Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Hidden Attacks through the Mobile App-Web Interfaces

Published bySilvia Cobb Modified over 7 years ago

Similar presentations

Presentation on theme: "Detecting Hidden Attacks through the Mobile App-Web Interfaces"— Presentation transcript:

1 Detecting Hidden Attacks through the Mobile App-Web Interfaces
Yan Chen Lab of Internet and Security Technology (LIST) Northwestern University, USA

2 Downloaded phishing app
Motivation Downloaded phishing app Click on the buttons Scan Automatically

3 Motivation Vast effort has been spent analyzing the malicious apps themselves For both industry and academia An important, yet unexplored vector of malware propagation is benign, legitimate apps that lead users to websites hosting malicious apps We call this hidden attacks though the app-web interface D.Arp,M.Spreitzenbarth,M.Hubner,H.Gascon,andK.Rieck,“Drebin:Effective and explainable detection of android malware in your pocket,”NDSS), 2014. 3

4 Contributions Develop a framework for analyzing the app-web interfaces in Android applications Develop a novel technique to interact with UI widgets to trigger app-web interface Conduct a systematic study to associate ad networks with ad library packages Detect hidden attacks Tested 600,000 apps in two months Found several unknown attacks: a rogue antivirus scam, free iPad and iPhone scams, and ads propagating SMS trojans

5 Outline Background on mobile advertising System Design
Detection Results Case study

6 Advertising Overview 6

7 Publishers and Advertisers
Publishers – show ads to users Advertisers – the brand owners that wish to advertise 7

8 Ad networks Also called aggregators Link advertisers to publishers
Buy ad space from publishers; sell to advertisers Sophisticated algorithms for Targeting Inventory management 8

9 Ad networks Ad networks may interface with each other Syndication
One ad network asks another to fill ad space Ad exchange Real time auction of ad inventory Bidding from many ad networks for many ad spaces

10 Mobile In-app Advertising
Ad networks provide glue code that apps can embed and communicate with ad servers Ad libraries, which identify ad networks Web links embedded directly in apps Malicious links are visited via the landing pages of ads coming from ad networks Though the apps themselves are benign

11 Outline Background on mobile advertising System Design
Detection Results Case study

12 Overview of Detection Methodology
Trigger App-web interfaces URL scanning Redirection Chains Dynamic App Analysis App DataSet Malware and scan report Downloaded Files <CODE> WEBSITE </CODE> File scanning Landing Pages Dynamic webpage analysis

13 Components Triggering Detection Provenance
Interact with the app to launch web links Detection Include the various processes to detect malicious and benig that may occur as a result of triggering Provenance Understand the cause or origin of a detected malicious activity, and attribute events to a specific domain or an ad library

14 Triggering App-Web interfaces
Application UI Exploration Use the heuristics and algorithms developed in AppsPlayground [Codaspy2013] Handling Webviews Develop based on Selendroid to interact with Webviews Apply computer vision techniques Add an example for 14

15 UI Exploration of AppsPlayground
Add an example for 15

16 Examples of Handling Webviews
Bounding boxes are depicted as red rectangles. The top two figures contain the whole screen while the bottom figure is just an ad. Note the detection of buttons. Add an example for 16

17 Detection Redirection chains Landing pages File and URL scanning
In a browser configured with a realistic user agent and window size Download any files that can be downloaded File and URL scanning VirusTotal URL blacklists Google Safebrowsing, Websense, … VirusTotal antivirus engines Symantec, Dr. Web, Kaspersky, Eset, …

18 Provenance Understand the cause and origins of attacks
Approach 1: through redirection chains Identify the parties owning the URLs leading up to the landing URL Approach 2: attribute code-level elements to locate it: at app or ad libraries? log specific intents that are indicative of URL launches together with which part of the code (the Java class within which the launching code lies) that submitted the intent 18

19 Discovering Ad Networks
First systematic step towards understanding malvertising Finding ad libraries Typically have their own Java packages, e.g., com.google.ads Disassemble the app and get Java packages

20 Approach 1 Find frequent packages
Ad networks included in many apps so their packages will be frequent So are some other packages, e.g., Apache libs, game development libs,… Have to manually filter them

21 Approach 2 Observation: Ad functionality is different from the main app functionality Three steps Get all android APIs Decouple: Break the app into different modules based on code characteristics Inheritance, function calls, field relationships Cluster: cluster modules from multiple apps together based on their API call similarity Frequent libs such as Apache, game libs ad libraries

22 Approach 2 Cluster 1 Cluster 2 APP1 APP2 APPn Cluster m Decoupling
Clustering Google ads libs Module Cluster 1 APP1 Module Module Apache libs Module APP2 Cluster 2 Module Module Module Game libs APPn Module Cluster m Module

23 Discovering Ad Networks: Results
Dataset 492,534 apps from Google Play 422,505 apps from four Chinese stores: 91, Anzhi (安智), AppChina(应用汇), Mumayi (木蚂蚁) Discovered a total of 201 ad networks The most reported ad networks so far

