DroidKungFu and AnserverBot

Android Malware Characterisation part II
Analysis of Two Malware Families: DroidKungFu and AnserverBot
• DroidKungFu and AnserverBot represent the most recent incarnation of malware engineering
• Since their first appearance, several improvements have been coded to increase their stealthiness
• There are 6 different known variants of DroidKungFu
• They appeared within a period of 6 months
• Probably many more now
• They contain:
  • Root-kit exploits
  • C&C server communication
  • Shadow payloads
  • Code obfuscation
DroidKungFu – Root Exploits
• 4 variants contain root exploits
• DroidKungFu is the first to use an encrypted root-kit exploit
• Root-kits are stored as assets so that they look like normal data files
• Initially the asset name was ratc (RageAgainstTheCage)
• Later it was changed to myicon
DroidKungFu – C&C Comm
• All the variants communicate with C&C servers
• To evade detection, the C&C servers’ addresses keep changing
• DroidKungFu1 uses a plaintext string in one of its Java classes
• In DroidKungFu2 the address is moved to a plain-text string in native code
• DroidKungFu3 and DroidKungFu4 use encrypted names (stored in Java classes and native code)
DroidKungFu – Shadow Payload
• If the root-kit is successful, then a shadow app will be installed
• The user will not be aware of this app
• This app contains the same code as the malicious payload included in the repackaged app
• This means that in the event the user removes the host app, the shadow app will remain
• Variants encrypt the shadow app to evade detection, and no icon is shown
DroidKungFu – Code Obfuscation
• Extensive use of encryption for constant strings, C&C servers’ addresses, native payload and shadow app
• Keys are changed very often
• Extensive use of code obfuscation
• Use of native code and JNI to make the code more difficult to analyse
• DroidKungFuUpdate uses the update attack to download the actual payload and evade static code analysis
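An added defensive check, not part of the slides, that turns the root-exploit, shadow-payload and obfuscation slides into a scanner: it walks the assets/ directory of an APK (a zip file) and flags entries that carry a DroidKungFu asset name, look encrypted (high byte entropy), or are themselves a zip/APK. The sample APK is constructed in memory; the asset names come from the slides, the entropy threshold is an assumption.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Asset names the slides report for DroidKungFu's encrypted root exploit
SUSPECT_ASSET_NAMES = {"ratc", "myicon"}
ENTROPY_THRESHOLD = 7.2  # assumed cut-off in bits/byte; encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk_assets(apk_bytes: bytes) -> list[dict]:
    """Return one finding per assets/ entry that looks like a hidden payload."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = apk.read(info)
            name = info.filename.rsplit("/", 1)[-1].lower()
            reasons = []
            if name in SUSPECT_ASSET_NAMES:
                reasons.append("asset name used by DroidKungFu root exploit")
            ent = shannon_entropy(data)
            if ent >= ENTROPY_THRESHOLD:
                reasons.append(f"high entropy ({ent:.2f} bits/byte): likely encrypted")
            if data[:2] == b"PK":  # zip local-file header: an APK inside the APK
                reasons.append("embedded zip/APK: possible shadow app")
            if reasons:
                findings.append({"asset": info.filename, "reasons": reasons})
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a benign text asset plus an encrypted-looking 'myicon'."""
    rng = random.Random(1234)  # fixed seed keeps the sample deterministic
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("assets/readme.txt", "hello world " * 50)
        z.writestr("assets/myicon", bytes(rng.getrandbits(8) for _ in range(4096)))
    return buf.getvalue()
```

Running `scan_apk_assets(build_sample_apk())` reports only assets/myicon, both for its name and for its entropy; the plain-text asset stays silent.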
AnserverBot
• One of the most advanced Android malware families
• It uses evasion techniques not used before by any other Android malware
• It has been discovered in repackaged apps available in Chinese app markets
• It appears to be an evolution of the BaseBridge malware family
AnserverBot – Anti Analysis
• It uses the repackaging attack
• However, when installed it checks whether the hosting app has been tampered with
• It checks the signature and only then unfolds its payload
• It extensively uses code obfuscation to make the code hard for a human to read
• The payload is split into three different apps: the host app plus two shadow apps
AnserverBot – Anti Analysis
• The shadow apps share the same package name
  • Com.sec.android.touchScreen.server
• One shadow app is loaded through the update attack
• The other shadow app is dynamically loaded through the JVM dynamic class-loading mechanism
• However, it is not installed!
• AnserverBot is able to load any code retrieved from the C&C server
AnserverBot – AV Detection
• This malware is very aggressive
• It tries to detect whether AV software is installed on the device
• It contains the encrypted names of security apps
  • such as LBE, 360 MobileSafe
• If one is installed, the malware uses the restartPackage method to stop the AV and then displays an error message
AnserverBot – C&C Comm
• AnserverBot supports two types of C&C servers
• One type is used for sending commands
• The second one is used for retrieving encrypted payloads
• To reach the second one, it uses an encrypted entry posted on public blog providers, i.e. Sina and Baidu
• This entry contains the (encrypted) address of the second C&C
The AVS race
• Given the rapid evolution of malware, AV software is lagging behind
• Mainly, AVS uses a signature-based approach
• It relies on the content of its signature DB
• If an app's signature is not there, the app may not be detected as malware
• How easy is it to change the signature of an app?
• Very!
The AVS race
• Interesting report from Imperva
• http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_
• Unknown malware samples were submitted to AVS products
• The goal is to evaluate how effective AVS solutions are
• The results are really scary
Imperva Study Results
• Less than 5% of the malware samples were detected
• Most of the AVS cannot keep up with the fast-changing landscape of malware families
• AVS requires up to 4 weeks to detect a new malware
• The best of the breed: the free ones!
  • Although they had a very high false-positive rate
• Consumers spend $4.5 billion and enterprises $2.9 billion on AVS
  • 1/3 of the total money spent on security software
Imperva Study Results
• It might be best to spend some resources on other types of software that are not AVS
• For AVS, it is better to use the free ones
• Note: this study is for PC malware
• Does it apply to Android malware?
• We will know very soon ;-)