Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques Presented by Vikraman Mohan.

Inspiration
Security analysts are interested in runtime values such as:
- URLs to which data is sent
- Target phone numbers of SMS messages
- Targets of reflective method calls
However, sophisticated obfuscation, string encryption and emulator detection make human inspection, static analysis and dynamic analysis difficult or ineffective.

Static and Dynamic Analysis
Example snippet from the slide (Java-like; the body of the emulator check is not shown on the slide):

    if (Build.FINGERPRINT.startsWith("generic")) { ... }   // emulator check
    msg = AES.decrypt("1234", "fri$ds\&S");
    nr = "00";
    if (simCountryIso().equals("US"))
        nr += "4242";
    nr += "8888";
    sendTextMessage(nr, msg);

Static analysis? No: msg only becomes known when it is decrypted at runtime, and nr depends on the SIM country.
Dynamic analysis? No: inside an emulator the Build.FINGERPRINT check detects the analysis environment, so the code of interest may never execute.

Static + Dynamic Analysis
So what do we do? This is where HARVESTER comes into the picture: it performs a hybrid analysis that overcomes the shortcomings of both static and dynamic analysis. Instead of analyzing the actual code, which is hard when it is obfuscated, the tool analyzes the application's bytecode by inspecting runtime values.

What if there are time bombs or logic bombs?
Logic bombs cause an app to suppress any malicious activity if the app detects that it is executing within an analysis environment. Time bombs cause an app to suppress the malicious behavior in any case for a longer period of time, or until after a reboot of the phone, etc. This also includes botnet malware that only acts in response to a command received from a command-and-control server, which dynamic analysis tools will find virtually impossible to guess correctly.

Steps Involved in HARVESTER
1. Program slicing (backward slicing)
2. Dynamic execution of the sliced program
3. Injection of runtime values (optional)

1. Program Slicing (Static Analysis)
To compute all possible runtime values of a logging point, every possible outcome of a conditional expression must be considered. HARVESTER replaces all conditions that depend on the execution environment with a Boolean flag (improved static analysis) and removes the code that is not of interest. "HARVESTER comes pre-customized with a configuration file listing fields and methods whose return values are known to depend on environment settings."

2. Dynamic Execution of the Sliced Program
The dynamic analysis runs on the sliced program, combining the sliced code into a single entity. The GUI of the original application is also removed and replaced with direct function calls; the result is called the reduced APK. It returns all values of interest at the logging points and also combines the
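The slice-then-execute idea of steps 1 and 2, as an added toy model written for this transcript (it is not HARVESTER's code, which operates on Android bytecode): a tiny three-address program mirrors the slide's snippet, the two environment-dependent conditions are named constructed stand-ins for the fingerprint and SIM-country checks, the decrypt routine is a Caesar shift standing in for AES.decrypt, and a "counter" assignment is included only to show that unrelated code is sliced away.

```python
# Added example (not HARVESTER's own code): a toy model of the two steps
# above. Slice the program backward from a logging point, replace every
# environment-dependent condition with a Boolean flag, then run the slice
# once per flag assignment to harvest the values that reach the sink.
# The program, the condition names and the stand-in decrypt routine are
# all constructed for this example.
from dataclasses import dataclass
from itertools import product


@dataclass
class Assign:
    target: str
    uses: tuple          # variables read by fn
    fn: object           # callable(env_vars) -> new value
    guard: tuple = ()    # environment conditions that must hold to reach it


@dataclass
class Sink:
    api: str             # the logging point, e.g. an SMS-sending API
    uses: tuple
    guard: tuple = ()


# Conditions whose outcome depends on the execution environment. HARVESTER
# reads a list of such fields/methods from a configuration file; these two
# names are constructed to mirror the slide's snippet.
NOT_EMULATOR = "not Build.FINGERPRINT.startsWith('generic')"
SIM_IS_US = "simCountryIso().equals('US')"


def toy_decrypt(key: str, ciphertext: str) -> str:
    """Stand-in for AES.decrypt: a Caesar shift backwards by int(key)."""
    k = int(key)
    return "".join(chr((ord(c) - ord("a") - k) % 26 + ord("a")) for c in ciphertext)


# The constructed program (a flattened version of the slide's snippet; every
# statement after the emulator check carries that check as a guard).
PROGRAM = [
    Assign("msg", (), lambda v: toy_decrypt("3", "khoor"), guard=(NOT_EMULATOR,)),
    Assign("nr", (), lambda v: "00", guard=(NOT_EMULATOR,)),
    Assign("nr", ("nr",), lambda v: v["nr"] + "4242", guard=(NOT_EMULATOR, SIM_IS_US)),
    Assign("nr", ("nr",), lambda v: v["nr"] + "8888", guard=(NOT_EMULATOR,)),
    Assign("counter", (), lambda v: 42, guard=(NOT_EMULATOR,)),  # irrelevant to the sink
    Sink("sendTextMessage", ("nr", "msg"), guard=(NOT_EMULATOR,)),
]


def backward_slice(program, sink_index):
    """Keep only the statements the sink transitively depends on.

    Data dependence is followed through 'uses'; control dependence is kept
    because each statement carries its own guards. A definition only kills
    the need for its variable when it is guarded no more than the sink is;
    otherwise an earlier definition may still reach the sink.
    """
    sink = program[sink_index]
    needed = set(sink.uses)
    keep = [sink_index]
    for i in range(sink_index - 1, -1, -1):
        st = program[i]
        if isinstance(st, Assign) and st.target in needed:
            keep.append(i)
            if set(st.guard) <= set(sink.guard):
                needed.discard(st.target)
            needed.update(st.uses)
    return [program[i] for i in sorted(keep)]


def harvest(program, sink_index):
    """Run the slice under every assignment of the environment flags and
    collect the argument tuples that reach the logging point."""
    sliced = backward_slice(program, sink_index)
    conds = sorted({c for st in sliced for c in st.guard})
    values = set()
    for bits in product((False, True), repeat=len(conds)):
        flags = dict(zip(conds, bits))      # the Boolean flags HARVESTER injects
        env = {}
        for st in sliced:
            if not all(flags[c] for c in st.guard):
                continue                    # branch not taken under these flags
            if isinstance(st, Assign):
                env[st.target] = st.fn(env)
            else:
                values.add(tuple(env[u] for u in st.uses))
    return values


if __name__ == "__main__":
    for args in sorted(harvest(PROGRAM, 5)):
        print("sendTextMessage" + str(args))
```

Because every environment-dependent condition becomes a free flag, the emulator check no longer hides the sink, and both phone numbers (with and without the US-specific prefix) are harvested together with the decrypted message. Conditions that do not depend on the environment would be left in place and evaluated normally by the executed slice.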

3. Runtime Value Injection
Runtime value injection is an optional step provided by HARVESTER to inject the harvested values into other analysis tools so that they obtain better results. This is done by replacing the reflective function calls with direct calls to the API. HARVESTER is the first fully-automated approach that performs such a value injection for Android.

What if the application has a high degree of obfuscation?
When the application is obfuscated in such a way that not all logging points can be identified, HARVESTER iterates, starting again from program slicing, by partially constructing the call graph for reflective method calls.

User Inputs
An .apk has to be given as input to HARVESTER.
Pick a class you need to extract runtime values for. Example: URL, shell commands, SMS number, SMS content etc.
These are the inputs expected from the analyst to test an application using HARVESTER. Once a class is picked, the corresponding API executes and gives all related methods of the specified class.

Analysis
Experimentation: tested with 12 malware samples from the most sophisticated malware families, e.g. FakeInstaller, Pincer, GinMaster. 16,799 malware samples were given as input to HARVESTER.
Observations:
- 86.6% accuracy, i.e. it detects at least one value for all logging points.
- A precision of 100%, extracting all the runtime values for the specified categories.
- HARVESTER took less than 3 minutes to run an APK and extract values.

Criticism
- If the malware suppresses its malicious activity for more than 10 minutes, it cannot be detected.
- If the reflective calls depend on user input, HARVESTER might not be effective.
- The time taken by HARVESTER to run an APK does not provide any information regarding the size of the application.

Possible Improvements
- Random dummy values could be replaced with realistic values.
- Building an automated GUI testing system.
- Setting the threshold time through an environment variable, instead of a fixed 10 minutes, could be more accurate.

Thank you. Questions?