1
INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM
LOH KE LIH
FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY UNIVERSITI TEKNIKAL MALAYSIA MELAKA
2014
BORANG PENGESAHAN STATUS TESIS
2
JUDUL: INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM SESI PENGAJIAN: SESI 2013/2014 Saya LOH KE LIH mengaku membenarkan tesis (PSM/Sarjana/Doktor Falsafah) ini disimpan di Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dengan syarat-syarat kegunaan seperti berikut: 1. Tesis dan projek adalah hakmilik Universiti Teknikal Malaysia Melaka. 2. Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dibenarkan membuat salinan untuk tujuan pengajian sahaja. 3. Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dibenarkan membuat salinan tesis ini sebagai bahan pertukaran antara institusi pengajian tinggi. 4. ** Sila tandakan (/) _____________ SULIT (Mengandungi maklumat yang berdarjah
keselamatan atau kepentingan Malaysia seperti yang termaktub di dalam AKTA RAHSIA RASMI 1972)
_____________ TERHAD (Mengandungi maklumat TERHAD yang telah
ditentukan oleh organisasi/badan di mana penyelidikan dijalankan)
_____/_______ TIDAK TERHAD __________________________ ___________________________ (TANDATANGAN PENULIS) (TANDATANGAN PENYELIA) Alamat tetap : 18, Jalan Khalidi, Nama Penyelia : En. Zulkiflee 84000 Muar, Muslim Johor, Malaysia Tarikh : __________________________ Tarikh: _____________________
3
INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM
LOH KE LIH
This report is submitted in partial fulfillment of the requirement for the Bachelor of
Computer Science (Computer Networking)
FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY
UNIVERSITI TEKNIKAL MALAYSIA MELAKA
2014
4
DECLARATION
I hereby declare this project report entitled
INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM
is written by me and is my own effort and that no part has been plagiarized without
citations.
STUDENT :_____________________________ Date:_____________
(LOH KE LIH)
SUPERVISOR:_____________________________ Date:_____________
(EN ZULKIFLEE BIN MUSLIM)
6
ACKNOWLEDGEMENTS
I would like to show my gratitude and appreciation to my supervisor, En Zulkiflee
bin Muslim for all the ideas and advices in guiding me throughout the project.
I would also like to thank my family members especially my parents because they
have given me the greatest support in all sorts of materials throughout my years of
studying in this university.
Last but not least, I would like to thanks to all my friends and course mates for their
kindness in sharing knowledge and resources.
Thanks a lot.
7
ABSTRACT
This project identifies the behaviours of Android malware, BaseBridge
through dynamic analysis. Scope to be conducted in this project are using only one
specific type of android malware and focusing on behaviour of android malware.
Tcpdump will be used in this project to sniff the network. This research will be
contributed in identifying the behavior of BaseBridge in respective network traffic by
using Santoku Linux operating system which contains several tools such as Android
SDK emulator, Wireshark and Tcpdump. In the end of this project, behaviour of
BaseBridge will be concluded. However, there are several constraints and limitations
on this project which is not fully fit for other android malwares’ behaviours. For
future works, a script can be generate and conducted into a complete software system,
so that the processes of capture data can be done automatically by the system thus
enhances the system fit for other android malwares.
8
ABSTRAK
Projek ini mengenal pasti tingkah laku malware Android, BaseBridge melalui
analisis dinamik. Skop yang akan dijalankan dalam projek ini menggunakan hanya
satu jenis tertentu Android malware dan memberi tumpuan kepada tingkah laku
Android malware. Tcpdump akan digunakan dalam projek ini untuk mengesan
rangkaian BaseBridge. Kajian ini akan menyumbang dalam mengenal pasti tingkah
laku dalam BaseBridge trafik rangkaian masing-masing dengan menggunakan sistem
operasi Linux Santoku yang mengandungi beberapa peralatan seperti Android SDK
emulator, Wireshark dan tcpdump. Di akhir projek ini, tingkah laku BaseBridge akan
dibuatkan kesimpulan. Walau bagaimanapun, terdapat beberapa kekangan dan
batasan projek ini, iaitu tidak cergas sepenuhnya untuk tingkah laku lain malwares
Android. Bagi kerja-kerja masa depan, skrip yang boleh dijana dan dijalankan ke
dalam sistem perisian yang lengkap, supaya proses menangkap data boleh dilakukan
secara automatik oleh sistem itu bagi meningkatkan sistem untuk malwares Android
lain.
