Automated Remote Repair for Mobile Malware Yacin Nadji, Jonathon Giffin, Patrick Traynor Georgia Institute of Technology ACSAC’ 11.

1 Automated Remote Repair for Mobile Malware Yacin Nadji, Jonathon Giffin, Patrick Traynor Georgia Institute of Technology ACSAC’ 11

2 Outline
▫Introduction
▫Related Work
▫Mobile Malware
▫Airmid Architecture
▫Implementation
▫Discussion
▫Conclusion


4 Introduction
▫70000 new mobile malware samples per day

5 Introduction
▫Cellular providers will not be able to rely solely upon the rapid identification and removal of malware by mobile market operators

6 Introduction
▫A system for automated detection of and response to malicious software infections on handheld mobile devices: Airmid
▫Airmid: the goddess of healing

7 Introduction
▫We developed laboratory samples of mobile malware that:
 Leak private data
 Dial premium numbers
 Participate in botnet activity
▫And…
 Detect the presence of an emulated environment
 Change their behavior, create a hidden background process, scrub logs, and restart on reboot

8 Introduction
Contributions:
▫Identification of current remediation shortcomings
▫Design and implementation of advanced prototype malware
▫Cooperatively neutralize malware on infected mobile phones


10 Related Work
▫Traynor et al. On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core
▫Xu et al. Stealthy Video Capturer: A New Video-based Spyware in 3G Smartphones
▫TaintDroid
▫PiOS


12 Mobile Malware
In the wild…
▫Privilege escalation to root (DroidDream)
▫Bots (Drad.A)
▫Data exfiltration (DroidKungFu, StreamyScr.A)
▫Backdoor triggered via SMS (Bgyoulu.A)
Jailbroken iPhone
▫iKee.B Bot

13 Mobile Malware
Deficiencies of marketplaces:
▫Malware authors can write their apps with logic to evade detection by analysis
▫The Android platform allows users to install apps from third-party marketplaces

14 Mobile Malware
Enhanced prototype malware:
▫Loudmouth  a Twitter client that leaks private data
▫2Faced  a Facebook sync app that dials premium numbers
▫Thor  a mobile bot

15 Mobile Malware
Loudmouth
▫Malicious mobile functionality  Data exfiltration
▫Evasive functionality  Malware analysis environment detection
▫Benign host app  Twitter client

16 Mobile Malware
2Faced
▫Malicious mobile functionality  Premium number dialer
▫Evasive functionality  Log sanitization and a hidden native process
▫Benign host app  Facebook sync

17 Mobile Malware
Thor
▫Malicious mobile functionality  Bot client
▫Evasive functionality  Persistence across reboot
▫Benign host app  Weather display

18 Mobile Malware Permissions use:


20 Architecture
Threat model
▫Install malware via a variety of usual mechanisms
 Drive-by downloads or automated propagation
 Distribution on marketplaces
▫Attackers can subvert the correct execution of a benign app
 Exploiting a security defect in the app’s design

21 Architecture
Assume…
▫A protected software layer on the device lower than the level at which the malware executes
 Kernel (if kernel-level malware can be prevented)
 Hypervisor (if virtualized environments can be created on a mobile device)
▫A communication channel between the network and each device
▫Detectable malicious behavior in the network

22 Architecture
Remote repair

23 Architecture
Side-effects:
▫Process termination
▫On-device traffic filtering
▫App update
▫Device update
▫File removal
▫Factory reset

24 Architecture
Authenticated communication
▫[UMTS Security Wiki]
▫[REF]
▫[SPEC]
▫[AKA Mechanism RFC]


27 Implementation
Hardware
▫HTC Dream with Android 1.6

28 Implementation
Network component
▫Snort
▫Airmid Server, built with the Python packet creation library Scapy

29 Implementation
Device component
▫A modified Linux kernel 2.6.29
▫Dynamically loaded kernel modules disabled
▫1200 lines of C

30 Implementation
Infection provenance

31 Implementation
Infection provenance

32 Implementation
Remediation strategies
▫Block the malicious traffic
▫Termination of process
▫Removal of the apk owned by the UID
▫Removal of all files owned by the UID
▫UID < 10000  system user ID  Only block the malicious traffic
▫UID ≥ 10000  Terminate & Remove
▫Any native ARM processes?  If yes  full scan!
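The decision logic on this slide, written out as an added example (not the paper's device component, which is kernel C): given the UID the network attributed the malicious flow to, the planner escalates from traffic blocking to termination and removal, and triggers a full scan when that UID also owns a native ARM process. The process-table format, action names and sample processes are constructed for the example.

```python
from dataclasses import dataclass

# Android convention: UIDs below 10000 are system services; installed apps get UIDs from 10000 up.
FIRST_APP_UID = 10000


@dataclass(frozen=True)
class Proc:
    """One entry of a constructed process table (format assumed for this example)."""
    pid: int
    uid: int
    name: str
    native: bool  # True for a native ARM binary, False for a Dalvik app process


def plan_remediation(uid: int, procs: list[Proc], dst: str) -> list[str]:
    """Return the ordered remediation actions for a malicious flow from `uid` to `dst`."""
    # Every case starts by filtering the malicious traffic on the device.
    actions = [f"block uid={uid} -> {dst}"]
    if uid < FIRST_APP_UID:
        # System user ID: killing or removing it could brick the device, so only block.
        return actions
    owned = [p for p in procs if p.uid == uid]
    # App UID: terminate its processes, then remove its apk and all files it owns.
    actions += [f"kill pid={p.pid} ({p.name})" for p in owned]
    actions.append(f"remove apk uid={uid}")
    actions.append(f"remove files uid={uid}")
    if any(p.native for p in owned):
        # A hidden native ARM process may have dropped files elsewhere: scan everything.
        actions.append("full scan")
    return actions


# Constructed sample: a phone service, a weather app (the Thor host) and its hidden native child.
SAMPLE_PROCS = [
    Proc(1, 0, "init", True),
    Proc(250, 1001, "com.android.phone", False),
    Proc(412, 10042, "com.example.weather", False),
    Proc(419, 10042, "/data/data/com.example.weather/thor", True),
]

if __name__ == "__main__":
    for step in plan_remediation(10042, SAMPLE_PROCS, "203.0.113.7:6667"):
        print(step)
```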

33 Implementation
Performance evaluation


35 Discussion
Airmid control
▫Some may not trust a cellular network provider
▫Airmid is not a “one size fits all” solution
▫Proxied via VPN
▫Roaming?
▫Relying on IDS

36 Discussion
Device hardening
▫Disable LKM
▫Virtualization?  L4Android
