Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vaibhav Rastogi, Yan Chen, and Xuxian Jiang

Published byStacy Hilyard Modified over 9 years ago

Similar presentations

Presentation on theme: "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang"— Presentation transcript:

1 Vaibhav Rastogi, Yan Chen, and Xuxian Jiang
DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks Vaibhav Rastogi, Yan Chen, and Xuxian Jiang Lab for Internet and Security Technology, Northwestern University †North Carolina State University

2 Android Dominance Smartphone sales already exceed PC sales
Android world-wide market share ~ 70% Android market share in US ~50% (Credit: Kantar Worldpanel ComTech)

3 Introduction Source: http://play.google.com/ | retrieved: 4/29/2013
Android malware – a real concern Many Anti-malware offerings for Android Many are very popular Source: | retrieved: 4/29/2013

4 Objective What is the resistance of Android anti-malware against malware obfuscations? Smartphone malware is evolving Encrypted exploits, encrypted C&C information, obfuscated class names, … Polymorphic attacks already seen in the wild Technique: transform known malware

5 Transformations: Three Types
Trivial No code-level changes or changes to AndroidManifest Detectable by Static Analysis - DSA Do not thwart detection by static analysis completely Not detectable by Static Analysis – NSA Capable of thwarting all static analysis based detection

6 Trivial Transformations
Repacking Unzip, rezip, re-sign Changes signing key, checksum of whole app package Reassembling Disassemble bytecode, AndroidManifest, and resources and reassemble again Changes individual files

7 DSA Transformations Changing package name Identifier renaming
Data encryption Encrypting payloads and native exploits Call indirections

8 Evaluation 10 Anti-malware products evaluated 6 Malware samples used
AVG, Symantec, Lookout, ESET, Dr. Web, Kaspersky, Trend Micro, ESTSoft (ALYac), Zoner, Webroot Mostly million-figure installs; > 10M for three All fully functional 6 Malware samples used DroidDream, Geinimi, FakePlayer, BgServ, BaseBridge, Plankton Last done in February 2013.

9 DroidDream Example AVG Symantec Lookout ESET Dr. Web Repack x
Reassemble Rename package Encrypt Exploit (EE) Rename identifiers (RI) Encrypt Data (ED) Call Indirection (CI) RI+EE EE+ED EE+Rename Files EE+CI

10 DroidDream Example Kasp. Trend M. ESTSoft Zoner Webroot Repack
Reassemble x Rename package Encrypt Exploit (EE) Rename identifiers (RI) Encrypt Data (ED) Call Indirection (CI) RI+EE EE+ED EE+Rename Files EE+CI

11 Findings All the studied tools found vulnerable to common transformations At least 43% signatures are not based on code-level artifacts 90% signatures do not require static analysis of Bytecode. Only one tool (Dr. Web) found to be using static analysis

12 Signature Evolution Study over one year (Feb 2012 – Feb 2013)
Key finding: Anti-malware tools have evolved towards content-based signatures Last year 45% of signatures were evaded by trivial transformations compared to 16% this year Content-based signatures are still not sufficient

13 Takeaways Anti-malware vendors Google and device manufacturers
Need to have semantics-based detection Google and device manufacturers Need to provide better platform support for anti-malware

14 Impact The focus of a Dark Reading article on April 29
Contacted by Lookout Director of Security Engineering regarding transformation samples and tools on May 2nd Contacted by McAfee Lab and TechNewsDaily this week …

15

16 Conclusion Developed a systematic framework for transforming malware
Evaluated latest popular Android anti-malware products All products vulnerable to malware transformations

17 Thank You!

18 Backup

19 Solutions Content-based Signatures are not sufficient
Analyze semantics of malware Need platform support for that Dynamic behavioral monitoring can help

20 Example: String Encryption

21 Example: String Encryption

22 NSA Transformations Reflection Bytecode encryption
Obfuscate method calls Subsequent encryption of method names can defeat all kinds of static analysis Bytecode encryption Encrypt the malicious bytecode load at runtime using user-defined class loader

23 Product Details

Download ppt "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang"

Similar presentations

Win the Cyberwar on Mobile Banking and Payments

Win the Cyberwar on Mobile Banking and Payments
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional.
Dissecting Android Malware : Characterization and Evolution

Dissecting Android Malware : Characterization and Evolution
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Northwestern University, IL, US,

Northwestern University, IL, US,
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
PAGE 1 | Gradient colors 14 149 115 0 121 91 13 137 105 RGBRGB Diagrams 142 230 0 127 205 0 137 222 0 RGBRGB 242 174 107 255 131 0 240 161 82 RGBRGB 166.

PAGE 1 | Gradient colors RGBRGB Diagrams RGBRGB RGBRGB 166.
Towards a Trustworthy Android Ecosystem 1 Yan Chen Lab of Internet and Security Technology Northwestern University.

Towards a Trustworthy Android Ecosystem 1 Yan Chen Lab of Internet and Security Technology Northwestern University.
Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.

Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.
Android Malware Characterisaion. Android Under Attack Android Malware is on the rise In 2012 malware presence has increased by 580% compared to the same.

Android Malware Characterisaion. Android Under Attack Android Malware is on the rise In 2012 malware presence has increased by 580% compared to the same.
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
David Flournoy Bit9 Mid-Atlantic Regional Manager

David Flournoy Bit9 Mid-Atlantic Regional Manager
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
Towards a Trustworthy Android Ecosystem 1 Yan Chen Lab of Internet and Security Technology Northwestern University.

Towards a Trustworthy Android Ecosystem 1 Yan Chen Lab of Internet and Security Technology Northwestern University.
Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University

Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
Rage Against The Virtual Machine: Hindering Dynamic Analysis of Android Malware Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Sotiris Ioannidis,

Rage Against The Virtual Machine: Hindering Dynamic Analysis of Android Malware Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Sotiris Ioannidis,
Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.

Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.
Access · convergence · management security · performance Margins in Mobility – Ian Kilpatrick, Wick Hill.

Access · convergence · management security · performance Margins in Mobility – Ian Kilpatrick, Wick Hill.

Similar presentations

Ads by Google