An Antivirus API for Android Malware Recognition
8th IEEE International Conference on Malicious and Unwanted Software (MALWARE 2013)
Rafael Fedler, [email protected], October 23, 2013

Upload: fraunhofer-aisec

Post on 02-Jun-2015


DESCRIPTION

In this talk, given at the 8th International Conference on Malicious and Unwanted Software (MALWARE 2013), researchers from Fraunhofer AISEC present their paper "An Antivirus API for Android Malware Recognition". The proposed API, if added to the main Android distribution or to third-party distributions such as Cyanogenmod, would significantly increase the effectiveness that antivirus software can achieve on Android. Currently, antivirus software on Android is very limited in its capabilities and very easy for malware to circumvent, as demonstrated by our previous work (http://ais.ec/techreport: "On the Effectiveness of Malware Protection on Android: An Evaluation of Android Antivirus Apps" by Rafael Fedler). These platform-based antivirus shortcomings are addressed by the paper presented in this talk.

TRANSCRIPT

Page 1: An Antivirus API for Android Malware Recognition

8th IEEE International Conference on Malicious and Unwanted Software (MALWARE 2013)
Rafael Fedler, [email protected], October 23, 2013

Page 2: An Antivirus API for Android Malware Recognition

- Motivation
  - Problem
  - Teaser
- Background
  - Android Platform
  - Android Malware
  - Android Antivirus Software
- Approach: Antivirus API
  - Objectives
  - File system traversal for on-demand scanning
  - File system monitoring
  - File operations
- Discussion

An Antivirus API for Android Malware Recognition | Rafael Fedler | October 23, 2013 | 1

© Fraunhofer

Page 3: An Antivirus API for Android Malware Recognition

Motivation: Problem

- Antivirus software on Android is inherently less powerful than on desktop systems
  - Has access to only a select few files on the file system (installation package files)
  - Cannot scan or monitor the file system
  - Completely oblivious to anything happening at runtime on a device
  - Cannot detect malicious file downloads (root exploits, other code) at runtime
    - Android apps can download and then execute code at runtime (!)


Page 4: An Antivirus API for Android Malware Recognition

Motivation: Teaser

- Our approach: an interface to be added to the Android platform to allow for AV
  - on-demand scanning of the full or partial file system
  - on-change scanning of changed file system portions for live monitoring
  - signature- and heuristics-based malware detection similar to that deployed by desktop products
  - ... without breaking Android's security architecture



Page 6: An Antivirus API for Android Malware Recognition

Background: Android Platform

- File system sandboxing mechanism
  - Every app is assigned its own UID
  - Every app's files are owned by, and readable only by, its own UID
  - → file system sandbox: each app can only access files in its own working directory
  - Also applies to antivirus software (!)
- Package database
  - /data/system/packages.xml, world readable
  - Upon installation of an app, an entry in the package DB is created
  - Contains, among others, the path to every app's package file
  - Package files are world readable (!)


Page 7: An Antivirus API for Android Malware Recognition

Background: Android Malware

- 36.7% of all malicious apps deployed root exploits by 2012 [4], probably more by now
  - Allows breaking out of the sandbox
  - Often downloaded at runtime, thus invisible to AV software
- Typical course of infection of more advanced malware (e.g., [1, 2]):
  1. Initial propagation
     - Disguised as a legitimate app
     - Repackaged
     - Update of a legitimate app after hijacking of the developer's account and signing key
     - etc.
  2. Download of root exploit at runtime, in case it is not shipped with the app package file
  3. Mark exploit executable with chmod
  4. Execute root exploit and carry out payload


Page 8: An Antivirus API for Android Malware Recognition

Background: Android Antivirus Software

- Cannot:
  - ... scan a device's file system, due to the sandbox
  - ... monitor other apps' behavior at runtime or their working directories
- Can only:
  - Read installed apps' installation package files
    - Remember: the package database is world readable and contains the paths of the app package files, which are also world readable
  - Read SD card (not used by malware for obvious reasons)


Page 9: An Antivirus API for Android Malware Recognition

Own conclusion

- Adding the ability to scan apps' working directories and monitor them at runtime: good idea
- Current AV is completely blind and oblivious to any runtime behavior or file system changes
  - ... including malicious code downloaded/created/unpacked/pieced together at runtime



Page 11: An Antivirus API for Android Malware Recognition

Approach (Antivirus API): Objectives

1. Scan the file system fully (from /) or partially (e.g., from /data/data) on demand
2. Monitor file system portions (e.g., working directories) at runtime
3. Operations on arbitrary files allowing for signature- and heuristics-based malware recognition similar to desktop products
4. All of the above without breaking Android's security architecture


Page 12: An Antivirus API for Android Malware Recognition

Approach (Antivirus API): File system traversal for on-demand scanning

- Objective: do not disclose file system names or full paths
- Solution: aliases
  - Options for implementation:
    1. Database mapping aliases ↔ paths
    2. Dynamic calculation
    3. Trapdoor function, e.g., RSA
- Allows for traversal of the file system tree


Page 13: An Antivirus API for Android Malware Recognition

Approach (Antivirus API): File system traversal for on-demand scanning

Listing 1: Usual directory listing

    user@computer:/topleveldir$ ls
    dir1
    dir2
    file1
    file2
    file3

Listing 2: Directory listing using aliases, including an entry for the parent directory

    0 p a55822426a5330c04625a41d264c190b
    1 d b72b7253c45f9d22044c86bf4d7e4902
    2 d 515dc267bbd0af019d22e766af0cb7e4
    3 f f8bb5cc06b4ed23683b276ca05153e82
    4 f 7b2de0a0f16d100dfbf2d84603840ee2
    5 f 9fa5ba9abe67916142cb6bc0eee7658b


Page 14: An Antivirus API for Android Malware Recognition

Approach (Antivirus API): File system traversal for on-demand scanning

- Starting from / or /data/data/, an AV app can traverse the file system using such alias handles
- ls and cd equivalent options will be provided
- Paths passed by the user can be used as entry points; however, aliases cannot be translated back to paths
  - Trapdoor parameter only known to the system, not to the AV
- Path aliases for traversal, file aliases for indirect file access for malware detection
- Permanent translation and communication between AV and system: not very efficient, but
  - /data/data/ usually not very big
  - Preserves privacy
  - Sandbox maintained: no direct access outside the AV's working directory


Page 15: An Antivirus API for Android Malware Recognition

Approach (Antivirus API): File system monitoring

- Approach: inotify Linux kernel interface
  - Processes can place inotify handles on file system objects (directories, files)
  - Notification upon change to monitored objects
- inotify handles to be placed in /data/data/ and all subdirectories


Page 16: An Antivirus API for Android Malware Recognition

Approach (Antivirus API): File operations: regular expressions for signatures and heuristics

- Most detection techniques can be formulated as regular expressions
  - Signatures
  - Some static heuristics (regexes matching opcodes)
  - Feature extraction with offsets: regexes with offsets
- "Proxy" for regular expressions
  - API takes signatures in the form of regexes, responds "true" if match, "false" if no match


Page 17: An Antivirus API for Android Malware Recognition

Approach (Antivirus API): File operations: hashes

- Hashes on desktop/server platforms: very limited effectiveness
  - Exploit kits, drive-by infections, droppers, personalized malware, morphic code
  - Too many variations of one family, sample numbers too high
- Mobile platforms: much more useful
  - Centralized distribution (thus also almost no personalized malware), virtually no app compromising/infection, virtually no drive-by infections, sandboxing prohibits morphing code
- Allow hashes for arbitrary file system objects
- Feature extraction/fast matching/no-matching: hashes from definable offsets
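The traversal (pages 12 to 14) and file-operation calls (pages 16 and 17) sketched together as an added Python example; this is not the paper's implementation, which is a platform-level interface, and all class and function names, the sample tree, the marker string and the key are constructed here. Aliases are an HMAC-SHA256 of the path truncated to 32 hex digits, to mirror Listing 2, standing in for the talk's database/trapdoor options; the system side answers only with handles, booleans and hashes, so the AV side never sees a path or a file byte.

```python
import hashlib, hmac, os, re, tempfile
class AntivirusInterface:
    """System side. The AV side only receives 32-hex alias handles, booleans and hashes; real
    paths and file bytes stay here. Alias = HMAC-SHA256(path) is our stand-in for the talk's
    database/trapdoor options; the key never leaves this class, so aliases cannot be inverted."""
    def __init__(self, root, key):
        self.root, self.key, self.table = os.path.abspath(root), key, {}   # table: alias -> path
    def _alias(self, path):
        a = hmac.new(self.key, path.encode(), hashlib.sha256).hexdigest()[:32]
        self.table[a] = path
        return a
    def entry_point(self):            # handle for the scan root, e.g. /data/data/ in the talk
        return self._alias(self.root)
    def list_dir(self, alias):
        """ls equivalent: (index, type, alias) rows; p = parent, d = directory, f = file."""
        path = self.table[alias]
        rows = [(0, "p", self._alias(path if path == self.root else os.path.dirname(path)))]
        for e in sorted(os.scandir(path), key=lambda e: e.name):
            rows.append((len(rows), "d" if e.is_dir(follow_symlinks=False) else "f", self._alias(e.path)))
        return rows
    def regex_match(self, alias, pattern):
        """Regex proxy: the signature goes in, only True/False comes out."""
        with open(self.table[alias], "rb") as f:
            return re.search(pattern, f.read(), re.DOTALL) is not None
    def hash_at(self, alias, offset=0, length=None):
        """SHA-256 of a whole file or of a definable offset range (fast matching/no-matching)."""
        with open(self.table[alias], "rb") as f:
            f.seek(offset)
            return hashlib.sha256(f.read(-1 if length is None else length)).hexdigest()

def scan(api, alias, signature):
    """AV side: depth-first traversal through alias handles only (cd = recurse into a d row)."""
    hits = []
    for _, kind, a in api.list_dir(alias)[1:]:      # row 0 is the parent entry
        if kind == "d":
            hits += scan(api, a, signature)
        elif api.regex_match(a, signature):
            hits.append(a)
    return hits

def demo():
    """Constructed tree: a benign native library plus a dropped binary with a constructed marker."""
    root = tempfile.mkdtemp()
    files_dir = os.path.join(root, "com.example.app", "files")
    os.makedirs(files_dir)
    for name, data in (("libhelper.so", b"\x7fELF" + b"\x01" * 60),
                       ("cache.bin", b"\x7fELF" + b"\x00" * 12 + b"CONSTRUCTED_MALWARE_MARKER")):
        with open(os.path.join(files_dir, name), "wb") as f:
            f.write(data)
    api = AntivirusInterface(root, key=b"system-secret, never handed to the AV app")
    return api, scan(api, api.entry_point(), rb"\A\x7fELF.{12}CONSTRUCTED_MALWARE_MARKER")
```

Symbolic links are deliberately not followed in list_dir, since a link planted inside /data/data/ could otherwise pull the scan outside the intended subtree.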


Page 18: An Antivirus API for Android Malware Recognition

Approach (Antivirus API): Securing access to the interface

- Widespread access to the device → tight access control
- Whitelist based: check the signing keys of the package requesting access to the AV interface
  - Include signing keys of verified AV companies in the whitelist
  - Feasible effort: less than 50 AV providers



Page 20: An Antivirus API for Android Malware Recognition

Discussion: Implementation details

- File system access backend: POSIX 1003.1e ACLs to provide read-only access to the interface for either the whole file system or a subtree such as /data/data/
- Possible addition: dynamic heuristics
  - chroot environment, or write/network access interception + strings, strace, ltrace
  - However, cloud analysis is more effective, carries lower risks and is not bound by the device's limited resources
- Risk: file content disclosure through incremental regex construction
  - Unlikely, as only trusted apps will have access to the interface
  - Secure multi-party computation techniques for privacy-preserving regex matching [3]



Page 22: An Antivirus API for Android Malware Recognition

Conclusion

- Devised interface allows for:
  - Signature-based detection
  - Static heuristics
  - (Limited) feature extraction/fast matching/no-matching
  - On-demand file system scanning
  - Live file system change monitoring
  - All of the above without disclosing file system names (paths) or file contents
- Interface only grants access to trusted AV software
- Novelty: on-device malware detection comparable to that of non-mobile platforms
  - Previously only tests of package installation files
  - AV completely blind to 99% of the file system


Page 23: An Antivirus API for Android Malware Recognition

Bibliography

[1] X. Jiang. New GappII Trojan Found in Alternative Android Markets, April 27, 2012. http://www.csc.ncsu.edu/faculty/jiang/GappII/ (accessed 18.02.2013).

[2] X. Jiang. New RootSmart Android Malware Utilizes the GingerBreak Root Exploit, February 3, 2012. http://www.csc.ncsu.edu/faculty/jiang/RootSmart/.

[3] F. Kerschbaum. Practical private regular expression matching. In Security and Privacy in Dynamic Environments, pages 461–470. Springer, 2006.

[4] Y. Zhou and X. Jiang. Dissecting Android malware: Characterization and evolution. In 2012 IEEE Symposium on Security and Privacy (SP), pages 95–109, May 2012.


Page 24: An Antivirus API for Android Malware Recognition

Contact Information

Rafael Fedler, [email protected]

Group Mobile Security
Department Service & Application Security

Fraunhofer Research Institution for Applied and Integrated Security (AISEC)

Address: Parkring 4, 85748 Garching (near Munich), Germany

Internet: http://www.aisec.fraunhofer.de

Phone: +49 89 3229986-173
Fax: +49 89 3229986-299
E-Mail: [email protected]
