© Fraunhofer Partner in
MALWARE ANALYSIS WITH CODEINSPECT
Combating sophisticated Android malware
AGENDA
Android Malware: Quo Vadis?
Dissecting Malware with CodeInspect
Advanced Static Analysis
Conclusions
Who Am I?
• 4th year PhD Student at TU Darmstadt
• Researcher at Fraunhofer SIT
• Research interests: Static analysis, IT security
• Community service: Reviewer for conferences & journals; Maintainer of Soot and FlowDroid
The Android Ecosystem
[Figure: Developer and User]
The Android Ecosystem (2)
Are Virus Scanners The Solution?
[Figure: Signature 1, Signature 2, …, Signature 3]
How Hard Can It Be?
Malware Evades Detection – Dynamic Analysis (1)
• Timing Bombs
• Emulator Detection
• Country Targeting
• IP Restrictions
• Provider Checking
• Integrity Checking
Malware Evades Detection – Dynamic Analysis (2)
• Command-and-Control
• UI Dependencies
• Logic Bombs
• File Checking
• App Checking
Malware Evades Detection – Static Analysis
• Packers
• Reflection
• Dynamic Code Loading
• Native Code
• Interpreters
What Do You Have to Hide?
First Takeaway Messages (1)
• No practically usable analysis can be sound
  • Over-approximate everywhere -> useless analysis
• Real-world apps escape academic models quickly
  • Use full language with reflection, etc.
  • Mix of programming languages and libraries
First Takeaway Messages (2)
• Real-world constraints
  • Large apps
  • Immense volume of apps published or updated daily
• Minimum burden for developers and users
  • Get new features out quickly
  • Need good reasons to block apps or people out
Hybrid Analysis Approach
[Diagram: Static Analysis and Dynamic Analysis exchanging Analysis Information]
FuzzDroid (1)
Under which environment does the app execute the given API call?
FuzzDroid (2)
[Diagram: Static Analysis and Dynamic Analysis; labels: Environment, Runtime Data]
FuzzDroid Evaluation
[Chart: Locations reached per App (scale 0–80); series: Launch, Launch & Trigger, FuzzDroid]
Human in The Loop
[Diagram: Static Analysis and Dynamic Analysis with the human analyst in the loop]
CodeInspect At A Glance (1)
• Based on Eclipse RCP
• Work as you would on source code in Eclipse
  • Navigate through the code
  • Add, change, and remove code
  • Inject arbitrary Java code
  • Start and debug your app
  • Inspect and change runtime values
CodeInspect At A Glance (2)
CodeInspect At A Glance (3)
• Sophisticated Static and Dynamic Analysis
  • Permission Use Analysis
  • Sensitive API Call Detection
  • Data Flow Tracking
  • Runtime Code Injection
  • App Communication Analysis
The Jimple IR

public void foo() {
    byte[] $arrbyte;
    java.io.FileOutputStream $FileOutputStream;
    …
    specialinvoke this.<android.app.Service: void onCreate()>();
    $File = new java.io.File;
    specialinvoke $File.<java.io.File: void <init>(java.lang.String)>("/sdcard/test.apk");
    specialinvoke $FileOutputStream.<java.io.FileOutputStream: void <init>(java.io.File)>($File);
    $arrbyte = newarray (byte)[1024];
    $int = virtualinvoke $InputStream.<java.io.InputStream: int read(byte[])>($arrbyte);
    …

Slide annotations: the first line is the Method Declaration, the typed locals are the Variable Declarations, and the statements that follow are the Implementation.
Live Demo (1)
Live Demo (2)
Live Demo (3)
Live Demo Wrap-Up
1. Find interesting starting points
  • External guidance (network sniff, etc.)
  • Text search
  • Manifest analysis: main activity, application class, etc.
  • Permission uses
2. Debug the app for the details
  • Circumvent environment checks (e.g., emulator)
  • Step over reflective calls for free
  • URLs, IP addresses, e-mail addresses, telephone numbers, etc.
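Step 1 names manifest analysis as a way to find starting points. The script below is an added example for this talk, not code from CodeInspect or the speaker: it reads a decoded AndroidManifest.xml (the binary manifest inside an APK must be converted to plain XML first) and lists the package, application class, launcher activity, declared permissions, and broadcast receivers with the actions that trigger them, which is exactly the set of places an analyst would set the first breakpoints. The manifest, the class names and the permission watchlist membership are constructed for the example; the permission strings themselves are real Android names.

```python
"""Find analysis starting points in a decoded AndroidManifest.xml.

Added example, not CodeInspect code. Assumes the manifest is plain XML.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{" + ANDROID_NS + "}name"  # ElementTree spelling of android:name

# Real permission names; which ones count as "notable" is our own choice.
NOTABLE_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed sample manifest (package and class names are made up).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:name=".SampleApp">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.constructed.SyncService"/>
  </application>
</manifest>
"""


def qualify(name: Optional[str], package: str) -> Optional[str]:
    """Expand manifest shorthand: '.Foo' and 'Foo' both mean '<package>.Foo'."""
    if name is None:
        return None
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def starting_points(manifest_xml: str) -> Dict[str, object]:
    """Collect the entry points an analyst would look at first."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    permissions: List[str] = [p.get(NAME, "") for p in root.findall("uses-permission")]
    result: Dict[str, object] = {
        "package": package,
        "application_class": qualify(app.get(NAME) if app is not None else None, package),
        "main_activity": None,
        "permissions": permissions,
        "notable_permissions": [p for p in permissions if p in NOTABLE_PERMISSIONS],
        "receivers": {},
    }
    if app is None:
        return result
    # The launcher activity is the one whose intent-filter carries MAIN + LAUNCHER.
    for activity in app.findall("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(NAME) for a in flt.findall("action")}
            categories = {c.get(NAME) for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                result["main_activity"] = qualify(activity.get(NAME), package)
    # Receivers are remote triggers (incoming SMS, boot, ...) worth a breakpoint.
    receivers: Dict[str, List[str]] = {}
    for receiver in app.findall("receiver"):
        actions = [a.get(NAME, "") for flt in receiver.findall("intent-filter")
                   for a in flt.findall("action")]
        receivers[qualify(receiver.get(NAME), package) or "?"] = actions
    result["receivers"] = receivers
    return result


if __name__ == "__main__":
    for key, value in starting_points(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The receiver list is the bridge to step 2: a receiver registered for an SMS or boot action tells you which event to emulate in the debugger to reach the interesting code.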
Advanced Static Analysis: Permission Usage
Where is this called?
Investigating the SMS Message
• Set breakpoints
  • in onCreate()
  • in sendSms()
• Look at the path in between
  • Conditions? Remote triggers? Runtime values?
• Emulate necessary events
  • Incoming SMS message, location change, etc.
Advanced Static Analysis: String Constants (1)
Advanced Static Analysis: String Constants (2)
Advanced Static Analysis: String Constants (3)
• Look for common patterns
  • http:// and https:// connections
  • Telephone numbers
  • File paths (/sdcard/)
• Case-specific patterns
  • Bank names
  • Country names
  • Strings from SMS messages or e-mails
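The two pattern families above can be applied to the string constants pulled out of an app in one pass. The script below is an added example, not part of the talk or of CodeInspect: it takes a list of string constants (a constructed sample is embedded; in practice they come from the app's string table or from a text search over the Jimple code) and sorts them into the common categories from the slide (URLs, IP addresses, e-mail addresses, telephone numbers, /sdcard/ paths) plus a caller-supplied list of case-specific keywords such as bank or country names. The regular expressions are heuristics and the keyword list is made up for the example.

```python
"""Sort an app's string constants into the patterns an analyst looks for.

Added example, not CodeInspect code. The sample strings are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Heuristic patterns for the "common" category from the slide.
COMMON_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # Phone: optional +/00 prefix, 8+ digits with optional spaces/dashes.
    # The look-arounds keep numeric URL paths and dotted IPs out.
    "phone": re.compile(r"(?<![\w./])(?:\+|00)?\d[\d\- ]{6,}\d(?![\w./])"),
    "sdcard_path": re.compile(r"/sdcard/[^\s\"']*"),
}

# Constructed sample: the kind of constants a text search over an app yields.
SAMPLE_STRINGS = [
    "http://example.invalid/gate.php",
    "https://bank.example/login",
    "+49 151 12345678",
    "/sdcard/test.apk",
    "Your ExampleBank TAN is",
    "android.intent.action.MAIN",
    "10.0.0.5",
    "victim@example.invalid",
    "Hello World",
]


def scan_strings(strings: Iterable[str], case_keywords: Iterable[str]) -> Dict[str, List[str]]:
    """Return {category: [matching constants]} for common and case-specific patterns."""
    keywords = list(case_keywords)
    keyword_re = None
    if keywords:
        # Whole-word, case-insensitive match on the analyst's case-specific terms.
        keyword_re = re.compile(
            r"\b(?:" + "|".join(re.escape(k) for k in keywords) + r")\b", re.IGNORECASE)
    report: Dict[str, List[str]] = defaultdict(list)
    for s in strings:
        for category, pattern in COMMON_PATTERNS.items():
            if pattern.search(s):
                report[category].append(s)
        if keyword_re is not None and keyword_re.search(s):
            report["keyword"].append(s)
    return dict(report)


if __name__ == "__main__":
    # Case-specific terms are chosen per sample; these are made up.
    for category, hits in scan_strings(SAMPLE_STRINGS, ["ExampleBank", "TAN", "Germany"]).items():
        print(f"{category}:")
        for hit in hits:
            print(f"    {hit}")
```

A constant that matches nothing (like "Hello World" or the intent action) is simply not reported; the point is to shrink thousands of strings to the handful worth opening in the code view.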
Advanced Static Analysis: Sensitive API Calls
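The slide title above and the "Sensitive API Call Detection" feature listed earlier refer to the same idea: match the invoke statements in the Jimple code against a list of security-relevant methods. The script below is an added example, not CodeInspect's implementation: it parses method bodies in the Jimple syntax shown on the IR slide (`virtualinvoke $x.<class: rettype name(args)>(...)`), looks each call up in a small watchlist, and reports the enclosing method and line. The watchlist entries are real Android/Java signatures; which ones to watch and the sample Jimple body are constructed for the example.

```python
"""Flag sensitive API calls in Jimple method bodies.

Added example, not CodeInspect code. Sample Jimple and watchlist are constructed.
"""
import re
from typing import Dict, List, Tuple

# (declaring class, method name) -> category. Real signatures, our own selection.
SENSITIVE_APIS: Dict[Tuple[str, str], str] = {
    ("android.telephony.SmsManager", "sendTextMessage"): "sms-send",
    ("android.telephony.TelephonyManager", "getDeviceId"): "device-id",
    ("android.location.LocationManager", "getLastKnownLocation"): "location",
    ("dalvik.system.DexClassLoader", "<init>"): "dynamic-code-loading",
    ("java.lang.reflect.Method", "invoke"): "reflection",
}

# "public void foo() {"  -> method name in group 2
METHOD_DECL = re.compile(r"^\s*(public|private|protected)?\s*[\w.$\[\]]+\s+(\w+)\([^)]*\)\s*\{")
# "virtualinvoke $r.<pkg.Cls: ret name(args)>(" -> class in group 2, name in group 3
INVOKE = re.compile(
    r"(specialinvoke|virtualinvoke|interfaceinvoke|staticinvoke)\s+"
    r"(?:\S+?\.)?<([\w.$]+):\s+\S+\s+([^(]+)\(")

# Constructed Jimple in the style of the IR slide (locals renamed for readability).
SAMPLE_JIMPLE = """\
public void onCreate() {
    android.telephony.SmsManager $sms;
    specialinvoke this.<android.app.Service: void onCreate()>();
    $sms = staticinvoke <android.telephony.SmsManager: android.telephony.SmsManager getDefault()>();
    virtualinvoke $sms.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("+0000000000", null, "constructed", null, null);
}

private void loadPayload() {
    dalvik.system.DexClassLoader $loader;
    $loader = new dalvik.system.DexClassLoader;
    specialinvoke $loader.<dalvik.system.DexClassLoader: void <init>(java.lang.String,java.lang.String,java.lang.String,java.lang.ClassLoader)>("/sdcard/test.apk", $dir, null, $parent);
    $int = virtualinvoke $InputStream.<java.io.InputStream: int read(byte[])>($arrbyte);
}
"""


def find_sensitive_calls(jimple: str) -> List[Dict[str, object]]:
    """Return one record per watchlisted call: enclosing method, line, API, category."""
    hits: List[Dict[str, object]] = []
    current_method = "<unknown>"
    for lineno, line in enumerate(jimple.splitlines(), 1):
        decl = METHOD_DECL.match(line)
        if decl:
            current_method = decl.group(2)
            continue
        for m in INVOKE.finditer(line):
            key = (m.group(2), m.group(3))
            if key in SENSITIVE_APIS:
                hits.append({
                    "method": current_method,
                    "line": lineno,
                    "api": key[0] + "." + key[1],
                    "category": SENSITIVE_APIS[key],
                })
    return hits


if __name__ == "__main__":
    for hit in find_sensitive_calls(SAMPLE_JIMPLE):
        print(f"line {hit['line']:>3}  {hit['method']:<12} {hit['category']:<22} {hit['api']}")
```

Each hit is a candidate breakpoint: the enclosing method is where you start, and the path from an entry point to that line is what the debugger session then has to explain.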
Conclusions
• Android malware protected against
  • Static analysis
  • Dynamic analysis
• Solution 1: Hybrid analyses
  • FuzzDroid reconstructs environments
• Solution 2: Aid the human analyst
  • CodeInspect combines debugger, static, and dynamic analysis
www.codeinspect.de
Free Demo Version Available!