Dissecting Android Malware : Characterization and Evolution

Report
Dissecting Android Malware: Characterization and Evolution
Authors: Yajin Zhou, Xuxian Jiang
TJ
Index of this paper
I. Introduction
II. Malware Timeline
III. Malware Characterization
  A. Malware Installation
    1) Repackaging
    2) Update Attack
    3) Drive-by Download
    4) Others
  B. Activation
  C. Malicious Payloads
    1) Privilege Escalation
    2) Remote Control
    3) Financial Charge
    4) Information Collection
  D. Permission Uses
IV. Malware Evolution
  A. DroidKungFu
    1) Root Exploits
    2) C&C Servers
    3) Shadow Payloads
    4) Obfuscation, JNI, and Others
  B. AnserverBot
    1) Anti-Analysis
    2) Security Software Detection
    3) C&C Servers
V. Malware Detection
VI. Discussion
VII. Related Work
VIII. Conclusion
I. Introduction
• Smartphone
– Shipment: x3 ↑ (40 million → 120 million) in 2009~2011 ► mobile malware ↑
• Android-based malware
– Share: 46% ↑ and growing rapidly
– 400% ↑ since summer 2010
• Goals
– Malware samples (1,260) & families (49)
– Timeline analysis
– Representative malware examples
II. Malware Timeline
• Dataset
– 49 families
– Official/Alternative Android Markets
– 2010-08 ~ 2011-10
III. A. Malware Installation
1) Repackaging
– Most common technique
– Concept
• Download popular apps → Disassemble → Enclose malicious payloads → Re-assemble → Submit
III. A. 1) Repackaging
• Where do these original apps come from?
• What is done by the authors?
III. A. 2) Update Attack
• Concept
– Update component → it downloads the malicious payload
III. A. 3) Drive-by Download
• Enticing users to download “interesting” or “feature-rich” apps.
• For example,
– GGTracker: in-app advertisement link
– Jifake: QR code
– Spitmo and Zitmo: ported versions of nefarious PC malware (SpyEye, Zeus)
III. B. Activation
• Using system event messages
• For example,
– BOOT_COMPLETED
– SMS_RECEIVED
– ACTION_MAIN
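The activation pattern above can be checked statically from an app's manifest. The following is an added example, not code from the paper or the presenter: it parses a constructed AndroidManifest.xml (hypothetical package name) and reports which receivers listen for the system events the slides list, together with any SMS permissions requested, since that combination is what a triage reviewer would want surfaced.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# System events the slides list as activation triggers, and the SMS permissions
# that the financial-charge / information-collection payloads typically need.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}
SMS_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}

# Constructed sample manifest with a hypothetical package name; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Game">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(manifest_xml):
    """Map each receiver to the trigger actions it listens for and list the
    SMS permissions requested; both together is the pattern worth a closer look."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    triggers = {}
    for recv in root.iter("receiver"):
        name = recv.get(ANDROID_NS + "name")
        for action in recv.iter("action"):
            act = action.get(ANDROID_NS + "name")
            if act in TRIGGER_ACTIONS:
                triggers.setdefault(name, []).append(act)
    return {"triggers": triggers, "sms_permissions": sorted(perms & SMS_PERMISSIONS),
            "suspicious": bool(triggers) and bool(perms & SMS_PERMISSIONS)}
```

A hit is only a triage signal: legitimate apps also register BOOT_COMPLETED, so the result is a prompt for manual review of the receiver code, not a verdict.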
III. C. Malicious Payloads
1) Privilege Escalation
III. C. Malicious Payloads
2) Remote Control
– 1,172 samples (93%)
• Turn infected phones into bots
• 1,171 samples
– HTTP-based communication with C&C servers
– C&C servers hosted on
• Amazon cloud
• Public blog
III. C. Malicious Payloads
3) Financial Charge
– Premium-rate services
4) Information Collection
– SMS messages
– Phone numbers
– User accounts
III. D. Permission Uses
IV. Malware Evolution
A. DroidKungFu
1) Root Exploits
2) C&C Servers
3) Shadow Payloads
4) Obfuscation
IV. B. AnserverBot
1) Anti-Analysis
2) Security Software Detection
3) C&C Servers
V. Malware Detection
• Tested on Nexus One (Android 2.3.7)
– Lookout
– TrendMicro
– AVG Antivirus
– Norton
VI. Discussion
• Ecosystem: Android Market
• ASLR, TrustZone and eXecute-Never are needed
• Lack of fine-grained API control
• Blocking malware from entering the market is needed
• Cooperation between security vendors
VIII. Conclusion
• Repackaging (86%)
• Platform-level Privilege Escalation Exploits (36.7%)
• Bot-like capability (93%)
Q&A
