
DroidKungFu and AnserverBot




  1. DroidKungFu and AnserverBot Android Malware Characterisation part II

  2. Analysis of Two Malware Families • DroidKungFu and AnserverBot represent the most recent incarnation of Android malware engineering • Since their first appearance, several improvements have been made to increase their stealthiness

  3. DroidKungFu • There are 6 different known variants of DroidKungFu • They appeared within a period of 6 months • Probably many more exist now • They contain • Root exploits • C&C server communication • Shadow payloads • Code obfuscation

  4. DroidKungFu – Root Exploits • 4 variants contain root exploits • DroidKungFu is the first family to store its root exploits encrypted • The exploit binaries are stored as assets so that they look like ordinary data files • Initially the asset was named ratc (RageAgainstTheCage) • It was later renamed to myicon

  5. DroidKungFu – C&C Comm • All the variants communicate with C&C servers • To evade detection, the C&C servers' addresses keep changing • DroidKungFu1 stores the address as a plaintext string in one of its Java classes • DroidKungFu2 moves the address, still in plaintext, into native code • DroidKungFu3 and DroidKungFu4 use encrypted addresses (stored in a Java class and in native code)

  6. DroidKungFu – Shadow Payload • If the root exploit succeeds, a shadow app is installed • The user is not aware of this app • It contains the same code as the malicious payload included in the repackaged app • This means that if the user removes the host app, the shadow app remains • Later variants encrypt the shadow app to evade detection, and it shows no icon

  7. DroidKungFu – Code Obfuscation • Extensive use of encryption for constant strings, C&C servers' addresses, the native payload and the shadow app • Keys are changed very often • Extensive use of code obfuscation • Use of native code and JNI to make code analysis more difficult • DroidKungFuUpdate uses the update attack to download the actual payload at run time and so evade static code analysis
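The checks on slides 4 to 7 (exploit binaries disguised as assets, encrypted payloads, C&C addresses left in Dalvik or native code) translate into a content-based triage pass over an APK. The following Python script is an added example written for this page, not code from the slides or from any published DroidKungFu analysis; the APK it inspects is constructed in memory, and every file name, URL and byte pattern in it is made up.

```python
import io
import math
import re
import zipfile

ELF_MAGIC = b"\x7fELF"      # native executable, e.g. a root exploit binary
ZIP_MAGIC = b"PK\x03\x04"   # an APK is a zip, so an embedded APK starts like this
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def build_inner_apk() -> bytes:
    """Constructed stand-in for an unencrypted shadow app (a minimal zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed sample mimicking the DroidKungFu layout; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # DroidKungFu1 style: C&C address as a plaintext string in Dalvik code
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64
                   + b"http://cc.example.invalid/update.php\0")
        # DroidKungFu2 style: address moved into a native library
        z.writestr("lib/armeabi/libnative.so", ELF_MAGIC + b"\0" * 64
                   + b"http://cc2.example.invalid/\0")
        # exploit binary hidden under a harmless-looking asset name
        z.writestr("assets/myicon", ELF_MAGIC + bytes(range(256)) * 4)
        # "encrypted" payload: no recognisable header, near-uniform byte histogram
        z.writestr("assets/data.dat", bytes((i * 197 + 31) % 256 for i in range(2048)))
        # unencrypted shadow APK stored as if it were an image
        z.writestr("assets/shadow.png", build_inner_apk())
        # an ordinary asset, for contrast
        z.writestr("assets/readme.txt", b"hello world " * 50)
    return buf.getvalue()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniform (typical of encrypted or compressed data)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag the artefacts the slides describe, by content rather than by file name."""
    f = {"elf_assets": [], "embedded_apks": [], "high_entropy_assets": [],
         "native_libs": [], "plaintext_urls": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.startswith("assets/"):
                if data.startswith(ELF_MAGIC):
                    f["elf_assets"].append(name)
                elif data.startswith(ZIP_MAGIC):
                    f["embedded_apks"].append(name)
                elif shannon_entropy(data) >= entropy_threshold:
                    f["high_entropy_assets"].append(name)
            if name.startswith("lib/") and name.endswith(".so"):
                f["native_libs"].append(name)
            # C&C addresses left in plaintext show up in both Dalvik and native code
            if name.endswith(".dex") or name.endswith(".so"):
                f["plaintext_urls"] += [m.group().decode("ascii") for m in URL_RE.finditer(data)]
    return f


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Asset names are not trusted at all: the ELF and zip magic bytes identify the exploit and the embedded shadow app even when they are stored as myicon or as a .png. The entropy threshold needs care on real apps, since compressed images and other legitimately compressed assets also score close to 8 bits per byte, so treat a high-entropy hit as something to inspect rather than as a verdict.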

  8. AnserverBot • One of the most advanced malware families • It uses evasion techniques not used before by any other Android malware • It has been found in repackaged apps distributed through Chinese app markets • It appears to be an evolution of the BaseBridge malware family

  9. AnserverBot – Anti Analysis • It uses the repackaging attack • However, when installed it checks whether the hosting app has been tampered with • It verifies the host app's signature and only then unfolds its payload • It extensively uses code obfuscation to make the code unreadable to humans • The payload is split across three different apps • The host app plus two shadow apps

  10. AnserverBot – Anti Analysis • The shadow apps share the same package name • com.sec.android.touchScreen.server • One shadow app is loaded through the update attack • The other shadow app is loaded dynamically through Dalvik's class-loading API (DexClassLoader) • However, that app is never installed! • AnserverBot is therefore able to load any code retrieved from the C&C server

  11. AnserverBot – AV Detection • This malware is very aggressive • It tries to detect whether AV software is installed on the device • It contains the encrypted names of security apps • such as LBE and 360 MobileSafe • If one is found, the malware uses the restartPackage method to stop the AV and then displays an error message
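The behaviours on slides 10 and 11, dynamic class loading and killing the AV through restartPackage, leave traces in the DEX string table because the malware has to reference those Android APIs by name even when the rest of the code is obfuscated. The following Python script is an added example, not part of the slides: it builds a minimal DEX file containing only a header and a string table (the class name in it is made up), walks string_ids the way the DEX format lays them out, and classifies the strings it finds.

```python
import struct

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70

# Strings that, together, point at the behaviours described on slides 10 and 11.
# The AV product names themselves are encrypted in the sample, so a plaintext
# scan can only key on the Android APIs the malware has to reference by name.
INDICATORS = {
    "dynamic_code_loading": ["Ldalvik/system/DexClassLoader;", "loadClass"],
    "kills_other_apps": ["Landroid/app/ActivityManager;", "restartPackage"],
    "signature_check": ["Landroid/content/pm/Signature;", "signatures"],
}

# Constructed string table; the class name below is made up for the example.
SAMPLE_STRINGS = [
    "Lcom/sec/android/touchScreen/server/Main;",
    "Ldalvik/system/DexClassLoader;", "loadClass",
    "Landroid/app/ActivityManager;", "restartPackage",
    "Landroid/content/pm/Signature;", "signatures",
    "Ljava/lang/Object;",
]


def uleb128(n: int) -> bytes:
    """Encode an unsigned LEB128 value (used for lengths inside DEX)."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)


def read_uleb128(buf: bytes, pos: int):
    """Decode an unsigned LEB128 value at pos; return (value, next_pos)."""
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def build_dex(strings) -> bytes:
    """Emit a header plus a string table only; enough for a string-level scan."""
    strings = sorted(strings)               # real DEX files keep string_ids sorted
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        # string_data_item: uleb128 UTF-16 length, MUTF-8 bytes, NUL terminator
        data += uleb128(len(s)) + s.encode("utf-8") + b"\0"
    dex = bytearray(HEADER_SIZE)
    dex[:8] = DEX_MAGIC
    struct.pack_into("<I", dex, 0x24, HEADER_SIZE)            # header_size
    struct.pack_into("<I", dex, 0x28, 0x12345678)             # endian_tag
    struct.pack_into("<II", dex, 0x38, len(strings), ids_off)  # string_ids_size/off
    struct.pack_into("<II", dex, 0x68, len(data), data_off)    # data_size/off
    dex += b"".join(struct.pack("<I", o) for o in offsets) + data
    struct.pack_into("<I", dex, 0x20, len(dex))               # file_size
    return bytes(dex)


def dex_strings(dex: bytes) -> list:
    """Walk string_ids -> string_data_item as laid out in the DEX header."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)
        end = dex.index(b"\0", pos)        # MUTF-8 never emits a raw NUL byte
        out.append(dex[pos:end].decode("utf-8", "replace"))
    return out


def classify(dex: bytes) -> dict:
    """Map each indicator category to the strings from it that the DEX references."""
    present = set(dex_strings(dex))
    hits = {}
    for category, needles in INDICATORS.items():
        found = sorted(s for s in needles if s in present)
        if found:
            hits[category] = found
    return hits


if __name__ == "__main__":
    print(classify(build_dex(SAMPLE_STRINGS)))
```

A real sample encrypts the names of LBE and 360 MobileSafe, so the scan keys on the API names rather than the product names, and a hit only says the code references those APIs; whether the AV actually gets killed, or what DexClassLoader ends up loading from the C&C server, is something only dynamic analysis can show.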

  12. AnserverBot – C&C Comm • AnserverBot supports two types of C&C servers • One type is used for sending commands • The second one is used for retrieving encrypted payloads • To reach the second one, it uses an encrypted entry posted on public blog providers, i.e. Sina and Baidu • This entry contains the (encrypted) address of the second C&C server

  13. The AVS race • Given the rapid evolution of malware, AV software is lagging behind • Mainly, AVS uses a signature-based approach • It relies on the content of its signature DB • If an app's signature is not there, the app is treated as clean • How easy is it to change the signature of an app? • Very!
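How easy is it to change a sample's signature? The following Python script is an added example, not part of the slides: it builds a deterministic stand-in APK (all contents constructed), registers its SHA-256 in a whole-file signature database, and then shows that reordering entries, adding an asset or setting a zip comment defeats the whole-file hash while a per-component hash of classes.dex still matches; a one-byte change inside the DEX, standing in for re-obfuscation, defeats both.

```python
import hashlib
import io
import zipfile

# Constructed contents standing in for a repackaged app; nothing here is real code.
DEX = b"dex\n035\0" + b"\0" * 64 + b"Lcom/example/Payload;\0"
MANIFEST = b"<manifest package='com.example.host'/>"
ICON = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
ORIGINAL = [("AndroidManifest.xml", MANIFEST), ("classes.dex", DEX), ("res/icon.png", ICON)]


def build_apk(entries, comment: bytes = b"") -> bytes:
    """Deterministic zip (fixed timestamps, stored entries) so only our changes matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_STORED
            z.writestr(info, data)
        z.comment = comment
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def dex_hashes(apk: bytes) -> set:
    """Hashes of every .dex entry, i.e. the part that actually carries the payload."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {sha256(z.read(n)) for n in z.namelist() if n.endswith(".dex")}


# Two "signature databases" built from the known-bad original
WHOLE_FILE_DB = {sha256(build_apk(ORIGINAL))}
COMPONENT_DB = {sha256(DEX)}


def evaluate(apk: bytes) -> dict:
    """Would a whole-file hash signature, or a per-component one, still catch this APK?"""
    return {
        "whole_file_match": sha256(apk) in WHOLE_FILE_DB,
        "component_match": bool(dex_hashes(apk) & COMPONENT_DB),
    }


def demo() -> dict:
    """Cheap repackaging tricks against the two signature styles."""
    variants = {
        "original": build_apk(ORIGINAL),
        "reordered": build_apk(list(reversed(ORIGINAL))),
        "extra_asset": build_apk(ORIGINAL + [("assets/noise.txt", b"x")]),
        "zip_comment": build_apk(ORIGINAL, comment=b"v2"),
        # one-byte change in the DEX stands in for re-obfuscating class names
        "dex_modified": build_apk(
            [(n, (DEX[:-1] + b"!") if n == "classes.dex" else d) for n, d in ORIGINAL]),
    }
    return {name: evaluate(apk) for name, apk in variants.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

The three zip-level tricks cost nothing and already break a whole-file hash, which is the simplest form of the signature the slide refers to; hashing the DEX on its own survives them but not a rebuilt payload, which is why AV engines layer fuzzy and structural signatures on top and why the detection gap the next slides describe opens up.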

  14. The AVS race • Interesting report from Imperva • http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf • Previously unknown malware samples were submitted to AV solutions • The goal was to evaluate how effective AVS products are • The results are really scary

  15. Imperva Study Results • Less than 5% of the samples were detected • Most AVS products cannot keep up with the fast-changing landscape of malware families • AVS can take up to 4 weeks to detect a new malware sample • The best of the breed: the free ones! • Although they had a very high false-positive rate • Consumers spend $4.5 billion on AVS and enterprises $2.9 billion • About 1/3 of the total money spent on security software

  16. Imperva Study Results • It might be better to spend some resources on other types of software than AVS • For AVS, better to use the free ones • Note: this study is about PC malware • Does it apply to Android malware? • We will know very soon ;-)

  17. Questions?