24 Outline Background on mobile advertising System Design
Detection Results Case study

25 Overall Detection Findings
Google Play Chinese Markets App-to-web links 1,000,000 415,000 Malicious URLs 948 1475 Downloaded Files 468 1097 Malicious Downloaded Files 271 435 Run 492,534 apps from Google Play and 200,000 apps from Chinese markets, having ad libraries

26 Which Ad Libraries Have Attacks
Google Play Chinese market Malicious files downloaded through ad libraries and other links. Tapcontext malware has the most malicious file download, but we exclude them here for better viewing

27 Comparison on Redirection Chains
Google Play Chinese market As the length of the chains increase, the two curves come closer We have a greater fraction of malicious chains when they are longer

28 Outline Background on mobile advertising System Design
Detection Results Case study

29 Case Study:Fake AV scam
Campaign found in multiple apps, one network: Tapcontext (244 instances in America and 102 in China) Website design mimics Android dialog box We detected this campaign 20 days before the site was flagged as phishing by Google and others

30 Case Study:Free iPad scam
Landing Page Phishing: asked to give some very personal information without getting anything in return After that, receiving spam on our address registered with this ad Click on the button

31 Case Study:Free iPad scam
The scam originates not through an ad in the app, but through a link statically embedded in the app.

32 Case Study: Downloaded Player
Download player Ad library name: jp.co.nobot It leads to download a video player The purported video player is actually an SMS trojan Automatically send out paid SMS? Click on the ad

33 Case Study: SMS Trojan When opening the app, it will try to send a message directly Once click on the "send" button, it will send message to (a charged SMS service) Receive warning on a Xiaomi phone 12/7/2017

34 Case Study: Porn Phishing
It also asks you to pay 15 RMB to register a member to see porn content 12/7/2017

35 Case Study: 禁播视频 Get your location Send SMS to 12114
Download several malicious apps directly Some get installed directly without prompt 12/7/2017

36 Conclusions Explored the app-web interface, wherein a user may go from an app to a Web destination via ad or web links embedded in the app Tested 600,000 applications in two months Identified several malware and scam campaigns propagating through both ads and web links in apps. We are working with CNCERT to protect Android users by screening out offending apps that embed links leading to malicious content by making ad networks more accountable for their ad content

37 Thank you ! Questions ?

38 Android Ecosystem

39 Button Detection Algorithm
Perform edge detection on the view’s image Find contours in the image Ignore the non-convex contours or those with very small area Compute the bounding boxes of all remaining contours Add an example for 39

40 Case Study:Downloaded App
Malicious apps downloaded from Baidu ads Sent message directly to 12114

Download ppt "Detecting Hidden Attacks through the Mobile App-Web Interfaces"

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Understanding and Detecting Malicious Web Advertising

Understanding and Detecting Malicious Web Advertising
Free Software Alternatives: Avast! Anti-virus

Free Software Alternatives: Avast! Anti-virus
Browser and E-mail Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.

Browser and Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.
Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.

Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.
The Internet & The World Wide Web Notes

The Internet & The World Wide Web Notes
Mobile App Monetization: Understanding the Advertising Ecosystem Vaibhav Rastogi.

Mobile App Monetization: Understanding the Advertising Ecosystem Vaibhav Rastogi.
A presentation created by David C.

A presentation created by David C.
SHASHANK MASHETTY Email security. Introduction Electronic mail most commonly referred to as email or e- mail. Electronic mail is one of the most commonly.

SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.
HTTP: cookies and advertising Concepts to cover:  web page content (including ads) from multiple site: composition at client  cookies  third-party cookies:

HTTP: cookies and advertising Concepts to cover:  web page content (including ads) from multiple site: composition at client  cookies  third-party cookies:
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
Lecturer: Ghadah Aldehim

Lecturer: Ghadah Aldehim
2010.11.22 資安新聞簡報 報告者:劉旭哲、曾家雄. Spam down, but malware up 報告者:劉旭哲.

資安新聞簡報 報告者:劉旭哲、曾家雄. Spam down, but malware up 報告者:劉旭哲.
1. 2 Windows Live Hotmail  offers access via special Outlook Connector software o provides a two-way sync for  mail  calendar  contacts o access.

1. 2 Windows Live Hotmail  offers access via special Outlook Connector software o provides a two-way sync for  mail  calendar  contacts o access.
TERMINALFOUR SiteManager Introduction January, 2014.

TERMINALFOUR SiteManager Introduction January, 2014.
1 ITGS - introduction A computer may have: a direct connection to a net (cable); or remote access (modem). Connect network to other network through: cables.

1 ITGS - introduction A computer may have: a direct connection to a net (cable); or remote access (modem). Connect network to other network through: cables.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
Chapter 6 The World Wide Web. Web Pages Each page is an interactive multimedia publication It can include: text, graphics, music and videos Pages are.

Chapter 6 The World Wide Web. Web Pages Each page is an interactive multimedia publication It can include: text, graphics, music and videos Pages are.

Similar presentations

Ads by Google