Posted on 15-Apr-2017
You don’t Need AV for Android?? How modern multi-stage Android malware is succeeding to infect Android devices
Jagadeesh Chandraiah, Threat Researcher
AVAR 2016
Who am I
• Threat Researcher at Sophos, UK
• Interested in Windows and mobile malware analysis and research
• Spoken at DeepSec and Virus Bulletin in the past
Agenda
• You don’t need AV for Android
• Android Security services
• Infection timeline
• Multi-Stage Android Malware
• Why we need AV on Android platform
Mobile Antivirus is not needed - Google
https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/
Security Software firms are Scammers
http://www.smh.com.au/technology/security/charlatans-and-scammers-googler-slams-security-software-firms-20111123-1ntpu.html
Security Services
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf
Scoring Engine
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf
• Apps are classified on a scale from Safe to Harmful
• Harmful apps are sent for human review
Security Services
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf
PHA (Potentially Harmful Applications)
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf
Android Fragmentation
https://developer.android.com/about/dashboards/index.html, data from the 7-day period ending on Nov 7, 2016
Android version share:
• Gingerbread (2.3.x): 1.3%
• Ice Cream Sandwich (4.0): 1.3%
• Jelly Bean (4.1-4.3): 13.7%
• KitKat (4.4): 25.2%
• Lollipop (5.x): 34.1%
• Marshmallow (6.0): 24.0%
• Nougat (7.0): 0.3%
Android Fragmentation
• Slow adoption of new Android versions
• Many users run outdated software with many security vulnerabilities
• Latest security fixes are not rolled out quickly
• Google cannot force manufacturers to roll out security updates
• The business model pushes users to buy new phones rather than update
Android Fragmentation? Fix
• Google has started rolling out its own devices, the Pixel series
• Some features and updates are delivered through Google Play services
• Does Google look like solving fragmentation? Probably not
• Android is still very popular…
• Developers are writing more apps…
Google play Infections
~10-12 malware occurrences in the Google Play store in 2015
Malware seen pretty much every month in 2016
Google play Infections
Google Play malware timeline, 2016 (install counts in parentheses):
• Jan 2016: Brain Test 2, Turk Clicker, Xiny
• Feb 2016: Porn Clickers (500k)
• Mar 2016: InstaAgent 2 (100-500k)
• May 2016: Viking Horde (50-100k)
• Jun 2016: Clicker, Valeriy, Level Dropper (5k)
• Aug 2016: Dress Code 1
• Sep 2016: Call Jam, Embassy Spyware, Dresscode 2 (100-500k)
• Nov 2016: Multiple Accounts (1-5 Mil), many apps with 100-500k install count
Millions of devices infected in 2016
Ghost Push
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf
3.5 Billion Installation Attempts
New variants spotted in Sep/Oct 2016
Ghost Push
• Downloader that downloads other malware and aggressive adware
• Also known as ‘Rootnik’, ‘Shedun’, etc.
• An OTA company’s update infrastructure and application install service was causing several Ghost Push installations
• Several variants of Ghost Push were seen
• Highly persistent
Brain Test
• Employed anti-analysis techniques: IP checking, time bomb and dynamic loading
• Persistence methods used to avoid uninstallation
• Appeared multiple times on Google Play
http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/
Checks whether the hostname contains ‘google’ or ‘android’
Checks whether the device IP falls within Google server ranges:
216.58.192.0 - 216.58.223.255
209.85.128.0 - 209.85.255.255
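As an added example (not code from the slides or from the Brain Test sample), the two environment checks listed above modelled in Python so an analyst can audit whether a sandbox’s hostname and egress address would make the malware withhold its payload; the sandbox profiles are constructed.

```python
# Added example, not from the AVAR 2016 slides: models the two Brain Test
# analysis-environment checks so a defender can audit whether a sandbox
# would be fingerprinted (and the payload withheld) before detonating a sample.
import ipaddress
from typing import Dict, List, Tuple

# Google server ranges quoted on the slide, as first/last address pairs.
GOOGLE_RANGES = [("216.58.192.0", "216.58.223.255"),
                 ("209.85.128.0", "209.85.255.255")]
# Hostname substrings quoted on the slide.
HOSTNAME_MARKERS = ("google", "android")


def ranges_to_networks(ranges):
    """Collapse first/last pairs into CIDR networks for membership tests."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets


GOOGLE_NETS = ranges_to_networks(GOOGLE_RANGES)  # 216.58.192.0/19, 209.85.128.0/17


def fingerprint_reasons(hostname: str, egress_ip: str) -> List[str]:
    """Checks the sample would trip for this sandbox; [] means it would detonate."""
    reasons = []
    if any(m in hostname.lower() for m in HOSTNAME_MARKERS):
        reasons.append("hostname")
    addr = ipaddress.ip_address(egress_ip)
    if any(addr in net for net in GOOGLE_NETS):
        reasons.append("google-ip-range")
    return reasons


def audit(sandboxes: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each sandbox name to the checks it would trip."""
    return {name: fingerprint_reasons(host, ip) for name, (host, ip) in sandboxes.items()}


# Constructed sandbox profiles (hostname, public egress IP); not real hosts.
SANDBOXES = {
    "default-emulator": ("android-sdk-build", "192.0.2.10"),  # default hostname leaks 'android'
    "cloud-vm": ("lab-vm-01", "216.58.200.1"),               # egress inside a Google range
    "hardened": ("lab-vm-02", "192.0.2.11"),                 # trips neither check
}

if __name__ == "__main__":
    for name, reasons in audit(SANDBOXES).items():
        print(f"{name}: {'fingerprinted by ' + ', '.join(reasons) if reasons else 'payload would run'}")
```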
Many variants with similar execution model
• Viking Horde - botnet
• Godless - exploit kit, downloader
• Xiny - hides payload in an image, downloader, ad network
• Rooting exploits and rooting services used
• Watchdog modules for persistence
• Ad revenue, click fraud, botnets…
Feabme
• Popular game on Google Play, up to 1 million installs
• Had a working game with phishing code
• Uses the open source cross-platform .NET framework
• DLLs inside the assemblies folder contained the malicious code
InstaAgent
• App found on both Google Play and the iOS App Store
• Very popular app, up to 100k installs
• Simple credential-stealing app with big impact
• Similar apps appeared multiple times
• Injects JS code into the web page to steal data
Dress Code
• Lots of infected apps found on Google Play
• Some of the apps were installed 100k-500k times
• About 400 infected apps were found on Google Play
• Malware appeared multiple times on Google Play
• Creates a botnet when the user executes an infected app
• Traffic is rerouted to help the attacker
http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/
Increased Sophistication
• Leave the payload for a later stage
• Pretend to be a clean app
• Target popular apps and games
• Use exploits, rooting tools and services
Anti Analysis
• Detect the analysis environment
• Obfuscation
• Encrypt and hide payloads
• Dynamic/runtime code
• Detection evasion using smaller, simpler modules and tricks
So, how big is the malware risk ??
• Malware occurrences are still relatively low compared to Windows
• Risk of infection is also low
Need for Security Software
• Google has made many improvements but NOT ENOUGH!!
• Variants have appeared again and again on the Play Store (Dress Code, Brain Test, Insta Care/Agent…)
• Popularity means more risk!!
• Many threats on Google Play found by AV/security firms
• Global AV community, security researchers, multiple solutions
• Alert users about threats undetected by Google
• Many AV apps are free and also provide extra security features
Work Together
• Google can’t provide 100% security
• Like any other security software, it can’t detect all threats
• Google should join hands with the AV community
• Share samples and information for a better ecosystem
(Figure: Antivirus and Google)
References/Further Read
• https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/
• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf
• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf
• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf
• http://blog.checkpoint.com/2016/05/09/viking-horde-a-new-type-of-android-malware-on-google-play/
• http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/
• http://news.drweb.com/show/?i=9803&lng=en&c=5
• http://blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/
• http://peppersoft.net/hacking-the-hacker/
• http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/
• http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/