9
TABLE OF CONTENTS
DECLARATION i
DEDICATION ii
ACKNOWLEDGEMENTS iii
ABSTRACT iv
ABSTRAK v
TABLE OF CONTENTS vi
LIST OF TABLES x
LIST OF FIGURES xi
LIST OF ABBREVIATIONS xiii
LIST OF ATTACHMENTS xiv
INTRODUCTION 1
1.1 Introduction 1
1.2 Project Background 2
1.3 Problem Statement 3
1.4 Objective 4
1.5 Scope 5
1.6 Project Contribution 5
1.7 Report Organization 6
1.8 Summary 7
LITERATURE REVIEW 8
2.1 Introduction 8
2.2 Android 9
2.2.1 Definition 9
10
2.2.2 Android Architecture 9
2.3 Malware 11
2.3.1 Malware Definition and Category 11
2.3.1.1 Trojan Definition and Classification 13
2.3.2 Android Malware 14
2.3.2.1 BaseBridge 16
2.3.2.2 BaseBridge Characteristics and Behaviour 16
2.4 Malware Detection Technique 17
2.4.1 Anomaly-based Detection 18
2.4.1.1 Dynamic Anomaly-based Detection 18
2.4.1.2 Static Anomaly-based Detection 19
2.4.1.3 Hyrid Anomaly-based Detection 19
2.4.2 Specification-based Detection 19
2.4.2.1 Dynamic Specification-based Detection 20
2.4.2.2 Static Specification-based Detection 20
2.4.2.3 Hyrid Specification-based Detection 20
2.4.3 Signature-based Detection 20
2.4.3.1 Dynamic Signature-based Detection 21
2.4.3.2 Static Signature-based Detection 21
2.4.3.3 Hyrid Signature-based Detection 21
2.5 Parameter 22
2.5.1 Network Traffic 22
2.6 Santoku Linux 23
2.7 Summary 24
METHODOLOGY 25
3.1 Introduction 25
3.2 Project Methodology 25
3.3 Phase I: Requirement Analysis 26
3.4 Phase II: Design 26
3.5 Phase III: Implementation 27
3.6 Phase IV: Testing 28
3.7 Phase V: Operate 28
11
3.8 Project Schedule and Milestones 28
3.9 Summary 31
ANALYSIS & DESIGN 32
4.1 Introduction 32
4.2 Problem Analysis 33
4.3 Requirements Analysis 33
4.3.1 Data Requirements 33
4.3.2 Software Requirements 33
4.3.3 Hardware Requirements 34
4.4 BaseBridge Analysis Approach 35
4.4.1 Network Design 35
4.4.2 Environment Setup 37
4.4.3 Install Malware and Capture Network Traffic 38
4.4.4 Analyse Collected Data 38
4.4 Summary 39
IMPLEMENTATION & TESTING 40
5.1 Introduction 40
5.2 Software Development Environment Setup 41
5.3 Activate Malware, Collect Network Traffic 41
5.3.1 Process Collect Network Traffic Data 41
5.3.2 Network Traffic Collected Data 43
5.4 Test Plan 45
5.4.1 Test Organization 45
5.4.2 Test Environment 45
5.4.3 Test Schedule 46
5.4.4 Test Strategy 47
5.4.4.1 Unit Testing 47
5.4.4.2 Integrate Testing 47
5.4.5 Test Design 47
5.4.5.1 Sample APK Set 47
5.5 Test Result & Analysis 48
5.5.1 Network Traffic Attributes 49
12
5.5.2 Network Traffic Graph 49
5.5.2.1 Ideal Graph 50
5.5.2.2 Graph of Number of Packets 51
5.5.2.3 Graph Protocol 52
5.5.2.4 Graph Destination IP Address 53
5.6 Result Analysis 54
5.7 Summary 55
CONCLUSION 56
6.1 Introduction 56
6.2 Project Summarization 56
6.3 Project Contribution 57
6.4 Project Limitation 57
6.5 Future Project 57
6.6 Summary 58
REFERENCES 59
APPENDIX 64
13
LIST OF TABLES
TABLE TITLE PAGE
Table 1.1 Summary of Problem Statement 3
Table 1.2 Summary of Research Question 3
Table 1.3 Summaries of Research Objectives 4
Table 1.4 Summary of Project Contributions 5
Table 2.1 Definitions for Malware Category 12
Table 2.2 Definitions for Trojan Classification 13
Table 2.3 Percentage of Mobile Malware Detected in Different Platform 15
Table 3.1: Milestones 28
Table 4.1: The details of hardware requirement 34
Table 5.1 Software Requirements 45
Table 5.2 Hardware Requirements 46
Table 5.3 Testing Schedule 46
Table 5.4 Sample APK File Summarization 48
Table 5.5 Network Traffic Attribute SA1 49
Table 5.6 Summary of BaseBridge’s Behaviour 54
14
LIST OF FIGURES
FIGURE TITLE PAGE
Figure 2.1 Literature Review Phase 8
Figure 2.2 Android Architecture Structural Diagram 10
Figure 2.3 Malware Categories 11
Figure 2.4 Trojan Classifications 13
Figure 2.5 Type of threats on Android devices 15
Figure 2.6 The Most Frequently Detected Malicious Programs Targeting Android 16
Figure 2.7 The Websites that will access by Android/BaseBridge 17
Figure 2.8 Android Malware Detection Techniques 18
Figure 2.9 IP Header Versions 4 22
Figure 2.10 Santoku Linux Tools 23
Figure 3.1 Project Methodology 26
Figure 4.1 Analysis Approach 35
Figure 4.2 Physical Designs 36
Figure 4.3 Logical Designs 37
Figure 5.1 Steps on Environment Setup 41
Figure 5.2 Process of Collecting Network Traffic 42
Figure 5.3 Collected Network Traffic 43
Figure 5.4 Content of Network Traffic 44
Figure 5.5 Website that visited by BaseBridge 44
