The 'Platypus' talk. Malware on mobile phones is rapidly increasing. There are many reasons for this, but the primary one is the ease of monetizing malware on mobile phones: attackers are incentivized to create more malware faster and cheaper. They are overwhelming the limited resources of malware researchers with this glut of cheap and "good enough" malware. Malware can be identified by humans, but there is insufficient time to handle all that is released daily by malware writers. There is a need to develop both better heuristics and the tools that let an analyst separate the wheat from the chaff. The presentation will cover not just the development of heuristics for mobile malware, but also its path from simple detection to more advanced and more successful (i.e. fewer false positives) detection. Along the way we will cover the missteps and pitfalls that slow the development of automation.
Mobile Malware Heuristics: The path from 'eh' to 'pretty good'.
Jimmy Shah, Mobile Malware Researcher, McAfee
Credits:
By Google (http://www.android.com/branding.html) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
Photography by User: MrX [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
By Mazenl77 (FindIcons) [CC-BY-3.0-2.5-2.0-1.0 (http://creativecommons.org/licenses/by/3.0-2.5-2.0-1.0)], via Wikimedia Commons
The Problem
● About 1,000,000 apps
● Not all are good
  ○ How do you tell?
    ■ Manual Analysis
    ■ Automate it
The Problem, cont.
● How do you tell?
● Manual Analysis
  ○ Slow, doesn’t scale, ties up resources
● Automate it
  ○ use knowledge from researchers
  ○ scale up with more hw
  ○ catch the majority of copycats/script kiddies
Heuristics
What are Heuristics?
● heu·ris·tic [hyoo-ris-tik or, often, yoo-] adjective 1. serving to indicate or point out; stimulating interest as a means of furthering investigation.
"heuristic." Dictionary.com Unabridged. Random House, Inc. 5 Aug. 2013. <Dictionary.com http://dictionary.reference.com/browse/heuristic>.
What are Heuristics?
● Rules of thumb
  ○ It looks like a duck
  ○ It walks like a duck
    ■ It’s probably a duck
What are Heuristics?
● Rules of thumb
  ○ It looks like a duck
    ■ it has a beak
  ○ It walks like a duck
    ■ It has webbed feet
By Pearson Scott Foresman [Public domain], via Wikimedia Commons https://upload.wikimedia.org/wikipedia/commons/thumb/b/b3/Duck_1_%28PSF%29.png/632px-Duck_1_%28PSF%29.png
Duck? It’s a Duck!
What are Heuristics?
● Rules of thumb
  ○ It looks like a duck
    ■ it has a beak
  ○ It walks like a duck
    ■ It has webbed feet
By Pearson Scott Foresman [Public domain], via Wikimedia Commons https://upload.wikimedia.org/wikipedia/commons/thumb/c/ca/Platypus_3_%28PSF%29.png/320px-Platypus_3_%28PSF%29.png
Duck? Nope, it’s a Platypus.
Heuristic scanner: DmpAxml.pl
git://git.assembla.com/dexdump.git
Heuristic scanner: DmpAxml.pl
~$ ./DmpAxml.pl
DmpAxml - AndroidManifest.xml File Dumper ver. 0.7
Copyright 2013 Jimmy Shah All rights reserved.
Usage: /home/js/dexdump/DmpAxml.pl [-adspih] filename
Options:
-a Dump all
-d Dump printable AndroidManifest.xml
-s Dump string table
-p Dump Permissions
-i Dump Intents
-r Dump Activities
-h Run heuristics
Ideas for Heuristics
Heuristic ideas: Permissions
● Bad apps ask for permissions they don't need
  ○ True
  ○ They're more likely to request many permissions that they do need/use
● Bad apps use a particular set of permissions
  ○ True
  ○ So do clean apps
● Insufficiently unique.
  ○ Good chance to FP on clean apps
  ○ Too many FPs to use by itself
Heuristic ideas: Permissions, cont.
~$ ./DmpAxml.pl -h 517298409.apk
---------------------|
Suspcious Permissions|
---------------------|
android.permission.INTERNET
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_CONTACTS
INTERNET Transmit and receive traffic via the Internet
ACCESS_FINE_LOCATION GPS location vs. Wifi or cell tower
READ_CONTACTS Read Contact information
Android/PBL.A - A phone book leaking malware
Heuristic ideas: Certificates
● Blacklisting malicious developers
  ○ Bad apks from the same malware author are signed with the same certificate
    ■ True
    ■ Not all bad apks from the same author are signed with the same certificate
    ■ Newer variants may use different certificates
  ○ Insufficiently unique.
    ■ Chance to FP
    ■ Higher chance for False Negative (missed heuristic detection)
Heuristic ideas: Certificates, cont.
~$ ./DmpAxml.pl -h ./4D60F52138C44B903582C4EBB9661969.apk
----------------|
Possible Variant|
----------------|
Android/FakeInstaller Variant
Android/Fakeinstaller - A trojan that pretends to be an installer for a legitimate app
Heuristic ideas: Activities
● Malware uses specific Activity names to launch
  ○ legit apps with injected malicious code
  ○ trojans
  ○ spyware
● Not as useful for obfuscated apps
  ○ unidentifiable or changing activity names
● Complex malware can avoid notice by injecting code into a legitimate Activity
Heuristic ideas: Multiple Indicators
● Each Heuristic has its individual FP rate
  ○ Chances that actual malware is missed
  ○ Heuristic can not be too specific or it becomes a unique signature for a particular malware
● Combining multiple indicators can reduce this rate
  ○ Ex: Certificate blacklisting plus Permissions
  ○ Chance is low enough to indicate malware without excluding too many variants
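The permission, certificate and multiple-indicator ideas above, as an added Python example that is not the talk's DmpAxml.pl: it parses a decoded manifest, runs each heuristic family, and flags an app only when two families agree, so that no single weak indicator fires on its own. The suspicious-permission combos, certificate fingerprint, activity name and sample manifest are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission combinations the talk calls out: INTERNET plus READ_CONTACTS
# (phone book leak) and SEND_SMS. On their own these also match clean apps.
SUSPICIOUS_COMBOS = {
    "phonebook-leak": {"android.permission.INTERNET",
                       "android.permission.READ_CONTACTS"},
    "sms-sender": {"android.permission.SEND_SMS"},
}
# Placeholder SHA-1 fingerprint of a signing cert seen on known bad APKs.
CERT_BLACKLIST = {"AA" * 20: "Android/FakeInstaller"}  # constructed value
# Placeholder launch Activity name tied to a known family (constructed).
KNOWN_BAD_ACTIVITIES = {"com.placeholder.FakeInstallerActivity"}


def score_app(manifest_xml: str, cert_sha1: str) -> dict:
    """Run each heuristic family and flag only when two or more fire.

    Any single family (permissions, certificate, activities) is too weak
    to use by itself; requiring a second family cuts the FP rate.
    """
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    activities = {e.get(ANDROID_NS + "name") for e in root.iter("activity")}
    families = {}
    perm_hits = [n for n, combo in SUSPICIOUS_COMBOS.items() if combo <= perms]
    if perm_hits:
        families["permissions"] = perm_hits
    act_hits = sorted(activities & KNOWN_BAD_ACTIVITIES)
    if act_hits:
        families["activities"] = act_hits
    variant = CERT_BLACKLIST.get(cert_sha1.upper())
    if variant:
        families["certificate"] = [variant]
    return {"indicators": families, "flag": len(families) >= 2}


# Constructed decoded manifest (DmpAxml's -d dump would be the real input).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application><activity android:name="com.example.MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    print(score_app(SAMPLE_MANIFEST, "aa" * 20))  # flagged: perms + cert
    print(score_app(SAMPLE_MANIFEST, "00" * 20))  # not flagged: perms only
```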
Heuristic ideas: Multiple Indic., cont.
~$ ./DmpAxml.pl -h ./d20cb0bb5d87bfc8394bda0d8964d663.apk
----------------|
Possible Variant|
----------------|
Android/FakeInstaller Variant
---------------------|
Suspcious Permissions|
---------------------|
android.permission.INTERNET
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_CONTACTS
INTERNET Transmit and receive traffic via the Internet
SEND_SMS Send SMS messages
ACCESS_NETWORK_STATE Checks network connectivity
Android/Fakeinstaller - A trojan that pretends to be an installer for a legitimate app
Heuristic ideas: Multiple Indic., cont.
● 70 unknown samples
● Training set of about 200 known malware
● 10 samples, possible variants of known malware
  ○ Android/Fladstep
    ■ fake flash player
    ■ browser, loads malicious site
  ○ Android/VDLoader
    ■ backdoor trojan, steals user info
● 1 out of 7 detection rate (~14%)
  ○ 10 apps that warrant a closer look
Questions?