Websense SecurityLabs

Page 1

Page 2: Agenda

1. Goal & Objectives

2. Services in the Cloud

3. Tracker Web Portal

4. Next Step To Do

Page 3: Goal & Objectives

• Crawl and build an Android app repository

• Profile Android apps

• Create databases for apps and associated data

• Auto classification for Android apps

Page 4: Analytic Workflow

(Diagram slide: analytic workflow)

Page 5: Cloud Services

1. APK Crawler & Parser

2. Dynamic Profile (On-line Emulator)

3. Static Profile (Security Classifier)

Page 6: Market Auto-Crawling

• Google Play (Eng.)

• SlideME (Eng.)

• Gfan (Chinese)

• GoAPK (Chinese)

• Mumayi (Chinese)

Diagram labels: Apps Crawler; Real-life .apk Web Request Stats (GEO IP); ThreatSeeker

Page 7: .APK Parser

3rd party parsing tools

• Apktool: decodes resources from apk files, such as AndroidManifest.xml and classes.dex

• Dex2jar: reads the embedded .dex file from apk files and generates a .jar file

In-house scripts

• parsing automation

• database insert

Page 8: APK Profile

• Security Classifier

• Dynamic Profile

  – auto APK runner

  – Interactive emulator

Page 9: Security Classifier

Objective

• Create a classifier for malicious Android app detection

• A static analysis approach

• A machine learning approach

Data training

• MySQL queries to retrieve raw data from the AppTracker database

• Analytic features conversion to binary vectors

The R code components

• Preprocessing: convert variables into factor variables or numeric variables accordingly

• Load the R randomForest library

Prediction

• Import R environment

• Load R model, read in input (test case) and write out output (classification response)
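The parsing automation of the .APK Parser slide and the "features to binary vectors" step of this slide, as an added example that is not the deck's own code: it reads a decoded AndroidManifest.xml (the file Apktool produces) and emits one binary indicator per permission plus the four component counts. The permission vocabulary and the sample manifest are constructed assumptions; a real run would derive the vocabulary from the AppTracker database.

```python
# Added example (not the deck's code): decoded AndroidManifest.xml -> feature vector.
# PERMISSION_VOCAB and SAMPLE_MANIFEST are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a manifest as decoded by apktool (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""

# Assumed vocabulary: one binary feature per permission, in a fixed order.
PERMISSION_VOCAB = [
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
]

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def parse_manifest(xml_text):
    """Extract package name, declared permissions and per-type component counts."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    counts = {tag: sum(1 for _ in root.iter(tag)) for tag in COMPONENT_TAGS}
    return {"package": root.get("package"), "permissions": perms, "components": counts}


def to_feature_vector(profile):
    """Binary permission indicators (vocabulary order) followed by component counts."""
    bits = [1 if p in profile["permissions"] else 0 for p in PERMISSION_VOCAB]
    return bits + [profile["components"][t] for t in COMPONENT_TAGS]
```

The resulting rows are what the preprocessing step would then turn into factor or numeric variables before training.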

Page 10: R Module

• Environment for statistical data analysis, inference and visualization

• Ports for Unix, Windows and Mac OS X

• Highly extensible through user-defined functions

• Generic functions and conventions for standard operations like plot, predict etc.

• >1200 add-on packages contributed by developers from all over the world

  e.g. Multivariate Statistics, Machine Learning, Natural Language Processing, Bioinformatics (Bioconductor), SNA, ...

• Interfaces to C, C++, Fortran, Java

Page 11: Analytic Results

(Chart: analytic results plotted against confidence levels 0.5, 0.6, 0.7, 0.8, 0.9)

Page 12: Dynamic Profile

How It Works? Steps:

1. Load emulator

2. Install and run APK file

3. System output profile

4. Show on web portal

Page 13: Run APK

• emulator -avd avdname -no-snapshot-save   (boot the AVD; its state is not saved on exit, so every sample starts clean)

• adb install apkfile   (install the sample on the running emulator)

• aapt dump badging apkfile   (read the package name and launchable activity out of the APK)

• adb shell am start -n packagename/mainActivity   (launch the main activity)

Page 14: Auto Input

• adb shell input keyevent "value"

  Key codes:  7 = KEYCODE_0 ... 16 = KEYCODE_9

             29 = KEYCODE_A ... 54 = KEYCODE_Z

• adb shell sendevent [device] [type] [code] [value]

  example:

  adb shell sendevent /dev/input/event0 3 0 40

  adb shell sendevent /dev/input/event0 3 1 210

  // touch screen (x=40,y=210): type 3 is EV_ABS, code 0 is ABS_X and code 1 is ABS_Y

Page 15: Monkey

“The Monkey is a command-line tool that you can run on any emulator instance or on a device. It sends a pseudo-random stream of user events into the system, which acts as a stress test on the application software you are developing.”

adb shell monkey -p package.name -v 500
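The Run APK and Monkey slides as one auto-runner step, added here as an example and not the deck's own scripts: it pulls packagename/mainActivity out of `aapt dump badging` output and assembles the argv lists for the emulator, install, launch and Monkey commands. SAMPLE_BADGING is constructed; "avdname" and "sample.apk" are placeholders.

```python
# Added example (not the deck's code): aapt badging output -> auto APK runner commands.
# SAMPLE_BADGING is constructed; "avdname" and "sample.apk" are placeholders.
import re

SAMPLE_BADGING = """package: name='com.example.sample' versionCode='3' versionName='1.2'
sdkVersion:'8'
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.SEND_SMS'
application-label:'Sample'
launchable-activity: name='com.example.sample.MainActivity'  label='Sample' icon=''
"""


def parse_badging(text):
    """Pick out package name, versionCode, permissions and the launchable activity."""
    info = {"permissions": []}
    for line in text.splitlines():
        m = re.match(r"package: name='([^']+)' versionCode='(\d+)'", line)
        if m:
            info["package"], info["versionCode"] = m.group(1), int(m.group(2))
            continue
        # Older aapt prints uses-permission:'X', newer prints uses-permission: name='X'.
        m = re.match(r"uses-permission:(?: name=)?'([^']+)'", line)
        if m:
            info["permissions"].append(m.group(1))
            continue
        m = re.match(r"launchable-activity: name='([^']+)'", line)
        if m:
            info["activity"] = m.group(1)
    return info


def run_apk_commands(info, apk="sample.apk", avd="avdname", events=500):
    """Emulator boot, install, launch and Monkey stress run, as argv lists."""
    if "activity" not in info:
        # Without a launchable activity there is nothing for `am start -n` to open.
        raise ValueError(f"{info.get('package')}: no launchable activity")
    pkg = info["package"]
    return [
        ["emulator", "-avd", avd, "-no-snapshot-save"],
        ["adb", "install", apk],
        ["adb", "shell", "am", "start", "-n", f"{pkg}/{info['activity']}"],
        ["adb", "shell", "monkey", "-p", pkg, "-v", str(events)],
    ]


if __name__ == "__main__":
    for argv in run_apk_commands(parse_badging(SAMPLE_BADGING)):
        print(" ".join(argv))
```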

Page 16: Network Monitoring

adb shell tcpdump -v 'tcp port 80 and (((ip[2:2]-((ip[0]&0xf)<<2))-((tcp[12]&0xf0)>>2))!=0'

(captures port-80 TCP packets that carry data: IP total length minus IP header length minus TCP header length is non-zero, so pure ACKs and handshake segments are skipped)
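The arithmetic inside that tcpdump filter, reimplemented over raw IPv4/TCP bytes as an added example (not the deck's code) so each term is visible: ip[2:2] is the IP total length, (ip[0]&0xf)<<2 the IP header length, (tcp[12]&0xf0)>>2 the TCP header length, and the packet matches when the remainder, the TCP payload, is non-zero. The packets below are constructed with zeroed checksums.

```python
# Added example (not the deck's code): the tcpdump payload-length test in Python.
import struct


def tcp_payload_length(packet):
    """TCP payload bytes in a raw IPv4 packet (no link-layer header)."""
    ihl = (packet[0] & 0x0F) << 2                      # (ip[0]&0xf)<<2
    total_len = struct.unpack("!H", packet[2:4])[0]    # ip[2:2]
    tcp = packet[ihl:]
    data_off = (tcp[12] & 0xF0) >> 2                   # (tcp[12]&0xf0)>>2
    return total_len - ihl - data_off


def matches_filter(packet):
    """Mirror of: tcp port 80 and (payload length) != 0."""
    if packet[9] != 6:                                 # IP protocol field: 6 = TCP
        return False
    ihl = (packet[0] & 0x0F) << 2
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return 80 in (sport, dport) and tcp_payload_length(packet) != 0


def build_packet(payload, sport=40000, dport=80):
    """Constructed minimal IPv4+TCP packet (checksums zeroed; demo input only)."""
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 2, 15]), bytes([192, 0, 2, 1]))
    # data offset 5 (20-byte header), flags PSH|ACK, window 8192
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload


if __name__ == "__main__":
    print(matches_filter(build_packet(b"GET / HTTP/1.1\r\n")))   # True: has payload
    print(matches_filter(build_packet(b"")))                     # False: bare ACK
```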

Page 17: SMS & Call

adb logcat -b radio -s "AT:*"

• AT Commands

• PDU SMS messages

Decode '0001000a81016681859200000539590c1b03'

Suspicious number '1066185829'

Message '@9@2@'
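Decoding the SMS-SUBMIT PDU quoted on this slide, as an added example that is not the deck's own tooling: the destination number comes from semi-octet swapping of the address field and matches the slide; the user data is unpacked as GSM 03.38 7-bit text, which yields a different string than the slide's rendering of the message. Only the ASCII-coinciding subset of the GSM default alphabet is mapped.

```python
# Added example (not the deck's code): parse an SMS-SUBMIT PDU with no SMSC and a 7-bit body.
def swap_semi_octets(hexdigits):
    """'0166818592' -> '1066185829': the two nibbles of each octet are swapped."""
    out = "".join(hexdigits[i + 1] + hexdigits[i] for i in range(0, len(hexdigits), 2))
    return out.rstrip("F")                     # odd-length numbers are padded with F


def unpack_7bit(data, septets):
    """Unpack GSM 03.38 7-bit packed user data into text (ASCII subset only)."""
    bits = int.from_bytes(data, "little")      # septet 0 sits in the low 7 bits
    chars = [chr((bits >> (7 * i)) & 0x7F) for i in range(septets)]
    return "".join("@" if c == "\x00" else c for c in chars)   # 0x00 is '@' in GSM 03.38


def decode_submit_pdu(hexstr):
    """Return type-of-address, destination number and text of an SMS-SUBMIT PDU."""
    raw = bytes.fromhex(hexstr)
    pos = 1 + raw[0]                           # SMSC length byte (+ SMSC octets if any)
    pdu_type, msg_ref = raw[pos], raw[pos + 1]
    if (pdu_type & 0x03) != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    addr_len = raw[pos + 2]                    # destination length in digits
    addr_type = raw[pos + 3]                   # 0x81: unknown numbering, ISDN plan
    addr_bytes = (addr_len + 1) // 2
    number = swap_semi_octets(raw[pos + 4:pos + 4 + addr_bytes].hex().upper())
    pos += 4 + addr_bytes
    pid, dcs, udl = raw[pos], raw[pos + 1], raw[pos + 2]
    if (dcs & 0x0C) != 0x00:
        raise ValueError("only the 7-bit default alphabet is handled here")
    text = unpack_7bit(raw[pos + 3:], udl)
    return {"type_of_address": addr_type, "number": number, "text": text}


if __name__ == "__main__":
    print(decode_submit_pdu("0001000a81016681859200000539590c1b03"))
```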

Page 18: Interactive Emulator

Browser-based for end users

Example: 50 users have tested this app, average time 3 minutes per user

• suspicious SMS found

• no phone call made

• 1 active network access

Page 19: App Tracker

Front page to users

• Web portal support

• Top 20 profiles: Malware vs. Benign

• Real-time crawler status

• Real-time virus status report

• Built-in app emulation

Back end in cloud

• ThreatSeeker service

• Automatic static data analysis

• Dynamic profile support

Page 20: Demo Time

• Security Classifier POC

• Web Portal Framework

Page 21: Mobile Solution

ThreatSeeker Cloud real-time analytics:

• Advance Detection (AR) result > Mobile Malware

Triton classifications:

• Mobile Malware

• Unauthorized Mobile Marketplaces

Page 22: Next Step

• Hierarchy Viewer Automation?

• Robotium?

Page 23: Robotium Limitation

• Activity

• Service

• Broadcast Receiver

• Content Provider

Page 24