Figure 5.6 Ideal Network Traffic Pattern 50
Figure 5.7 Frequency of Packets Number 50
Figure 5.8 Graph of Number of Packets Sample APK 1 51
Figure 5.9 Frequency of Number Packets Sample APK 1 51
Figure 5.10 Graph Protocol per Second 52
15
Figure 5.11 Frequency of Protocol 53
Figure 5.12 Number of Packet from 192.168.61.128 to Destination Port 53
16
LIST OF ABBREVIATIONS
ALPHABET WORDS EXPLANATION
A APK Android Application Package File
ARP Address Resolution Protocol
H HTTP Hypertext Transfer Protocol
T TCP Transmission Control Protocol
U UDP User Datagram Protocol
URL Uniform Resource Locator
17
LIST OF ATTACHMENTS
ATTACHMENT TITLE PAGE
A Gantt Chart 64
B Network Traffic Attributes
B.1 Network Traffic Attributes SA2 65
B.2 Network Traffic Attributes SA3 66
C Network Traffic Graph
C.1 Graph of Number of Packet Sample 67
APK 2
C.2 Frequency of Number Packets Sample 67
APK 2
C.3 Graph of Number of Packet Sample 68
APK 3
C.4 Frequency of Number Packets Sample 68
APK 3
C.5 Graph Protocol for SA 2 69
C.6 Graph Frequency of Protocol SA 2 69
C.5 Graph Protocol for SA 3 70
C.6 Graph Frequency of Protocol SA 3 70
C.9 Number of Packet to Destination Port 71
for SA2
C.10 Number of Packet to Destination Port 71
for SA3
18
CHAPTER I
INTRODUCTION
1.1 Introduction
Nowadays, the mobile platforms and applications are increasing in popularity.
However, the popular platform such as Android has greatly stimulated the spread of
mobile malware. In order to identify the problem that cause mobile malware spread
rapidly, we will discuss about the background of the project which is Android and
malware. The research problem will be formulated into three research questions.
Based on the research questions, the current problem that faced by the Android user
will be clearly shown. After that, the research objective can be generated and all
works done in this project will be based on the research objective.
Firstly, for the purpose to do this project, project background will be discussed. The
background of Android platform and malware will be described. Secondly, the
research problem will be summarised. After that the research question and objective
will be conducted. Project scope and contribution will also be discussed. Lastly, the
report organization will be described to make sure the project is carry out in correct
flow.
19
1.2 Project Background
In recent year, the using of smart phone is increasing. There are several of operating
system used in smart phone such as Android, IOS, Window, Blackberry and
Symbian. Android is the most popular platform used in smart phone which is 79.0%
compare to Apple IOS (14.2%), Windows Phone (3.3%), Blackberry (2.7%) and
other (0.9%) (mobiThinking, 2014). Android is the largest installed platform and
growing fast which placed first among others smart phone operating systems
(Micheal Oleaga, 2014, Guru, 2014).
As more and more smart phones come out, the amount of people accessing the
Internet greatly increases. So, there is a rapid increase in the amount of malware
targeting Android smart phones since it is the most popular operating system used in
smart phone. 99% of mobile malware targeted Android devices last year (Brad Reed,
2014).
Malware, short for malicious software, is software used to damage or control the
computer operation, gather with sensitive information, or gain access to private
computer systems. It can be emerged as a collection of code, script, active content
and embedded in other application (McMahon, 2013). Therefore, a script can be
generating in order to detect the android malware that found in the smart phones.
Examples of android malware such as DroidKungFu, BeanBot, BaseBridge are the
major threats to the security of the android mobile. However, there are some malware
will re-implementing some of their malicious functionalities in native code. The
changes are possibly to make their detection and analysis harder. (Yajin Zhou, 2012).
So, the parameter will be analyzing to know the attack pattern of the malware.
The malware are grows rapidly, some effectively defend should take against the
malware. In order to create a method to defend against the malware, we need to study,
analysis and investigate about the malware. We need to how the malware behaves
when executed, how it got here, what is the purpose and how it runs (Kris Kendall,
2007).
