Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
DESCRIPTION
This presentation will discuss the resources available to attackers to write Android viruses, including methods of infecting executables, gaining control from the original app and avoiding detection.
TRANSCRIPT
Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
Jimmy Shah
Mobile Security Researcher
Definitions
• Virus
  – Self-replicating program
    • May inject itself into clean programs
    • May have destructive or visible payload
• Worm
  – Self-replicating program that doesn't infect files
  – E.g. Internet, MMS or Bluetooth worms
• Trojan
  – Non-replicating program that pretends to be another
    • May have destructive or visible payload
Viruses on Mobile Platforms
• PalmOS
• Windows Mobile
• Symbian
• Android
Palm OS
• 2000
  – Palm/Phage
    • File infector
      – Overwriter
    • Code resource replaced with virus code
      – Potentially smaller programs
Credit: Niels Heidenreich Creative Commons Attribution licensed.
Windows Mobile
• 2007
  – WinCE/Duts.1536
    • Injected itself into all apps in current directory
      – Asked for permission before running
Windows Mobile
• 2009
  – WinCE/PMCryptic
    • Polymorphic
    • Developed with and only ran within emulator
      – Author didn't understand how to do self-modifying code on ARM
Symbian
• 2004
  – SymbOS/Cabir
    • First worm/malware for Symbian
• 2005
  – SymbOS/Lasco.A
    • File infector
      – Infected SIS installation files
Android
• 2010
  – Android/Fakeplayer.A
    • First trojan
• 20??
  – Android/??????
    • File infector
      – Haven't seen one yet
Android: What do attackers need to build a virus?
Android – What do attackers need to build a virus?
Replication | Infection | Evasion
• Ability to replicate
  • Making copies of itself is easy enough

| Tool | Useful functions |
|---|---|
| File managers | Move, copy, delete files |
| File transfer programs | Network copy, delete files |
Android – What do attackers need to build a virus?
• Ability to inject code into clean apps
  – This has been done manually in numerous trojans:
    • Android/Geinimi
    • Android/Jmsonez
    • Android/PJApp
    • Android/SteamyScr
    • Android/HippoSMS
    • Android/GoldDream
    • Android/J.SMSHider
    • Android/DroidKungfu
  – Automating this saves them work and makes actual viruses
Android – What do attackers need to build a virus?
• Locate code
  – Apps are in APKs.
    • APKs are zip files
    • App code is in classes.dex files.
• Modify Dex files
  – Format is documented
    • http://source.android.com/tech/dalvik/dex-format.html
  – Multiple tools

| Tool | Use |
|---|---|
| Smali/baksmali | Assembler/disassembler for DEX files. |
| apktool | Unpack/decode APK: resources, smali code, AndroidManifest.xml |
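Added example, not part of the original slides: because an APK is a zip and the DEX header layout is documented, a defender can open an APK and check that each classes.dex header (file size, SHA-1 signature, Adler-32 checksum) is self-consistent. The sample APK is constructed in memory; `check_dex`, `check_apk` and `build_sample_apk` are names chosen here.

```python
import hashlib
import io
import re
import struct
import zipfile
import zlib

HEADER_SIZE = 0x70  # fixed length of the DEX header

def check_dex(data: bytes) -> list:
    """Return a list of header inconsistencies (empty list = self-consistent)."""
    if len(data) < HEADER_SIZE or data[:4] != b"dex\n" or data[7:8] != b"\x00":
        return ["not a DEX file (bad magic or truncated header)"]
    (checksum,) = struct.unpack_from("<I", data, 8)    # Adler-32 of data[12:]
    signature = data[12:32]                            # SHA-1 of data[32:]
    (file_size,) = struct.unpack_from("<I", data, 32)  # total file length
    problems = []
    if file_size != len(data):
        problems.append("file_size mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        problems.append("SHA-1 signature mismatch")
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        problems.append("Adler-32 checksum mismatch")
    return problems

def check_apk(apk_bytes: bytes) -> dict:
    """Open the APK as a zip and check every classes*.dex entry."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {name: check_dex(apk.read(name))
                for name in apk.namelist()
                if re.fullmatch(r"classes\d*\.dex", name)}

def build_sample_apk(corrupt: bool = False) -> bytes:
    """Constructed sample: an APK-shaped zip holding a header-only DEX blob."""
    dex = bytearray(b"dex\n035\x00" + bytes(HEADER_SIZE - 8) + b"constructed body")
    struct.pack_into("<III", dex, 32, len(dex), HEADER_SIZE, 0x12345678)
    dex[12:32] = hashlib.sha1(bytes(dex[32:])).digest()
    struct.pack_into("<I", dex, 8, zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF)
    if corrupt:
        dex[-1] ^= 0xFF  # change one byte without updating the header fields
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", bytes(dex))
    return buf.getvalue()

if __name__ == "__main__":
    print(check_apk(build_sample_apk()))
    print(check_apk(build_sample_apk(corrupt=True)))
```

An empty result only means the header is self-consistent: smali recomputes these fields when it reassembles a DEX, so comparing the APK's signing certificate against the publisher's known certificate remains the actual tamper check.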
Attackers – Ability to inject code into clean apps
• Dex files are difficult to modify?
  • Disassembling easy with baksmali
    – Used by Privacy Blocker to mod apps
      » Memory issues
Attackers – Ability to inject code into clean apps
• Modifying AndroidManifest.xml can redirect execution
  – Register for intents

| Intent | Function |
|---|---|
| android.intent.action.BOOT_COMPLETED | Start immediately after system finishes booting |
| android.permission.RECEIVE_SMS | Run when SMS received |
| android.intent.action.PHONE_STATE | Phone state changes; specifically ringing |
| android.net.wifi.WIFI_STATE_CHANGED | Wifi state changes; specifically enabled |
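Added example, not part of the original slides: a repackaged app has to declare its new entry points in AndroidManifest.xml, so diffing the decoded manifest (apktool output is assumed) of a known-good release against a suspect copy surfaces added triggers. Both manifests are constructed samples, and `android.provider.Telephony.SMS_RECEIVED` is not on the slide; it is included as the broadcast action that `RECEIVE_SMS` guards.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Strings from the slide's table, plus SMS_RECEIVED (not on the slide).
WATCHED = {
    "android.intent.action.BOOT_COMPLETED",
    "android.permission.RECEIVE_SMS",
    "android.intent.action.PHONE_STATE",
    "android.net.wifi.WIFI_STATE_CHANGED",
    "android.provider.Telephony.SMS_RECEIVED",
}

def triggers(manifest_xml: str) -> set:
    """Return (component, name) pairs for watched permissions and actions."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID + "name") in WATCHED:
            found.add(("<uses-permission>", perm.get(ANDROID + "name")))
    app = root.find("application")
    for comp in (app if app is not None else []):  # activity/receiver/service
        for action in comp.iter("action"):
            if action.get(ANDROID + "name") in WATCHED:
                found.add((comp.get(ANDROID + "name", "?"),
                           action.get(ANDROID + "name")))
    return found

def added_triggers(original_xml: str, suspect_xml: str) -> list:
    """Triggers present in the suspect manifest but not in the original."""
    return sorted(triggers(suspect_xml) - triggers(original_xml))

def sample_manifest(top: str = "", in_app: str = "") -> str:
    """Constructed sample of a decoded AndroidManifest.xml."""
    return f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">{top}
  <application>
    <activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    {in_app}
  </application>
</manifest>"""

ORIGINAL = sample_manifest()
SUSPECT = sample_manifest(
    '<uses-permission android:name="android.permission.RECEIVE_SMS"/>',
    '<receiver android:name="com.example.added.OnBoot"><intent-filter>'
    '<action android:name="android.intent.action.BOOT_COMPLETED"/>'
    '</intent-filter></receiver>')
print(added_triggers(ORIGINAL, SUSPECT))
```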
Android – What do attackers need to build a virus?
• Ability to evade detection
  • Encryption
    – Simple obfuscations and ciphers
    – Complex and well known encryption algorithms
  • Pretending to be clean apps
    – Infected apps
    – “Legitimate” apps (e.g. Adult entertainment, IM, Web browsers, games)
  • Reduce/remove security
    – Disable security checks
    – Remove/disable security & anti-malware software
Questions?