Page 1: When Android Apps Go Evil

2014

When Android Apps Go Evil

Jing [email protected]

Lookout Inc. 2014

#GHC14


Page 2: When Android Apps Go Evil


Evil Outline

Android OS & App Development

Malware Landscape

Reverse Engineering

Analysis Insights & Challenges

Page 3: When Android Apps Go Evil


Android OS

Linux based

Open sourced

Java for app dev

Dalvik VM

(ART since 4.4)

Security & Privacy

Sandboxing

Permissions

Secure IPC

Cryptography

Page 4: When Android Apps Go Evil


Making of Apps

Page 5: When Android Apps Go Evil


Android Malware (NOT VIRUS PLZ!)

Page 6: When Android Apps Go Evil


Threat Landscape

Page 7: When Android Apps Go Evil


Depending on Origin

Regions: USA, France + Spain, Russia, India, China, Vietnam

Malware types:

• Trojan

• Toll Fraud

• Spyware

• Chargeware

• Surveillanceware

• Spam

• Ransomware

• RootEnabler

• Exploit

• Riskware

Page 8: When Android Apps Go Evil


Malware as a Business

Page 9: When Android Apps Go Evil


Agile Malware Development: SMSActor distribution

SMS Toll Fraud: sending premium text messages without consent

Timeline: April 2012 to April 2014

SMSActor: Russian Toll Fraud. Variant Life Span:

• Activated

• Deactivated

• Decommissioned

Page 10: When Android Apps Go Evil


Incentive and Feasibility

http://www.onepf.org/appstores/

http://www.techinasia.com/10-android-app-stores-china-2014-edition/

China:

• Anzhi
• AppChina
• D.cn Games Center
• gFan
• HiAPK
• Aptoide
• Panda App
• Taobao App Market
• Tencent App Gem
• Xiaomi
• Mumayi

Korea:

• SK T-Store
• Naver NStore
• APPZIL
• olleh Market

Russia:

• Yandex.Store

A HUGE NUMBER OF Apps Not in Google Play Store

Other third-party stores:

• SlideMe.org
• AppBrain
• 1MobileMarket
• Mobile9
• Mobango
• Barzaar
• Amazon appstore
• AppZoom
• AppsLib

Page 11: When Android Apps Go Evil


Incentive and Feasibility

http://www.theguardian.com/technology/2014/aug/22/android-fragmented-developers-opensignal

Page 12: When Android Apps Go Evil


Reverse Machinery (一)

baksmali; apktool: input apk/dex, output smali

dex2jar + jd-gui/luyten: input apk/dex, output pseudo Java

Page 14: When Android Apps Go Evil


Scents of Android Malware (UN)

Disingenuous advertisement

• Facebook icon && titled "facebook"; package name: com.facebook.sms

• Genuine Facebook package name: com.facebook.katana

More than advertised

• Irrelevant code package

• Payment SDK with no pay button (UI)

Costs-money APIs in unexpected context

• A system utility app sends SMS or makes phone calls

• Free game that requires a costs-money permission

Unnecessary outbound communications

• A battery saving app talks to a remote server

• Calculator that downloads stuff
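As an added example, not from the talk or from Lookout's tooling: a small triage script over a decoded AndroidManifest.xml that checks three of the scents above (a title that does not match the genuine package name, costs-money permissions in a utility or game, network access in an app with no reason for it). The title-to-package table, the category lists and the sample manifest are constructed for illustration; com.facebook.katana is the genuine Facebook package name named on the slide.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical table: display title of a well-known app -> its genuine package name.
KNOWN_TITLES = {"facebook": "com.facebook.katana"}

# Permissions in Android's "services that cost you money" group.
COSTS_MONEY = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}

# Hypothetical app categories where network or billing permissions are unexpected.
NO_NETWORK_EXPECTED = {"calculator", "battery"}
NO_BILLING_EXPECTED = {"game", "utility", "calculator", "battery"}


def triage_manifest(manifest_xml, category):
    """Return a list of 'scent' strings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label", "") if app is not None else "").lower()
    perms = {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}
    scents = []
    # Scent 1: advertises itself as a known app but ships under another package name.
    genuine = KNOWN_TITLES.get(label)
    if genuine and pkg != genuine:
        scents.append(f"title '{label}' but package {pkg} (genuine: {genuine})")
    # Scent 2: costs-money permission in a category that has no business billing the user.
    if category in NO_BILLING_EXPECTED and perms & COSTS_MONEY:
        scents.append(f"{category} app requests {sorted(perms & COSTS_MONEY)}")
    # Scent 3: network access in a category that should work entirely offline.
    if category in NO_NETWORK_EXPECTED and "android.permission.INTERNET" in perms:
        scents.append(f"{category} app requests INTERNET")
    return scents


# Constructed sample manifest (not taken from any real app), mimicking the slide's example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.facebook.sms">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Facebook"/>
</manifest>"""

if __name__ == "__main__":
    for scent in triage_manifest(SAMPLE_MANIFEST, "utility"):
        print("scent:", scent)
```

In practice the manifest comes from `apktool d` on the APK, and the category is whatever the store listing claims.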

Page 15: When Android Apps Go Evil


Scents of Android Malware (DEUX)

Interesting Log Statements

• IsFuckSendIsLuckReceiverIsLuckReceiver的 finally已经开始加锁

• ** WHELCOME TO HELL *********

Interesting File Assets

• /assets/libremotecontrol.so

• PNG is actually a dex file

System Level Operations

• Checks for root while presenting itself as a game app

Peer Information Exchange

• VirusTotal says the app is malicious

Page 16: When Android Apps Go Evil


Analysis Challenges

Technical

• Evasion Techniques

• Complicated Apps

• Sheer Volume

• Constraints on Devices

Contextual

• Nuanced Context

• Malware Purpose

• Levels of Puzzle Solving

Page 17: When Android Apps Go Evil


Thank You!

Thanks to the security team + designer @ Lookout