
Dissecting Android Malware: Characterization and Evolution. Authors: Yajin Zhou, Xuxian Jiang. TJ.

Presentation transcript:

1 Dissecting Android Malware: Characterization and Evolution. Authors: Yajin Zhou, Xuxian Jiang. TJ

2 Index of this paper
I. Introduction
II. Malware Timeline
III. Malware Characterization
  A. Malware Installation
    1) Repackaging
    2) Update Attack
    3) Drive-by Download
    4) Others
  B. Activation
  C. Malicious Payloads
    1) Privilege Escalation
    2) Remote Control
    3) Financial Charge
    4) Information Collection
  D. Permission Uses
IV. Malware Evolution
  A. DroidKungFu
    1) Root Exploits
    2) C&C Servers
    3) Shadow Payloads
    4) Obfuscation, JNI, and Others
  B. AnserverBot
    1) Anti-Analysis
    2) Security Software Detection
    3) C&C Servers
V. Malware Detection
VI. Discussion
VII. Related Work
VIII. Conclusion

3 I. Introduction
Smartphones: shipments tripled (40 million to 120 million) between 2009 and 2011, and mobile malware grew with them.
Android-based malware: 46% share of mobile malware and growing rapidly; up 400% since summer 2010.
Goals of the paper:
- Collect and characterize a large corpus of Android malware (1,260 samples in 49 families)
- Timeline analysis: when each family appeared
- Case studies of representative families to show how the malware evolves

4 II. Malware Timeline
Dataset: 49 families
Sources: the official Android Market and alternative markets
Collection period: ~

5 III. A. Malware Installation
1) Repackaging: the most common installation technique.
Concept: download a popular app → disassemble it → enclose the malicious payload → re-assemble and re-sign it → submit the result to a market.


7 III. A. 1) Repackaging
Where do the original apps come from? What do the malware authors change in them?
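As an added illustration of how a repackaged app can be told apart from the original it was built from (example code written for this transcript, not code from the paper or its DroidMOSS tooling): a repackaged app keeps most of the original's classes, adds new packages that carry the payload, and, because the malware author cannot sign with the developer's key, is re-signed with a different key. The signer hashes and class lists below are constructed sample data, not real apps; in practice they would come from `apksigner verify --print-certs` and a disassembler such as apktool or dexdump. Obfuscation that renames the original classes (discussed later under DroidKungFu) would lower the similarity score, which is why the signer check is kept separate from the code comparison.

```python
"""Repackaging triage: compare a suspect APK's signer and class list with a known original."""


def package_of(class_name: str) -> str:
    """'com.example.game.MainActivity' -> 'com.example.game'."""
    return class_name.rsplit(".", 1)[0]


def jaccard(a: set, b: set) -> float:
    """Share of classes common to both apps, relative to all classes seen in either."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def triage(original: dict, suspect: dict, min_similarity: float = 0.5) -> dict:
    """Return a verdict plus the evidence behind it.

    Repackaging pattern: different signing key AND most code shared with the
    original AND at least one package that the original never had.  A legitimate
    update adds code but keeps the developer's key, so it is not flagged.
    """
    orig_classes, susp_classes = original["classes"], suspect["classes"]
    added = susp_classes - orig_classes
    orig_packages = {package_of(c) for c in orig_classes}
    new_packages = sorted({package_of(c) for c in added} - orig_packages)
    similarity = jaccard(orig_classes, susp_classes)
    resigned = suspect["signer_sha256"] != original["signer_sha256"]
    repackaged = resigned and similarity >= min_similarity and bool(new_packages)
    return {
        "repackaged": repackaged,
        "resigned": resigned,
        "similarity": similarity,
        "added_classes": sorted(added),
        "new_packages": new_packages,
    }


# Constructed sample data (assumed; not real apps or hashes).
ORIGINAL = {
    "signer_sha256": "developer-key-fingerprint-constructed",
    "classes": {
        "com.example.game.MainActivity",
        "com.example.game.GameView",
        "com.example.game.Scores",
        "com.example.game.Net",
        "com.example.game.R",
    },
}

# Same five classes plus a payload package, signed by someone else.
SUSPECT = {
    "signer_sha256": "attacker-key-fingerprint-constructed",
    "classes": ORIGINAL["classes"] | {
        "com.android.root.Setting",
        "com.android.root.Worker",
        "com.example.game.Loader",
    },
}

# Same new code, but still signed with the developer's key: an ordinary update.
UPDATE = {"signer_sha256": ORIGINAL["signer_sha256"], "classes": SUSPECT["classes"]}

if __name__ == "__main__":
    for name, app in (("suspect", SUSPECT), ("update", UPDATE)):
        print(name, triage(ORIGINAL, app))
```

The similarity threshold is deliberately low: the question is not whether the two apps are near-identical but whether the suspect is built on top of the original, so a high-similarity match is strong evidence and the added packages tell you where to start looking for the payload.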

8 III. A. 2) Update Attack
Concept: the submitted app carries only an update component, not the payload itself. At runtime the update component downloads the malicious payload, so the version scanned at submission looks clean.

9 III. A. 2) Update Attack


11 III. A. 3) Drive-by Download
Enticing users to download "interesting" or "feature-rich" apps. For example:
- GGTracker: an in-app advertisement link leads to the download
- Jifake: a malicious QR code leads to the download
- Spitmo and Zitmo: mobile ports of the PC banking malware SpyEye and Zeus

12 III. B. Activation
The payload registers for system event messages so it runs without the user starting it. For example:
- BOOT_COMPLETED: run when the phone finishes booting
- SMS_RECEIVED: run when an SMS arrives
- ACTION_MAIN: run when the user launches the (repackaged) host app

13 III. C. Malicious Payloads
1) Privilege Escalation: platform-level root exploits bundled in the app (table of exploits on the original slide)

15 III. C. Malicious Payloads
2) Remote Control: 1,172 samples (93%) turn infected phones into bots under the control of a C&C server.
- 1,171 of them communicate with their C&C servers over HTTP-based web traffic
- C&C servers were found hosted in the Amazon cloud and on public blogs (the bot fetches its commands from blog posts)

16 III. C. Malicious Payloads
3) Financial Charge: subscribing the victim to premium-rate services (e.g. sending SMS to premium-rate numbers)
4) Information Collection:
- SMS messages
- Phone numbers
- User accounts

17 III. D. Permission Uses
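Slides III.B (Activation), III.C.3 (Financial Charge) and III.D (Permission Uses) together describe indicators that are visible in an app's manifest without running it: receivers registered for BOOT_COMPLETED or SMS_RECEIVED, the SEND_SMS and RECEIVE_SMS pair that premium-rate charging needs, and the permission set that information collection needs. The script below is an added example written for this transcript, not code from the paper: it reads a decoded AndroidManifest.xml (the binary AXML inside an APK must first be decoded with a tool such as apktool) and reports those indicators. The manifest is a constructed sample, not one of the paper's families. One check the paper's description of financial charge relies on is shown explicitly: on the Android 2.x platform studied, SMS_RECEIVED is an ordered broadcast, so a receiver with a high `android:priority` sees an incoming SMS before the messaging app and can abort it, which is how premium-service confirmations are hidden from the user.

```python
"""Triage a decoded AndroidManifest.xml for activation and payload indicators."""
import xml.etree.ElementTree as ET

# Attribute names in the manifest carry the android: namespace.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (assumed; not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Game">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.android.root.Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.android.root.Sms">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BOOT = "android.intent.action.BOOT_COMPLETED"
SMS = "android.provider.Telephony.SMS_RECEIVED"
COLLECT_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
}


def parse_manifest(xml_text: str) -> dict:
    """Extract the package name, requested permissions and receiver intent filters."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    receivers = []
    for receiver in root.iter("receiver"):
        for filt in receiver.findall("intent-filter"):
            receivers.append({
                "name": receiver.get(ANDROID + "name"),
                "actions": {a.get(ANDROID + "name") for a in filt.findall("action")},
                "priority": int(filt.get(ANDROID + "priority", "0")),
            })
    return {"package": root.get("package"), "permissions": permissions, "receivers": receivers}


def triage(manifest: dict) -> list:
    """Return (finding, evidence) pairs for the indicators described in the paper."""
    perms, findings = manifest["permissions"], []
    for r in manifest["receivers"]:
        if BOOT in r["actions"]:
            findings.append(("activates at boot without user interaction", r["name"]))
        if SMS in r["actions"]:
            if r["priority"] > 0:
                # Ordered broadcast: this receiver runs before the SMS app and may abort it.
                findings.append(("can intercept incoming SMS before the user sees it",
                                 f"{r['name']} priority={r['priority']}"))
            else:
                findings.append(("activates on incoming SMS", r["name"]))
    if {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= perms:
        findings.append(("premium-rate SMS pattern: can send SMS and consume the reply",
                         "SEND_SMS + RECEIVE_SMS"))
    collect = COLLECT_PERMS & perms
    if collect and "android.permission.INTERNET" in perms:
        findings.append(("information collection with a network path out",
                         ", ".join(sorted(collect))))
    return findings


if __name__ == "__main__":
    for finding, evidence in triage(parse_manifest(SAMPLE_MANIFEST)):
        print(f"{finding}: {evidence}")
```

None of these findings is proof of malware on its own (a legitimate SMS app needs the SMS permissions too); the script is a first-pass filter that tells an analyst which apps, out of a market crawl, deserve the manual inspection the paper describes.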

18 IV. Malware Evolution
A. DroidKungFu
1) Root Exploits
2) C&C Servers
3) Shadow Payloads
4) Obfuscation

19 IV. B. AnserverBot
1) Anti-Analysis
2) Security Software Detection
3) C&C Servers

20 V. Malware Detection
Four mobile security products tested on a Nexus One running Android 2.3.7:
- Lookout
- TrendMicro
- AVG Antivirus
- Norton

21 VI. Discussion
- Ecosystem: the official Android Market plus many alternative markets
- Platform hardening is needed: ASLR, TrustZone and eXecute-Never
- Lack of fine-grained API control (the permission model is coarse-grained)
- Blocking malware from entering the markets in the first place is needed
- Cooperation between security vendors

22 VIII. Conclusion
- Repackaging is the dominant installation technique: 86% of samples
- Platform-level privilege-escalation (root) exploits: 36.7% of samples
- Bot-like (remote control) capability: 93% of samples

23 Q & A
