 20-23rd 2015  Abraham, R. Andriatsimandefitra,"— Presentation transcript:

1 GroddDroid A Gorilla for Triggering Malicious Behavior 10th Int. Conference on Malicious and Unwanted Software October 20-23rd 2015  Abraham, R. Andriatsimandefitra, A. Brunelat Jean-François Lalande, Valérie Viet Triem Tong

2 Executing Android Malware is necessary To observe their behavior To understand them To test the robustness of a protection 2  But malware do not run on demand starts when the phone is unlocked starts after a reboot sleeps a week long detects emulators waits for a message of their master starts immediately …

3 Existing approaches: Monkey, PuppetDroid and A 3 E The Monkey hits randomly the graphical interface and can be combined with a random sequence of events (SMS, phone call, reboot…) PuppetDroid Re-execute recorded interactions and reproduces the typical UI-interaction of a potential victim of the malware. A 3 E extracts GUI elements and generates related events handlers to mimicking a real user. BUT Remain inefficient to trigger delayed attack or commanded by a remote server Is not able to recreate the same scenario twice (Monkey) 3

4 Our proposition: identification and forcing of malicious behaviors 4 GroddDroid: 1.Identifies suspicious part of the bytecode 2.Plays with the app as Grodd 3.Forces the malicious code if needed 4.Is freely available on http://kharon.gforge.inria.fr/

5 1 st Step: Suspicious code targeting For each method in the bytecode computes a risk score. The more the method uses sensitive APIs, the higher is the score. Example of scoring : Android.telephony.SmsManager +50 Android.telephony.TelephonyManager +20 Java.lang.Process +10 Java.net.UrlConnection +3 5

6 Is our scoring function well-adapted to malware ? 6 We verify that the pointed out APIs are really used by malware (on a dataset of 100 malware)

7 Did we succeed to target malicious bytecode ? We have test the scoring function on a dataset of well studied malware : Kharon15 MalwareHigh score Malicious or not ? Most scored method BadNews 80 ✓ gathers user’s information Cajino 200 ✓ Sends SMS DroidKungFu 50 ✓ Run a binary exploit MobiDash 147 WRONGgathers user’s information for legitimate use SaveME 100 ✓ Sends SMS SimpleLocker - CRASH WipeLocker 150 ✓ Sends SMS

8 2 nd Step: Running the app as a Gorilla ① Collects graphical elements ② Explores the app by clicking on the buttons ③ Can go back ④ Can launch the app again ⑤ Detects loops ⑥ Until he has explored all the different activities 8

9 Is our Gorilla better than Monkey and A 3 E ? We compare the code coverage on 100 tested malware Always better than A 3 E (cannot handle properly recent Android apps) Slightly better than Monkey 23 crashs Serves a reference execution path 9 GroddDroid forces the execution path direct to the most ranked method.

10 3 step : Running the app as GroddDroid GroddDroid ① modifies the bytecode and cancels the conditional jumps that could drive away from the malicious code ② Recomputes an execution path reachable by a gorilla to execute the most scored unit of code 10 Let us have an example

11 3 step : Running the app as GroddDroid ① modifies the bytecode and cancels the conditional jumps that could drive away from the malicious code 11 The source code of a simple protection if (isOnEmulator()) return; // Branch 1 else manager = SmsManager.getDefault(); // Branch 2

12 3 step : Running the app as GroddDroid ① modifies the bytecode and cancels the conditional jumps that could drive away from the malicious code 12 Same code in Jimple (intermediate representation of bytecode) $z0 = staticinvoke (); if $z0 != 0 goto label3; return; // Branch 1 label3: // Branch 2 $r6 = staticinvoke ();

13 3 step : Running the app as GroddDroid ① modifies the bytecode and cancels the conditional jumps that could drive away from the malicious code 13 Forced code: the conditional jump is modified $z0 = staticinvoke (); goto label3 ; // Forced branch 2 return; // Branch 1 is now unreachable label3: // Branch 2 is always executed $r6 = staticinvoke ();

