Dissecting Android Malware : Characterization and Evolution
Presentation Transcript

  1. Dissecting Android Malware : Characterization and Evolution
     Authors : Yajin Zhou, Xuxian Jiang
     TJ

  2. Index of this paper
     • Introduction
     • Malware Timeline
     • Malware Characterization
       • Malware Installation : Repackaging, Update Attack, Drive-by Download, Others
       • Activation
       • Malicious Payloads : Privilege Escalation, Remote Control, Financial Charge, Information Collection
       • Permission Uses
     • Malware Evolution
       • DroidKungFu : Root Exploits, C&C Servers, Shadow Payloads, Obfuscation, JNI, and Others
       • AnserverBot : Anti-Analysis, Security Software Detection, C&C Servers
     • Malware Detection
     • Discussion
     • Related Work
     • Conclusion

  3. I. Introduction
     • Smartphone
       • Shipment : ×3 ↑ (40 million → 120 million) in 2009~2011 ► mobile malware ↑
     • Android-based malware
       • Share : 46% ↑ and growing rapidly
       • 400% ↑ since summer 2010
     • Goals
       • Malware samples (1,260) & families (49)
       • Timeline analysis
       • Good examples of malware

  4. II. Malware Timeline
     • Dataset
       • 49 families
       • Official / alternative Android markets
       • 2010-08 ~ 2011-10

  5. III. A. Malware Installation
     • Repackaging
       • Most common technique
       • Concept
         • Download popular apps → Disassemble → Enclose malicious payloads → Re-assemble → Submit

  6. III. A. 1) Repackaging
     • Where do these original apps come from?
     • What is done by the malware authors?

  7. III. A. 2) Update Attack
     • Concept
       • An update component downloads the malicious payload at runtime, so the initially installed app carries no malicious code

  8. III. A. 2) Update Attack

  9. III. A. 2) Update Attack

  10. III. A. 3) Drive-by Download
      • Enticing users to download "interesting" or "feature-rich" apps.
      • For example,
        • GGTracker : in-app advertisement link
        • Jifake : QR code
        • Spitmo and Zitmo : ported versions of nefarious PC malware (SpyEye, Zeus)

  11. III. B. Activation
      • Using system event messages
      • For example,
        • BOOT_COMPLETED
        • SMS_RECEIVED
        • ACTION_MAIN

  12. III. C. Malicious Payloads
      • Privilege Escalation

  13. III. C. Malicious Payloads
      • Remote Control
        • 1,172 samples (93%)
        • Turn infected phones into bots
        • 1,171 samples : HTTP-based communication with C&C servers
      • C&C servers
        • Amazon cloud
        • Public blog

  14. III. C. Malicious Payloads
      • Financial Charge
        • Premium-rate services
      • Information Collection
        • SMS messages
        • Phone numbers
        • User accounts

  15. III. D. Permission Uses
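The activation events of slide 11 and the payload/permission pairs of slides 13 to 15 can be checked statically. The script below is an added example, not code from the paper or the presentation: it triages a decoded AndroidManifest.xml (it assumes the manifest has already been decoded from binary XML, e.g. with apktool) and reports receivers registered for BOOT_COMPLETED or SMS_RECEIVED together with permissions that map onto the financial-charge, information-collection and remote-control payload classes. The sample manifest and the com.example.repackaged package name are constructed for this example.

```python
# Added example, not the paper's or the slides' code: static triage of a decoded
# AndroidManifest.xml for the activation events and permissions the slides list.
# Assumes the manifest is already decoded from binary XML (e.g. with apktool);
# the sample manifest at the bottom is constructed for this example.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACTIVATION_ACTIONS = {  # system events used to start a payload without user action
    "android.intent.action.BOOT_COMPLETED": "runs at boot",
    "android.provider.Telephony.SMS_RECEIVED": "runs on every incoming SMS",
}
SENSITIVE_PERMS = {  # permissions that map onto the payload classes in the slides
    "android.permission.SEND_SMS": "financial charge (premium-rate SMS)",
    "android.permission.READ_SMS": "information collection (SMS messages)",
    "android.permission.READ_PHONE_STATE": "information collection (phone number, IMEI)",
    "android.permission.GET_ACCOUNTS": "information collection (user accounts)",
    "android.permission.INTERNET": "remote control channel (HTTP to C&C)",
}

def triage_manifest(xml_text):
    # Returns (activation findings, permission findings) for one manifest.
    root = ET.fromstring(xml_text)
    perms = [p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")]
    perm_findings = [(p, SENSITIVE_PERMS[p]) for p in perms if p in SENSITIVE_PERMS]
    activation = []
    for receiver in root.iter("receiver"):  # receivers declared in the manifest
        rname = receiver.get(ANDROID_NS + "name")
        for action in receiver.iter("action"):  # actions in its intent-filters
            aname = action.get(ANDROID_NS + "name")
            if aname in ACTIVATION_ACTIONS:
                activation.append((rname, aname, ACTIVATION_ACTIONS[aname]))
    return activation, perm_findings

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Receivers registered in code at runtime are not visible here, so this catches the manifest-declared activation path only; pair it with the dynamic checks described in the detection section.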

  16. IV. Malware Evolution
      • DroidKungFu
        • Root Exploits
        • C&C Servers
        • Shadow Payloads
        • Obfuscation

  17. IV. B. AnserverBot
      • Anti-Analysis
      • Security Software Detection
      • C&C Servers

  18. V. Malware Detection
      • Tested on Nexus One (Android 2.3.7)
        • Lookout
        • TrendMicro
        • AVG Antivirus
        • Norton

  19. VI. Discussion
      • Ecosystem : Android Market
      • ASLR, TrustZone and eXecute-Never are needed
      • Lack of fine-grained API control
      • Blocking malware from entering the market is needed
      • Cooperation between security vendors

  20. VIII. Conclusion
      • Repackaging (86%)
      • Platform-level privilege escalation exploits (36.7%)
      • Bot-like capability (93%)

  21. Q & A