Android Security
Corrado Aaron Visaggio (visaggio@unisannio.it), PhD, lecturer of the course Sicurezza delle Reti e dei Sistemi Software (Network and Software Systems Security), Università degli Studi del Sannio
"Things are not always what they seem; the first appearance deceives many; the intelligence of a few perceives what has been carefully hidden." Phaedrus
Corrado Aaron Visaggio - Android Security 1
Malware Evolution
At the start of 2013 we collected just over 50,000 samples per day. We finished 2013 collecting around 450,000 on a daily basis.
Growth of new malware
Source: Yajin Zhou, Xuxian Jiang, "Dissecting Android Malware: Characterization and Evolution", 2012 IEEE Symposium on Security and Privacy.
Android Security Overview
- Apps run in a virtual environment (sandbox).
- Privilege separation: each app runs under its own UID and GID.
Android's security?
Android's security rests on encryption, code signing, isolation and access control. Still, Android devices have vulnerabilities. The app signature system is meant to ensure that an app's logic is not tampered with and to tie the app to the identity of its author. Android will only install and run a signed app, but the signing certificate may be self-signed: no certificate issued by Google (or by any certification authority) is required, so the signature proves only that the same key signed the app and its updates, not who the author is. Attackers can therefore sign their malware with anonymous self-signed certificates and distribute it without any vetting by Google (whereas Apple requires a certificate issued by Apple).
Kinds of attacks
To infect mobile users, malicious apps typically lure users into downloading and installing them.
- Repackaging: downloading popular benign apps, repackaging them with additional malicious payloads, and uploading the repackaged versions to various Android marketplaces.
- Update attack: the malicious payload is disguised as an "updated" version of a legitimate app.
- Drive-by download: redirecting users to download malware, e.g. through aggressive in-app advertisements or malicious QR codes.
- Ransomware: the smartphone is blocked until the victim pays a ransom to the attacker.
Repackaging
Malware authors locate and download popular apps, disassemble them, add malicious payloads, reassemble them and submit the new apps to official and/or alternative Android markets. They tend to use package and class names that look legitimate and benign: for example, the first version of DroidKungFu uses com.google.ssearch (another version uses com.google.update).
Update attack
The repackaged app only includes an update component that fetches or downloads the malicious payload at runtime. As a result, static scanning of the host app may fail to capture the malicious payload. When a BaseBridge-infected app runs, it checks whether an update dialogue needs to be displayed. If so, the user is told that a new version is available and is offered the chance to install it. If the user accepts, an "updated" version carrying the malicious payload is installed.
Drive-by download
Though they do not directly exploit mobile browser vulnerabilities, these attacks entice users into downloading "interesting" or "feature-rich" apps (examples: GGTracker, Jifake, Spitmo and ZitMo). The GGTracker malware starts from in-app advertisements: when a user clicks a particular advertisement link, they are redirected to a malicious website.
FakeAV
Ransomware
- Encrypts the user's information stored on the smartphone, or blocks access to the device.
- Infection vectors: phishing e-mail; access to a malicious website.
- Payment pretexts: fake messages about unlicensed applications; fake claims of illegal content on the smartphone.
In June 2013, Sophos researcher Rowland Yu discovered the first ransomware attack against Android devices. Called Android Defender, this hybrid fake antivirus/ransomware app demands a $99.99 payment to restore access to the Android device.
Android botnet...
A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China.
Finding the culprit on "thousands of cell phones", IntelCrawler said the intent of the malicious code is to gather credentials and information about WiFi networks, including: the SSID of a wireless network, frequency, model of phone, type of encryption, password and system time of the device (to establish when the information was received), the GPS coordinates of a found hotspot, temperature, type of battery, present voltage, battery status and whether the device is connected to USB, GSM cell location and cellular operator.
... Android botnet
The botnet has been found on 23,856 compromised smartphones in all, including the HTC Sensation and Amaze 4G, the Google Nexus, Samsung GT-I9300, Galaxy Note 2, LG Motion 4G, Huawei U8665 and the Alcatel One Touch. The compromised devices have sent in more than one million access points from all over the world, which means that each "zombie" phone reported nearly 40 to 50 hotspots during the time of infection. Hotspot locations were found in Europe, China, the US, Israel, India, Singapore and Russia.
Others
- Spyware.
- Fake apps that masquerade as legitimate apps but stealthily perform malicious actions such as stealing the user's credentials or sending SMS messages in the background.
- Apps that intentionally contain malicious functionality but are not fake apps.
- Apps that rely on root privilege to function. Without asking the user to grant them root, they leverage known root exploits to escape the built-in security sandbox.
Activation
BOOT_COMPLETED is the system event of most interest to existing Android malware: a receiver for it (which needs the RECEIVE_BOOT_COMPLETED permission) lets the payload start at every boot without the user opening the app. SMS_RECEIVED is broadcast to the whole system when a new SMS message is received. Zsone listens for this SMS_RECEIVED event and intercepts or removes all SMS messages from particular originating numbers such as "10086" and "10010" (Chinese carrier service numbers). Some malware samples directly hijack the entry activity of the host app, which is triggered when the user taps the app icon on the home screen or when an intent with action ACTION_MAIN is received by the app.
Malicious payload: privilege escalation
The platform's complexity (about 90 open source libraries, including WebKit, SQLite and OpenSSL) naturally introduces software vulnerabilities that can be exploited for privilege escalation. The top three exploits used by malware are exploid, RATC (RageAgainstTheCage) and Zimperlich. It is not uncommon for a malware sample to carry two or more root exploits to maximize its chances of successful exploitation across multiple platform versions.
Remote control
Most C&C servers are registered in domains controlled by the attackers themselves. There are cases where the C&C servers are hosted in public clouds: for instance, the Plankton spyware dynamically fetches and runs its payload from a server hosted in the Amazon cloud. More recently, attackers have even turned to public blog services as C&C servers. AnserverBot is one example: it uses two popular public blog services, Sina and Baidu, to retrieve the latest payloads and new C&C URLs.
Final charge
One profitable way for attackers is to surreptitiously subscribe the victim to (attacker-controlled) premium-rate services, e.g. by sending SMS messages. Some malware chooses not to hard-code the premium-rate numbers; instead, it uses its remote control channel to push the numbers down at runtime. To sign up for a premium-rate service, the user must reply to a confirmation SMS sent by the service provider to finalize or activate the subscription; malware that listens for SMS_RECEIVED can intercept that confirmation and answer it without the user noticing. Other malware may also make background phone calls. With the same remote control capability, the destination number can be provided by a remote C&C server, as in Geinimi.
Permissions
Permissions such as INTERNET, READ_PHONE_STATE, ACCESS_NETWORK_STATE and WRITE_EXTERNAL_STORAGE are widely requested by both malicious and benign apps, so on their own they do not separate the two. Malware requests SMS-related permissions (READ_SMS, WRITE_SMS, RECEIVE_SMS and SEND_SMS) far more often. The RECEIVE_BOOT_COMPLETED permission is requested five times as often by malware as by benign apps (137 benign samples); this is likely because malware is more likely to run background services without the user's intervention. CHANGE_WIFI_STATE is requested an order of magnitude more often than in benign apps, mainly because the Exploid root exploit requires certain hotplug events, such as a change of WiFi state, which this permission gates.
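Both the activation vectors (a BOOT_COMPLETED receiver, an SMS_RECEIVED receiver, a hijacked entry activity) and the permission patterns above can be read from the manifest alone. The Python script below is an added example, not code from the slides or from the cited paper. It parses a decoded AndroidManifest.xml (the text form produced by apktool or androguard; the manifest inside an APK is binary XML) for a constructed repackaged app whose package name, class names and permission list are invented for the example.

```python
"""Manifest triage for the activation vectors and permission patterns above.
Added example, not code from the original slides; the manifest, package and
class names are constructed (see the lead-in for the assumptions)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest of a repackaged app, as decoded by apktool (hypothetical names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application android:label="Wallpapers">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.google.ssearch.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.google.ssearch.SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

SMS_PERMISSIONS = {"READ_SMS", "WRITE_SMS", "RECEIVE_SMS", "SEND_SMS"}
BACKGROUND_PERMISSIONS = {"RECEIVE_BOOT_COMPLETED", "CHANGE_WIFI_STATE"}


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _actions(component):
    """(action, android:priority) pairs from a component's intent-filters."""
    out = []
    for filt in component.findall("intent-filter"):
        prio = int(_attr(filt, "priority") or 0)
        for action in filt.findall("action"):
            out.append((_attr(action, "name"), prio))
    return out


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    package = root.get("package")
    app = root.find("application")
    f = {"package": package, "boot_receivers": [], "sms_receivers": [],
         "entry_activity": None, "foreign_namespace": [],
         "sms_permissions": [], "background_permissions": []}
    for perm in root.findall("uses-permission"):
        short = _attr(perm, "name").rsplit(".", 1)[-1]
        if short in SMS_PERMISSIONS:
            f["sms_permissions"].append(short)
        if short in BACKGROUND_PERMISSIONS:
            f["background_permissions"].append(short)
    for activity in app.findall("activity"):
        if any(a == "android.intent.action.MAIN" for a, _ in _actions(activity)):
            f["entry_activity"] = _attr(activity, "name")
    for receiver in app.findall("receiver"):
        name = _attr(receiver, "name")
        # A fully qualified receiver outside the app's own package, under a
        # vendor-looking namespace, is the grafted payload of a repackaged app.
        if not name.startswith(".") and not name.startswith(package + "."):
            f["foreign_namespace"].append(name)
        for action, prio in _actions(receiver):
            if action == "android.intent.action.BOOT_COMPLETED":
                f["boot_receivers"].append(name)
            elif action == "android.provider.Telephony.SMS_RECEIVED":
                f["sms_receivers"].append((name, prio))
    return f


def suspicious(f):
    """Boot receiver + SMS receiver with raised priority + SEND_SMS is the
    premium-SMS pattern from the slides; each indicator alone is also benign."""
    high_prio_sms = any(prio > 0 for _, prio in f["sms_receivers"])
    return bool(f["boot_receivers"]) and high_prio_sms and "SEND_SMS" in f["sms_permissions"]


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print("%-22s %s" % (key, value))
    print("suspicious:", suspicious(result))
```

The android:priority on the SMS_RECEIVED filter is the detail worth checking: before Android 4.4 an ordered-broadcast receiver with a high priority could call abortBroadcast() and hide an incoming message from the default SMS app, which is how confirmation messages for premium subscriptions were intercepted. Each indicator occurs in benign apps too (launchers register for BOOT_COMPLETED, messaging apps receive SMS), so the verdict only fires on the combination.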
Malware vs. trusted apps: permissions
DroidKungFu...
Root exploit: some of the exploit files are stored encrypted in the "assets" directory; variants use different encryption keys.
C&C servers: the malware keeps changing the way it stores the C&C server addresses. In DroidKungFu1, the C&C server is saved in plaintext in a Java class file; in DroidKungFu2, the address is moved into a native program, still in plaintext.
...DroidKungFu...
Shadow payloads: DroidKungFu also carries an embedded app, which is stealthily installed once the root exploit succeeds. The embedded app's code is almost identical to DroidKungFu's malicious payload. Installing this embedded app ensures that even if the repackaged app is removed, the malware remains functional. Moreover, in DroidKungFu1 the embedded app shows a fake Google Search icon.
DroidKungFu: obfuscation, JNI and others
DroidKungFu encrypts not only its constant strings and C&C server addresses but also the native payloads and the embedded app file. It changes the encryption keys rapidly, aggressively obfuscates the class names in the malicious payload, and uses JNI interfaces to make analysis and detection harder. For example, both DroidKungFu2 and DroidKungFu4 use a native program (through JNI) to communicate with remote servers and fetch bot commands.
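The encrypted assets and embedded app described for DroidKungFu can be spotted without decrypting anything, because ciphertext, a nested zip and a native binary each leave a signature in the package. The Python script below is an added example, not code from the slides or from any malware sample. It builds a small APK-like zip in memory whose entry names (assets/gjsvro, assets/legit.apk, assets/ratc) and contents are constructed for the example, and flags entries whose byte entropy is close to 8 bits per byte (encrypted or packed), entries that begin with the zip magic (an embedded APK or JAR) and ELF binaries stored outside lib/.

```python
"""Triage of APK entries for the DroidKungFu tricks above: encrypted blobs
under assets/, an embedded (shadow) app and native payloads. Added example,
not code from the original slides; the APK built below is constructed."""
import hashlib
import io
import math
import zipfile
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"
ELF_MAGIC = b"\x7fELF"
HIGH_ENTROPY = 7.5  # bits/byte; code and text sit well below, ciphertext near 8


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ciphertext_like(n, seed=b"constructed-sample"):
    """Deterministic stand-in for an encrypted blob: a SHA-256 hash chain."""
    out, h = bytearray(), hashlib.sha256(seed).digest()
    while len(out) < n:
        out += h
        h = hashlib.sha256(h).digest()
    return bytes(out[:n])


def build_sample_apk():
    """Constructed APK-like zip: a benign-looking dex plus three payload kinds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0" + b"Lcom/example/wallpapers/Main;" * 40)
        z.writestr("assets/gjsvro", _ciphertext_like(4096))                 # encrypted exploit
        z.writestr("assets/legit.apk", ZIP_MAGIC + b"\0" * 64)               # embedded app
        z.writestr("assets/ratc", ELF_MAGIC + b"\x01\x01\x01" + b"\0" * 61)  # dropped binary
        z.writestr("lib/armeabi/libnative.so", ELF_MAGIC + b"\0" * 64)       # ordinary JNI lib
    return buf.getvalue()


def triage_apk(apk_bytes):
    """Return (entry name, reason) pairs for entries worth a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if data.startswith(ZIP_MAGIC):
                findings.append((name, "embedded zip/apk"))
            elif data.startswith(ELF_MAGIC) and not name.startswith("lib/"):
                findings.append((name, "ELF outside lib/"))
            # Compressed media is high-entropy too, so images and audio are
            # skipped rather than reported as encrypted.
            elif not name.endswith((".png", ".jpg", ".ogg", ".mp3")) \
                    and shannon_entropy(data) >= HIGH_ENTROPY:
                findings.append((name, "high entropy (%.2f bits/byte)" % shannon_entropy(data)))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_apk(build_sample_apk()):
        print("%-28s %s" % (entry, reason))
```

The entropy threshold is a heuristic, not a verdict: an attacker can lower entropy with an encoding such as base64, and a packed-but-legitimate resource looks the same. The flagged entries are candidates for manual decryption, and the key is normally recoverable from the Java or native code that reads the file, which is why DroidKungFu moved that code behind JNI.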
Plankton (spyware, 2011)
Plankton downloads its payload from a remote server at runtime and then leverages the dynamic class loading capability of the Dalvik Virtual Machine. It is mainly developed for mobile advertising. Plankton includes a background service, which is started from the modified onCreate() method of the app's main activity. The background service collects information (including the app's permissions) and sends it back to a server in an HTTP POST message.
Plankton (spyware, 2011)
After receiving a specific request from a client, the Plankton server pushes its payload (a JAR file) back to the client. This payload contains code that Plankton dynamically loads and executes at runtime, so the code that will actually run cannot be known in advance from the installed app; this is what makes Plankton stealthy. Plankton supports many bot-related commands that can be remotely invoked.
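The update attack and Plankton rely on the same mechanism: code absent from the installed APK is fetched over the network and loaded with DexClassLoader, so a static scanner that cannot see the payload can at least look for that combination. The Python script below is an added example, not code from the slides or from Plankton. It runs over a constructed string table standing in for the strings of a classes.dex (the kind of list androguard or strings(1) would produce; class names and the URL are invented) and reports the app only when a loader, a network fetch and a drop or install indicator co-occur.

```python
"""Indicator scan for runtime payload loading (update attack, Plankton).
Added example, not code from the original slides; SAMPLE_STRINGS is a
constructed stand-in for the string table of a classes.dex."""
import re

# Dalvik class loaders and the call that pulls a class out of a fetched jar.
LOADER = {"Ldalvik/system/DexClassLoader;", "Ldalvik/system/PathClassLoader;", "loadClass"}
# HTTP client classes used to fetch the payload.
FETCH = {"Ljava/net/HttpURLConnection;", "Lorg/apache/http/impl/client/DefaultHttpClient;"}
# Installer intent and MIME type an update attack uses to install a fetched APK.
DROP = {"application/vnd.android.package-archive", "android.intent.action.VIEW"}
URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s\"']*)?")

# Constructed string table of a Plankton-like host app (hypothetical names).
SAMPLE_STRINGS = [
    "Lcom/example/wallpapers/MainActivity;",
    "Lcom/example/wallpapers/AdService;",
    "Ldalvik/system/DexClassLoader;",
    "Ljava/net/HttpURLConnection;",
    "http://ads.example.invalid/protocol/v1/cmd",
    "loadClass",
    "update.jar",
    "/data/data/com.example.wallpapers/files",
]


def scan_strings(strings):
    """Group the strings into the three indicator classes."""
    hits = {"loader": [], "fetch": [], "drop": []}
    for s in strings:
        if s in LOADER:
            hits["loader"].append(s)
        if s in FETCH or URL_RE.fullmatch(s):
            hits["fetch"].append(s)
        if s in DROP or s.endswith((".jar", ".apk", ".dex")):
            hits["drop"].append(s)
    return hits


def loads_code_at_runtime(hits):
    """Alert only when a loader, a fetch and a drop indicator all occur.
    Each alone is common in benign apps: ad SDKs fetch over HTTP, plugin
    frameworks use DexClassLoader, file managers open APKs."""
    return all(hits[k] for k in ("loader", "fetch", "drop"))


if __name__ == "__main__":
    h = scan_strings(SAMPLE_STRINGS)
    for kind, found in h.items():
        print(kind, found)
    print("dynamic payload loading:", loads_code_at_runtime(h))
```

This scan is blind as soon as the strings are encrypted or assembled at runtime, which is exactly what DroidKungFu does with its constants and C&C addresses; for such samples the analyst has to decrypt the strings first or observe the app dynamically, hooking DexClassLoader to capture the fetched JAR as it is loaded.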
AnserverBot (malware, 2011)
AnserverBot piggybacks on legitimate apps and is distributed through third-party marketplaces. It checks the signature or integrity of the current (repackaged) app before unfolding its payload. AnserverBot obfuscates its internal classes, methods and fields, and partitions its main payload into three related apps: the host app and two embedded apps. The two embedded apps share the same name, com.sec.android.touchScreen.server, but differ in functionality: one is installed through an update attack, while the other is dynamically loaded without being installed (similar to Plankton).
AnserverBot (malware, 2011)
AnserverBot supports two types of C&C servers. The first is a traditional C&C server from which it receives commands. The second is used to upgrade its payload and/or to obtain a new address for the first type of C&C server. Surprisingly, the second type is based on (encrypted) blog content maintained by popular blog service providers: AnserverBot connects to the public blog site to fetch the (encrypted) current C&C server address and the new (encrypted) payload. AnserverBot can also dynamically upgrade itself when a new version is available.
From "Dissecting Android Malware: Characterization and Evolution"
- Most existing Android malware (86.0%) repackage other legitimate (popular) apps.
- Our characterization also indicates that more than one third (36.7%) of Android malware enclose platform-level exploits to escalate their privilege.
- Our characterization shows that existing malware (45.3%) tend to subscribe to premium-rate services with background SMS messages.
References...
- E. J. Chikofsky, J. H. Cross, "Reverse Engineering and Design Recovery: A Taxonomy", IEEE Software, Jan 1990, pp. 13-17.
- J. Rutkowska, "Introducing Stealth Malware Taxonomy", http://www.net-security.org/dl/articles/malware-taxonomy.pdf
- "Alternative markets to the Play Store", http://alternativeto.net/software/android-market/
- "Security features provided by Android", http://developer.android.com/guide/topics/security/permissions.html
... References ...
- Y. Zhou, X. Jiang, "Dissecting Android Malware: Characterization and Evolution", Proc. of IEEE Symposium on Security and Privacy 2012, pp. 95-109.
- Y. Aafer, W. Du, H. Yin, "DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android", Proc. of SecureComm 2013.
- H. Le Thanh, "Analysis of Malware Families on Android Mobiles: Detection Characteristics Recognizable by Ordinary Phone Users and How to Fix It", Journal of Information Security 2013, 4, 213-224.
... References
- "Using the Android Emulator", http://developer.android.com/tools/devices/emulator.html
- "Android malware database", http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares
- "Attacking Angry Birds", http://toorcamp.org/content12/38
- "Application Fundamentals", http://developer.android.com/guide/components/fundamentals.html
Thank you
Any questions?