20
Therefore, dynamic analysis will be using in this project to analyse the android
malware. It will focuses on the behaviour of attack, determine how and what it gets
installed, how it run, what files have been added or modified, who they are
communicate to, etc (Dennis Distler, 2007). So, the parameter such as system call
and network traffic will be investigate in this project.
1.3 Problem Statement
Nowadays, malicious code is reportedly infecting Android devices at a rapid speed.
Therefore, Android phone users are advised to take extra precautions on this situation.
However, the malware characteristics cause difficulty for users to identify and detect
their behaviours. The Research Problem (PR) is summarized into Table 1.1.
Table 1.1 Summary of Problem Statement
No Research Problem
RP1 Difficult to detect the appearance of android malware inside the smart
phone because most of the anti-virus software is low accuracy.
Thus, Research Questions (RQ) which depicted in Table 1.2 is constructed to
identify the research problem as discussed in previous section.
Table 1.2 Summary of Research Question
No Research Question
RQ1 What is the behaviour of different android malware?
RQ2 What is the parameter used to detect the android malware's
behaviour?
RQ3 How to detect the android malware using parameter?
RQ1: What is the behaviour of different android malware?
This research question is used to study the behaviour of malware by identify which
techniques is suitable to use for collecting data for different type of malware.
21
RQ2: What is the parameter used to detect the android malware's behaviour?
This research question is formulated by considering the android malware’s behaviour
issue because there are many different type of malware and that may infect to
different parameter. Thus, it is important to identifying which parameter is suitable to
use for study the malware’s behaviour.
RQ3: How to detect the android malware using parameter?
This research question is formulated by considering the way to extract the behavior
of the android malware using parameter and generate the attack pattern dynamically.
1.4 Objective
Based on the research questions formulated in previous section, appropriate research
objectives (RO) are developed as follows:
Table 1.3 Summaries of Research Objectives
RP RQ RO Research Objective
RP1
RQ1 RO1 To classify the android malware's behaviour.
RQ2 RO2 To identify the parameter used to detect the android malware's
behaviour.
RQ3 RO3 To detect the android malware using parameter.
RO1: To classify the android malware's behaviour.
Firstly, we need to classify the type of android malware and the behaviour of android
malware in order to find out the feature of malware. Different type of malware may
have different type of behaviour.
RO2: To identify the parameter used to detect the android malware's behaviour.
We need to investigate the suitable parameter used to identify the behaviour of
android malware in order to generate the attack pattern of malware and do the
detection
22
RO3: To detect the android malware using parameter.
After identify the parameter, we need to develop a script to detect the android
malware automatically using its parameter.
1.5 Scope
Scope of project is going to be conducted as follows:
1. Using only one specific type of android malware.
2. Focusing on behaviour of android malware in order to generate the attack
patterns of android malware by using network traffic.
3. Tcpdump and Wireshark will be used in this project to sniff the network.
1.6 Project Contribution
The contribution of this project are summarized in Table 1.4
Table 1.4 Summary of project contributions
RP RQ RO RC Research Contribution
RP1
RQ1 RO1 RC1 The classification of android malware's behaviour.
RQ2 RO2 RC2 The parameter of android malware's behaviour.
RQ3 RO3 RC3 Detecting the malware’s attack pattern using parameter.
Table 1.4 shows the project contributions based on the research problem, research
questions and research objective.
23
1.7 Report Organization
Chapter 1: Introduction
This chapter will discuss about the introduction, project background, problem
statement, research question, research objective, project scope, project contribution
and report organization.
Chapter 2: Literature Review
This chapter will study about the related works such as android, malware, malware
attack pattern, malware analysis technique, parameter and operating system used.
The related works will be contribute to the next chapter.
Chapter 3: Methodology
This chapter will explain the method used to analyse android malware and project
methodology. Project schedule and milestones will discuss in this chapter to finish
the project in time.
Chapter 4: Analysis and Design
This chapter will introduce the problem analysis, requirements of software and
hardware. The experimental design such as logical design and physical design will
also conduct in this chapter. Environment will setup based on the requirements.
Chapter 5: Implementation and Testing
This chapter will describe the method to implement and test the collected data in
order to carry out the graph to support the evidence. The test result and analysis will
conclude in this chapter.
Chapter 6: Conclusion
This chapter will summarize all chapters as a conclusion. Project summarization,
limitation and future work will discuss.
24
1.8 Summary
As a conclusion, this project will identify the behaviour of Android malware using
dynamic analysis. The problem statement, research questions, research objectives
and scope are discussed in this chapter to identify and solve the problem. Besides
that, report organization also carried out in this chapter to make sure the project runs
in sequence. In the next chapter, more research and related works about Android
malware and malware detection technique will be discussing.