DroidKungFu and AnserverBot
Android Malware Characterisation part II

Analysis of Two Malware Families
• DroidKungFu and AnserverBot represent the most recent incarnation of malware engineering
• Since their first appearance, several improvements have been coded to increase their stealthiness

DroidKungFu
• There are 6 different known variants of DroidKungFu
• They appeared within a period of 6 months
• Probably many more now
• They contain
  • Root-kit Exploits
  • C&C Server comm
  • Shadow Payloads
  • Code Obfuscation

DroidKungFu – Root Exploits
• 4 variants contain root exploits
• DroidKungFu is the first to use an encrypted root-kit
• Root-kits are stored as assets to look like normal data files
• Initially the asset name was ratc (RageAgainstTheCage)
• Then it was changed to myicon

DroidKungFu – C&C Comm
• All the variants communicate with C&C servers
• To evade detection, the C&C servers’ addresses keep changing
• DroidKungFu1 uses a plaintext string in one of its Java classes
• In DroidKungFu2 the address is moved to plain text in native code
• DroidKungFu3 and DroidKungFu4 use encrypted names (stored in a Java class and in native code)

DroidKungFu – Shadow Payload
• If the root-kit is successful, then a shadow app will be installed
• The user will not be aware of this app
• This app contains the same code as the malicious payload included in the repackaged app
• This means that in the event the user removes the host app, the shadow app will remain
• Variants encrypt the shadow app to evade detection, and no icon is shown

DroidKungFu – Code Obfuscation
• Extensive use of encryption for constant strings, C&C servers’ addresses, native payload and shadow app
• Keys are changed very often
• Extensive use of code obfuscation
• Use of native code and JNI to make code analysis more difficult
• DroidKungFuUpdate uses the update attack to download the actual payload and evade static code analysis

AnserverBot
• One of the most advanced malware families
• It uses evasion techniques not used before by any other Android malware
• It has been discovered in repackaged apps available in Chinese app markets
• It seems that it is an evolution of the BaseBridge malware family

AnserverBot – Anti Analysis
• It uses the repackaging attack
• However, when installed it checks whether the hosting app has been tampered with
• It checks the signature and then it unfolds its payload
• It extensively uses code obfuscation to make it human unreadable
• The payload is split in three different apps
  • The host app plus two shadow apps

AnserverBot – Anti Analysis
• The shadow apps share the same package name
  • Com.sec.android.touchScreen.server
• One shadow app is loaded through the update attack
• The other shadow app is dynamically loaded through the JVM dynamic class load method
  • However, it is not installed!
• AnserverBot is able to load any code retrieved from the C&C server

AnserverBot – AV Detection
• This malware is very aggressive
• It tries to detect if AV software is installed on the device
• It contains the encrypted names of security apps
  • such as LBE, 360 MobileSafe
• If one is installed, the malware uses the restartPackage method to stop the AV and then displays an error message

AnserverBot – C&C Comm
• AnserverBot supports two types of C&C servers
• One type is used for sending commands
• The second one is used for retrieving encrypted payloads
• To reach the second one, it uses an encrypted entry posted on public blog providers, i.e. Sina and Baidu
  • This entry contains the (encrypted) address of the second C&C server

The AVS race
• Given the rapid evolution of malware, AV software is lagging behind
• Mainly, AVS uses a signature-based approach
• It relies on the content of its signature DB
  • If an app’s signature is not there, it may not be considered malware
• How easy is it to change the signature of an app?
  • Very!
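The two points above (DroidKungFu hiding an encrypted root exploit under an innocent asset name, and the brittleness of exact signatures) can be seen in a small static-triage script. This is an added example, not code from the slides or from any AV product: it builds a toy in-memory zip standing in for an APK (all content constructed here), checks it against an exact SHA-256 signature database, and then runs indicator rules drawn from the slides (suspicious asset names ratc/myicon, a high-entropy asset suggesting an encrypted payload, native code under lib/). The entropy threshold is an assumed value.

```python
"""Toy APK triage: exact-hash signature vs. indicator-based rules.

Added example; the sample 'APK' and the threshold are constructed/assumed.
"""
import hashlib
import io
import math
import zipfile

# Asset names the slides report DroidKungFu used for its encrypted root exploit.
SUSPICIOUS_ASSET_NAMES = {"ratc", "myicon"}
# Assumed threshold (bits per byte): assets above it are treated as encrypted/packed.
ENTROPY_THRESHOLD = 7.2
# Constructed stand-in for an encrypted blob: uniform byte distribution, entropy 8.0.
EXPLOIT_BLOB = bytes(range(256)) * 16


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _add_entry(z: zipfile.ZipFile, name: str, data: bytes) -> None:
    # Fixed timestamp so identical content always yields identical archive bytes.
    info = zipfile.ZipInfo(name, date_time=(2011, 1, 1, 0, 0, 0))
    info.compress_type = zipfile.ZIP_STORED
    z.writestr(info, data)


def build_sample_apk(exploit_blob: bytes, tweak: bytes = b"") -> bytes:
    """Constructed toy APK: manifest, a native lib stub, and assets (one is the blob)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        _add_entry(z, "AndroidManifest.xml", b"<manifest package='com.example.game'/>")
        _add_entry(z, "lib/armeabi/libnative.so", b"\x7fELF" + b"\x00" * 32)
        _add_entry(z, "assets/myicon", exploit_blob)
        _add_entry(z, "assets/readme.txt", b"Thanks for playing!" + tweak)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_match(apk: bytes, signature_db: set) -> bool:
    """Exact-hash check: only samples already in the DB are flagged."""
    return sha256_hex(apk) in signature_db


def indicator_triage(apk: bytes) -> list:
    """Heuristic rules derived from the DroidKungFu description on the slides."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        if any(n.startswith("lib/") and n.endswith(".so") for n in names):
            findings.append("native code present (JNI)")
        for n in names:
            if not n.startswith("assets/"):
                continue
            base = n.rsplit("/", 1)[-1]
            data = z.read(n)
            if base in SUSPICIOUS_ASSET_NAMES:
                findings.append(f"asset name matches known root-exploit asset: {base}")
            if shannon_entropy(data) > ENTROPY_THRESHOLD:
                findings.append(f"high-entropy asset (possibly encrypted payload): {n}")
    return findings


def demo() -> dict:
    """Compare both approaches on the original sample and a one-byte variant."""
    original = build_sample_apk(EXPLOIT_BLOB)
    # One extra byte in a harmless text file: content is otherwise identical.
    modified = build_sample_apk(EXPLOIT_BLOB, tweak=b" ")
    db = {sha256_hex(original)}
    return {
        "hash_hits_original": hash_signature_match(original, db),
        "hash_hits_modified": hash_signature_match(modified, db),
        "indicators_original": indicator_triage(original),
        "indicators_modified": indicator_triage(modified),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The exact-hash database flags only the sample it has already seen, while the indicator rules produce the same three findings for both files, which is the practical reason triage pipelines layer structural and behavioural indicators on top of hash signatures.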
The AVS race
• Interesting report from Imperva
  • http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf
• Using unknown malware and submitting it to AVS
• The goal is to evaluate how effective AVS solutions are
• The results are really scary

Imperva Study Results
• Less than 5% of the malware were detected
• Most of the AVS cannot keep up with a fast-changing landscape of malware families
• AVS requires up to 4 weeks to detect a new malware
• The best of the breed: the free ones!
  • Although they had a very high false positive rate
• Consumers spend $4.5 billion while Enterprises $2.9 billion
  • 1/3 of the total money spent on security software

Imperva Study Results
• It might be best to spend some resources on other types of software that are not AVS
• For AVS, better to use free ones
• Note: this study is for PC malware
  • Does it apply to Android Malware?
  • We will know very soon ;-)

Questions?