CopperDroid: Automatic Reconstruction of Android Malware Behaviors
Kimberly Tam, Salahuddin J. Khan,
Aristide Fattori, Lorenzo Cavallaro
Systems Security Research Lab and Information Security Group
Royal Holloway University of London
Authors
Both are doctoral students.
Conference: NDSS 2015
• The 2015 Network and Distributed System Security Symposium (NDSS)
• 08-11 February 2015 in San Diego, California.
• CCF Network and Information Security Class-B conference
CopperDroid
• Meaning of Copper
• Closed source
• Donation from Intel Security (McAfee Labs)
Introduction
• Traditional system call analysis misses high-level Android-specific semantics.
• It fails to reconstruct inter-process communication (IPC) and remote procedure calls (RPC).
• CopperDroid automatically performs out-of-the-box (VMI-based) dynamic analysis and reconstructs the behaviors of Android malware.
• Supports the Dalvik VM and ART (Android 5.0), on both x86 and ARM.
Introduction
• Real value: recreates complex Android objects to enrich the semantics of the reconstructed OS- and Android-specific behaviors.
• Three contributions:
• Automatic IPC unmarshalling
• Value-based data flow analysis
• Behavioral reconstruction (combines system calls and Binder transactions)
Background: Android System
• Sandbox for each application
• Every APK can be decomposed into one or more components (Activity, Service, Broadcast Receiver…)
• Binder, IPC, RPC
• Android Interface Definition Language (AIDL)
CopperDroid Architecture
CopperDroid Overall Architecture
Automatic IPC Unmarshalling
• Unmarshalling Oracle
• A Java application
• Input: Binder method signature
• Input: marshalled parcel blob
• Output: custom representation of the method
• Output: all parameter values
• First approach to carry out a detailed analysis of such communication channels.
• The Unmarshalling Oracle returns the unmarshalled method and parameters to the analyser.
• AIDL parser (interface parser)
• Stub (client)
• Proxy (server)
• Unmarshalling Oracle implementation
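To make the Unmarshalling Oracle's job concrete, here is an added example (not CopperDroid's own code) of the same idea in Python: given a Binder interface name, a transaction code and the raw parcel bytes, look up the method signature and walk the blob field by field to recover every parameter value. The signature table, the transaction code 5 and the sample SMS values are constructed for the demo; the parcel layout assumed here is int32 little-endian fields, string16 as an int32 code-unit count followed by UTF-16LE text, a 2-byte terminator and 4-byte padding, and a header of int32 strict-mode flags followed by the string16 interface token. Truncated or mismatched parcels raise instead of yielding garbage, which is the failure mode an analyser has to handle.

```python
import struct


def _pad4(n: int) -> int:
    """Round n up to the next multiple of 4 (Parcel fields are 4-byte aligned)."""
    return (n + 3) & ~3


class ParcelWriter:
    """Builds a marshalled blob; used here only to construct sample input."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def write_int32(self, v: int) -> None:
        self.buf += struct.pack("<i", v)

    def write_string16(self, s) -> None:
        if s is None:
            self.write_int32(-1)            # a null string is encoded as length -1
            return
        data = s.encode("utf-16-le")
        self.write_int32(len(data) // 2)    # length in UTF-16 code units
        body = data + b"\x00\x00"           # 2-byte terminator
        self.buf += body + b"\x00" * (_pad4(len(body)) - len(body))


class ParcelReader:
    """Cursor over a marshalled blob; raises ValueError on truncated input."""

    def __init__(self, blob: bytes) -> None:
        self.blob, self.pos = blob, 0

    def read_int32(self) -> int:
        if self.pos + 4 > len(self.blob):
            raise ValueError("truncated parcel: int32 at offset %d" % self.pos)
        (v,) = struct.unpack_from("<i", self.blob, self.pos)
        self.pos += 4
        return v

    def read_string16(self):
        n = self.read_int32()
        if n < 0:
            return None
        nbytes = 2 * n
        if self.pos + nbytes + 2 > len(self.blob):
            raise ValueError("truncated parcel: string16 at offset %d" % self.pos)
        s = self.blob[self.pos:self.pos + nbytes].decode("utf-16-le")
        self.pos += _pad4(nbytes + 2)       # skip text, terminator and padding
        return s


# Constructed signature table: interface -> transaction code -> (method, params).
# CopperDroid derives this from the AIDL interfaces; the code 5 here is made up.
SIGNATURES = {
    "com.android.internal.telephony.ISms": {
        5: ("sendText", [("destAddr", "String"), ("scAddr", "String"), ("text", "String")]),
    },
}

READERS = {"int": ParcelReader.read_int32, "String": ParcelReader.read_string16}


def unmarshal(interface: str, code: int, blob: bytes) -> dict:
    """Oracle step: recover method name and all parameter values from a parcel.
    Assumed header: int32 strict-mode flags, then the string16 interface token."""
    method, params = SIGNATURES[interface][code]   # KeyError for unknown methods
    r = ParcelReader(blob)
    r.read_int32()                                  # strict-mode policy flags (ignored)
    token = r.read_string16()
    if token != interface:
        raise ValueError("interface token mismatch: %r" % token)
    args = {name: READERS[ty](r) for name, ty in params}
    return {"method": method, "args": args, "consumed": r.pos, "total": len(blob)}


def build_sample_sendtext(dest, sc, text) -> bytes:
    """Constructed sample parcel for ISms.sendText (demo input, not a capture)."""
    w = ParcelWriter()
    w.write_int32(0)
    w.write_string16("com.android.internal.telephony.ISms")
    for v in (dest, sc, text):
        w.write_string16(v)
    return bytes(w.buf)


if __name__ == "__main__":
    blob = build_sample_sendtext("+15550000000", None, "hello")
    print(unmarshal("com.android.internal.telephony.ISms", 5, blob))
```

The `consumed`/`total` pair is worth checking on every transaction: bytes left over after the last declared parameter mean the signature table and the binary on the device disagree, which is exactly the case where an analyser should flag the call rather than trust the reconstruction.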
Observed Behaviors
App Stimulation
• Some behaviors only take place when the app receives a Binder message (for example, a broadcast).
• They cannot be triggered from MainActivity alone.
• Read the Manifest, then inject events such as phone calls and reception of SMS.
• Broadcast receivers registered dynamically at run-time can also be detected.
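The manifest-reading half of the stimulation step, as an added example in Python (not CopperDroid's code): parse a decoded AndroidManifest.xml, list every statically declared broadcast receiver with the actions it filters on, and map those actions to the events the sandbox would inject. The manifest text and receiver names are constructed, and the action-to-stimulus table is an assumption limited to the two events the slides name (phone call, SMS); actions with no known stimulus are reported separately so the gap is visible. Receivers registered at run-time with registerReceiver() never appear in the manifest, which is why the slides add run-time detection on top.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(name: str) -> str:
    """Fully qualified android: attribute name for ElementTree lookups."""
    return "{%s}%s" % (ANDROID_NS, name)


# Assumed mapping from intent-filter action to the event a sandbox injects.
STIMULI = {
    "android.provider.Telephony.SMS_RECEIVED": "inject incoming SMS",
    "android.intent.action.PHONE_STATE": "inject incoming phone call",
}


def find_receivers(manifest_xml: str):
    """Return [(receiver class, [actions])] for each enabled, statically declared
    <receiver>. Dynamically registered receivers are only visible at run-time."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    result = []
    for rcv in app.findall("receiver"):
        if rcv.get(_attr("enabled"), "true") == "false":
            continue                        # disabled component: nothing to stimulate
        actions = [act.get(_attr("name"))
                   for flt in rcv.findall("intent-filter")
                   for act in flt.findall("action")]
        result.append((rcv.get(_attr("name")), actions))
    return result


def plan_stimulation(manifest_xml: str):
    """Return (plan, unmatched): plan maps a stimulus to the receivers it should
    wake, unmatched lists (receiver, action) pairs with no known stimulus."""
    plan, unmatched = {}, []
    for name, actions in find_receivers(manifest_xml):
        for act in actions:
            if act in STIMULI:
                plan.setdefault(STIMULI[act], []).append(name)
            else:
                unmatched.append((name, act))
    return plan, unmatched


# Constructed manifest, already decoded to text. A real APK stores the manifest
# as binary XML, which has to be decoded first (e.g. with apktool).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application android:label="Sample">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Disabled" android:enabled="false">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    plan, unmatched = plan_stimulation(SAMPLE_MANIFEST)
    for stimulus, receivers in plan.items():
        print("%-28s -> %s" % (stimulus, ", ".join(receivers)))
    for name, act in unmatched:
        print("no stimulus for %s (%s)" % (act, name))
```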
Value-based Data Flow Analysis and Reconstruct Behaviors
Evaluation
Conclusion
• CopperDroid is a VM-based, dynamic, system call-centric analysis and stimulation technique that uniformly and automatically reconstructs the behaviors of Android malware.
• Deserializing IPC and RPC interactions is key to reconstructing both OS- and Android-specific behaviors from a system-level observation point.
• Evaluated on 2900 real-world Android malware samples, showing the discovery of additional behaviors.