1 Rage Against The Virtual Machine: Hindering Dynamic Analysis of Android Malware
Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Sotiris Ioannidis, Michalis Polychronakis

2 Android Dominates Market Share
– Smartphones have overtaken client PCs
– Android accounted for 79% of the global smartphone market in 2013
Chart: Q2 2013 smartphone market share: Android 79.0%, iOS 14.2%, Microsoft 3.3%, Other 3.6%
Thanasis Petsas

3 Android Malware
– 98% of all mobile threats target Android devices
Chart: Distribution of mobile malware detected by platform, 2013

4 Android-specific anti-malware tools
Static analysis tools (AV apps)
– Identify malware through signatures
– Usually installed by users
– Real-time protection
– How to evade static analysis? See DroidChameleon (ASIA CCS '13)
Dynamic analysis services
– Used by security companies
– Run applications on an emulator
– Detect suspicious behavior
– How to evade dynamic analysis? This work

5 Our Study
Objective: Can we effectively detect an emulated Android analysis environment?
– A taxonomy of emulation evasion heuristics
– Evaluation of our heuristics on popular dynamic analysis services for Android
– Countermeasures

6 VM Evasion Heuristics
Three classes: static heuristics, dynamic heuristics, hypervisor heuristics

7 Static Heuristics
Device ID (IdH)
– IMEI, IMSI
Current build (buildH)
– Fields: PRODUCT, MODEL, HARDWARE
Routing table (netH)
– Virtual router address space: 10.0.2/24
– Emulated network IP address: 10.0.2.15
Example values, ordinary device vs. emulator:
– IMEI: 123456789012347 vs. null
– MODEL: Nexus 5 vs. google_sdk
– /proc/net/tcp: ordinary network vs. emulated network
Used in the wild by the Android Pincer malware family.
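The routing-table heuristic (netH) and the build heuristic (buildH) are simple enough to show end to end. The following C program is an added example written for this page, not code from the authors: it parses /proc/net/route text (where the kernel prints each address as a 32-bit host-order hex word, so on little-endian ARM and x86 the first octet is the low byte) and flags any destination or gateway inside 10.0.2/24, the emulator's virtual router network. The two route tables are constructed for the example, not captured from real devices; the `build_looks_emulated` check matches the substring "sdk" against PRODUCT and MODEL strings an app would obtain through `android.os.Build`, which is this example's own choice of match rule.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/net/route contents (not real captures). The emulator
 * table carries the 10.0.2/24 link route and the 10.0.2.2 default gateway;
 * the device table is a handset on a 192.168.1.0/24 Wi-Fi network. */
const char *EMULATOR_ROUTE_TABLE =
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0202000A\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t0002000A\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n";

const char *DEVICE_ROUTE_TABLE =
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "wlan0\t00000000\t0101A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "wlan0\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n";

/* /proc/net/route prints the in_addr as a host-order 32-bit word, so on a
 * little-endian CPU the first octet is the least significant byte. */
static int in_emulated_net(unsigned long v) {
    unsigned o1 = v & 0xFF, o2 = (v >> 8) & 0xFF, o3 = (v >> 16) & 0xFF;
    return o1 == 10 && o2 == 0 && o3 == 2;
}

/* netH: 1 if any destination or gateway in the table lies in 10.0.2/24. */
int route_table_looks_emulated(const char *table) {
    const char *line = table;
    int header = 1;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (!header) {
            char iface[32];
            unsigned long dst, gw;
            if (sscanf(buf, "%31s %lx %lx", iface, &dst, &gw) == 3 &&
                (in_emulated_net(dst) || in_emulated_net(gw)))
                return 1;
        }
        header = 0;
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* netH on the running system; returns -1 if /proc/net/route is unreadable. */
int live_route_table_looks_emulated(void) {
    FILE *f = fopen("/proc/net/route", "r");
    char table[4096];
    size_t n;
    if (!f) return -1;
    n = fread(table, 1, sizeof table - 1, f);
    fclose(f);
    table[n] = '\0';
    return route_table_looks_emulated(table);
}

/* buildH on the PRODUCT and MODEL strings. "google_sdk" is the value the
 * slide shows for the emulator; matching the substring "sdk" is an
 * assumption of this example, not a rule from the paper. */
int build_looks_emulated(const char *product, const char *model) {
    return strstr(product, "sdk") != NULL || strstr(model, "sdk") != NULL;
}

int main(void) {
    printf("emulator table: %d\n", route_table_looks_emulated(EMULATOR_ROUTE_TABLE));
    printf("device table:   %d\n", route_table_looks_emulated(DEVICE_ROUTE_TABLE));
    printf("this host:      %d\n", live_route_table_looks_emulated());
    printf("build google_sdk: %d, Nexus 5: %d\n",
           build_looks_emulated("google_sdk", "google_sdk"),
           build_looks_emulated("hammerhead", "Nexus 5"));
    return 0;
}
```

Both checks are exactly the kind an analysis service can defeat by editing a few strings and routes, which is why the countermeasures slide treats static heuristics as the cheapest class to fix.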

8 Dynamic Heuristics (1/3)
Sensors:
– A key difference between mobile and conventional systems
– New opportunities for identifying mobile devices
– Can emulators realistically simulate device sensors? Only partially: the same value at equal time intervals
Sensors considered: Accelerometer, Gyroscope, GPS, Gravity Sensor, Proximity Sensor, Rotation Vector, Magnetic Field

9 Dynamic Heuristics (2/3)
Plot: the emulator generates the same sensor value at equal time intervals (0.8 ± 0.003043)

10 Dynamic Heuristics (3/3)
Sensor-based heuristics
– An Android Activity that monitors the sensors' output values
– We implemented this algorithm for a variety of sensors:
– Accelerometer (accelH)
– Magnetic field (magnFH)
– Rotation vector (rotVecH)
– Proximity (proximH)
– Gyroscope (gyrosH)
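The sensor heuristics reduce to one test over a captured event stream: does the sensor keep reporting the identical value, and do the events arrive at (nearly) equal intervals? The C code below is an added example for this page, not the authors' implementation; it operates on `(timestamp, value)` pairs of the kind a `SensorEventListener` would hand to native code over JNI. Both streams are constructed for the example: the "emulator" stream repeats 0.8 every 800 ms with about a millisecond of jitter, the "device" stream jitters in both value and timing. The tolerance is a parameter because the right value depends on the sensor rate requested.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int64_t ts_ns;   /* SensorEvent.timestamp, in nanoseconds */
    float value;     /* one axis of SensorEvent.values */
} sensor_sample_t;

/* Constructed streams (not real captures). */
const sensor_sample_t EMULATOR_STREAM[] = {
    {         0LL, 0.8f}, { 800000000LL, 0.8f}, {1601000000LL, 0.8f},
    {2400000000LL, 0.8f}, {3199000000LL, 0.8f}, {4000000000LL, 0.8f},
};
const sensor_sample_t DEVICE_STREAM[] = {
    {        0LL, 9.71f}, { 20000000LL, 9.83f}, { 51000000LL, 9.78f},
    { 68000000LL, 9.92f}, { 92000000LL, 9.64f}, {113000000LL, 9.80f},
};
#define N_OF(a) (sizeof(a) / sizeof((a)[0]))
const size_t EMULATOR_STREAM_LEN = N_OF(EMULATOR_STREAM);
const size_t DEVICE_STREAM_LEN = N_OF(DEVICE_STREAM);

/* 1 if every sample carries exactly the same value as the first one. */
int values_constant(const sensor_sample_t *s, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (s[i].value != s[0].value) return 0;
    return 1;
}

/* 1 if every inter-sample interval lies within tol_ns of the mean interval.
 * Needs at least three samples, i.e. two intervals to compare. */
int intervals_regular(const sensor_sample_t *s, size_t n, int64_t tol_ns) {
    if (n < 3) return 0;
    int64_t sum = 0;
    for (size_t i = 1; i < n; i++) sum += s[i].ts_ns - s[i - 1].ts_ns;
    int64_t mean = sum / (int64_t)(n - 1);
    for (size_t i = 1; i < n; i++) {
        int64_t d = s[i].ts_ns - s[i - 1].ts_ns;
        if (llabs((long long)(d - mean)) > tol_ns) return 0;
    }
    return 1;
}

/* accelH-style verdict: a constant value delivered at a fixed cadence is the
 * emulator's synthetic sensor; a real sensor shows noise in both. */
int stream_looks_emulated(const sensor_sample_t *s, size_t n, int64_t tol_ns) {
    return values_constant(s, n) && intervals_regular(s, n, tol_ns);
}

int main(void) {
    const int64_t tol = 5000000LL;   /* 5 ms, an assumption for this example */
    printf("emulator stream: %d\n", stream_looks_emulated(EMULATOR_STREAM, EMULATOR_STREAM_LEN, tol));
    printf("device stream:   %d\n", stream_looks_emulated(DEVICE_STREAM, DEVICE_STREAM_LEN, tol));
    return 0;
}
```

A practical caveat: a phone lying flat on a desk also produces a near-constant accelerometer reading, so the interval regularity is the stronger half of the test; a countermeasure that replays recorded sensor traces with their original jitter (the "realistic sensor event simulation" of slide 22) defeats both halves.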

11 Hypervisor Heuristics
– Try to identify the hosting virtual machine
– The Android Emulator is based on QEMU
Our heuristics:
– Based on QEMU's incomplete emulation of the actual hardware
– Identify QEMU scheduling
– Identify QEMU execution using self-modifying code

12 Identify QEMU Scheduling (1/2)
The virtual PC in QEMU:
– is updated only after the execution of a basic block (i.e. at a branch)
– so OS scheduling never occurs in the middle of a basic block
QEMU binary translation (BT) detection:
– Monitor the addresses at which a thread gets scheduled out
– Real device: various scheduling points
– Emulator: a single scheduling point
– Heuristic: BTdetectH

13 Identify QEMU Scheduling (2/2)
Plot: on the emulator the thread is always interrupted at one specific scheduling point
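One way to observe the scheduling-point effect from user space is to let an interval timer interrupt a tight loop and record, in the signal handler, the program counter at which the loop was interrupted. Under binary translation the guest kernel only gets control at a translated-block boundary, so the recorded addresses collapse to one or very few values; on native hardware the interrupt lands anywhere inside the loop body. The program below is an added example written for this page, not the authors' BTdetectH code, and the method (a SIGPROF timer plus `ucontext` inspection) and the distinctness threshold are this example's own assumptions. The PC register name depends on the architecture, which the `#if` ladder handles for x86, x86-64, ARM and AArch64.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <ucontext.h>

#define MAX_SAMPLES 200

static volatile uintptr_t g_pcs[MAX_SAMPLES];
static volatile size_t g_count;

/* Program counter of the interrupted code, read from the signal context.
 * Unsupported architectures yield 0 so the build still succeeds. */
static uintptr_t interrupted_pc(void *ctx) {
    ucontext_t *uc = (ucontext_t *)ctx;
#if defined(__x86_64__)
    return (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
#elif defined(__i386__)
    return (uintptr_t)uc->uc_mcontext.gregs[REG_EIP];
#elif defined(__aarch64__)
    return (uintptr_t)uc->uc_mcontext.pc;
#elif defined(__arm__)
    return (uintptr_t)uc->uc_mcontext.arm_pc;
#else
    (void)uc;
    return 0;
#endif
}

static void on_timer(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)si;
    if (g_count < MAX_SAMPLES) g_pcs[g_count++] = interrupted_pc(ctx);
}

/* Number of distinct addresses among the samples (quadratic, fine for 200). */
size_t count_distinct(const uintptr_t *pcs, size_t n) {
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j;
        for (j = 0; j < i; j++) if (pcs[j] == pcs[i]) break;
        if (j == i) distinct++;
    }
    return distinct;
}

/* BTdetectH-style verdict: fewer than min_distinct interruption addresses
 * over a loop of many instructions suggests block-granular delivery.
 * min_distinct is a tunable assumption, not a value from the paper. */
int looks_like_binary_translation(const uintptr_t *pcs, size_t n, size_t min_distinct) {
    return n > 0 && count_distinct(pcs, n) < min_distinct;
}

/* Spin while a 1 ms profiling timer interrupts the loop; returns samples taken. */
size_t sample_interrupt_points(size_t wanted) {
    struct sigaction sa;
    struct itimerval it;
    volatile uint32_t acc = 1;
    if (wanted > MAX_SAMPLES) wanted = MAX_SAMPLES;
    g_count = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_timer;
    sa.sa_flags = SA_SIGINFO | SA_RESTART;
    sigaction(SIGPROF, &sa, NULL);
    it.it_interval.tv_sec = 0;
    it.it_interval.tv_usec = 1000;
    it.it_value = it.it_interval;
    setitimer(ITIMER_PROF, &it, NULL);
    while (g_count < wanted) {          /* loop body spans many instructions */
        acc = acc * 1103515245u + 12345u;
        acc ^= acc >> 13;
        acc += (uint32_t)g_count;
    }
    memset(&it, 0, sizeof it);
    setitimer(ITIMER_PROF, &it, NULL);  /* disarm the timer */
    return g_count;
}

int main(void) {
    uintptr_t pcs[MAX_SAMPLES];
    size_t n = sample_interrupt_points(100);
    for (size_t i = 0; i < n; i++) pcs[i] = g_pcs[i];
    printf("%zu samples, %zu distinct interrupt addresses: %s\n", n, count_distinct(pcs, n),
           looks_like_binary_translation(pcs, n, 4) ? "binary translation suspected" : "looks native");
    return 0;
}
```

Run it natively and the distinct count is typically a good fraction of the loop's instruction count; the same binary under a software-translating emulator reports one or two addresses. Hardware-assisted virtualization (slide 22) removes the signal, since guest interrupts then land at arbitrary instructions just as on bare metal.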

14 ARM Architecture
Diagram: memory, I-cache and D-cache; old code vs. new code on a real device and on the emulator
– On a real ARM device the instruction and data caches are not coherent: code written to memory may still be shadowed by a stale copy in the I-cache
– Android cacheflush:
  1. Clean the D-cache range
  2. Invalidate the I-cache
– After the resulting I-cache miss, the new code is fetched and run

15 Identify QEMU execution (xFlowH)
Overwrite a code region with new code, then execute it:
– With cacheflush(): same behavior on the device and on the emulator
– Without cacheflush(): different behavior! The device may still execute the stale old code from its I-cache, while the emulator, which does not model the caches, executes the new code

16 Implementation
– Android SDK for the static and dynamic heuristics
– Android NDK for the hypervisor heuristics
– An Android app that runs the heuristics and sends the results to an HTTP server
– Repackaging of well-known Android malware samples:
  – Smali/Baksmali
  – Apktool
  – Patching the Smali Dalvik bytecode

17 Evaluation: Malware Set
Table: the malware samples used (source: http://contagiominidump.blogspot.com/)

18 Evaluation: Dynamic Analysis Services
Stand-alone tools
– DroidBox, DroidScope, TaintDroid
Online services
– Andrubis, SandDroid, ApkScan, Visual Threat, TraceDroid, CopperDroid, APK Analyzer, ForeSafe, Mobile SandBox

19 Methodology (1/2)

20 Methodology (2/2)

21 Resilience of dynamic analysis tools
Table: resilience of each service against the static, dynamic and hypervisor heuristics
– All studied services are vulnerable to 5 or more heuristics
– These tools failed to infer the malicious behavior of the repackaged malware samples
– Only 1 service provides information about VM evasion attempts

22 Countermeasures
Static heuristics
– Emulator modifications
Dynamic heuristics
– Realistic sensor event simulation
Hypervisor heuristics
– Accurate binary translation
– Hardware-assisted virtualization
– Hybrid application execution

23 Summary
– Evaluation of VM evasion against 12 Android dynamic analysis tools
– Only half of the services detected our most trivial heuristics
– No service was resilient to our dynamic and hypervisor heuristics
– The majority of the services failed to detect the repackaged malware
– Only 1 service reported VM evasion attempts and was resilient to all our static heuristics

24 Thank you!
Rage Against The Virtual Machine: Hindering Dynamic Analysis of Android Malware
Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Sotiris Ioannidis, {petsas, jvoyatz, elathan, sotiris}@ics.forth.gr
Michalis Polychronakis, mikepo@cs.columbia.edu
