You don’t Need AV for Android?? How modern multi stage Android malware is succeeding to infect Android devices Jagadeesh Chandraiah Threat Researcher AVAR 2016

Upload: jagadeesh-chandraiah

Post on 15-Apr-2017



Who am I


• Threat Researcher at Sophos, UK

• Interested in Windows, Mobile Malware Analysis and Research

• Has spoken at DeepSec and Virus Bulletin in the past


Agenda


• You don’t need AV for Android

• Android Security services

• Infection timeline

• Multi-Stage Android Malware

• Why we need AV on Android platform


You Don’t Need Android AV !!

Mobile Antivirus is not needed - Google


https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/

Security Software firms are Scammers


http://www.smh.com.au/technology/security/charlatans-and-scammers-googler-slams-security-software-firms-20111123-1ntpu.html

Android Security Services

Security Services


https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf

Security Services


Scoring Engine


https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf

• Apps are classified on a scale from Safe to Harmful

• Apps scored as harmful are sent for human review

Security Services


https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf

Potentially Harmful Applications (PHA)

PHA


https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf

PHA


Android Fragmentation

Android Fragmentation


https://developer.android.com/about/dashboards/index.html, data from the 7-day period ending on Nov 7, 2016


Android version distribution (share of active devices):

Version                         Share
Gingerbread (2.3.x)              1.3%
Ice Cream Sandwich (4.0)         1.3%
Jelly Bean (4.1-4.3)            13.7%
KitKat (4.4)                    25.2%
Lollipop (5.x)                  34.1%
Marshmallow (6.0)               24.0%
Nougat (7.0)                     0.3%

Android Fragmentation


• Slow adoption of new Android versions

• Many users run outdated software with many known security vulnerabilities

• The latest security fixes are not rolled out quickly

• Google cannot force manufacturers to roll out security updates

• The business model pushes users to buy new phones rather than update

Android Fragmentation: A Fix?


• Google has started rolling out its own devices, the Pixel series

• Some features and updates are now delivered through Google Play services

• Does Google look like it is solving fragmentation? Probably not

• Android is still very popular…

• Developers are writing more apps…

Android Malware Infections

Android Malware Infections


Google play Infections


~10-12 malware occurrences in the Google Play store in 2015

Malware seen pretty much every month in 2016

Google play Infections


Timeline of malware found on Google Play in 2016 (install counts in parentheses):

Jan 2016: Brain Test 2, Turk Clicker, Xiny
Feb 2016: Porn Clickers (500k)
Mar 2016: InstaAgent 2 (100-500k)
May 2016: Viking Horde (50-100k)
Jun 2016: Clicker, Valeriy, Level Dropper (5k)
Aug 2016: Dress Code 1
Sep 2016: Call Jam, Embassy Spyware, Dress Code 2 (100-500k)
Nov 2016: Multiple Accounts (1-5 million)

Many apps with 100-500k install count; millions of devices infected in 2016

Noteworthy Malware

Ghost Push

Ghost Push


https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf

Ghost Push


https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf

Ghost Push


https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf

3.5 Billion Installation Attempts

New variants spotted in Sep/Oct 2016

Ghost Push


• Downloader that fetches other malware and aggressive adware

• Also known as ‘Rootnik’, ‘Shedun’, etc.

• An OTA company’s update infrastructure and application install service was causing several Ghost Push installations

• Several variants of Ghost Push were seen

• Highly persistent


Brain Test

Brain Test


• Employed anti-analysis techniques

• Anti-analysis such as IP checking, a time bomb and dynamic loading

• Persistence methods used to avoid being uninstalled

• Appeared multiple times on Google Play


Brain Test


http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/

Brain Test


Checks whether the hostname contains ‘google’ or ‘android’

Checks whether the IP address falls in Google server ranges:

216.58.192.0 - 216.58.223.255

209.85.128.0 - 209.85.255.255
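The two environment checks on this slide are what decide whether a dynamic-analysis run ever sees the sample's later stages. The script below is an added example, not tooling from the talk or from Sophos: it encodes the slide's hostname substrings and the two IP ranges exactly as given and lets a sandbox operator test whether their own analysis host would be fingerprinted by such a check (the host names and addresses passed in at the bottom are constructed).

```python
import ipaddress

# Environment checks attributed to Brain Test on the slide: the sample looks for
# "google"/"android" in the hostname and for these two Google server IP ranges.
HOSTNAME_MARKERS = ("google", "android")
BRAIN_TEST_IP_RANGES = [
    ("216.58.192.0", "216.58.223.255"),
    ("209.85.128.0", "209.85.255.255"),
]


def ranges_to_networks(ranges):
    """Turn inclusive first/last address pairs into CIDR networks for membership tests."""
    networks = []
    for first, last in ranges:
        networks.extend(
            ipaddress.summarize_address_range(
                ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            )
        )
    return networks


BRAIN_TEST_NETWORKS = ranges_to_networks(BRAIN_TEST_IP_RANGES)


def ip_in_checked_ranges(ip):
    """True if the address falls inside one of the ranges the sample checks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in BRAIN_TEST_NETWORKS)


def hostname_flagged(hostname):
    """True if the hostname contains one of the substrings the sample looks for."""
    lowered = hostname.lower()
    return any(marker in lowered for marker in HOSTNAME_MARKERS)


def sandbox_fingerprint_report(hostname, egress_ip):
    """Report which of the checks an analysis host would trip.

    A sandbox that trips either check never observes the later-stage behaviour,
    so a "clean" dynamic-analysis verdict from such a host is unreliable.
    """
    host_hit = hostname_flagged(hostname)
    ip_hit = ip_in_checked_ranges(egress_ip)
    return {
        "hostname_check": host_hit,
        "ip_range_check": ip_hit,
        "fingerprinted": host_hit or ip_hit,
    }


if __name__ == "__main__":
    # Constructed sample analysis hosts, not real infrastructure.
    for host, ip in [("android-sandbox-01", "10.20.30.40"),
                     ("worker-7", "216.58.200.1"),
                     ("worker-8", "203.0.113.9")]:
        print(host, ip, sandbox_fingerprint_report(host, ip))
```

The two address ranges collapse to 216.58.192.0/19 and 209.85.128.0/17; the same structure accepts further ranges or substrings if a later variant is found checking different ones.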

Brain Test


Figure (labels only): Persistence, Modification, Script

Many variants with similar execution model


• Viking Horde - botnet

• Godless - exploit kit, downloader

• Xiny - hides its payload in an image; downloader, ad network

• Rooting exploits and rooting services used

• Watchdog modules for persistence

• Ad revenue, click fraud, botnets…


Feabme

Feabme


• Popular game on Google Play - up to 1 million install count

• Had a working game with phishing code


Feabme


• Uses an open source cross-platform .NET framework

• DLLs inside the assemblies folder contained the malicious code
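Because the game logic of such an app lives in managed DLLs rather than in classes.dex, a triage that only decompiles the dex misses the code that matters. The script below is an added example, not tooling from the talk: it opens an APK as the zip file it is, enumerates every DLL under assemblies/, records size and SHA-256, and flags entries that do not start with the 'MZ' header a plain PE/.NET assembly carries, so the analyst knows which files to pull into a .NET decompiler first and which may be packed or encrypted. The APK it inspects is a constructed stand-in built inline, not the Feabme sample.

```python
import hashlib
import io
import zipfile


def list_embedded_assemblies(apk_bytes):
    """Enumerate .NET assemblies shipped under assemblies/ in an APK.

    Returns one dict per DLL with the entry path, uncompressed size, SHA-256
    and whether the bytes start with the 'MZ' PE header a plain managed DLL
    carries. An APK is a zip, so the standard library is enough to look inside.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if not name.startswith("assemblies/") or not name.lower().endswith(".dll"):
                continue
            data = apk.read(info)
            results.append({
                "path": name,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_pe": data[:2] == b"MZ",
            })
    return sorted(results, key=lambda r: r["path"])


def triage_summary(apk_bytes):
    """Paths of assemblies that are not plain PE files: candidates for packing or encryption."""
    return [r["path"] for r in list_embedded_assemblies(apk_bytes) if not r["is_pe"]]


def build_sample_apk():
    """Constructed stand-in for a .NET-framework game APK (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        # Java side is only a thin bootstrap; the app logic is in the DLLs below.
        apk.writestr("classes.dex", b"dex\n035\x00")
        apk.writestr("assemblies/Game.Core.dll", b"MZ" + b"\x00" * 62)
        apk.writestr("assemblies/Mono.Android.dll", b"MZ" + b"\x01" * 62)
        # Not a plain PE image: this is the entry an analyst should look at first.
        apk.writestr("assemblies/Extra.dll", b"\x7fXX" + b"\x02" * 61)
        apk.writestr("assemblies/assemblies.manifest", b"Game.Core.dll\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    for entry in list_embedded_assemblies(sample):
        print(entry)
    print("non-PE assemblies:", triage_summary(sample))
```

Replace the constructed bytes with the contents of a real APK read from disk to run it against an actual app; the hashes it records are what you would submit to a sample-sharing feed.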


InstaAgent

InstaAgent


• App found on both Google Play and the iOS App Store

• Was a very popular app with up to 100k install count

• Simple credential-stealing app with big impact

• Similar apps appeared multiple times

• Injects JS code into the web page to steal data


InstaAgent


http://peppersoft.net/hacking-the-hacker/


Dress Code

Dress Code


Dress Code


• Lots of infected apps found on Google Play

• Some of the apps were installed 100k-500k times

• About 400 infected apps were found on Google Play

• Malware appeared multiple times on Google Play

• Creates a botnet when the user executes an infected app

• Traffic is rerouted to help the attacker


http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/


Sophistication and Breaking Security Services

Increased Sophistication


• Leave the payload for a later stage

• Pretend to be a clean app

• Target popular apps and games

• Use exploits, rooting tools and rooting services


Anti Analysis


• Detect the analysis environment

• Obfuscation

• Encrypt and hide payloads

• Dynamic/runtime code

• Detection evasion using smaller, simpler modules and tricks


Why do we need Security Software?

So, how big is the malware risk ??


• Malware occurrences are still relatively low compared to Windows

• Risk of infection is also low


Need for Security Software


• Google has made many improvements but NOT ENOUGH !!

• Variants have appeared again and again on the Play store (Dress Code, Brain Test, InstaCare/InstaAgent…)

• Popularity means more risk !!

• Many threats on Google Play were found by AV/security firms

• Global AV community, security researchers, multiple solutions

• Alert users about threats not detected by Google

• Many AV apps are free and also provide extra security features


Work Together


• Google can’t provide 100% security

• Like any other security software, it can’t detect all threats

• Google should join hands with the AV community

• Share samples and information for a better ecosystem


Figure (labels only): Antivirus, Google

References/Further Read


• https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/

• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf

• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf

• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf

• http://blog.checkpoint.com/2016/05/09/viking-horde-a-new-type-of-android-malware-on-google-play/

• http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/

• http://news.drweb.com/show/?i=9803&lng=en&c=5

• http://blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/

• http://peppersoft.net/hacking-the-hacker/

• http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/

• http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/


@jag_chandra