![Page 1: AndroTotal: A Scalable Framework for Android Antivirus Testing](https://reader033.vdocument.in/reader033/viewer/2022051817/5478f755b37959822b8b45f2/html5/thumbnails/1.jpg)
ANDROTOTAL: A SCALABLE FRAMEWORK FOR ANDROID ANTIMALWARE TESTING
SECURE 2013
Federico Maggi, Andrea Valdi, Stefano Zanero
Politecnico di Milano, DEIB

ROADMAP
1. Android threats and protections
2. Limitations
3. Testing antimalware
4. AndroTotal
5. Status

1. ANDROID THREATS AND PROTECTIONS
2. LIMITATIONS
3. TESTING ANTIMALWARE
4. ANDROTOTAL
5. STATUS

ANDROID FACTS
Rich marketplaces stocked with apps
Very attractive target for attackers
Android is the most popular mobile platform (79%)

ATTACKERS' GOALS
Steal sensitive data (intercept texts or calls)
Turn devices into bots (perform malicious actions)
Financial gain (call or text premium numbers)

GROWTH OF MALICIOUS APPS (2011—2012)
http://blog.trendmicro.com/trendlabs-security-intelligence/byod-a-leap-of-faith-for-enterprise-users/

NUMBER OF MOBILE "THREATS" (Q1 2013)
Symantec: ~3,900
McAfee: ~60,000
TrendMicro: ~509,000
Google @ VB2013: Situation is vastly exaggerated

GOOGLE'S LAYERED SECURITY APPROACH
Google Play vetting
Install and permission confirmation
SMS/call blacklisting and quota
Runtime checks (?)
App sandboxing

APP SANDBOXING
"Sensitive" operations require static permissions

1. THREATS AND PROTECTIONS
2. LIMITATIONS
3. TESTING ANTIMALWARE
4. ANDROTOTAL
5. STATUS

ANTIMALWARE LIMITATIONS
No primitives for auditing running processes
Workarounds:
  Signature-based matching
  Custom kernel (e.g., intercept syscalls)
  Root the device and increase the antimalware's privileges

MALWARE LIMITATIONS
Less freedom: malware is an isolated app itself
Workarounds:
  Social engineering
  Signature evasion

SIGNATURE EVASIONMORE VARIANTS THAN DISTINCT FAMILIES
http://go.eset.com/us/resources/white-papers/Trends_for_2013_preview

SIGNATURE EVASION
OBFUSCATION, ENCRYPTION, REPACKAGING
Based on this research we implemented 11 mutation scripts.
ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-Virus Systems, DIMVA 2013
DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks, AsiaCCS 2013

1. THREATS AND PROTECTIONS
2. LIMITATIONS
3. TESTING ANTIMALWARE
4. ANDROTOTAL
5. STATUS

ANTIMALWARE PRODUCTSAbout 100 (free) antimalware appsExtra features on rooted devices

HOW TO TEST THEM?
1. Obtain M samples of known malware
2. Apply T transformations to each sample
3. Analyze M × T variants with P antimalware apps
4. Repeat for each of the A Android versions

NUMBERS
M = 1,000 (very conservative)
T = 11
P = 100
A = 3 (2.3, 4.1, 4.2)
1,000 × 11 × 100 × 3 = 3,300,000 TESTS

LACK OF AUTOMATION TOOLS
VIRUSTOTAL.COM?
Command-line, desktop-based AVs with signatures for Android
Unclear whether the same signatures will work on the respective mobile products
No versioning support

STATE OF THE ART
H. Pilz, "Building a test environment for Android anti-malware tests," Virus Bulletin Conference '12
  Human oracle is needed
M. Zheng, P. P. C. Lee, and J. C. S. Lui, "ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-Virus Systems," DIMVA '12
  Focus on transformation
V. Rastogi, Y. Chen, and X. Jiang, "DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks," AsiaCCS '13
  Focus on transformation

TECHNICAL REQUIREMENTS
Scalable architecture
Android antimalware products are UI driven

1. THREATS AND PROTECTIONS
2. LIMITATIONS
3. TESTING ANTIMALWARE
4. ANDROTOTAL
5. STATUS

SDK for writing UI tests/scrapers
Pluggable adapters for each antimalware
Parametric tests (e.g., version, platform)
Task queues with distributed workers

CHARACTERISTICS
Web frontend for humans
JSON/REST API for machines
Pluggable code-transformation modules
Works on both emulators and physical devices

WRITING TESTS WAS TEDIOUS
We have abstracted away the low-level details, so that we can focus on the important things: extracting the results.

ANDROPILOT
TEST RECIPE (ON-INSTALL DETECTION)

```python
# andrototal-adapters/ComZonerAndroidAntivirus.py
import base  # AndroTotal SDK base classes, referenced on the slide as `base`


class TestSuite(base.BaseTestSuite):
    def on_install_detection(self, sample_path):
        # Installing the sample triggers the product's on-install scan.
        self.pilot.install_package(sample_path)
        # Wait up to 10 s for the scan-results activity to reach the foreground.
        if self.pilot.wait_for_activity(
                "com.zoner.android.antivirus_common.ActScanResults", 10):
            # The "infected" row exists only when the sample was flagged.
            result = self.pilot.get_view_by_id("scaninfected_row_virus")
        else:
            result = False
        return result
```

TEST RECIPE (ON-DEMAND DETECTION)

```python
# ...
    def on_demand_detection(self, sample_path):
        self.pilot.install_package(sample_path)
        # Open the product's main screen and wait for it to appear.
        self.pilot.start_activity("com.zoner.android.antivirus", ".ActMain")
        self.pilot.wait_for_activity("com.zoner.android.antivirus.ActMain")
        # Tap the malware-scan entry in the main menu.
        self.pilot.tap_on_coordinates(120, 130)
        self.pilot.wait_for_activity("com.zoner.android.antivirus.ActMalware")
        # start scan
        self.pilot.tap_on_coordinates(120, 80)
        self.pilot.wait_for_activity(
            "com.zoner.android.antivirus_common.ActScanResults")
        self.pilot.refresh()
        # ...
```

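The recipes above drive the real antimalware app through its UI and read the verdict back from the screen. The following added example (not code from the slides or from the AndroTotal SDK) replaces the device with a scripted timeline of foreground activities so that the adapter pattern, the wait timeout and the result extraction can be exercised offline; `FakePilot`, `BaseTestSuite`, `ZonerStyleAdapter` and `run_detection` are names assumed for this example. It also shows the distinction a practitioner wants in the stored verdict: a results screen that never appears is a timeout, not a clean sample.

```python
"""Scripted-UI adapter run against a simulated device (added example, not AndroTotal code)."""


class FakePilot:
    """Constructed stand-in for the device driver (assumed API, modelled on the recipe).

    timeline: {virtual seconds: activity name} for activities that reach the
    foreground; views: {activity name: set of view ids visible on that screen}.
    """

    def __init__(self, timeline, views):
        self.timeline = sorted(timeline.items())
        self.views = views
        self.clock = 0.0
        self.log = []

    def install_package(self, path):
        self.log.append(("install", path))

    def wait_for_activity(self, name, timeout=10):
        """Advance the virtual clock until `name` is foregrounded or the timeout elapses."""
        deadline = self.clock + timeout
        for t, activity in self.timeline:
            if activity == name and self.clock <= t <= deadline:
                self.clock = t
                return True
        self.clock = deadline
        return False

    def current_activity(self):
        shown = [a for t, a in self.timeline if t <= self.clock]
        return shown[-1] if shown else None

    def get_view_by_id(self, view_id):
        """Return the view id if it is on the current screen, else None."""
        if view_id in self.views.get(self.current_activity(), set()):
            return view_id
        return None


class BaseTestSuite:
    def __init__(self, pilot):
        self.pilot = pilot


class ZonerStyleAdapter(BaseTestSuite):
    """Same logic as the on-install recipe on the slide, returning the raw result."""
    RESULTS_ACTIVITY = "com.zoner.android.antivirus_common.ActScanResults"
    INFECTED_ROW = "scaninfected_row_virus"

    def on_install_detection(self, sample_path):
        self.pilot.install_package(sample_path)
        if self.pilot.wait_for_activity(self.RESULTS_ACTIVITY, 10):
            return self.pilot.get_view_by_id(self.INFECTED_ROW)
        return False


def run_detection(adapter_cls, pilot, sample_path):
    """Turn the adapter's raw answer into a verdict record the backend can store.

    A missing results screen is reported as "timeout", not "clean": counting it
    as clean would silently inflate the product's false-negative rate.
    """
    raw = adapter_cls(pilot).on_install_detection(sample_path)
    if raw is False:
        verdict = "timeout"
    elif raw is None:
        verdict = "clean"
    else:
        verdict = "detected"
    return {"sample": sample_path, "verdict": verdict, "elapsed_s": pilot.clock}


RESULTS = ZonerStyleAdapter.RESULTS_ACTIVITY
INFECTED = ZonerStyleAdapter.INFECTED_ROW


def make_scenarios():
    """Constructed device timelines: flagged, scanned-but-clean, and scan never shown."""
    return {
        "detected": FakePilot({3.0: RESULTS}, {RESULTS: {INFECTED}}),
        "clean": FakePilot({2.0: RESULTS}, {RESULTS: set()}),
        "timeout": FakePilot({15.0: RESULTS}, {RESULTS: {INFECTED}}),
    }


def run_all():
    return {name: run_detection(ZonerStyleAdapter, pilot, "sample.apk")
            for name, pilot in make_scenarios().items()}


if __name__ == "__main__":
    for name, record in run_all().items():
        print(name, record)
```

The adapter body is deliberately identical to the slide's recipe; only the pilot is swapped, which is the property that makes per-product adapters pluggable and testable without a device.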
WORKFLOW
1. Retrieve a suspicious APK
2. Choose parameters
   Android version(s)
   List of antimalware products and versions
   Apply chain of mutations
3. Pull clean image(s) from repository
4. Instantiate one test per combination of
   Android version
   Product version
5. Enqueue test instances

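Steps 2 to 5 of the workflow, together with the M × T × P × A estimate from the NUMBERS slide, are the part of the system a practitioner has to size. The added example below (not code from the slides or from AndroTotal) expands the chosen parameters into one test instance per combination, groups the instances by the clean image they need, and deals the queues out to workers; the data class, the queue key and the mutation names (`obfuscate`, `encrypt`, taken from the slide's categories) are assumptions, and the sample ids are the resource ids shown on the CLI slide, used here only as opaque identifiers.

```python
"""Test-matrix expansion and enqueueing (added example, not AndroTotal code)."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class TestInstance:
    sample_id: str
    android_version: str
    product: str
    product_version: str
    mutation_chain: tuple   # ordered transformations applied before testing; () = original APK


def expand_tests(sample_ids, android_versions, products, mutation_chains):
    """Instantiate one test per (sample, Android version, product version, mutation chain).

    products is a list of (name, version) pairs; mutation_chains is a list of
    sequences of transformation names.
    """
    return [
        TestInstance(s, av, prod, pver, tuple(chain))
        for s, av, (prod, pver), chain
        in product(sample_ids, android_versions, products, mutation_chains)
    ]


def matrix_size(m, t, p, a):
    """The slide's estimate: M samples x T transformations x P products x A versions."""
    return m * t * p * a


def enqueue(tests):
    """Group instances by the clean image they run on (Android version + product build).

    A worker that has booted one image can drain that whole queue without
    restoring a fresh snapshot between products.
    """
    queues = defaultdict(list)
    for t in tests:
        image = f"android-{t.android_version}/{t.product}-{t.product_version}"
        queues[image].append(t)
    return dict(queues)


def assign_workers(queues, n_workers):
    """Deal image queues to workers, largest queue first, always to the least loaded worker."""
    load = [0] * n_workers
    assignment = [[] for _ in range(n_workers)]
    for image, tests in sorted(queues.items(), key=lambda kv: -len(kv[1])):
        w = load.index(min(load))
        assignment[w].append(image)
        load[w] += len(tests)
    return assignment, load


# Constructed parameters for a small run.
SAMPLES = ["10a6f3efc8bc40c1922facde7d055208", "e870c6748ca3409f84c9c9e1a91daf3f"]
ANDROID_VERSIONS = ["2.3", "4.1"]
PRODUCTS = [("zoner", "1.8.0"), ("zoner", "1.7.6"), ("avast", "2.0.3917")]
CHAINS = [(), ("obfuscate",), ("obfuscate", "encrypt")]   # hypothetical mutation names


def demo():
    tests = expand_tests(SAMPLES, ANDROID_VERSIONS, PRODUCTS, CHAINS)
    queues = enqueue(tests)
    assignment, load = assign_workers(queues, 4)
    return tests, queues, assignment, load


if __name__ == "__main__":
    tests, queues, assignment, load = demo()
    print(len(tests), "tests over", len(queues), "images; worker load:", load)
    print("full-scale estimate:", matrix_size(1000, 11, 100, 3))
```

Keying the queue on the image rather than on the sample is what lets the number of emulator boots grow with P × A instead of with the full M × T × P × A matrix.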
ARCHITECTURE
Web frontend
Repository of clean Android images
Asynchronous task dispatcher
Distributed workers

REST/JSON API AND CLIENT
Push (public) and pull (invite only) samples
Python client: https://bitbucket.org/andrototal/tools

```
$ python andrototal_cli.py -l DEBUG scan -at-key <...> -ms-key <...> path/to/sample.apk sample2.apk more/*samples.apk
Running command: scan
Uploading file sample.apk
Scan response: {"resource": "10a6f3efc8bc40c1922facde7d055208"}
Uploading file sample2.apk
Scan response: {"resource": "e870c6748ca3409f84c9c9e1a91daf3f"}
Uploading file 40156a176bb4554853f767bb6647fd0ac1925eac.apk
Scan response: {"resource": "21d6c7234a184db6b8e52f2bab523787"}
Uploading file samples-3.apk
Scan response: {"resource": "ec5b3c94ed624d6993b52a50d63153fa"}
```

SCALABILITY

1. THREATS AND PROTECTIONS
2. LIMITATIONS
3. TESTING ANTIMALWARE
4. ANDROTOTAL
5. STATUS

NUMBERS
1,275 users subscribed
13 antimalware vendors supported (not all public)
16 products overall (not all public)
23,215 distinct APKs submitted and analyzed

SUPPORTED APPS (PUBLIC)
ZONER, Inc. - Zoner AntiVirus Free 1.8.0
ZONER, Inc. - Zoner AntiVirus Free 1.7.6
AVAST Software - avast! Mobile Security 2.0.3917
Doctor Web, Ltd - Dr.Web Anti-virus Light (free) 7.00.3
Kaspersky Lab - Kaspersky Mobile Security Lite 9.36.28
Kaspersky Lab - Kaspersky Mobile Security 10.4.41
Trend Micro - Mobile Security & Antivirus 2.6.2
Trend Micro - Mobile Security & Antivirus 3.1
NortonMobile - Norton Security & Antivirus 3.2.0.769
NortonMobile - Norton Security & Antivirus 3.3.4.970

| Label | # |
|---|---|
| UDS:DangerousObject.Multi.Generic | 3963 |
| HEUR:Trojan-SMS.AndroidOS.Opfake.bo | 1252 |
| not a virus Adware.Airpush.origin.7 | 701 |
| AndroidOS Opfake.CTD | 700 |
| HEUR:Trojan-SMS.AndroidOS.Opfake.a | 628 |
| Android.SmsSend.origin.281 | 620 |
| Android:FakeNotify-A [Trj] | 620 |
| HEUR:Trojan-SMS.AndroidOS.FakeInst.a | 512 |
| Android.SmsSend.origin.315 | 485 |
| HEUR:Backdoor.AndroidOS.KungFu.a | 466 |
| Android.SmsSend.origin.585 | 462 |
| Android.SmsSend.origin.629 | 461 |
| Adware.AndroidOS.Airpush-Gen | 432 |
| HEUR:Backdoor.AndroidOS.BaseBrid.a | 390 |
| AndroidOS Opfake.CTC | 386 |

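The label table mixes several vendors' naming schemes: heuristic prefixes (HEUR:, UDS:), platform tags (Android., AndroidOS, Android:), type tokens (Trojan-SMS, Backdoor, Adware) and variant suffixes (.bo, .a, .CTD, .origin.281, -Gen), so the same family appears under several rows. Comparing vendors, or comparing against VirusTotal labels as the future-work slide proposes, needs the labels collapsed to a family first. The added example below (not code from the slides or from AndroTotal) does that with a token heuristic and aggregates the table's counts per family; the stop-word list and the variant rule are assumptions of this example, and the input is constructed from the table above.

```python
"""Collapse vendor-specific labels into families (added example, not AndroTotal code)."""
import re
from collections import Counter

# Constructed from the label table above: (vendor label, number of APKs carrying it).
LABEL_COUNTS = [
    ("UDS:DangerousObject.Multi.Generic", 3963),
    ("HEUR:Trojan-SMS.AndroidOS.Opfake.bo", 1252),
    ("not a virus Adware.Airpush.origin.7", 701),
    ("AndroidOS Opfake.CTD", 700),
    ("HEUR:Trojan-SMS.AndroidOS.Opfake.a", 628),
    ("Android.SmsSend.origin.281", 620),
    ("Android:FakeNotify-A [Trj]", 620),
    ("HEUR:Trojan-SMS.AndroidOS.FakeInst.a", 512),
    ("Android.SmsSend.origin.315", 485),
    ("HEUR:Backdoor.AndroidOS.KungFu.a", 466),
    ("Android.SmsSend.origin.585", 462),
    ("Android.SmsSend.origin.629", 461),
    ("Adware.AndroidOS.Airpush-Gen", 432),
    ("HEUR:Backdoor.AndroidOS.BaseBrid.a", 390),
    ("AndroidOS Opfake.CTC", 386),
]

# Tokens that name a detection method, platform or type rather than a family
# (assumed stop-word list for this example; extend it per vendor).
NON_FAMILY = {
    "heur", "uds", "not", "a", "virus", "android", "androidos", "trojan",
    "sms", "backdoor", "adware", "multi", "generic", "origin", "gen", "trj",
}


def family_of(label):
    """Return the family token of a vendor label, or 'unknown' if none survives filtering."""
    # Drop a trailing bracketed type tag such as "[Trj]".
    label = re.sub(r"\s*\[[^\]]*\]\s*$", "", label)
    for tok in re.split(r"[.:\s/-]+", label):
        if not tok or tok.lower() in NON_FAMILY:
            continue
        if tok.isdigit():            # ".281" style variant numbers
            continue
        if len(tok) <= 3 and (tok.islower() or tok.isupper()):
            continue                 # variant letters: .bo, .a, .CTD, -A
        return tok
    return "unknown"


def family_totals(label_counts):
    """Aggregate per-label counts into per-family counts."""
    totals = Counter()
    for label, n in label_counts:
        totals[family_of(label)] += n
    return totals


def top_families(label_counts, n=5):
    return family_totals(label_counts).most_common(n)


if __name__ == "__main__":
    for fam, count in top_families(LABEL_COUNTS):
        print(f"{fam:16s} {count}")
```

Run on the table, Opfake and SmsSend each collapse from four rows into one family, which changes the ranking that the raw table suggests; the heuristic is only as good as its stop-word list, so review the `unknown` bucket whenever a new vendor is added.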
AVERAGE SPEED: NO MAJOR WINNER

FUTURE WORK
Add more cores and scale
Compare labels and detection results with VirusTotal.com
Deploy on ARM boards and monitor power consumption
Open malware repository and API: anyone interested?

GRAB A STICKER!
QUESTIONS?
http://andrototal.org
@andrototal_org