
Presented by: Kushal Mehta, University of Central Florida
Authors: Michael Spreitzenbarth, Felix Freiling (Friedrich-Alexander-University Erlangen, Germany); Florian Echtler, Thomas Schreck (Siemens CERT, Munich, Germany); Johannes Hoffmann (Ruhr-University Bochum, Germany)

 Android applications have become a focus of cyber criminals in recent years.
 As the number of Android applications grows, Android malware is increasing at a very high rate as well.
 The authors present Mobile-Sandbox, a novel way to automatically analyze Android applications.

 Static: investigates the properties that can be determined by inspecting the downloaded app and its source code only, e.g. the signature-based inspection used by anti-virus products.
 Dynamic: the app is run in a secure environment such as a sandbox, which logs every relevant operation the app performs.

 Static analysis can be countered easily by making function calls to libraries outside the Dalvik/Java runtime library.
 Dynamic analysis is harder to counter, but can still be worked around at runtime.
 The authors' approach combines static and dynamic methods to analyze apps.

 The app's hash value is checked against the VirusTotal database and the app is classified into existing malware families.
 The app is then unpacked and all requested permissions are extracted with the aapt tool.
 The Dalvik bytecode is converted to Smali; while doing so, the code of advertising networks is removed.
 The entire Smali code is then analyzed for dangerous functions such as sendTextMessage(), getPackageInfo() and getSimCountryIso().

 The frequency of such function calls is taken into account.
 A code-review step is performed to understand which of these calls are necessary for the app to work correctly.
 Statically coded URLs are analyzed, and all implemented timers and broadcasts are filtered out.
 At the end of the static analysis, an XML file is created with all the collected information.
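The static stage described on the last two slides (scan for dangerous calls, count their frequency, drop advertising-network code, collect statically coded URLs, emit an XML summary), as an added Python example that is not part of the presentation or of the Mobile-Sandbox code. The Smali excerpts, the advertising package prefix list and the XML layout are all constructed here for illustration; a real tool would use a much longer call list.

```python
import re
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed Smali excerpts (not disassembled from any real app). The second
# class lives under an advertising-SDK package and is meant to be filtered out.
SMALI_FILES = {
    "com/example/app/MainActivity.smali": """\
.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;

.method private sendHidden()V
    .locals 6
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method

.method private fingerprint()V
    .locals 3
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSimCountryIso()Ljava/lang/String;
    invoke-virtual {v0, v1, v2}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
    const-string v1, "http://example.invalid/report"
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSimCountryIso()Ljava/lang/String;
    return-void
.end method
""",
    "com/adnetwork/sdk/AdLoader.smali": """\
.class public Lcom/adnetwork/sdk/AdLoader;
.super Ljava/lang/Object;

.method public load()V
    .locals 2
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSimCountryIso()Ljava/lang/String;
    const-string v1, "https://ads.example.invalid/serve"
    return-void
.end method
""",
}

# The three calls the slides name; a production list would be much longer.
SUSPICIOUS_METHODS = {"sendTextMessage", "getPackageInfo", "getSimCountryIso"}

# Package prefixes treated as advertising networks (hypothetical list).
AD_PREFIXES = ("com/adnetwork/",)

# invoke-* instruction: register list, then "Lpkg/Class;->method(" descriptor.
INVOKE_RE = re.compile(r"invoke-[a-z/]+\s+\{[^}]*\},\s*(L[^;]+;)->([A-Za-z0-9_$<>]+)\(")
# String constants that look like URLs.
URL_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:https?|ftp)://[^"]+)"')


def is_ad_code(path):
    """True if the Smali file belongs to a known advertising package."""
    return path.startswith(AD_PREFIXES)


def scan_smali(files, skip_ads=True):
    """Count suspicious API invocations per class and collect statically coded URLs."""
    calls, urls = Counter(), set()
    for path, text in files.items():
        if skip_ads and is_ad_code(path):
            continue
        for m in INVOKE_RE.finditer(text):
            cls, method = m.group(1), m.group(2)
            if method in SUSPICIOUS_METHODS:
                calls[(cls, method)] += 1
        urls.update(URL_RE.findall(text))
    return calls, sorted(urls)


def to_xml(package, calls, urls):
    """Serialize the findings into the XML summary the static stage hands on."""
    root = ET.Element("app", package=package)
    for (cls, method), n in sorted(calls.items()):
        ET.SubElement(root, "call", cls=cls, method=method, count=str(n))
    for url in urls:
        ET.SubElement(root, "url").text = url
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    found_calls, found_urls = scan_smali(SMALI_FILES)
    print(to_xml("com.example.app", found_calls, found_urls))
```

With the advertising class skipped, getSimCountryIso() is counted twice (both in the app's own code) rather than three times, which is exactly the distortion the ad-network removal step is meant to avoid: a single analytics SDK would otherwise dominate the call frequencies of every app that bundles it.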

 The Android emulator provided by Google is used to perform the app analysis.
 The stock emulator has limited logging capability, so it is patched with DroidBox.
 The logs contain information such as data written to and read from files, data sent and received over the network, SMS messages sent, and so on.

 Native code called through JNI is invisible to DroidBox; the Android NDK allows function calls to external libraries.
 Functions such as socket(), connect(), read() and write() can be used by malware to communicate with an external server.
 A modified ltrace, attached to the Dalvik VM process, is used to trace native function calls and log the information.

 Network traffic capture is the third logging component and is already supported by the emulator.
 The captured traffic is saved in a PCAP file.
 This file can later be analyzed with tools such as Wireshark.
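An added example, not from the presentation or the Mobile-Sandbox tool, of the kind of triage Wireshark performs on the PCAP file the emulator writes: a minimal parser for the classic pcap format that lists the destinations the app contacted and the DNS names it looked up. The capture bytes are constructed inside the block (the 10.0.2.x addresses mirror the emulator's default network but are sample values); pcapng files, non-Ethernet captures and DNS name compression are deliberately not handled.

```python
import socket
import struct
from collections import Counter

# Classic pcap magic numbers mapped to the struct byte-order prefix needed to
# read the rest of the file (microsecond and nanosecond timestamp variants).
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def iter_records(data):
    """Yield (timestamp_seconds, frame_bytes) for every record in a pcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    bo = PCAP_MAGICS[magic]
    linktype, = struct.unpack_from(bo + "I", data, 20)   # last field of the 24-byte header
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack_from(bo + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4 plus the TCP/UDP ports; return None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    sport = dport = None
    payload = b""
    min_l4 = 20 if proto == PROTO_TCP else 8
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + min_l4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        hdr_len = (frame[l4 + 12] >> 4) * 4 if proto == PROTO_TCP else 8
        payload = frame[l4 + hdr_len:]
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport, "payload": payload}


def dns_qname(payload):
    """Return the first question name of a DNS message (no compression pointers)."""
    labels, off = [], 12   # skip the 12-byte DNS header
    while off < len(payload):
        n = payload[off]
        if n == 0:
            break
        if n & 0xC0:
            return None   # compression pointer inside a question name: not handled
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels) if labels else None


def summarize(data):
    """Count (destination, protocol, port) tuples and collect DNS names looked up."""
    endpoints, names = Counter(), set()
    for _ts, frame in iter_records(data):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        endpoints[(pkt["dst"], pkt["proto"], pkt["dport"])] += 1
        if pkt["proto"] == PROTO_UDP and pkt["dport"] == 53:
            name = dns_qname(pkt["payload"])
            if name:
                names.add(name)
    return endpoints, sorted(names)


# --- constructed sample capture (builders, not part of the parser) ---
def _record(ts, frame):
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


def _ether_ipv4(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def _tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)


def _udp_dns_query(sport, name):
    q = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns


def build_sample_pcap():
    """Constructed capture: one DNS lookup, then two TCP SYNs to port 80 (not real traffic)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        _ether_ipv4("10.0.2.15", "10.0.2.3", PROTO_UDP, _udp_dns_query(40000, "report.example.invalid")),
        _ether_ipv4("10.0.2.15", "203.0.113.10", PROTO_TCP, _tcp_syn(40001, 80)),
        _ether_ipv4("10.0.2.15", "203.0.113.10", PROTO_TCP, _tcp_syn(40002, 80)),
    ]
    return header + b"".join(_record(1000 + i, f) for i, f in enumerate(frames))


if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

Run stand-alone, the block prints the destination counter and the list of looked-up names for the constructed capture. The endpoint counter is the piece worth keeping in an automated pipeline: a contacted host or resolved name that does not appear in the app's statically coded URLs is a cheap signal that the network behaviour was assembled at runtime.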

 The user must interact with the app in a certain way to trigger the malware.
 The MonkeyRunner toolkit, provided by the Android SDK, is used to emulate random user interactions.
 Other events, such as incoming calls or text messages, are also generated externally.

 Reset the emulator to its initial state.
 Launch the emulator and wait until startup is completed.
 Install the app to be analyzed.
 Launch the app in a new Dalvik VM.
 Attach ltrace to the VM process running the app.
 Launch MonkeyRunner to generate simulated UI events.
 Simulate additional user events such as phone calls.
 Launch a second run of MonkeyRunner.
 Collect the Dalvik log, the ltrace log and the PCAP file.

 20 samples were randomly chosen from a set of malicious apps.
 The authors then manually inspected elements from other malware families known from other virus databases.
 Mobile-Sandbox detected the malware that was included in the dataset.

 Performance is rather weak: runtimes were between 9 and 14 minutes.
 The majority of this time is spent installing the application and running the MonkeyRunner script.
 Performance can be improved by running multiple instances of the analysis framework simultaneously.

 Android applications will increasingly detect whether they are running on an emulator or on a real device.
 This detection relies on device-specific values such as the build, model and kernel.
 The authors changed these parameters on the emulator to check whether the malicious apps could still detect it.

 Mobile-Sandbox was used to analyze 36,000 randomly chosen apps and 4,000 randomly chosen apps from the malware set.
 Mobile-Sandbox detected a total of 4,641 malicious apps.
 Of the randomly chosen apps, 641 were detected as malicious.

 The overall percentage of malicious apps detected in the dataset is 1.78% (641 out of ).
 Of these, as many as 35 apps were not detected as malicious by other anti-virus software.
 The performance of Mobile-Sandbox still needs to be vastly improved, but it has a better detection rate than other virus detection software.