80 - enhancing stealthiness & efficiency of android trojans and defense possibilities (ensead)

Upload: kashif-aziz-awan

Post on 06-Apr-2018


  • 8/3/2019 80 - Enhancing Stealthiness & Efficiency of Android Trojans and Defense Possibilities (EnSEAD)



Enhancing Stealthiness & Efficiency of Android Trojans and Defense Possibilities (EnSEAD)

Humayun Ali, Mohammad Ali, Zahid Anwar

(humayun.ali, 10msccsmali, zahid.anwar)@seecs.edu.pk

    National University of Sciences and Technology (NUST),

    Islamabad, Pakistan


    Slide Map

    About Speaker

    Objective

    Domain Background and Motivation

    Enhancements

CONTACT ARCHIVER: Our Android Trojan

Discussing Defense and Future Work


    About Speaker

Humayun Ali: BE Information and Communication Systems Engineering (2006-10)

MS Computer and Communication Security (2010-12)

About NUST: NUST was established as an Engineering University in 1991.

It has expanded its scope to Basic, Medical, Management and Social Sciences.

It was originally based on the concept of multiple campuses in different cities.

Now all the campuses are consolidated into a single campus in Islamabad.


    Objective

To Enhance:

1) Stealth capabilities of Android Trojans: stealthiness in communication

2) Efficiency: compressing the data to be transferred

3) And discussing a defense architecture (future work): how to block our attacks/enhancements


Domain Background and Motivation

Soundcomber: a cutting-edge Android Trojan with few and innocuous permissions that can extract a small amount of targeted private information from the audio sensor of the phone (profiling and then frequency analysis).

It performs efficient, stealthy local extraction, thereby greatly reducing the communication cost for delivering stolen data.

Soundcomber automatically infers the destination phone number by analyzing audio.

It circumvents known security defenses, and conveys information remotely without direct network access.

Ref: R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia, and X. Wang. Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones. In Proc. 18th Annual Network & Distributed System Security Symposium (NDSS '11), pp. 17-33, San Diego, CA, February 6-9, 2011.


    How?

The purpose is to develop a Trojan that steals sensitive information (credit card numbers, PINs, contact numbers, messages etc.) from an Android phone and transmits it to a remote malicious master server.

Two major steps are involved:

Collect/grab the target sensitive information.

Transmit this information to the malicious master server.


Possible Ways

Plan A: only one app on the Android phone

An app:

Grabs the information.

Transmits it outside the phone to the attacker.

Plan B: two apps on the Android phone

App 1:

Grabs the target information.

Sends this info to App 2, detectably, through any legitimate method, e.g. IPC or common files.

App 2, any other general app like a browser:

Transmits this information over the internet.


Problems with Plan A

The user can see the permissions asked for by the app.

The user can reject/delete such an application (one asking permission for both the microphone and the internet).

In recent proposals, a reference monitor could deny installation of apps asking for both mic/contacts access and other dangerous permissions.

Ref: W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In CCS '09: Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009.

(Show on AVD)


Problems with Plan B

Java-written apps are compiled into byte-code.

Each application executes in a separate Dalvik virtual machine interpreter instance running as a unique user identity.

From the underlying Linux system's perspective, apps are seemingly isolated (a kind of sandboxing). The isolation is enforced by Linux user IDs and file permissions rather than by the VM, so anything two UIDs can both observe (system settings, shared files, file metadata) is a potential channel between them.

Still, apps depend on the kernel, and IPC between apps is regulated by many recent proposals:

SAINT at ACSAC '09

TaintDroid at OSDI '10

Ref:

1. Independent Security Evaluators, Exploiting Android, http://securityevaluators.com/content/case-studies/android/index.jsp

2. M. Ongtang, S. E. McLaughlin, W. Enck, and P. D. McDaniel. Semantically rich application-centric security in Android. In ACSAC, pages 340-349. IEEE Computer Society, 2009.

3. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proc. of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), Vancouver, October 2010.


Then how did Soundcomber do it?

Soundcomber uses Plan B, or rather a modified Plan B: a special architecture in which the two apps communicate over covert channels instead of over IPC or shared files that a reference monitor could regulate.

Ref: Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones. In Proceedings of the 18th Annual Network & Distributed System Security Symposium (NDSS '11).


    Nature of Covert Channels

    1. Vibration Settings

    2. Volume Settings

    3. Screen Brightness Settings

    4. File Locks



Defense Against Soundcomber

A good defense, but only good against Soundcomber:

1: The Reference Monitor checks the number to which a call is made and decides whether it is a sensitive number or not.

2: If the dialed number is sensitive, the Reference Monitor notifies the Controller about that.

3: The Controller communicates with the AudioFlinger service, which stops giving voice from the microphone and sends silence to any application that asks for it.


ENHANCEMENTS AND DEVELOPMENT OF A TROJAN

Our Work


Enhancements

Enhancing:

Stealthiness in communication, by identifying a new covert channel.

Efficiency, by employing compression: taking the whole number and converting it to bits.

Hybrid compression technique (future work).


Enhancements contd.

Covert Channel:

Uses file permissions to transmit bits.

The owner app can change the permissions of a file as many times as it likes.

The user does not know.

The kernel knows but does not care: chmod on one's own file requires no permission, and the mode bits are visible to any process that can stat() the path, so no data ever crosses a monitored IPC boundary.

CovertChannelAnimation.swf
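The following is an added example, not the EnSEAD or Contact Archiver code: a simulation of the file-permission covert channel on a POSIX filesystem. It assumes that the two apps (the owner holding the data and the reader with network access) can both reach one shared directory; the owner only ever calls chmod on its own files, the reader only ever calls stat(). The file names, the use of the group-read bit as the data bit, the separate clock file used to delimit frames, and the 16-bit length header are this example's own conventions. The number of data files is a parameter, because each frame carries one bit per file, which is the mechanism behind the bandwidth growing with the number of files in the evaluation below.

```python
"""File-permission covert channel, simulated in one process (added example)."""
import os
import stat
import tempfile

DATA_BIT = stat.S_IRGRP                  # 0o040: the mode bit carrying one data bit
BASE_MODE = stat.S_IRUSR | stat.S_IWUSR  # 0o600: innocuous owner-only baseline


class PermissionChannel:
    """One data file per bit of a frame, plus a clock file that delimits frames."""

    def __init__(self, directory, n_files):
        self.data_files = [os.path.join(directory, f"slot{i}") for i in range(n_files)]
        self.clock_file = os.path.join(directory, "clock")
        for path in self.data_files + [self.clock_file]:
            with open(path, "w"):
                pass
            os.chmod(path, BASE_MODE)

    # Sender side: the owner app. Needs no INTERNET permission, only chmod on its own files.
    def send_frame(self, bits):
        assert len(bits) == len(self.data_files)
        for path, bit in zip(self.data_files, bits):
            os.chmod(path, (BASE_MODE | DATA_BIT) if bit else BASE_MODE)
        # Flip the clock bit last, so the receiver never reads a half-written frame.
        os.chmod(self.clock_file, BASE_MODE | (DATA_BIT ^ self.clock_phase()))

    # Receiver side: the networked app. Needs nothing but stat() on the paths.
    def clock_phase(self):
        return os.stat(self.clock_file).st_mode & DATA_BIT

    def recv_frame(self):
        return [1 if os.stat(p).st_mode & DATA_BIT else 0 for p in self.data_files]


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    whole = len(bits) - len(bits) % 8          # drop trailing padding bits
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def frames_needed(n_bytes, n_files):
    """Frames (chmod rounds) to move n_bytes plus the 16-bit length header."""
    return -(-(16 + 8 * n_bytes) // n_files)


def transmit(message, n_files=10):
    """Push `message` through the channel with sender and receiver in lockstep.

    Returns whatever the receiver decoded; each frame moves n_files bits.
    """
    with tempfile.TemporaryDirectory() as directory:
        channel = PermissionChannel(directory, n_files)
        payload = bytes_to_bits(len(message).to_bytes(2, "big") + message)
        payload += [0] * ((-len(payload)) % n_files)   # pad to whole frames
        received = []
        phase = channel.clock_phase()
        for start in range(0, len(payload), n_files):
            channel.send_frame(payload[start:start + n_files])
            if channel.clock_phase() == phase:          # receiver polls for a new frame
                raise RuntimeError("clock did not advance")
            phase = channel.clock_phase()
            received.extend(channel.recv_frame())
        raw = bits_to_bytes(received)
        length = int.from_bytes(raw[:2], "big")
        return raw[2:2 + length]


if __name__ == "__main__":
    sample = b"+92 300 1234567"   # constructed sample contact, not real data
    print(transmit(sample, n_files=10), frames_needed(len(sample), 10), "frames")
```

The simulation calls sender and receiver alternately, so the clock check always passes; a real receiver would poll the clock file's mode in a loop and read the slots only after the phase changes. A monitor looking for this channel has little to see in IPC, which is why the defense slide at the end proposes tainting at a lower layer.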


    Enhancements contd.

    Efficiency: 4 bits per digit used:

    As 0 to 9 are 10 digits and 24 = 16 possibilities.

    So Credit Card No.: 16 Digits = 16*4 = 64 bits per number

    And Contact No.: 9 Digits = 9*4 = 36 bits per number. So efficiency can be achieved using famous compression

    techniques:

    Shannon Fano Coding

    Huffman Encoding

    Arithmetic Coding

    AEP (Asymptotic Equi-partition Property) LZ77, LZ78, LZW, QuickLZ

    Our Own Customized Techniques

    But All of them failed, Why? Non Availability of Probability Distribution

    Shannon Limit

    17


    Enhancements contd.

Still we managed to compress: 16*4 = 64 bits.

But 2^54 = 18014398509481984, which is greater than any 16-digit number.

So we managed to bring 64 bits down to 54 bits = 10 bits of compression per credit card number.

In the case of contacts:

9*4 = 36 bits

But 2^30 = 1073741824, which is greater than any 9-digit number. So compression of 6 bits per contact number.

Or our own hybrid technique (future work); explanation if required.


CONTACT ARCHIVER

An Android Trojan that uses:

The architecture from Soundcomber: 2 apps, few permissions

Our enhancements

Apparently:

It asks the user to save its contacts and back them up when required.

Actually:

It harvests contacts and transmits them outside

To be used for spam messaging.


Evaluation and Results

COMPARISON OF SOUNDCOMBER AND CONTACT ARCHIVER COVERT CHANNELS IN TERMS OF BANDWIDTH

Trojan             Channel with highest bandwidth   Bandwidth
Soundcomber        File locking channel             685 bps
Contact Archiver   File permissions channel         692.5 bps

CHANGE IN BANDWIDTH OF COVERT CHANNEL BY INCREASING NUMBER OF FILES INVOLVED IN COMMUNICATION

No. of files   10          20          30
Bandwidth      692.5 bps   1250 bps    1807.5 bps

COMPRESSION ACHIEVED AS NUMBER OF CONTACTS INCREASES (chart; 6 bits saved per contact)

Number of contacts    7    10   30    50    100
Bits of compression   42   60   180   300   600


Discussing Defense & Future Work

The defense proposed by the Soundcomber team only stops Soundcomber; here we discuss how to defeat our own Trojan.

To block the covert channel:

Only the owner can delete its file; no other app can.

A generic, open, robust tainting utility, able to taint known and unknown covert channels in malicious communications.

Future work: a hybrid compression technique to increase the efficiency of Android Trojans.


    Thank you