making malory behave maliciously: targeted fuzzing of android … · 2020. 3. 8. · © fraunhofer...
© Fraunhofer
Making Malory Behave Maliciously: Targeted Fuzzing of Android Execution Environments
Siegfried Rasthofer, Steven Arzt, Stefan Triller (Fraunhofer SIT, Germany)
Michael Pradel (TU Darmstadt, Germany)
@Override
protected void onReceive(Bundle sms) {
    if (!sms.getBody().startsWith("ak40_1")) {
        wait(24 hours); // timing bomb (slide pseudocode)
        if (Build.FINGERPRINT.startsWith("generic")) return; // we are running in an emulator
        if (getCurrentLocation().equals("Germany"))
            sendSMS(number, sms.getBody());
    }
}
Environment:
1. Send SMS to device
2. Content of SMS does not start with "ak40_1"
3. Wait for 24 hours
4. Run on real device
5. Location-Check for Germany
?
Dynamic Analysis?
Timing Bombs, Emulator Checks, Country Checks, IP Restrictions, Provider Checks, Integrity Checks, …
Static Analysis?
Packer, Reflection, Dynamic Code Loading, String Obfuscation, …
FuzzDroid
Targeted Fuzzing Approach
Static Dynamic
Static Analysis Dynamic Analysis
Environment
Runtime Information
if (Build.FINGERPRINT.startsWith("generic")) return;
if (getCurrentLocation().equals("Germany"))
    sendSMS(number, sms.getBody());
FuzzDroid+
Environment
FINGERPRINT = "zte"
Location = "Argentina"
Static Analysis Dynamic Analysis
Environment
Runtime Information
if (Build.FINGERPRINT.startsWith("generic")) return;
if (getCurrentLocation().equals("Germany"))
    sendSMS(number, sms.getBody());
FuzzDroid+
Environment
FINGERPRINT = "generic"
Location = "Germany"
+
FuzzDroid
Environment
File Values
Constant Values
Symbolic Execution
Integrity Checks
Primitives-as-Strings
…
Value Provider
Dataflow
a = getMessageBody()
b = a
c = b
c.startsWith("ak40_1")
Constraint
a = value AND
b = a AND
c = b AND
c startsWith "ak40_1"
String Solver
value = "ak40_1foo"
Dataflow
a = getMessageBody()
b = a
c = b
c.startsWith(dynValue)
String Solver
value = "ak40_1foo"
Runtime Value
Constraint
a = value AND
b = a AND
c = b AND
c startsWith dynValue AND
dynValue = "ak40_1"
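The two constraint slides above, worked through as an added example (not code from the slides or from FuzzDroid): a toy solver that collapses the alias chain a = b = c back to the symbolic input and derives a concrete SMS body, including the case where the startsWith operand is only known once its runtime value has been observed. The tuple encoding, the function name solve and the "foo" filler are assumptions made for illustration.

```python
# Added illustration: a toy solver for the constraint shapes on the slides
# (equality chains plus startsWith). Not FuzzDroid's actual string solver.

def solve(constraints, runtime_values=None, filler="foo"):
    """Return a concrete string for the symbol 'value', or None if unsatisfiable.

    constraints: tuples ("eq", x, y) or ("startsWith", x, operand), where
    operand is a quoted literal like '"ak40_1"' or the name of a variable
    whose content was observed at runtime (runtime_values).
    """
    runtime_values = runtime_values or {}
    parent = {}

    def find(x):                      # union-find over aliased variables
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for kind, x, y in constraints:
        if kind == "eq":
            parent[find(x)] = find(y)

    prefix = ""                       # strongest prefix required of 'value'
    for kind, x, operand in constraints:
        if kind != "startsWith" or find(x) != find("value"):
            continue
        if operand.startswith('"'):
            lit = operand.strip('"')
        elif operand in runtime_values:
            lit = runtime_values[operand]
        else:
            return None               # operand unknown until observed at runtime
        if lit.startswith(prefix):
            prefix = lit              # new prefix subsumes the old one
        elif not prefix.startswith(lit):
            return None               # two incompatible prefixes
    return prefix + filler


# Constructed inputs mirroring the two slides.
STATIC = [("eq", "a", "value"), ("eq", "b", "a"), ("eq", "c", "b"),
          ("startsWith", "c", '"ak40_1"')]
DYNAMIC = STATIC[:3] + [("startsWith", "c", "dynValue")]
```

Without the runtime value the second constraint set cannot be solved; once the dynamic analysis reports dynValue = "ak40_1", it yields the same body as the static case.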
Evaluation
[Bar charts, axis 0 to 70. First chart: Launch, Launch & Trigger, FuzzDroid on 209 Apps; values shown: 62%, 16%, 10%. Second chart: IntelliDroid, FuzzDroid on 20 Apps; values shown: 62%, 11%.]
IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware. NDSS 2016
FuzzDroid Effectiveness?
Multi-Analyses Effectiveness?
[Bar chart. Y-axis: Target is reached (%), 0 to 70. X-axis: Symbolic, Constant, File, Integrity, Prim-as-Strings, All. Series: All Except This Value Provider; Only This Value Provider.]
| Kind of environment value | Prevalence |
|---|---|
| File Access | 47.97 % |
| SIM/network operator code | 16.82 % |
| Incoming SMS | 10.84 % |
| SIM operator name | 5.53 % |
| "Timing bomb" | 4.06 % |
| SIM country | 3.216 % |
| Integrity Check | 1.02 % |
| Admin check | 0.68 % |
| Others | 9.92 % |
Siegfried Rasthofer
Fraunhofer Institute for Secure Information Technology