2. 1 2 3 Agenda Goal & Objectives Services in the Cloud Tracker Web Portal Next Step To Do 4

3. Goal & Objectives Crawl and Build Android App Repository Profile Android Apps Create databases for Apps and associating data. Auto classific for Android Apps

4. Analytic Workflow

5. 1 2 3 Cloud Services APK Crawler & Parser Dynamic Profile (On-line Emulator) Static Profile (Security Classifier)

6. Market Auto-Crawling Google Play (Eng.) SlideME (Eng.) Gfan (Chinese) GoAPK (Chinese) Mumayi (Chinese) Apps Crawler Crawler Real-life.apk Web Request Stats (GEO IP) ThreatSeeker

7. 3rd party Parsing tools Apktool: decode resources from apk files, such as AndroidMainifest.xml, classes.dex Dex2jar: reads embedded.dex file from apk files and generates.jar file In-house scripts parsing automation database insert.APK Parser

8. Security Classifier Dynamic Profile – auto APK runner – Interactive emulator APK Profile

9. Security Classifier Objective Create a classifier for malicious android app detection A static analysis approach A machine learning approach Data training Mysql queries to retrieve raw data from AppTracker database Analytic features conversion to binary vectors The R code components Preprocessing: convert variables into factor variables or numeric variables accordingly Load R RandomForest library Prediction Import R environment Load R model, read in input (test case) and write out output (classification response)

10. R Module Environment for statistical data analysis, inference and visualization. Ports for Unix, Windows and MacOSX Highly extensible through user-defined functions Generic functions and conventions for standard operations like plot, predict etc. >1200 add-on packages contributed by developers from all over the world e.g. Multivariate Statistics, Machine Learning, Natural Language Processing, Bioinformatics (Bioconductor), SNA,. Interfaces to C, C++, Fortran, Java

11. Confidence 0.50.60.70.80.9 Analytic Results

12. Dynamic Profile How It Works? Steps: 1.Load emulator 2.Install and run APK file 3.System output profile 4.Show on web portal

13. Run APK emulator -avd avdname -no-snapshot-save adb install apkfile aapt dump badging apkfile adb shell am start -n packagename/mainActivity

14. Auto Input adb shell input keyevent "value" 7KEYCODE_016KEYCODE_9 29KEYCODE_A54KEYCODE_Z adb shell sendevent [device] [type] [code] [value] example: adb shell sendevent /dev/input/event0 3 0 40 adb shell sendevent /dev/input/event0 3 1 210 // touch screen (x=40,y=210)

15. Monkey Monkey “The Monkey is a command-line tool that that you can run on any emulator instance or on a device. It sends a pseudo-random stream of user events into the system, which acts as a stress test on the application software you are developing.” adb shell monkey –p package.name -v 500

16. NetworkMonitoring adb shell tcpdump -v 'tcp port 80 and (((ip[2:2]-((ip[0]&0xf) >2))!=0'

17. SMS & Call adb logcat -b radio -s "AT:*" AT Commands PDU SMS messages Decode '0001000a81016681859200000539590c1b03' Suspicious number '1066185829' Message '@9@2@'

18. Interactive InteractiveEmulator Browser-based for end users Example: 50 users have tested this app, average time 3 minutes per user suspicious SMS found no phone call made 1 active network access

19. App Tracker Front page to users Web portal support Top 20 profiles: Malware vs. Benign Real-time crawler status Real-time virus status report Built-in app emulation Back end in cloud ThreatSeeker service Automatic static data analysis Dynamic profile support

20. DemoTime Security Classifier POC Web Portal Framework

21. ThreatSeeker Cloud real-time analytics: Advance Detection (AR) result > Mobile Malware Triton classifications: Mobile Malware Unauthorized Mobile Marketplaces Mobile Solution

22. Next Step Hierarchy Viewer Automation? Robotium?

23. RobotiumLimitation Activity Service Broadcast Receiver Content Provider