TRANSCRIPT
You don’t Need AV for Android?? How modern multi stage Android malware is succeeding to infect
Android devices
Jagadeesh Chandraiah, Threat Researcher
AVAR 2016
Who am I
• Threat Researcher at Sophos, UK
• Interested in Windows and mobile malware analysis and research
• Spoken at DeepSec and Virus Bulletin in the past
Agenda
• You don’t need AV for Android
• Android Security services
• Infection timeline
• Multi-Stage Android Malware
• Why we need AV on Android platform
Mobile Antivirus is not needed - Google
https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/
Security Software firms are Scammers
http://www.smh.com.au/technology/security/charlatans-and-scammers-googler-slams-security-software-firms-20111123-1ntpu.html
Security Services
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf
Scoring Engine
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf
• Apps are classified on a scale from Safe to Harmful
• Apps scored as harmful are sent for human review
Security Services
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf
PHA
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf
Android Fragmentation
https://developer.android.com/about/dashboards/index.html , data from the 7-day period ending on Nov 7, 2016
Android version distribution (chart):
• Gingerbread (2.3.x): 1.3%
• Ice Cream Sandwich (4.0): 1.3%
• Jelly Bean (4.1-4.3): 13.7%
• KitKat (4.4): 25.2%
• Lollipop (5.x): 34.1%
• Marshmallow (6.0): 24.0%
• Nougat (7.0): 0.3%
Android Fragmentation
• Slow pace of adoption of new Android versions
• Many users run outdated software with many security vulnerabilities
• The latest security fixes are not rolled out quickly
• Google cannot force manufacturers to roll out security updates
• The business model pushes users to buy new phones rather than update
Android Fragmentation? Fix
• Google has started rolling out its own devices, the Pixel series
• Some features and updates are now delivered through Google Play Services
• Does Google look like solving fragmentation? Probably not
• Android is still very popular…
• Developers are writing more apps…
Google play Infections
~10-12 malware occurrences in the Google Play store in 2015
Malware seen pretty much every month in 2016
Google play Infections
Google Play infections timeline, 2016 (chart; timeline markers and plotted families listed in chart order, with install counts where the chart gives them):
• Timeline markers: Jan, Feb, Mar, May, Jun, Aug, Sep, Nov 2016
• Brain Test 2
• Turk Clicker
• Xiny
• Porn Clickers (500k)
• InstaAgent 2 (100-500k)
• Viking Horde (50-100k)
• Clicker
• Valeriy
• Level Dropper (5k)
• Dress Code 1
• Call Jam
• Embassy Spyware
• Dresscode 2 (100-500k)
• Multiple Accounts (1-5 Mil)
• Chart notes: many apps with 100-500k install count; millions of devices infected in 2016
Ghost Push
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf
3.5 billion installation attempts
New variants spotted in Sep/Oct 2016
Ghost Push
• Downloader which downloads other malware and aggressive adware
• Also known as ‘Rootnik’, ‘Shedun’, etc.
• An OTA company’s update infrastructure and application install service was causing several Ghost Push installations
• Several variants of Ghost Push were seen
• Highly persistent
Brain Test
• Employed anti-analysis techniques
• Anti-analysis such as IP checking, time bomb and dynamic loading
• Persistence methods used to avoid uninstallation
• Appeared multiple times on Google Play
Brain Test
http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/
Brain Test
Check if the hostname contains ‘google’ or ‘android’
Check whether the IP falls in these Google server ranges:
216.58.192.0 - 216.58.223.255
209.85.128.0 - 209.85.255.255
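As an added example (not code from the talk or from the Brain Test sample), this Python check lets an analyst test whether a sandbox host's hostname and egress IP would trip the two environment indicators listed above, so the analysis setup can be adjusted before the sample is run; the function names are this example's own.

```python
import ipaddress

# Indicators the slide attributes to Brain Test's analysis-environment check.
# Hostname substrings and Google server IP ranges come from the slide;
# everything else in this file is an assumption of this example.
HOSTNAME_MARKERS = ("google", "android")
GOOGLE_RANGES = (
    ("216.58.192.0", "216.58.223.255"),
    ("209.85.128.0", "209.85.255.255"),
)


def ip_in_google_ranges(ip: str) -> bool:
    """Return True if ip falls inside one of the listed Google ranges (inclusive)."""
    addr = ipaddress.IPv4Address(ip)
    for start, end in GOOGLE_RANGES:
        if ipaddress.IPv4Address(start) <= addr <= ipaddress.IPv4Address(end):
            return True
    return False


def hostname_flagged(hostname: str) -> bool:
    """Case-insensitive substring match on the hostname, as the slide describes."""
    lowered = hostname.lower()
    return any(marker in lowered for marker in HOSTNAME_MARKERS)


def sandbox_would_be_flagged(hostname: str, ip: str) -> dict:
    """Report whether a sample using these checks would treat this analysis
    host as a Google environment, and which indicator(s) triggered."""
    reasons = []
    if hostname_flagged(hostname):
        reasons.append("hostname contains a google/android marker")
    if ip_in_google_ranges(ip):
        reasons.append("egress IP is inside a Google server range")
    return {"flagged": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample hosts for illustration, not real infrastructure.
    for host, ip in (("android-sandbox-01", "10.0.0.5"),
                     ("lab-vm", "216.58.200.10"),
                     ("lab-vm", "203.0.113.7")):
        print(host, ip, sandbox_would_be_flagged(host, ip))
```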
Many variants with similar execution model
• Viking Horde - botnet
• Godless - exploit kit, downloader
• Xiny - hides payload in an image, downloader, ad network
• Rooting exploits and rooting services used
• Watchdog modules for persistence
• Ad revenue, click fraud, botnets…
Feabme
• Popular game on Google Play, up to 1 million install count
• Had a working game with phishing code
Feabme
• Uses the open-source cross-platform .NET framework
• DLLs inside the assemblies folder had malicious code
InstaAgent
• App found on both Google Play and the iOS App Store
• Was a very popular app with up to 100k install count
• Simple credential-stealing app with a big impact
• Similar apps appeared multiple times
• Injects JS code into the web page to steal data
Dress Code
• Lots of infected apps found on Google Play
• Some of the apps were installed 100k-500k times
• About 400 infected apps were found on Google Play
• Malware appeared multiple times on Google Play
• Creates a botnet when the user runs an infected app
• Traffic is rerouted to help the attacker
http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/
Increased Sophistication
• Leave the payload for a later stage
• Pretend to be a clean app
• Target popular apps and games
• Use exploits, rooting tools and services
Anti Analysis
• Detect the analysis environment
• Obfuscation
• Encrypt and hide payloads
• Dynamic/runtime code loading
• Detection evasion using smaller, simpler modules and tricks
So, how big is the malware risk?
• Malware occurrences are still relatively low compared to Windows
• Risk of infection is also low
Need for Security Software
• Google has made many improvements, but NOT ENOUGH!
• Variants have appeared again and again on the Play store (Dress Code, Brain Test, InstaCare/InstaAgent…)
• Popularity means more risk!
• Many threats on Google Play were found by AV/security firms
• Global AV community, security researchers, multiple solutions
• Alert users about threats not detected by Google
• Many AV apps are free and also provide extra security features
Work Together
• Google can’t provide 100% security
• Like any other security software, it can’t detect all threats
• Google should join hands with the AV community
• Share samples and information for a better ecosystem
(Figure: Antivirus and Google)
References/Further Read
• https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/
• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf
• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf
• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf
• http://blog.checkpoint.com/2016/05/09/viking-horde-a-new-type-of-android-malware-on-google-play/
• http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/
• http://news.drweb.com/show/?i=9803&lng=en&c=5
• http://blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/
• http://peppersoft.net/hacking-the-hacker/
• http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/
• http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/