Dissecting Android Malware : Characterization and Evolution
Authors: Yajin Zhou, Xuxian Jiang
TJ
Index of this paper
I. Introduction
II. Malware Timeline
III. Malware Characterization
  A. Malware Installation
    1) Repackaging
    2) Update Attack
    3) Drive-by Download
    4) Others
  B. Activation
  C. Malicious Payloads
    1) Privilege Escalation
    2) Remote Control
    3) Financial Charge
    4) Information Collection
  D. Permission Uses
IV. Malware Evolution
  A. DroidKungFu
    1) Root Exploits
    2) C&C Servers
    3) Shadow Payloads
    4) Obfuscation, JNI, and Others
  B. AnserverBot
    1) Anti-Analysis
    2) Security Software Detection
    3) C&C Servers
V. Malware Detection
VI. Discussion
VII. Related Work
VIII. Conclusion
I. Introduction
• Smartphone
  – Shipments: ×3 ↑ (40 million → 120 million) in 2009~2011 ► mobile malware ↑
• Android-based malware
  – Share: 46% ↑ and growing rapidly
  – 400% ↑ since summer 2010
• Goals
  – Malware samples (1,260) & families (49)
  – Timeline analysis
  – Good examples of malware
II. Malware Timeline
• Dataset
  – 49 families
  – Official/Alternative Android Market
  – 2010-08 ~ 2011-10
III. A. Malware Installation
1) Repackaging
  – Most common technique
  – Concept
    • Download popular apps → Disassemble → Enclose malicious payloads → Re-assemble → Submit
III. A. 1) Repackaging
• Where do these original apps come from?
• What do the authors do to them?
III. A. 2) Update Attack
• Concept
  – An update component downloads the malicious payload at runtime
III. A. 3) Drive-by Download
• Enticing users to download "interesting" or "feature-rich" apps.
• For example,
  – GGTracker: in-app advertisement link
  – Jifake: QR code
  – Spitmo and Zitmo: ported versions of nefarious PC malware (SpyEye, Zeus)
III. B. Activation
• Using system event messages
• For example,
  – BOOT_COMPLETED
  – SMS_RECEIVED
  – ACTION_MAIN
III. C. Malicious Payloads
1) Privilege Escalation
III. C. Malicious Payloads
2) Remote Control
• Turn infected phones into bots
  – 1,172 samples (93%)
• 1,171 samples
  – HTTP-based communication with C&C servers
  – C&C servers
    • Amazon cloud
    • Public blog
III. C. Malicious Payloads
3) Financial Charge
  – Premium-rate services
4) Information Collection
  – SMS messages
  – Phone numbers
  – User accounts
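Added triage example for the activation events listed under III. B and the payload categories under III. C (this is example code written for these notes, not from the paper or the slides): it parses a constructed AndroidManifest.xml and reports which listed activation triggers the app registers and which payload categories its declared permissions would support. The permission-to-category mapping is an assumption for illustration, not the paper's method.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Activation events named on the slides: intent actions a repackaged app
# registers for so its payload starts without the user launching anything.
ACTIVATION_EVENTS = {
    "android.intent.action.BOOT_COMPLETED": "boot",
    "android.provider.Telephony.SMS_RECEIVED": "incoming SMS",
    "android.intent.action.MAIN": "launcher",
}

# Hypothetical mapping from permissions to the payload categories on the
# slides; a real triage rule set would be broader than this.
PAYLOAD_PERMISSIONS = {
    "financial charge": {"android.permission.SEND_SMS"},
    "information collection": {"android.permission.READ_CONTACTS"},
    "remote control": {"android.permission.INTERNET",
                       "android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Constructed manifest in the shape of a repackaged app (not a real sample).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
    <receiver android:name=".Sms"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""


def triage(manifest_xml):
    """Return (activation triggers, payload categories the permissions back)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Every <action> in any intent-filter (receivers and activities alike).
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    triggers = sorted(ACTIVATION_EVENTS[n] for n in actions if n in ACTIVATION_EVENTS)
    payloads = sorted(cat for cat, needed in PAYLOAD_PERMISSIONS.items()
                      if needed <= perms)
    return triggers, payloads


print(triage(SAMPLE_MANIFEST))
```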
III. D. Permission Uses
IV. Malware Evolution
A. DroidKungFu
  1) Root Exploits
  2) C&C Servers
  3) Shadow Payloads
  4) Obfuscation
IV. B. AnserverBot
1) Anti-Analysis
2) Security Software Detection
3) C&C Servers
V. Malware Detection
• Tested on Nexus One (Android 2.3.7)
  – Lookout
  – TrendMicro
  – AVG Antivirus
  – Norton
VI. Discussion
• Ecosystem: Android Market
• ASLR, TrustZone and eXecute-Never are needed
• Lack of fine-grained API control
• Blocking malware from entering the market is needed
• Cooperation between security vendors
VIII. Conclusion
• Repackaging (86%)
• Platform-level privilege escalation exploits (36.7%)
• Bot-like capability (93%)
Q & A