When Android Apps Go Evil

Jing Xie, Lookout Inc., 2014, #GHC14


Lookout security analyst Jing Xie presented her research at the Grace Hopper Celebration of Women in Computing on October 9, 2014. She explains the Android app landscape, how malicious apps make it onto the marketplace, and how intelligent research can sniff out the evil apps.


Page 1: When Android Apps Go Evil

When Android Apps Go Evil

Jing Xie

Lookout Inc., 2014

#GHC14

Page 2: When Android Apps Go Evil

Evil Outline

• Android OS & App Development
• Malware Landscape
• Reverse Engineering
• Analysis Insights & Challenges

Page 3: When Android Apps Go Evil

Android OS

• Linux based
• Open sourced
• Java for app dev
• Dalvik VM (ART since 4.4)

Security & Privacy

• Sandboxing
• Permissions
• Secure IPC
• Cryptography

Page 4: When Android Apps Go Evil

Making of Apps

Page 5: When Android Apps Go Evil

Android Malware (NOT VIRUS PLZ!)

Page 6: When Android Apps Go Evil

Threat Landscape

Page 7: When Android Apps Go Evil

Depending on Origin

USA, France + Spain, Russia, India, China, Vietnam

• Trojan
• Toll Fraud
• Spyware
• Chargeware
• Surveillanceware
• Spam
• Ransomware
• RootEnabler
• Exploit
• Riskware

Page 8: When Android Apps Go Evil

Malware as a Business

Page 9: When Android Apps Go Evil

Agile Malware Development

SMS Toll Fraud: sending premium text messages without consent

SMSActor: Russian Toll Fraud

[Figure: SMSActor distribution, April 2012 to April 2014]

Variant Life Span:
• Activated
• Deactivated
• Decommissioned

Page 10: When Android Apps Go Evil

Incentive and Feasibility

A HUGE NUMBER OF Apps Not in Google Play Store

• Anzhi, AppChina, D.cn Games Center, gFan, HiAPK, Aptoide, Panda App, Taobao App Market, Tencent App Gem, Xiaomi, Mumayi
• SK T-Store, Naver NStore, APPZIL, olleh Market
• Yandex.Store
• SlideMe.org, AppBrain, 1MobileMarket, Mobile9, Mobango, Barzaar, Amazon appstore, AppZoom, AppsLib

http://www.onepf.org/appstores/

http://www.techinasia.com/10-android-app-stores-china-2014-edition/

Page 11: When Android Apps Go Evil

Incentive and Feasibility

http://www.theguardian.com/technology/2014/aug/22/android-fragmented-developers-opensignal

Page 12: When Android Apps Go Evil

Reverse Machinery (一)

Input: apk/dex

• baksmali; apktool (output: smali)
• dex2jar + jd-gui/luyten (output: pseudo Java)

Page 14: When Android Apps Go Evil

Scents of Android Malware (UN)

Disingenuous advertisement
• Facebook icon && titled facebook; package name: com.facebook.sms
• com.facebook.katana

More than advertised
• Irrelevant code package
• Payment SDK with no pay button (UI)

Cost money APIs in unexpected context
• A system utility app sends SMS or makes phone calls
• Free game that requires a permission that costs money

Unnecessary outbound communications
• A battery saving app talks to a remote server
• Calculator that downloads stuff

Page 15: When Android Apps Go Evil

Scents of Android Malware (DEUX)

Interesting Log Statements
• IsFuckSendIsLuckReceiverIsLuckReceiver的 finally已经开始加锁
• ** WHELCOME TO HELL *********

Interesting File Assets
• /assets/libremotecontrol.so
• PNG is actually dex file

System Level Operations
• A game app that checks for root

Peer Information Exchange
• VirusTotal says the app is malicious
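The two "Interesting File Assets" scents above can be checked mechanically by comparing each APK entry's leading bytes with its name and location. This is an added example, not code from the talk or from Lookout; the function names, the constructed sample archive, and the rule that any ELF file under assets/ deserves a look (generalised from the libremotecontrol.so bullet) are assumptions.

```python
import io
import zipfile

# File-format magic numbers (format facts, not taken from the slides).
MAGIC = {b"dex\n": "dex", b"\x7fELF": "elf", b"\x89PNG\r\n\x1a\n": "png"}
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")


def sniff(head: bytes) -> str:
    """Classify content by its leading bytes."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "other"


def suspicious_assets(apk_bytes: bytes) -> list:
    """Return (entry, reason) pairs where content contradicts name or location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            with apk.open(info) as fh:
                kind = sniff(fh.read(8))
            name = info.filename.lower()
            if kind == "dex" and name.endswith(IMAGE_EXTS):
                findings.append((info.filename, "image extension, DEX content"))
            elif kind == "dex" and not name.endswith(".dex"):
                findings.append((info.filename, "DEX content under non-.dex name"))
            elif kind == "elf" and name.startswith("assets/"):
                findings.append((info.filename, "native code in assets/"))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample archive; entry names and contents are made up."""
    dex, elf = b"dex\n035\x00" + bytes(32), b"\x7fELF" + bytes(16)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + bytes(16))
        z.writestr("assets/logo.png", dex)
        z.writestr("assets/libremotecontrol.so", elf)
        z.writestr("lib/armeabi/libgame.so", elf)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in suspicious_assets(build_sample_apk()):
        print(f"{entry}: {reason}")
```

A hit is a reason to open the entry in the tools from the reverse-engineering slide, not a verdict on its own: some legitimate apps also load secondary DEX files or bundle native code in assets/.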

Page 16: When Android Apps Go Evil

Analysis Challenges

Technical
• Evasion Techniques
• Complicated Apps
• Sheer Volume
• Constraints on Devices

Contextual
• Nuanced Context
• Malware Purpose
• Levels of Puzzle Solving

Page 17: When Android Apps Go Evil

Thank You!

Thanks to security team + designer @ lookout