Android's Malware Attack, Stealthiness and Defense: An Improvement
Mohammad Ali, Humayun Ali and Zahid Anwar
2011 Frontiers of Information Technology
Introduction
- New challenges to security
- Smartphones are prone to malware and trojans
- A number of approaches have been implemented and proposed to prevent the installation of malicious apps and the threats they pose
- Behavior-based detection of malware
- Mechanisms that mediate the interaction between apps using security policies
- Under these mechanisms there is no apparent way for malware to perform malicious activities or to communicate sensitive information to a malicious server
These security mechanisms can be evaded by developing sophisticated malware:
- Using the least, non-malicious-looking combination of permissions
- Communicating the collected information to the master malicious server over a covert channel
- Using various mechanisms of the system for a purpose different from the one they are offered for
Covert channels
- Mechanisms of the system are used to send information in a way that violates the security policy of the system
- They seem legitimate and provide an implicit way for two or more applications to communicate
- 2 major types of covert channel:
  - Storage channel
  - Timing channel
Storage channel
- A shared mechanism between two processes / applications
- One application is the information writer, the other is the information reader
Timing channel
- One process / application signals to the other process / application
- Signaling is done by modifying / changing system attributes
Using 2 apps, app1 and app2
- App1 grabs the sensitive data and sends it to app2
- App2 is a general, normal app, e.g. a web browser
- The data sent to app2 is sent out to the master server through the internet
How it works
- Still 2 apps, but communicating in a different way
- This is the architecture used by Soundcomber
2 apps in this architecture: the Soundcomber app and the deliverer app
- Soundcomber collects sensitive information
- It uses 4 different kinds of covert channels to share the information with the deliverer app:
  - Vibration settings
  - Volume settings
  - Screen brightness settings
  - File locks
- Soundcomber changes the volume level to transmit bits of information to the deliverer app
- The deliverer app observes the changes of the volume setting
- The same logic is used for the other two methods, vibration and screen brightness settings
- File locks are used to synchronize the writing and reading of data on a separate file shared between the apps
How to enhance the Soundcomber architecture
- Identification of a new covert channel, e.g. exchanging information using file permissions
- This covert channel was implemented; it comprises a collector app and a deliverer app
- The collector and deliverer apps continuously monitor the creation and deletion of the file used by this mechanism
- The collector app only continues its work if the private file has been deleted
- The private file does not exist while the collector app is collecting data
- After collecting data, the collector writes file permissions on 10 different files; the permissions are written so that they encode bits of the data to be transmitted
- After writing the permissions, the collector app finally creates the private file
- The deliverer app then reads the permissions of those 10 files
- After reading the permissions, the deliverer app converts them back into the meaningful information and transmits it to the master server
Enhancement in the efficiency of the architecture using basic compression
- A credit card number and PIN are totally random
- 4 bits are used for each digit from 0-9
- A credit card number therefore requires 4*16 = 64 bits
- Converting the number directly to its binary representation = 54 bits
- 10 bits of compression is achieved: 54 bits/CCN
Implementation
Defense possibilities
- Block the file-permission covert channel by limiting the rights of apps, restricting them from deleting the files of other apps
- Modify the kernel of the Android OS
- Monitor these defense mechanisms
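As an added example (not from the paper or these slides), a defender-side heuristic that flags the trace the collector described above leaves behind: one app UID rewriting permissions on many distinct files in one directory within a short window and then creating a marker file there. The event tuple format and the sample events are constructed assumptions, not a real Android audit log format.

```python
from collections import defaultdict

# Constructed sample events in an assumed shape a kernel/audit hook could
# report: (timestamp_seconds, app_uid, operation, path, new_mode_or_None).
# UID 10042 mirrors the collector pattern from the paper: 10 permission
# writes, then a marker ("private") file. UID 10050 is benign noise.
SAMPLE_EVENTS = [
    (100.0 + i / 10, 10042, "chmod", f"/sdcard/shared/f{i}",
     0o644 if i % 2 else 0o600)
    for i in range(10)
] + [
    (101.2, 10042, "create", "/sdcard/shared/.done", None),
    (200.0, 10050, "chmod", "/sdcard/pic.jpg", 0o644),
    (200.5, 10050, "create", "/sdcard/note.txt", None),
]


def _parent(path):
    """Directory part of a path ('' for a bare filename)."""
    return path.rsplit("/", 1)[0]


def detect_permission_channel(events, min_files=8, window_s=5.0):
    """Return (uid, directory, files_touched, marker_path) for every file
    creation that was preceded, by the same uid and within window_s seconds,
    by chmod calls on at least min_files distinct files in that directory.
    The threshold is a tunable assumption; the paper's channel uses 10 files.
    """
    alerts = []
    by_uid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_uid[ev[1]].append(ev)
    for uid, evs in by_uid.items():
        for i, (ts, _, op, path, _) in enumerate(evs):
            if op != "create":
                continue
            directory = _parent(path)
            touched = {
                p for (t, _, o, p, _) in evs[:i]
                if o == "chmod" and ts - t <= window_s
                and _parent(p) == directory
            }
            if len(touched) >= min_files:
                alerts.append((uid, directory, len(touched), path))
    return alerts


if __name__ == "__main__":
    for alert in detect_permission_channel(SAMPLE_EVENTS):
        print("suspicious permission-channel pattern:", alert)
```

A real deployment would feed this from a kernel-level hook (the slides' "modify the kernel" option) rather than a constructed list, and tune min_files against benign apps that legitimately chmod batches of files.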
Conclusion
- Lots of work has been done to block malware on Android phones
- Almost no work has been done on defining mechanisms / frameworks and policies, and implementing them, to block covert channels