Introduction to Mobile Malware


1 Introduction to Mobile Malware

2 Outline
Introduction
Types of Malware
Malware examples
How Malware Spreads
Prevention
AndroRAT
Hands-on Lab

3 Introduction
Mobile security has become a fast-growing issue.
Nearly 100,000 new malicious programs for mobile devices were detected in 2013 (Kaspersky Lab), more than twice the number detected in 2012.

4 Types of Malware
In terms of functionality, there are three types:
Mobile Device Data Stealers
Rooting Capable Malware
Premium Service Abusers

5 Mobile Device Data Stealers
Mobile Device Data Stealers: malware that steals personal information such as contacts, phone logs, browsing habits, SMS and GPS data.

6 Mobile Device Data Stealer Example: NickiBot
NickiBot: malware with client and server components.
It can perform (GPS-based) location monitoring, sound recording, -based uploading, and call log collection.
After installation it obtains the phone's International Mobile Equipment Identity (IMEI) and runs in the background while trying to connect to a server.
It only works on phones that are able to connect to that particular server; if the phone cannot connect to the server, NickiBot terminates automatically.
NickiBot only executes its functions when it receives commands from the server or via SMS.

7 NickiBot Permission Review
Permissions needed:
android.permission.INTERNET
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_PHONE_STATE
android.permission.READ_CONTACTS
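The permission review this slide asks for can be automated. The following is an added example (not code from the presentation): it parses an AndroidManifest.xml, maps each requested permission to the capability it grants, and reports the combinations that enable the behaviours described on the surrounding slides (a data stealer needs a data permission plus INTERNET; a premium-service abuser needs SEND_SMS). The sample manifest is constructed from the NickiBot permission list above; the capability table and the combination rules are this example's own assumptions, not any vendor's policy.

```python
"""Added example: flag risky permission combinations in an Android manifest.

The CAPABILITY table and RULES below are assumptions made for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability granted by each permission (assumed mapping for this example).
CAPABILITY = {
    "android.permission.INTERNET": "network",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "device_identity",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms_read",
    "android.permission.RECEIVE_SMS": "sms_read",
    "android.permission.SEND_SMS": "sms_send",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Combinations worth a second look: (capabilities required, finding text).
RULES = [
    ({"contacts", "network"}, "contacts can be exfiltrated over the network"),
    ({"location", "network"}, "location can be tracked remotely"),
    ({"device_identity", "network"}, "IMEI/phone identity can be sent to a server"),
    ({"microphone", "network"}, "audio can be recorded and uploaded"),
    ({"sms_send"}, "app can send SMS (premium-rate abuse risk)"),
    ({"sms_read"}, "app can read incoming SMS (one-time-code interception risk)"),
]


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]


def review_manifest(manifest_xml):
    """Map permissions to capabilities and evaluate every rule against them."""
    perms = requested_permissions(manifest_xml)
    caps = {CAPABILITY.get(p, "unknown:" + p) for p in perms}
    findings = [text for needed, text in RULES if needed <= caps]
    unmapped = sorted(c for c in caps if c.startswith("unknown:"))
    return {
        "permissions": perms,
        "capabilities": sorted(caps),
        "findings": findings,
        "unmapped": unmapped,  # permissions the table does not know; review by hand
    }


# Constructed manifest using the permission list from the NickiBot slide.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

if __name__ == "__main__":
    report = review_manifest(SAMPLE_MANIFEST)
    print("capabilities:", ", ".join(report["capabilities"]))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against the NickiBot manifest the reviewer gets three findings (contacts, location and device identity can all leave the phone because INTERNET is also requested); the point of the rule table is that a single permission rarely tells the story, the pairing with a network channel does.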

8 NickiBot Code Example: Stealing Contacts
Pseudo code:
Uri CONTENT_URI = ContactsContract.Contacts.CONTENT_URI;
Cursor cursor = contentResolver.query(CONTENT_URI, null, null, null, null); // cursor iterates over the contacts
String name, num;
while (cursor.moveToNext()) {
    name = cursor.name; // get the contact name
    num = cursor.num;   // get the contact phone number
    print(name, num);   // print each contact as it is read
}
cursor.close();

9 Mobile Device Data Stealer Example: Find and Call
Find and Call: malware on iOS and Android devices.
When it is started on your device, it asks you to register your device online.
Once registration is completed, it begins spreading to the contacts in the phone by sending SMS spam messages with a URL embedded in the message.
It also uploads the contact book to a remote server.

10 Rooting Capable Malware
Rooting Capable Malware: malware that controls a device by obtaining root access.
Once malware has root access to your phone, it becomes very challenging to remove.

11 Rooting
Rooting allows a higher level of customization:
Installing from unofficial markets
System backups
Tethering: connecting one device to another via cable or wireless
Uninstalling apps
However, malware can take advantage of root commands to obtain permissions.

12 Rooting Capable Malware Example 1: DroidDream
DroidDream is a high-threat-level malware with rooting capability.
It can infect many legitimate applications.
It has client and server components.
An application infected with the DroidDream client can root the device and send sensitive information, such as the IMEI, to a remote server.
IMEI: International Mobile Station Equipment Identifier.

13 Rooting Capable Malware Example 2: DroidKungFu
DroidKungFu obtains absolute control of the phone in order to access arbitrary files on it.
It has the capability to install or remove any package, which can result in certain applications no longer working.
Some minor variants of DroidKungFu can change the user's homepage without the user knowing.

14 Premium Service Abusers
Premium Service Abusers: malware that sends SMS messages to, or dials, premium services that charge the device owner.

15 Premium Service Abusers Example 1: Zsone
Zsone: found in China. Once the user runs the app on their phone, the app sends an SMS message to subscribe the user to a premium-rate SMS service.
Txtnation is an example of a premium-rate SMS service: it provides bulk SMS alerts and reminders, and SMS billing (premium-rate SMS) for content services.

16 Premium Service Code Example
Permissions needed: android.permission.SEND_SMS
Sending SMS:
public void sendSMS() {
    String phoneNumber = " "; // destination number (left blank on the slide)
    String message = "Hello World!";
    SmsManager smsManager = SmsManager.getDefault();
    // sendTextMessage(destination, serviceCenter, text, sentIntent, deliveryIntent)
    smsManager.sendTextMessage(phoneNumber, null, message, null, null);
}

17 How mobile malware spreads
Infect via Bluetooth: malware can spread to other Bluetooth devices in the surrounding area.
User downloads from suspicious sites: malware authors create fake websites to get their malware downloaded.
Repackage as a Trojan: the malware author disassembles a popular app, encloses malicious payloads, re-assembles it and submits it to an app store.
Apps automatically download updates: during the update, malicious commands are downloaded to the phone.

18 Mobile Malware Prevention
Google Play Store's protection against mobile malware
Anti-virus software
Best practices for mobile device users to defend against malware
Malware prevention and detection using a sandbox

19 Google Play Store's Protection Against Mobile Malware
The Google Play Store does not allow worms, viruses, Trojan horses or other malware to be uploaded to the store.
However, the app upload process does not completely prevent malware from being uploaded to the Google Play Store.
Google's Bouncer software is a measure to prevent malware in the Google Play Store.

20 Google's Bouncer Software
Bouncer is a dynamic analyzer that periodically scans new and old apps on the Play Store for malware.
40% of malware was detected and removed.
Problems: it runs each app for only 5 minutes and only does dynamic analysis.
Therefore, if a malicious app does not misbehave during the scan, it will not be removed.

21 Anti-virus
When new software is downloaded, anti-virus software automatically scans it.
When an external drive is used, the drive is automatically scanned.
If no virus is found, the scan continues to its destination.
If a virus is found in a file:
  If the infected file can be disinfected, it is disinfected and the scan continues to its destination while alerting the user.
  If the infected file cannot be disinfected, it is moved to a sandbox.
Popular antivirus software: AVG, Lookout, Norton and Mobile Care.

22 Best Practices for Mobile Device Users to Defend against Malware
Always look at the permissions requested by the app and check whether the app really needs that function of the phone.
Download from reliable sources.
Install updates as soon as they are released.
If the device is infected with malware, remove it as quickly as possible.
Use password-based authorization on the device.
Install security software and antivirus.
Do not root the device; rooting may give malware control of the device.
Encrypt your data; some Android devices have full encryption.

23 Malware Prevention and Detection Using Sandbox - 1
A sandbox is an area separated from the critical resources of a system, in which untested code is run.
Static and dynamic analysis tools can be run within the sandbox.
Mobile Sandbox (proposed by Spreitzenbarth et al.):
  Static analysis to check for dangerous function calls (such as connecting to a premium service)
  Dynamic analysis to monitor whether sensitive information leaves the phone
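The two halves of the Mobile Sandbox approach, in miniature, as an added example (this is not the Mobile Sandbox tool or code from the presentation). `static_scan()` searches decompiled source text for the kind of dangerous calls the slide mentions; `leak_check()` replays outbound traffic captured while the sample ran and reports any record that carries a value read from the device beforehand, whether in clear or base64-encoded, which is the simplest form of "does sensitive information leave the phone". The rule set, the sample source lines and the traffic records are all constructed for this example; the destination addresses use the TEST-NET documentation range.

```python
"""Added example: a toy static scanner and a dynamic leak check for a sandbox run.

STATIC_RULES, SAMPLE_SOURCE, SENSITIVE and TRAFFIC are constructed for this example.
"""
import base64
import re

# Static rules (assumed): regex over one source line -> what a match indicates.
STATIC_RULES = [
    (re.compile(r"sendTextMessage\s*\("), "sends SMS from code (premium-rate service?)"),
    (re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(\s*\"su\b"), "runs 'su' (rooting attempt)"),
    (re.compile(r"DexClassLoader"), "loads code at runtime (payload delivered by a later 'update')"),
    (re.compile(r"getDeviceId\s*\("), "reads the IMEI"),
]


def static_scan(source):
    """Return [(line_number, description)] for every source line matching a rule."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, description in STATIC_RULES:
            if pattern.search(line):
                findings.append((lineno, description))
    return findings


def leak_check(sensitive_values, traffic):
    """sensitive_values: {label: value} recorded from the device before the run.
    traffic: [(destination, payload)] captured while the app ran.
    Returns [(destination, label)] for each value seen leaving the phone,
    in clear text or base64-encoded."""
    leaks = []
    for destination, payload in traffic:
        for label, value in sensitive_values.items():
            encoded = base64.b64encode(value.encode()).decode()
            if value in payload or encoded in payload:
                leaks.append((destination, label))
    return leaks


# Constructed decompiled source of a hypothetical sample.
SAMPLE_SOURCE = """\
String imei = telephonyManager.getDeviceId();
Log.d("svc", "started");
SmsManager.getDefault().sendTextMessage("12345", null, "SUB", null, null);
Process p = Runtime.getRuntime().exec("su");
"""

# Constructed values read from the emulator before the run (example IMEI, example contact).
SENSITIVE = {"imei": "356938035643809", "contact": "Alice Example"}

# Constructed outbound traffic seen during the run.
TRAFFIC = [
    ("203.0.113.10:8080", "GET /ping HTTP/1.1"),
    ("203.0.113.10:8080", "POST /upload id=356938035643809&loc=0,0"),
    ("203.0.113.10:8080", "POST /contacts data=" + base64.b64encode(b"Alice Example").decode()),
]

if __name__ == "__main__":
    for lineno, description in static_scan(SAMPLE_SOURCE):
        print(f"static  line {lineno}: {description}")
    for destination, label in leak_check(SENSITIVE, TRAFFIC):
        print(f"dynamic {label} sent to {destination}")
```

The static pass is cheap but blind to anything decided at runtime, and the dynamic pass only sees what the sample does during the observation window; the slide on Bouncer makes the same point about a 5-minute dynamic scan. Seeding the device with known values before the run is what turns "traffic was observed" into "this contact record left the phone".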

24 Malware Prevention and Detection Using Sandbox - 2
A mechanism to identify malware that uses packing and obfuscation to avoid antivirus (Lee et al.):
  The API call sequence of the malware is converted to a call graph, which is reduced to a code graph.
  The code graph is used to uniquely identify the malware.
Airmid:
  A prototype tool that automatically identifies and responds to mobile malware based on its network behavior.
  Network sensors detect malicious traffic and alert the device.
  A program on the device identifies the executable code responsible and creates a plan of action to repair the device: filtering the traffic at the device, sandboxing or removing the app, patching the device, or restoring the device to its factory settings.
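The call-graph-to-code-graph reduction is easier to see with two samples side by side. The following is an added example, not Lee et al.'s implementation and not code from the presentation: it builds the raw call graph from an API call sequence, reduces it to a code graph by mapping every API to a semantic group, dropping filler calls and collapsing runs of the same group, then fingerprints the reduced graph. The API-to-group table and both call sequences are constructed; the "obfuscated" sequence is the original with logging and string-builder noise inserted and one network API swapped for another, which is the kind of change a repacked variant shows.

```python
"""Added example: API call sequence -> call graph -> code graph -> fingerprint.

API_GROUP, ORIGINAL, OBFUSCATED and BENIGN are constructed for this example.
"""
import hashlib

# Semantic group of each API (assumed mapping for this example).
API_GROUP = {
    "TelephonyManager.getDeviceId": "IDENTITY",
    "ContactsContract.query": "CONTACTS",
    "LocationManager.getLastKnownLocation": "LOCATION",
    "SmsManager.sendTextMessage": "SMS",
    "HttpURLConnection.connect": "NETWORK",
    "Socket.<init>": "NETWORK",
    "OutputStream.write": "NETWORK",
    "Base64.encode": "ENCODING",
    "Log.d": "NOISE",
    "Thread.sleep": "NOISE",
    "StringBuilder.append": "NOISE",
}


def call_graph(sequence):
    """Raw call graph: an edge between each pair of consecutive API calls."""
    return {(a, b) for a, b in zip(sequence, sequence[1:])}


def code_graph(sequence):
    """Reduced code graph: map calls to groups, drop NOISE, collapse repeated
    groups, then take the edges between consecutive groups."""
    reduced = []
    for api in sequence:
        group = API_GROUP.get(api, "UNKNOWN")
        if group == "NOISE":
            continue
        if not reduced or reduced[-1] != group:
            reduced.append(group)
    return {(a, b) for a, b in zip(reduced, reduced[1:])}


def fingerprint(graph):
    """Stable identifier for a graph: hash of its canonically ordered edge list."""
    canonical = "|".join(sorted(f"{a}->{b}" for a, b in graph))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def similarity(g1, g2):
    """Jaccard similarity of two edge sets (1.0 = identical)."""
    if not g1 and not g2:
        return 1.0
    return len(g1 & g2) / len(g1 | g2)


def is_known_variant(sequence, known_graphs, threshold=0.8):
    """True if the sample's code graph is close to any known malware code graph."""
    graph = code_graph(sequence)
    return any(similarity(graph, known) >= threshold for known in known_graphs)


# Constructed: a data stealer reads the IMEI and contacts, encodes, uploads.
ORIGINAL = [
    "TelephonyManager.getDeviceId",
    "ContactsContract.query",
    "Base64.encode",
    "HttpURLConnection.connect",
    "OutputStream.write",
]

# Constructed: same behaviour with filler calls inserted and a different network API.
OBFUSCATED = [
    "Log.d",
    "TelephonyManager.getDeviceId",
    "StringBuilder.append",
    "ContactsContract.query",
    "Thread.sleep",
    "Base64.encode",
    "Log.d",
    "Socket.<init>",
    "OutputStream.write",
]

# Constructed: an app that only talks to the network.
BENIGN = ["Log.d", "HttpURLConnection.connect", "OutputStream.write"]

if __name__ == "__main__":
    print("raw call graph similarity :", similarity(call_graph(ORIGINAL), call_graph(OBFUSCATED)))
    print("code graph similarity     :", similarity(code_graph(ORIGINAL), code_graph(OBFUSCATED)))
    print("same fingerprint          :", fingerprint(code_graph(ORIGINAL)) == fingerprint(code_graph(OBFUSCATED)))
```

On these inputs the raw call graphs share no edge at all, while the two code graphs are identical and hash to the same fingerprint; that gap is exactly why the reduced graph survives packing and renaming when a byte- or string-level signature does not. The price is coarseness: any two apps that read identity and contacts, encode, and upload will collide, so the code graph identifies a behaviour family rather than one binary.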

25 AndroRAT
AndroRAT is a remote administration tool (RAT) for Android devices.
It allows an attacker to remotely gain control over another device and steal information from it.
It has client and server components:
  The client is an Android APK file running on an Android device.
  The server is a Java program running on a server.
The client can be injected into another Android application to become a Trojan by using the AndroRAT APK binder.

26 AndroRAT Features
Retrieve call logs and place calls
Retrieve and send SMS messages
Retrieve contact information
Retrieve and download files from the mobile device
Capture and stream sound/video
Get device location
Open a URL in the default browser

27 AndroRAT Implementation
The client side runs on the mobile device as a simple application; a "start service" button initiates the communication between the device and the server.
The server side uses socket programming for client/server communication over TCP.
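A client that keeps a TCP session to a fixed server and checks in on a timer, as described here, leaves a regular pattern on the network that the Airmid-style network sensors on the earlier slide can look for. The following is an added example (not part of AndroRAT, Airmid or the presentation): it parses constructed connection records from a device, groups them by destination and port, and flags a destination that is contacted at a near-constant interval on a port outside a small allowlist of common service ports. The record format, the allowlist and the thresholds are assumptions of this example; the addresses use documentation ranges.

```python
"""Added example: flag periodic ("beaconing") connections in flow records.

COMMON_PORTS, the thresholds and SAMPLE_FLOWS are constructed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Ports on which regular traffic is expected (assumed allowlist; 5228 is used by Google push services).
COMMON_PORTS = {53, 80, 443, 5228}


def parse_flows(lines):
    """Parse 'timestamp src dst port' records; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def find_beacons(flows, min_connections=4, max_jitter=0.2):
    """Return {(src, dst, port): interval_seconds} for series of connections
    that repeat at a near-constant interval (relative std-dev of the gaps
    at most max_jitter) to a port not in COMMON_PORTS."""
    series = defaultdict(list)
    for ts, src, dst, port in flows:
        series[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if key[2] in COMMON_PORTS or len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        average = mean(gaps)
        if average > 0 and pstdev(gaps) / average <= max_jitter:
            beacons[key] = round(average)
    return beacons


# Constructed records from one device: a 60-second check-in to 203.0.113.7:1337,
# normal HTTPS traffic, and irregular connections to a web service on 8080.
SAMPLE_FLOWS = """\
# ts   src       dst          port
1000 10.0.0.5 203.0.113.7 1337
1002 10.0.0.5 192.0.2.1 443
1060 10.0.0.5 203.0.113.7 1337
1121 10.0.0.5 203.0.113.7 1337
1150 10.0.0.5 198.51.100.2 8080
1179 10.0.0.5 203.0.113.7 1337
1240 10.0.0.5 203.0.113.7 1337
1300 10.0.0.5 192.0.2.1 443
1400 10.0.0.5 198.51.100.2 8080
1900 10.0.0.5 198.51.100.2 8080
2100 10.0.0.5 198.51.100.2 8080
""".splitlines()

if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}:{port} every ~{interval}s")
```

Only the 1337 series is reported: its gaps are 60, 61, 58 and 61 seconds, while the 8080 series has the same number of connections but gaps of 250, 500 and 200 seconds. In practice the allowlist and the jitter threshold are where the false positives live (ad SDKs and push services also poll on timers), which is why the slide pairs the network alert with an on-device step that identifies the responsible app before anything is removed.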

28 AndroRAT Binder Implementation