14 3 step : Running the app as GroddDroid ② The process is repeated to exhibit an execution path 14

15 3 step : Running the app as GroddDroid ② The process is repeated to exhibit an execution path 15

16 Is GroddDroid able to force malware to execute ? We recompile the modified bytecode and run it. We test this procedure on a dataset of 100 malware. 16

17 Overview of the GroddDroid framework 17

18 Summary and Conclusion GroddDroid provides a solution to defeat protections of Android malware using: Automatic identification of malicious code Intelligent exploration of activities A forcing of the most scored unit of code 18 Can certainly be improved in taking into account other GUI elements in forcing more than one execution path

19 Visit our web site and use GroddDroid http://kharon.gforge.inria.fr/ Feel free to contact us jean-francois.lalande@insa-cvl.fr valerie.viettriemtong@centralesupelec.fr 19

Download ppt "GroddDroid A Gorilla for Triggering Malicious Behavior 10th Int. Conference on Malicious and Unwanted Software October 20-23rd 2015  Abraham, R. Andriatsimandefitra,"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Understanding an Apps Architecture ASFA Computer Science: Principles Fall 2013.

Understanding an Apps Architecture ASFA Computer Science: Principles Fall 2013.
Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.

Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,

Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,
Tutorial 10 Adding Spry Elements and Database Functionality Dreamweaver CS3 Tutorial 101.

Tutorial 10 Adding Spry Elements and Database Functionality Dreamweaver CS3 Tutorial 101.
XP New Perspectives on Browser and E-mail Basics Tutorial 1 1 Browser and E-mail Basics Tutorial 1.

XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.
Presented by: Tom Staley. Introduction Rising security concerns in the smartphone app community Use of private data: Passwords Financial records GPS locations.

Presented by: Tom Staley. Introduction Rising security concerns in the smartphone app community Use of private data: Passwords Financial records GPS locations.
Test-Driven Development of Graphical User Interfaces: A Pilot Evaluation Thedore D. Hellmann, Ali Hosseini-Khayat, Frank Maurer XP 2011.

Test-Driven Development of Graphical User Interfaces: A Pilot Evaluation Thedore D. Hellmann, Ali Hosseini-Khayat, Frank Maurer XP 2011.
Android Boot Camp for Developers Using Java, 3E

Android Boot Camp for Developers Using Java, 3E
1 Computer Science of Graphics and Games MONT 105S, Spring 2009 Session 20 Graphical User Interface (GUI)

1 Computer Science of Graphics and Games MONT 105S, Spring 2009 Session 20 Graphical User Interface (GUI)
Dynamic Program Analysis with Partial Execution and Summary Thomas Huining Feng CHESS, UC Berkeley May 8, 2007 CS.

Dynamic Program Analysis with Partial Execution and Summary Thomas Huining Feng CHESS, UC Berkeley May 8, 2007 CS.
By Gianluca Stringhini, Christopher Kruegel and Giovanni Vigna Presented By Awrad Mohammed Ali 1.

By Gianluca Stringhini, Christopher Kruegel and Giovanni Vigna Presented By Awrad Mohammed Ali 1.
1 Chapter Overview Defining Operators Creating Jobs Configuring Alerts Creating a Database Maintenance Plan Creating Multiserver Jobs.

1 Chapter Overview Defining Operators Creating Jobs Configuring Alerts Creating a Database Maintenance Plan Creating Multiserver Jobs.
Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.

Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.
Malicious Software.

Malicious Software.
Title of Presentation DD/MM/YYYY © 2015 Skycure 1 1 1 Why Are Hackers Winning the Mobile Malware Battle.

Title of Presentation DD/MM/YYYY © 2015 Skycure Why Are Hackers Winning the Mobile Malware Battle.

Similar presentations

Ads by Google