Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,

Published byRandolph Pierce Modified over 8 years ago

Similar presentations

Presentation on theme: "Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,"— Presentation transcript:

1 Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart, felix.freiling@cs.fau.de Florian Echtler, Thomas Schreck Siemens CERT Munich, Germany florian.echtler, t.schreck@siemens.co m Johannes Hoffmann Ruhr-University Bochum Bochum, Germany johannes.hoffmann@ru b.de

2  Android applications are becoming the focus of cyber criminals in the recent years.  With an increase the number of android applications, android malware is also increasing at a very high rate.  The authors present mobile-sandbox which is a novel way to auto analyze android applications.

3  Static: Investigates the properties that can be investigated by inspecting the downloaded app and its source code only. Eg: Signature based inspection used by anti-virus technologies.  Dynamic: In this method, app is run in a secure environment such as sand-box and logs every relevant operation of the app.

4  Static analysis method can countered easily by making function calls to libraries outside the Dalvik/ Java runtime library.  Dynamic analysis is a little harder to counter but still can be worked around during runtime  The author’s approach combines both static and dynamic methods to analyze apps.

5  Hash value is matched with VirusTool database and classified into existing malware families.  The app is then extracted and all the required permissions are analyzed by using aapt tool.  Now Dalvik byte code is converted to Smali. While doing so, the advertising networks are removed.  Then analyze entire smali code for dangerous functions such as sendTextMessage(), getPackageInfo(), getSimCountryIso().

6  The frequency of such function calls is taken into account.  A code-review step is performed to understand which calls are necessary for the app to work correctly.  Statistically coded URL are analyzed and all the implemented timers are broadcasts are filtered out.  By the end of static analysis, an XML file is created with all the information.

7

8  An android emulator provided by google is used to perform app analysis.  But the emulator has limited logging capability hence it is patched with DroidBox.  Logs contain information such as data written to and read from files, sent ad received over the network, SMS messages sent and so on.

9  Native code using JNI is invisible to DroidBox. The android NDK allows function calls to be made to external libraries.  Functions such as socket(), connect(), read(), write() can be potentially used by malware to communicate with external server.  Modified ltrace is used to trace native function calls which attaches to Dalvik VM and logs the information.

10  This is the third logging component and is already supported by the emulator.  The logging information is saved in a PCAP file  This file can be later analyzed using tools such as WireShark.

11  It is necessary for the user to interact in a certain way with the app to trigger the malware.  MonkeyRunner toolkit is used which emulates random user interactions and is provided by the Android SDK.  Other random events are also generated externally such as receiving calls or text messages.

12  Reset emulator to the initial state.  Launch emulator and wait until startup is completed.  Install app to be analyzed.  Launch app in a new Dalvik VM.  Attach ltrace to the VM process running the app.  Launch MonkeyRunner to generate simulated UI events.  Simulate additional user events like phone calls.  Launch a second run of MonkeyRunner.  Collect the Dalvik and ltrace log and the PCAP file.

13

14

15  20 samples were randomly chosen from a set of malicious apps.  Then the authors manually inspected elements from other malware families known from other virus databases.  It turned out that mobile sand-box detected the malware that were included in the dataset.

16  Performance of the application is rather weak and runtimes were between 9 to 14 minutes.  The majority of this time is taken up in installing the application and using the MonkeyRunner script.  Performance can be improved by running multiple instances of analysis frameworks simultaneously

17  Android applications in future will become increasingly aware if they are running on an emulator or the real device  This detection is done by using certain values of the device such as device build, model, kernel.  The authors tried to change these parameters on the emulator to see if the malicious apps cannot detect the emulator.

18  Mobile sandbox was used to analyze 36,000 randomly chosen apps and 4000 randomly chosen apps from the malware set.  Mobile sandbox detected a total of 4641 malicious apps.  Out of the 36000 apps chosen, 641 were detected to be malicious.

19  Total percentage of malicious apps detected from the dataset is 1.78% (641 out of 36000 )  Out of these, as many as 35 apps were not detected as malicious by other anti-virus software.  The performance of mobile sandbox still needs to be vastly improved but it has a better rate of detection than other virus detection software.

20

Download ppt "Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,"

Similar presentations

Android Application Development A Tutorial Driven Course.

Android Application Development A Tutorial Driven Course.
Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.

Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.
Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost.

Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost.
Dissecting Android Malware : Characterization and Evolution

Dissecting Android Malware : Characterization and Evolution
Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.

Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.
Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.

Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID David Barrera, H. Güne¸s Kayacık, P.C. van Oorschot,

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID David Barrera, H. Güne¸s Kayacık, P.C. van Oorschot,
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
(NHA) The Laboratory of Computer Communication and Networking Network Host Analyzer.

(NHA) The Laboratory of Computer Communication and Networking Network Host Analyzer.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
1 2 3 Agenda Goal & Objectives Services in the Cloud Tracker Web Portal Next Step To Do 4.

1 2 3 Agenda Goal & Objectives Services in the Cloud Tracker Web Portal Next Step To Do 4.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
ANDROID PROGRAMMING MODULE 1 – GETTING STARTED

ANDROID PROGRAMMING MODULE 1 – GETTING STARTED
Mobile App Monetization: Understanding the Advertising Ecosystem Vaibhav Rastogi.

Mobile App Monetization: Understanding the Advertising Ecosystem Vaibhav Rastogi.
William Enck, Machigar Ongtang, and Patrick McDaniel.

William Enck, Machigar Ongtang, and Patrick McDaniel.
CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.

CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.
Presentation By Deepak Katta

Presentation By Deepak Katta
Android Introduction Platform Overview.

Android Introduction Platform Overview.

Similar presentations

Ads by Google