cs155: android malware
TRANSCRIPT
![Page 1: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/1.jpg)
CS155: Android Malware
Jason Franklin, Ph.D., Research Associate and Visiting Lecturer
![Page 2: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/2.jpg)
Save the Dalai Lama!
Start
![Page 3: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/3.jpg)
It's March 24th, 2013...
You're a Tibetan activist named Alice
![Page 4: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/4.jpg)
You receive an email from a fellow activist, Bob
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
![Page 5: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/5.jpg)
Attached to the email is an Android application
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
![Page 6: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/6.jpg)
You install the Android app...
Now it's running on your Android device
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
![Page 7: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/7.jpg)
Everything seems fine...
However, things are not as they appear
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
![Page 8: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/8.jpg)
Background behaviors
The malware's behaviors are triggered by the C&C server (Chuli)
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
Diagram: the C&C Server sends Commands to the app; the app sends back Data: Location, Contacts, Call Log, SMS messages.
![Page 9: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/9.jpg)
Save the Dalai Lama!
GAME OVER
![Page 10: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/10.jpg)
Save the Dalai Lama!
First, study Android!
Play Again?
![Page 11: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/11.jpg)
Android Market Share (1Q12/1Q13)
Image: IDC
![Page 12: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/12.jpg)
Enterprise Adoption
Source: Citrix
![Page 13: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/13.jpg)
Centralized Application Distribution
Google Play: 800,000 apps as of Feb 2013 [1]
Amazon Appstore for Android: 50,000+ apps as of Oct 2012 [2]
[1] http://en.wikipedia.org/wiki/Google_Play
[2] http://www.theverge.com/2012/9/6/3296612/amazon-appstore-for-android-50000-app-count-september-2012
![Page 14: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/14.jpg)
App Stores Enable Curation
● Google removes nearly 60,000 apps (Feb 2013) [1]
○ non-compliant, malicious, low quality, spammy
[1]. http://techcrunch.com/2013/04/08/nearly-60k-low-quality-apps-booted-from-google-play-store-in-february-points-to-increased-spam-fighting/
![Page 15: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/15.jpg)
App Store Promise
Centralization + Curation = Safety
![Page 16: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/16.jpg)
Reality
Source: McAfee, Feb. 2013, http://www.mcafee.com/us/security-awareness/articles/mobile-malware-growth-continuing-2013.aspx
● Android has a permission-based security model
○ E.g., reading user data, sending to the Internet, writing to a file all require permissions
● Permissions displayed in app store and before install
● User expected to remain vigilant
○ Common failure point
![Page 17: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/17.jpg)
Malware Trends
● Q1 2012: 5,000 malicious apps detected
● Q2 2012: 10,000 malicious apps detected
○ In 1 month
● 17 malicious apps downloaded 700k times
[1]. http://blog.trendmicro.com/trendlabs-security-intelligence/infographic-behind-the-android-menace-malicious-apps/
![Page 18: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/18.jpg)
Malware Author's Goals - $$$
● Immediate monetization
○ Abuse premium services (48%)
■ Send premium SMS in background
○ Display ads (22%)
○ Data theft (21%)
○ Click fraud (7%)
● Investment in platform
○ Remote control (19%)
○ Root exploit (11%)
[1]. http://blog.trendmicro.com/trendlabs-security-intelligence/infographic-behind-the-android-menace-malicious-apps/
![Page 19: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/19.jpg)
Noteworthy Malware - DroidDream
Diagram: the infected app sends Data (IMEI) to the C&C Server; the C&C Server sends back Code; Root Exploits are run against the OS.
● Malware hidden in repackaged apps (in Google Play)
○ App functionality drives downloads
● Malware may require additional permissions
● Users unknowingly install app despite permissions
● After install, app can leak data in background
○ Android security model requires user vigilance
![Page 20: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/20.jpg)
Honest Developers Break Rules Too
"Permissions changed in the latest update to read my phone number. Totally unacceptable for a puzzle game. Uninstalling." [1]
[1] Oh, My Brain! Block Buzzle by mToy, https://play.google.com/store/apps/details?id=biz.mtoy.blockpuzzle&feature=related_apps#?t=W251bGwsMSwxLDEwOSwiYml6Lm10b3kuYmxvY2twdXp6bGUiXQ..
"Uninstalling due to the added permissions." [1]
"Simple and challenging game but with new update there is too many Permissions for a simple game, will not be updating and once completed all levels I will be deleting it." [1]
"Why suddenly Read phone state permission?" [1]
![Page 21: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/21.jpg)
Save the Dalai Lama!
Focus on the App Store!
![Page 22: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/22.jpg)
Architecture of an App Store
Diagram: Apps → Submit → Admission System → Accept (→ Storage → Distribute → Users) or Reject.
![Page 23: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/23.jpg)
Admission System - Google Bouncer
![Page 24: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/24.jpg)
Inside Google Bouncer (Unofficial)
● Performs a set of analyses on each new app
○ Analysis details not provided
● Runs the app for 5 minutes in an emulator
○ Dynamic analysis
● Simulates how the app will run on an Android device
○ Input generation problem
● Looks for hidden, malicious behavior
○ Applies a set of (undefined) heuristics + policies
● Few official statements, details sparse
○ Why? Prevent circumvention? Competitive reasons?
○ Risk/reward to openness
![Page 25: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/25.jpg)
Save the Dalai Lama!
The admission system is the key!
![Page 26: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/26.jpg)
Malware detection game
Defender's Goal: Correctly classify programs
Diagram: the Adversary submits programs to the Admission System, which classifies them against a Policy.
![Page 27: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/27.jpg)
Adversary
Adversary's Goal: Violate policy in undetectable way
Diagram: the Adversary crafts programs that violate the Policy yet pass the Admission System.
![Page 28: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/28.jpg)
Policies
● State acceptable/unacceptable behaviors
○ Data Theft: What personal data can leave device?
■ User impact: data privacy (data-out)
○ Device Control: Exploit OS etc.
■ User impact: device integrity (data-in)
○ Service Misuse: Premium SMS
■ User impact: $
○ Spam: How many/which type of ads?
■ User impact: time
○ Others
■ No comprehensive taxonomy
![Page 29: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/29.jpg)
Admission System
Diagram: the Admission System combines Static and Dynamic analysis (STAMP).
Static Analysis: more behaviors, fewer details
Dynamic (Runtime) Analysis: fewer behaviors, more details
![Page 30: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/30.jpg)
Static and Dynamic Analysis
● Static analysis
○ No code execution
○ Benefit: Can certify programs (100% coverage)
○ Challenge: Scalability and false positives
● Dynamic analysis
○ Monitor program execution at runtime
○ Benefit: No false positives (an observed behavior actually happened)
○ Challenge: Input generation to achieve coverage (false negatives)
![Page 31: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/31.jpg)
Flow Policies
● Data theft
Source: Contacts → Sink: Internet (Contacts → Send → Internet)
● Injection vulnerabilities
Source: Untrusted_Data (Web) → Sink: SQL (SQL Stmt)
● Privacy policies
○ Avoid liability, protect consumer privacy
Figure: a privacy policy notice, "This app collects your: Contacts, Phone Number, Address"
![Page 32: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/32.jpg)
Static Data Flow Analysis
Diagram: getLoc() → sendSMS() (Source: Location, Sink: SMS); getLoc() → sendInet() (Source: Location, Sink: Internet)
● Identify source-to-sink flows (a.k.a. data theft)
○ Sources: Location, Calendar, Contacts, Device ID, etc.
○ Sinks: Internet, SMS, Disk, etc.
![Page 33: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/33.jpg)
Data Flow Analysis
Question: may data stored in program variable p flow to program variable q?
Code example:
    p = ...
    t = foo(p);
    q = t;
![Page 34: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/34.jpg)
Detection of Private-data Leak
Question: may the device ID be leaked through SMS?
Code example:
    p = getDeviceId();
    t = foo(p);
    q = t;
    sendSMS(q);
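The two questions the slides pose (static vs. dynamic analysis, and whether the device ID may reach sendSMS) in working code, as an added example that is not part of the lecture or of STAMP. A toy three-address IR carries the slide's program extended with a C&C-style branch; `static_flows` is a may-flow analysis that explores both arms of the if and joins them, and `dynamic_flows` is a concrete run with runtime taint tags that sees only the path actually taken. The library models (getDeviceId as a DEVICEID source, sendSMS as an SMS sink, foo as an ordinary call whose result depends on its arguments), the fake IMEI and the program itself are constructed for this example.

```python
"""Static may-flow vs. dynamic taint tracking over a toy program (added example, not STAMP code)."""
from __future__ import annotations
from typing import Any

# Library models standing in for source/sink annotations (assumed for this example).
SOURCES = {"getDeviceId": "DEVICEID", "getLocation": "LOCATION"}   # call result carries the label
SINKS = {"sendSMS": "SMS", "sendInet": "INTERNET"}                  # tainted argument = flow

# Program IR (constructed):
#   ("assign", dst, src) | ("call", dst_or_None, fn, [args]) | ("if", cond_var, then_block, else_block)
# Shape of the Chuli-style leak: read the device id, transform it, and send it by SMS only when
# the C&C command says so; otherwise a harmless greeting goes through the same sink.
CHULI_LIKE = [
    ("call", "p", "getDeviceId", []),
    ("call", "t", "foo", ["p"]),
    ("if", "cmd",
        [("assign", "q", "t")],
        [("assign", "q", "greeting")]),
    ("call", None, "sendSMS", ["q"]),
]

def _labels_of(taint: dict[str, set[str]], args: list[str]) -> set[str]:
    """Union of the labels attached to the arguments (unknown variables are untainted)."""
    return set().union(*(taint.get(a, set()) for a in args))

def static_flows(prog: list, taint: dict[str, set[str]] | None = None) -> set[tuple[str, str]]:
    """May-flow analysis: no execution, every path considered, branch states joined by union."""
    taint = {} if taint is None else taint
    flows: set[tuple[str, str]] = set()
    for stmt in prog:
        if stmt[0] == "assign":
            _, dst, src = stmt
            taint[dst] = set(taint.get(src, set()))
        elif stmt[0] == "call":
            _, dst, fn, args = stmt
            labels = _labels_of(taint, args)
            if fn in SINKS:
                flows |= {(lab, SINKS[fn]) for lab in labels}
            if fn in SOURCES:
                labels |= {SOURCES[fn]}
            if dst is not None:
                taint[dst] = labels          # any other call: result depends on all its inputs
        elif stmt[0] == "if":
            _, _cond, then_b, else_b = stmt
            then_t = {k: set(v) for k, v in taint.items()}
            else_t = {k: set(v) for k, v in taint.items()}
            flows |= static_flows(then_b, then_t) | static_flows(else_b, else_t)
            for var in set(then_t) | set(else_t):   # join: a label on either path may reach here
                taint[var] = then_t.get(var, set()) | else_t.get(var, set())
    return flows

def _concrete(fn: str, args: list[Any]) -> Any:
    """Constructed stand-in behaviour of the library for the dynamic run."""
    if fn == "getDeviceId":
        return "350000000000001"            # fake IMEI, constructed for the example
    if fn == "getLocation":
        return (37.43, -122.17)
    if fn in SINKS:
        return None                         # the actual send is not modelled
    return "".join(str(a) for a in args)    # generic call such as foo()

def dynamic_flows(prog: list, inputs: dict[str, Any]) -> set[tuple[str, str]]:
    """One concrete execution with runtime taint tags: only the path actually taken is observed."""
    env: dict[str, tuple[Any, set[str]]] = {k: (v, set()) for k, v in inputs.items()}
    flows: set[tuple[str, str]] = set()

    def run(block: list) -> None:
        for stmt in block:
            if stmt[0] == "assign":
                _, dst, src = stmt
                env[dst] = (env[src][0], set(env[src][1]))
            elif stmt[0] == "call":
                _, dst, fn, args = stmt
                labels = set().union(*(env[a][1] for a in args))
                if fn in SINKS:
                    flows.update((lab, SINKS[fn]) for lab in labels)
                if fn in SOURCES:
                    labels.add(SOURCES[fn])
                if dst is not None:
                    env[dst] = (_concrete(fn, [env[a][0] for a in args]), labels)
            elif stmt[0] == "if":
                _, cond, then_b, else_b = stmt
                run(then_b if env[cond][0] else else_b)   # no join: one path only

    run(prog)
    return flows

if __name__ == "__main__":
    print("static (all paths):", static_flows(CHULI_LIKE))
    print("dynamic, cmd=False:", dynamic_flows(CHULI_LIKE, {"cmd": False, "greeting": "hi"}))
    print("dynamic, cmd=True: ", dynamic_flows(CHULI_LIKE, {"cmd": True, "greeting": "hi"}))
```

The static analysis reports the DEVICEID → SMS flow without knowing what `cmd` will be, which is the certification side of the tradeoff: full coverage, but it would report the same flow even if the C&C never sends the command. The dynamic run with a benign `cmd` observes no flow at all; it only sees the leak when the input happens to trigger that path, which is the input-generation problem Bouncer faces.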
![Page 35: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/35.jpg)
Detection system tradeoffs
● Reimplement Android/Java
○ Add sources and sinks
○ 20k methods to inspect
● Whole-program analysis
○ High coverage
○ Low false positive rate
Diagram: STAMP analyzes the App together with Android Models; analyzing the full stack (App / Android / OS / HW) is too expensive!
![Page 36: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/36.jpg)
Save the Dalai Lama!
I’m bored.
![Page 37: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/37.jpg)
Tracking Sensitive Data
    @STAMP(SRC="$DEVICEID", SINK="@return")
    android.telephony.TelephonyManager: String getDeviceId()
![Page 38: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/38.jpg)
Sources
● Account data
● Audio
● Calendar
● Call log
● Camera
● Contacts
● Device Id
● Location
● Photos (Geotags)
● SD card data
● SMS
30+ types of sensitive data
![Page 39: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/39.jpg)
Save the Dalai Lama!
zzzzzzz
![Page 40: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/40.jpg)
Sinks
● Internet (socket)
● SMS
● Email
● System Logs
● Webview/Browser
● File System
● Broadcast Message
10+ types of exit points
![Page 41: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/41.jpg)
Flows
Detectable Flows = Sources × Sinks
396 Flow Types
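How the annotation on the Tracking Sensitive Data slide turns into a catalogue of flow types, as an added example that is not STAMP's own code: annotation/method line pairs in the shape the slide shows are parsed into per-method models, the source and sink labels are collected, Detectable Flows = Sources × Sinks is enumerated, and a set of flows reported for an app is checked against what the app declares. Only the getDeviceId entry comes from the slide; the other annotated methods, the label names and the `@param:N` (0-based argument index) convention for sink arguments are assumptions made for this example.

```python
"""Parse STAMP-style source/sink annotations into API models and build the flow catalogue
(added example, not STAMP's own code)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from itertools import product

# Constructed annotation list: an @STAMP line followed by the annotated method. Only the
# getDeviceId entry is from the slide; the other entries, the label names and the
# "@param:N" (0-based argument index) convention are assumptions for this example.
ANNOTATED_API = """
@STAMP(SRC="$DEVICEID", SINK="@return")
android.telephony.TelephonyManager: String getDeviceId()
@STAMP(SRC="$LOCATION", SINK="@return")
android.location.LocationManager: Location getLastKnownLocation(String)
@STAMP(SRC="$CONTACTS", SINK="@return")
android.content.ContentResolver: Cursor query(Uri,String[],String,String[],String)
@STAMP(SRC="@param:2", SINK="$SMS")
android.telephony.SmsManager: void sendTextMessage(String,String,String,PendingIntent,PendingIntent)
@STAMP(SRC="@param:0", SINK="$INTERNET")
org.apache.http.client.HttpClient: HttpResponse execute(HttpUriRequest)
@STAMP(SRC="@param:1", SINK="$LOG")
android.util.Log: int d(String,String)
"""

ANNOT = re.compile(r'^@STAMP\(SRC="([^"]+)",\s*SINK="([^"]+)"\)$')
METHOD = re.compile(r'^(?P<cls>[\w.]+):\s+(?P<ret>[\w\[\]]+)\s+(?P<name>\w+)\((?P<params>[^)]*)\)$')

@dataclass
class ApiModel:
    cls: str
    name: str
    params: list[str]
    source_labels: set[str] = field(default_factory=set)       # labels on the return value
    sink_params: dict[int, str] = field(default_factory=dict)  # argument index -> sink label

def parse_models(text: str) -> dict[str, ApiModel]:
    """Turn annotation/method line pairs into models keyed by fully qualified method name."""
    models: dict[str, ApiModel] = {}
    pending = None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ANNOT.match(line):
            pending = (m.group(1), m.group(2))
            continue
        m = METHOD.match(line)
        if m is None or pending is None:
            raise ValueError(f"unparseable or unannotated line: {line!r}")
        src, sink = pending
        pending = None
        params = [p.strip() for p in m["params"].split(",") if p.strip()]
        key = f"{m['cls']}.{m['name']}"
        model = models.setdefault(key, ApiModel(m["cls"], m["name"], params))
        if src.startswith("$") and sink == "@return":          # source: label flows to the result
            model.source_labels.add(src[1:])
        elif src.startswith("@param:") and sink.startswith("$"):  # sink: an argument flows out
            idx = int(src.split(":", 1)[1])
            if idx >= len(params):
                raise ValueError(f"{key}: @param:{idx} but only {len(params)} parameters")
            model.sink_params[idx] = sink[1:]
        else:
            raise ValueError(f"{key}: unsupported annotation SRC={src!r} SINK={sink!r}")
    return models

def flow_catalogue(models: dict[str, ApiModel]) -> set[tuple[str, str]]:
    """Detectable Flows = Sources x Sinks: every (source label, sink label) the models can name."""
    sources = {lab for m in models.values() for lab in m.source_labels}
    sinks = {lab for m in models.values() for lab in m.sink_params.values()}
    return set(product(sources, sinks))

def undeclared_flows(observed: set[tuple[str, str]],
                     declared: set[tuple[str, str]]) -> set[tuple[str, str]]:
    """Flows the analysis reported that the app's description or privacy policy does not declare."""
    return observed - declared

if __name__ == "__main__":
    models = parse_models(ANNOTATED_API)
    catalogue = flow_catalogue(models)
    print(f"{len(models)} modelled methods, {len(catalogue)} detectable flow types")
    # Constructed: flows an analysis might report for an app whose description only admits
    # uploading the user's contacts.
    reported = {("CONTACTS", "INTERNET"), ("DEVICEID", "SMS"), ("LOCATION", "LOG")}
    declared = {("CONTACTS", "INTERNET")}
    print("undeclared:", sorted(undeclared_flows(reported, declared)))
```

With three source labels and three sink labels the catalogue has nine flow types; the slide's 30+ sources and 10+ sinks give the 396 it quotes. The policy check at the end is the certification step in miniature: a flow type is only a finding when the app's own description does not account for it.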
![Page 42: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/42.jpg)
Save the Dalai Lama!
Start
Play again!
![Page 43: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/43.jpg)
Detecting background behaviors
Sensitive data leaving the device is a source-to-sink flow
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
Diagram: the C&C Server sends Commands to the app; the app sends back Data: Location, Contacts, Call Log, SMS messages.
![Page 44: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/44.jpg)
Stamp Source-to-sink Flows
![Page 45: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/45.jpg)
Chuli Source-to-sink Flows
Diagram: Read SMS (Source: SMS), Read Contacts (Source: Contacts), Read Intent (Source: Intent) and Read Location (Source: Location) flow to Send Intent (Sink: Intent) and Send Internet (Sink: Internet).
![Page 46: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/46.jpg)
You Saved the Dalai Lama!
Thanks!
![Page 47: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/47.jpg)
Save the Dalai Lama!
Start
Can you help me with something else?
![Page 48: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/48.jpg)
Let's look at an example of a privacy-violating program
Figure: a privacy policy notice, "This app collects your: Contacts, Phone Number, Address"
![Page 49: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/49.jpg)
Facebook Contact Sync
Contact Sync for Facebook (unofficial)
Description: This application allows you to synchronize your Facebook contacts on Android.
Privacy Policy: (page not found)
![Page 50: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/50.jpg)
Unknowns
Does this app have hidden behaviors?
Does it steal my Facebook data?
Does it have vulnerabilities?
Does it steal my contacts?
![Page 51: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/51.jpg)
What you get today

| Category | Permission | Description |
| --- | --- | --- |
| Your Accounts | AUTHENTICATE_ACCOUNTS | Act as an account authenticator |
| Your Accounts | MANAGE_ACCOUNTS | Manage accounts list |
| Your Accounts | USE_CREDENTIALS | Use authentication credentials |
| Network Communication | INTERNET | Full Internet access |
| Network Communication | ACCESS_NETWORK_STATE | View network state |
| Your Personal Information | READ_CONTACTS | Read contact data |
| Your Personal Information | WRITE_CONTACTS | Write contact data |
| System Tools | WRITE_SETTINGS | Modify global system settings |
| System Tools | WRITE_SYNC_SETTINGS | Write sync settings (e.g. Contact sync) |
| System Tools | READ_SYNC_SETTINGS | Read whether sync is enabled |
| System Tools | READ_SYNC_STATS | Read history of syncs |
| Your Accounts | GET_ACCOUNTS | Discover known accounts |
| Extra/Custom | WRITE_SECURE_SETTINGS | Modify secure system settings |
![Page 52: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/52.jpg)
Potential Flows
Diagram: the app's permissions arranged as Sources and Sinks (INTERNET, READ_CONTACTS, WRITE_SETTINGS, READ_SYNC_SETTINGS, WRITE_CONTACTS, READ_SYNC_STATS, GET_ACCOUNTS, WRITE_SECURE_SETTINGS), with every potential source-to-sink flow drawn between them.
![Page 53: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/53.jpg)
Acceptable Flows
Diagram: the same Sources and Sinks, with only the flows the app's description justifies marked as acceptable.
![Page 54: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/54.jpg)
Certification
Diagram: FB API (Source: FB_Data) → Write Contacts (Sink: Contact_Book); Read Contacts (Source: Contacts) and Send Internet (Sink: Internet) are also shown.
● Red slashes designate absence of flow
● All flows were within expected specification
○ No hidden behaviors
![Page 55: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/55.jpg)
You Saved the Dalai Lama!
Let’s review!
![Page 56: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/56.jpg)
Review
● Described Android malware problem
○ Chuli, DroidDream, data collection incentives
● Google Bouncer deployed to detect malware
○ Dynamic analysis - input generation problem
● Defined malware detection game
○ Adversary, Detection System, Policy
● Stamp detection system
○ Static analysis - scalability/false positives
● Privacy analysis
○ Mandatory notification of data collection
![Page 57: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/57.jpg)
You Saved the Dalai Lama!
Questions?
![Page 59: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/59.jpg)
Abstract Program Execution
Diagram: a state machine with states begin, start, wait, snd, del, end and exit, and transitions read, cmd, send and delete.
States: mapping of variable names to values
Transitions: relation on pairs of states
Traces: sequence of states or (state, transition) pairs
![Page 60: CS155: Android Malware](https://reader034.vdocuments.site/reader034/viewer/2022042600/586a0e251a28ab3d018bb012/html5/thumbnails/60.jpg)
Opportunity
Centralization + Certification = Safety
● Centralization: Free
● Certification: Beyond testing (Policies, Procedures, Best practices, Verification)
● Safety: Broadly defined (Cost, Legal Compliance, Performance, Privacy, Security)