Presentation is loading. Please wait.

Presentation is loading. Please wait.

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques Presented by Vikraman Mohan.

Published bySamson Dawson Modified over 5 years ago

Similar presentations

Presentation on theme: "Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques Presented by Vikraman Mohan."— Presentation transcript:

1 Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques
Presented by Vikraman Mohan

2 Inspiration Security analysts are interested in runtime values such as: URLs to which the data is sent Target phone numbers of SMS messages Targets of reflective method calls However, sophisticated obfuscation, string encryption and emulator detection make human inspection, static analysis and dynamic analysis difficult(Ineffective)

3 Static Analysis? Dynamic Analysis? Static and Dynamic Analysis Testing
if(Build.FINGERPRINT.startsWith("generic")) Static Analysis? msg = AES.decrypt("1234","fri$ds\&S") Dynamic Analysis? nr = "00" if(simCountryIso().equals("US")) nr += "4242" nr += "8888" sendTextMessag e(nr , msg) No No ... 7

4 Static + Dynamic Analysis
So What do we Do ? This is where Harvester Comes into the picture performing a Hybrid Analysis overcoming the demerits of both static and dynamic analysis. Instead of analyzing the actual code, which is hard when obfuscated the tool analyzes byte codes of the application by inspecting runtime values. Static + Dynamic Analysis

5 What if there are Time bombs or Logic bombs ?
 Logic bombs cause an app to suppress any malicious activity if the app itself detects that it is executing within an analysis environment. Time bombs cause an app to suppress the malicious behavior in any case for a longer period of time, or until after a reboot of the phone, etc. This also includes botnet malware that only acts in response to a command received from a command-and-control server-,  it’s dynamic analysis tools will find virtually impossible to guess correctly

6 Steps Involved in HARVESTER
Program slicing (Backward Slicing) Dynamic execution of the sliced program Injection of runtime values(Optional)

7 1.Program Slicing (Static Analysis)
Keeping in mind the end goal to register all conceivable runtime estimations of a logging point, every single conceivable result of a restrictive articulation should be considered. HARVESTER replaces all conditions that are dependent on execution environment by a Boolean flag (Improved Static Analysis) and removes the code that are not of interest. “HARVESTER comes pre-customized with a configuration file listing fields and methods whose return values are known to depend on environment settings.”

8 2. Dynamic Execution of Sliced Program
The Dynamic Analysis runs on the sliced program by combining the sliced code into a single entity. The GUI of the original application is also removed and replaced with direct function calls, this is called the reduced APK code. It return all values of interest of the logging points and also combines the

9 Run Time Value Injection
The Runtime Value injection is an optional step that is provided by the HARVESTER tool to inject these values into other analyzing tools to make to get better results. This is carried out by replacing the reflective function calls with direct calls to the API.  HARVESTER  is the first fully-automated approach that performs such a value injection for Android.

10 What if the Application has got a high standard of Obfuscation ?
When the application is obfuscated in such a way that not all the logging points cannot be identified. The HARVESTER starts to iterate itself from Program Slicing by partially implementing the Reflective method call graph.

11 User Inputs An .apk has to be given as input to the HARVESTER
Pick a class you need to extricate runtime values for Example: URL, shell charges, SMS number, SMS content etc.. These are the input that is expected from the analyst to test an application using Harvester. Once a class is picked the corresponding API executes and gives all relative methods of the specified class.

12 Analysis Experimentation
Tried with 12 malware tests from the most refined malware families e.g. FakeInstaller, Pincer, GinMaster It had 16,799 Malware samples given as input to the Harvester Observations 86.6% Accuracy i.e. It detects at least one value of all logging points. It has a precision of 100% by extracting all the runtime values for the specified categories. It took less than 3 minutes for HARVESTER to run an APK and extract values.

13 Criticism If the Malware is used to suppress its malicious activities more than 10 minutes then it cannot be detected If the Reflective calls are dependent on user input then Harvester might not be effective The time taken by the Harvester to run an apk does not provide any information regarding the size of the application

14 Possible Improvements
Random Dummy Values can be updated with real possible values. Building an automated GUI testing system Setting up the threshold time instead of 10 mins to environment variable can be more accurate

15 Thank you Question ?

Download ppt "Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques Presented by Vikraman Mohan."

Similar presentations

Logical and Physical Design of an Information System

Logical and Physical Design of an Information System
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
C++ fundamentals.

C++ fundamentals.
State coverage: an empirical analysis based on a user study Dries Vanoverberghe, Emma Eyckmans, and Frank Piessens.

State coverage: an empirical analysis based on a user study Dries Vanoverberghe, Emma Eyckmans, and Frank Piessens.
Presentation By Deepak Katta

Presentation By Deepak Katta
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Chapter Seven Advanced Shell Programming. 2 Lesson A Developing a Fully Featured Program.

Chapter Seven Advanced Shell Programming. 2 Lesson A Developing a Fully Featured Program.
DroidKungFu and AnserverBot

DroidKungFu and AnserverBot
WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.

 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,

Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
CloudAppSec : Cloud Based Application Security for Android Applications Animesh Nandanwar85843974 Kshitij Desai 64167444 Mayuresh Randive26924684.

CloudAppSec : Cloud Based Application Security for Android Applications Animesh Nandanwar Kshitij Desai Mayuresh Randive
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
Mark Aslett Microsoft Introduction to Application Compatibility.

Mark Aslett Microsoft Introduction to Application Compatibility.
Chapter 14 Part II: Architectural Adaptation BY: AARON MCKAY.

Chapter 14 Part II: Architectural Adaptation BY: AARON MCKAY.
Auther: Kevian A. Roudy and Barton P. Miller Speaker: Chun-Chih Wu Adviser: Pao, Hsing-Kuo.

Auther: Kevian A. Roudy and Barton P. Miller Speaker: Chun-Chih Wu Adviser: Pao, Hsing-Kuo.

Similar presentations

Ads by Google