Android Malware Heuristics

Masata Nishida
AVTOKYO 2012, 2012/11/17

(Photo: Android Lineup Beige By .RGB.)


Page 2: AVTOKYO2012 Android Malware Heuristics(en)

Who am I?

Masata Nishida

• SecureBrain, Advanced Research Laboratory
• I’m not a malware researcher, I’m just a software developer.
• Rubyist
• @masata_masata

Page 3

Today’s Theme

Presented the same topic at CSS2012.

• CSS (Computer Security Symposium) 2012
  – 2012/10/30-11/01
  – Matsue City, Shimane Prefecture

Title: “Android Malware Heuristics using Digital Certificates”

Japanese Title: 署名情報を利用したAndroid マルウェアの推定手法の提案

Page 4

Android malware is increasing explosively!!

(Photo: High Sheeps By Bertoz)

Page 5

McAfee Threat Report: Second Quarter 2012 By McAfee Labs

Page 6

“Android malware is increasing explosively!!”

That is what everyone says. But… what is the reality?

Page 7

Although the number of malware samples is rapidly increasing, we don’t actually have insights into that growth.

Today, we will focus on the certificates used by malicious Android apps. Then we can see another side of Android malware.

(Photo: DSC_6557 By euthman)

Page 8

Background

• Android applications must be digitally signed.
• A self-signed certificate can be used (no CA is involved).
• The signature information is in the META-INF/ directory of the APK file (a zip archive).

(Photo: Marriage Certificate By The Gearys)

Page 10

I’m bored. I counted the number of unique certificates in Android malware.

Page 11

First, collect malware samples

• Target Android malware:
  – about 15,000 samples.
  – includes many polymorphic samples.

Family         Samples
FakeInst         4,911
Kmin             2,464
OpFake           2,360
Boxer            1,399
DroidKungFu        824
Lotoor             432
GingerMaster       272
SmsSend            221
SmsAgent           209
JiFake             137
Others           1,488
Total           14,717

(Photo: Catching Bugs, II, III By New Mexico Forestry Camp)

Page 12

Then count certificates.

(Photo: Microscope Night By Machine Project)

Page 13

Counting certificates requires lotta patience...

(Photo: Microscope Night By Machine Project)

Page 14

The result…

Page 15

Unique certificates

14,717 samples
589 certificates

Many malware samples use the same certificate!!

Page 16

FakeInst

4,911 samples
31 certificates

Polymorphic samples also use the same certificates.

(Figure: polymorphic sample)

Page 17

FakeInst

Most reused certificate: reused by 2,602 samples

(Figure: polymorphic sample)

Page 18

Period of use

Certificates used for over a year: 13 certificates (2,764 samples)

Some certificates are used for a long time.

Page 19

The Movie (Dougalek)

• An incident in Japan (Apr. 2012)
• The malware was distributed from Google Play.
  – About 50 malicious apps.
  – Used 7 developer accounts.
• The malware sends private information to an external server.
• The application name is like “xxx the Movie”.
  – “xxx” is replaced with a pop star or famous game name.
• Installed on over 90,000 devices.
• Sent 12,000,000 pieces of information to the external server.
• The suspects were arrested last month (30th Oct 2012).

Japan-specific malware

Page 20

The Movie (Dougalek)

24 samples
7 certificates

Japan-specific malware

Page 21

Today’s Conclusion

(Photo: New Blackboard By uncultured)

Page 22

Many Android malware samples are signed using the same certificate.

We can detect new malware using the certificates of well-known malware.

(for now…)

(Photo: The Detective By paurian)
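The procedure the talk describes (Page 8: the signature lives in META-INF/ as a PKCS#7 blob; Pages 11-18: fingerprint the signing certificate of every sample, count unique certificates, find the most reused ones and the ones used for over a year; Page 22: flag a new APK whose signer matches a certificate already seen on known malware) as an added Ruby example. This is not code from the talk or from the ruby_apk project. It assumes each sample is represented by the raw bytes of its META-INF/CERT.RSA file plus a family label and a first-seen date; pulling that file out of the APK zip is left to a zip library (rubyzip, or the "extract files" feature of ruby_apk), and the corpus below is constructed from throwaway self-signed keys so the script runs offline with only the Ruby standard library (openssl, date, set). The `Sample` struct, the signer names and the dates are all constructed for the example.

```ruby
# Added example (not from the talk or the ruby_apk project): count the unique
# signing certificates across a corpus of Android malware samples, the way the
# talk does, and use known-malware certificates as a detection heuristic.
#
# Assumptions: each sample is the raw bytes of its META-INF/CERT.RSA (a PKCS#7
# SignedData structure) plus a family label and a first-seen date. Extracting
# CERT.RSA from the APK zip is left to a zip library; the samples below are
# constructed with throwaway self-signed keys so the script runs offline.
require 'openssl'
require 'date'
require 'set'

Sample = Struct.new(:family, :first_seen, :cert_rsa_der)

# SHA-256 fingerprints of every X.509 certificate carried in a CERT.RSA blob.
# keytool -printcert and apksigner print the same digest, so these values can
# be compared directly with other tools' output.
def cert_fingerprints(cert_rsa_der)
  p7 = OpenSSL::PKCS7.new(cert_rsa_der)
  (p7.certificates || []).map { |c| OpenSSL::Digest::SHA256.hexdigest(c.to_der) }
end

# Tally samples per certificate: how many samples share it, which families, and
# over what span of first-seen dates it was used.
def tally_certificates(samples)
  stats = Hash.new { |h, k| h[k] = { samples: 0, families: Set.new, first: nil, last: nil } }
  samples.each do |s|
    cert_fingerprints(s.cert_rsa_der).each do |fp|
      st = stats[fp]
      st[:samples] += 1
      st[:families] << s.family
      st[:first] = s.first_seen if st[:first].nil? || s.first_seen < st[:first]
      st[:last]  = s.first_seen if st[:last].nil?  || s.first_seen > st[:last]
    end
  end
  stats
end

# Certificates observed across more than `days` of samples ("period of use").
def long_lived(stats, days = 365)
  stats.select { |_, st| (st[:last] - st[:first]) > days }.keys
end

# Detection heuristic from the conclusion slide: a new APK whose signer matches
# a certificate already seen on known malware is flagged.
def signed_by_known_malware?(cert_rsa_der, known_bad_fingerprints)
  cert_fingerprints(cert_rsa_der).any? { |fp| known_bad_fingerprints.include?(fp) }
end

# --- constructed fixtures ---------------------------------------------------
# A throwaway self-signed "developer" certificate, the kind Android accepts.
def make_signer(cn)
  key  = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after  = Time.now + 25 * 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# The equivalent of META-INF/CERT.RSA: a detached PKCS#7 signature over the
# (here stubbed) CERT.SF bytes, carrying the signer's certificate.
def fake_cert_rsa(cert, key, sf_bytes = "Signature-Version: 1.0\r\n")
  OpenSSL::PKCS7.sign(cert, key, sf_bytes, [],
                      OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::DETACHED).to_der
end

SIGNER_A = make_signer('fakeinst-dev') # reused across families and years
SIGNER_B = make_signer('kmin-dev')

# Constructed corpus: family labels and dates are made up for the example.
CORPUS = [
  Sample.new('FakeInst', Date.new(2011, 5, 1), fake_cert_rsa(*SIGNER_A)),
  Sample.new('FakeInst', Date.new(2012, 3, 1), fake_cert_rsa(*SIGNER_A)),
  Sample.new('FakeInst', Date.new(2012, 8, 1), fake_cert_rsa(*SIGNER_A)),
  Sample.new('OpFake',   Date.new(2012, 6, 1), fake_cert_rsa(*SIGNER_A)),
  Sample.new('Kmin',     Date.new(2012, 9, 1), fake_cert_rsa(*SIGNER_B)),
]

# Print the same summary the talk gives: unique certificates, reuse counts,
# families per certificate, period of use, and how many were used over a year.
def report(samples = CORPUS)
  stats = tally_certificates(samples)
  puts "#{samples.size} samples, #{stats.size} unique certificates"
  stats.sort_by { |_, st| -st[:samples] }.each do |fp, st|
    puts "  #{fp[0, 16]}...  #{st[:samples]} samples  " \
         "#{st[:families].to_a.join(',')}  #{st[:first]}..#{st[:last]}"
  end
  puts "used for over a year: #{long_lived(stats).size}"
  stats
end

report if __FILE__ == $PROGRAM_NAME
```

Fingerprinting the certificate rather than the whole CERT.RSA file matters: the PKCS#7 blob changes with every build (it signs CERT.SF), while the embedded certificate stays the same across all APKs signed with one key, which is exactly the reuse the talk measures. A deployment would feed `tally_certificates` with CERT.RSA bytes read from real APKs and keep the fingerprints of known-malware signers as the blocklist for `signed_by_known_malware?`.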

Page 23

Many Android malware samples are signed using the same certificate.

Not so many malware developers??

or

The private keys of the certificates are shared between malware developers??

(Photo: DSC_6565 By euthman)

Page 24

END

Page 25

[Appendix] apk analysis library for Ruby

• Open Source
  – Source: https://github.com/securebrain/ruby_apk
  – Install: “$ gem install ruby_apk”
• Requirements
  – Ruby 1.9.x
• Features
  – AndroidManifest.xml analysis
    • components (activity, service, receiver, provider)
    • use-permission, intent-filter, …
  – Extract files in apk
  – resource analysis (partial)
  – dex analysis (partial)
    • Extract classes, methods, fields, strings