>>> Android Malware
Name: Rob Brandon
Date: May 8, 2017
[~]$ _ [1/22]
>>> Contents
1. Android Overview
2. Tools for Analyzing Android Malware
3. Challenges When Analyzing Android Malware
4. Android Malware Examples
[~]$ _ [2/22]
>>> Malware on Phones?!
Android malware has been a problem for several years and is increasingly prevalent. Security firm G Data is currently finding 8400 new Android malware samples per day.[1]
[1] https://blog.gdatasoftware.com/2017/04/29712-8-400-new-android-malware-samples-every-day
[1. Android Overview]$ _ [3/22]
>>> Why Android?
Android is currently by far the global market leader for smart phones.
Many phones are never updated from the OS they are running when sold - only 4.9% of Android users are running the current version according to Google statistics
Vetted app stores are not available in all countries
While most malware targets Android today, malware for iOS and other mobile OSes does exist
[1. Android Overview]$ _ [4/22]
>>> Android Basics
The Android system has more levels of abstraction than desktop operating systems
Malware can target any of these levels
[1. Android Overview]$ _ [5/22]
>>> Mobile Malware
Phone malware comes in all the same varieties as PC malware
Mobile also introduces new possibilities for malicious behavior:
* GPS tracking
* Accelerometer
* SMS C&C
* and more
[1. Android Overview]$ _ [6/22]
>>> Mobile Constraints
Mobile malware has the same constraints as other mobile software:
* Limited power
* Limited bandwidth
* Limited permissions, without exploits
[1. Android Overview]$ _ [7/22]
>>> Infection Vectors
Similar to PC malware, with some important differences
Usually requires side-loading to be enabled on the device:
* Phishing
* Third party app stores
* Exploit kits
[1. Android Overview]$ _ [8/22]
>>> APK Format
APKs are Zip files with a defined structure
All APK files contain the following, at a minimum:
* Hashes of all files in the APK
* Signer certificate (can be self-signed)
* AndroidManifest.xml
* classes.dex
The APK will also contain any other files needed by the app, such as icons, HTML, etc.
[1. Android Overview]$ _ [9/22]
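Because an APK is just a Zip archive, a first triage pass can be done with the standard library alone: list the entries, confirm the minimum set named above is present, and recompute the per-file hashes recorded in META-INF/MANIFEST.MF (the v1 "hashes of all files" entry) to spot files altered after signing. This is an added example, not code from the talk; the APK it inspects is constructed in memory and the certificate entry is a labelled placeholder.

```python
"""Triage an APK as a Zip archive: check required entries and verify the
per-file SHA-256 digests recorded in META-INF/MANIFEST.MF (v1 signing).
Added example; the sample APK is constructed below, not a real app."""
import base64
import hashlib
import io
import zipfile

REQUIRED = ("AndroidManifest.xml", "classes.dex", "META-INF/MANIFEST.MF")


def parse_manifest_mf(text):
    """Return {zip entry name: base64 SHA-256 digest} from a MANIFEST.MF body."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
            name = None
    return digests


def triage_apk(apk_bytes):
    """Return (missing required entries, entries whose recorded digest is wrong)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        missing = [n for n in REQUIRED if n not in names]
        mismatched = []
        if "META-INF/MANIFEST.MF" in names:
            recorded = parse_manifest_mf(zf.read("META-INF/MANIFEST.MF").decode())
            for entry, digest in recorded.items():
                # A listed file that is missing or hashes differently was changed
                # after signing; v1 signing does not cover files absent from the MF.
                if entry not in names:
                    mismatched.append(entry)
                    continue
                actual = base64.b64encode(hashlib.sha256(zf.read(entry)).digest())
                if actual.decode() != digest:
                    mismatched.append(entry)
        return missing, mismatched


def build_sample_apk(tamper=False):
    """Constructed minimal APK-like Zip; tamper=True edits classes.dex after signing."""
    files = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
    mf = "Manifest-Version: 1.0\n\n"
    for n, data in files.items():
        d = base64.b64encode(hashlib.sha256(data).digest()).decode()
        mf += f"Name: {n}\nSHA-256-Digest: {d}\n\n"
    if tamper:
        files["classes.dex"] = b"dex\n035\x00PATCHED"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, data in files.items():
            zf.writestr(n, data)
        zf.writestr("META-INF/MANIFEST.MF", mf)
        zf.writestr("META-INF/CERT.RSA", b"<constructed placeholder, not a real cert>")
    return buf.getvalue()
```

Point `triage_apk` at the bytes of a real APK to get the same two lists; a non-empty second list is a cue that the archive was edited after signing.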
>>> Android Manifest
Contains the permissions required by the app
Also contains the default activity for the app (a.k.a. the program entry point) and the intent handlers
[1. Android Overview]$ _ [10/22]
>>> Classes.dex
The old Android runtime used the Dalvik VM to run bytecode.
The current Android RunTime (ART) compiles the classes.dex when the app is installed.
[1. Android Overview]$ _ [11/22]
>>> Mobile AV
AV software for mobile devices has significant limitations
Unlike PC AV, mobile AV runs in a sandbox with limited privileges - it cannot observe other apps as they run
[1. Android Overview]$ _ [12/22]
>>> Decompilers
Can usually decompile Dalvik bytecode
Commercial decompiler: JEB
Free Options: dex2jar with JD-GUI, apktool, jadx, many others
[2. Tools for Analyzing Android Malware]$ _ [13/22]
>>> Packing
Proguard is bundled with the SDK from Google
More sophisticated packers are available, such as Dexguard
Dynamic loading/packing is often required due to limits of the Android file format (primarily the 16k method limit in the DEX format)
[3. Challenges When Analyzing Android Malware]$ _ [14/22]
>>> Packing - continued
Code can also be packed at the assembly level.
The Towelroot exploit was initially delivered using code obfuscated with O-LLVM to increase the time it would take for outsiders to repurpose the exploit.
Lack of dynamic analysis tools makes this kind of obfuscation tedious to break
[3. Challenges When Analyzing Android Malware]$ _ [15/22]
>>> Limited Dynamic Analysis Tools
The Qemu-based emulator is the most common. It is the only solution for running ARM
Other emulators are available, but none are focused on malware analysis
None allow easy introspection or debugging
[3. Challenges When Analyzing Android Malware]$ _ [16/22]
>>> Lab Setup Is Challenging
A full lab requires a working, instrumented mock-up of both the cell network and wifi
Requires EM isolation to avoid interfering with other users
[3. Challenges When Analyzing Android Malware]$ _ [17/22]
>>> Operation Emmental
Used a combination of spearphishing to get banking creds along with an Android app to intercept 2FA codes sent by SMS.[2]
[2] http://www.bankinfosecurity.com/malware-bypasses-2-factor-authentication-a-7090
[4. Android Malware Examples]$ _ [18/22]
>>> Dualtoy
Windows malware that pushes Android malware onto phones connected to the PC.[3]
[3] http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/
[4. Android Malware Examples]$ _ [19/22]
>>> Android:Ssucl
And the reverse: Android malware that uses USB Autorun to infect Windows machines.[4]
[4] https://blog.avast.com/2013/02/08/malware-infects-android-and-windows-at-the-same-time/
[4. Android Malware Examples]$ _ [20/22]
>>> Orbot malware
Android malware that uses Tor .onion domains for C&C.[5]
[5] https://securelist.com/blog/incidents/58528/the-first-tor-trojan-for-android/
[4. Android Malware Examples]$ _ [21/22]
>>> Godless Exploit Kit
Able to infect over 90% of Android phones as of December 2016.[6]
[6] http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/
[4. Android Malware Examples]$ _ [22/22]