A Scalable Framework for Android Antivirus Testing: AndroTotal
TRANSCRIPT
![Page 1: A Scalable Framework for Android Antivirus Testing: AndroTotal](https://reader036.vdocuments.mx/reader036/viewer/2022081617/6022d86ae69dd92acd3aabcd/html5/thumbnails/1.jpg)
Federico [email protected]
Politecnico di Milano
AndroTotal
A Scalable Framework for Android Antivirus Testing
Joint work with Andrea Valdi (MSc) and Stefano Zanero (PhD)
Who I am
Federico Maggi, PhD
Post-doctoral Researcher
Topics: Android malware, botnet detection, web measurements
Background: Intrusion detection, anomaly detection
www.red-book.eu
The RED BOOK: A Roadmap for Systems Security Research
Audience: Policy makers, Researchers, Journalists
Free PDF
Content: Vulnerabilities, Social Networks, Critical Infrastructure, Mobile Devices, Malware, . . .
Roadmap
1. Android threats and protections
2. Limitations
3. Testing antivirus apps
4. AndroTotal
5. Status
1. Android threats and protections
Android beats them all
July 2013
● 79% market share
● 1,000,000 official apps
● ~90 alternative stores
Popularity = Security Risks
Source (Trend Micro, Q2 2012)
[Chart: number of Android malware samples over time]
Popularity = Security Risks
Source (Symantec, October 2013)
[Chart: number of Android malware samples over time; labels visible: Q4 2012, 120,000]
![Page 9: A Scalable Framework for Android Antivirus Testing AndroTotal€¦ · Yandex App Store Pdassi iMedicalApps Barnes & Noble Nvidia TegraZone AppCake Handmark Appolicious Appitalism](https://reader036.vdocuments.mx/reader036/viewer/2022081617/6022d86ae69dd92acd3aabcd/html5/thumbnails/9.jpg)
● Steal sensitive data● intercept texts or calls● steal passwords
● Turn devices into bots● perform malicious actions
● Financial gain● call or text premium numbers● steal online banking credentials
Attackers goals
EXAMPLE
Perkele (Android malware kit)
● Sold for $1,000 on underground markets
● Dev kit for bypassing 2-factor authentication
The attack scheme (1)
[Diagram: login at www.yourbank.com (username: user, password: ************) from an INFECTED COMPUTER; $ $ $ $ $ $ $]
[Screen: USERNAME user, PASSWORD ************, Login]
1-factor authentication (password)
The attack scheme (2)
[Diagram: login at www.yourbank.com (username: user, password: ************) from an INFECTED COMPUTER; ONE TIME SECRET CODE; TYPE IN THE ONE TIME SECRET CODE; OK / EXPIRED]
[Screen: ONE TIME SECRET CODE ************, GO!]
2-factor authentication (password + secret code)
The attack scheme (2)
[Diagram: login at www.yourbank.com (username: user, password: ************) from an INFECTED COMPUTER; inject QR code]
[Screen: USERNAME user, PASSWORD ************, Login, SCAN TO LOGIN]
Luring QR code
The attack scheme (3)
www.evil.org/fake-login-app.apk
The attack scheme (4)
[Diagram: login at www.yourbank.com (username: user, password: ************) from an INFECTED COMPUTER; ONE TIME SECRET CODE; TYPE IN THE ONE TIME SECRET CODE, OK; INFECTED SMARTPHONE]
The attack scheme (5)
[Diagram: FINANCIAL TRANSACTIONS $ $ $ $ $ $ $; THE MALWARE HIDES SMSs FROM THE BANK; ALERT]
Android malware distribution
Alternative app stores with pirated apps
Social engineering
Email attachments
Example fake (malicious) app
Source (Symantec)
Some names
Perkele
● Crimeware kit
Backdoor.AndroidOS.Obad.a
● Most sophisticated trojan
Android.Trojan.FakeMart
● Trojan, SMS stealer
Stells
● Multi-purpose trojan
Dangerous apps categories
Source (Symantec, October 2013)
3rd party app marketplaces
Aptoide
Insydemarket
PandaApp
AppsEgg
AppTown
AppBrain
AppsLib
ESDN
Mobilism
Mob.org
Handango
Mikandi
Nexva market
Yet Another Android Market
Andapponline
SlideMe
AndroidPit
AppsZoom
ApkSuite
Opera App Store
Brothersoft
Camangi
Blackmart Alpha
F-Droid
Amazon
AndroLib
GetJar
Tablified Market
Fetch
Soc.io
Android Downloadz
MerkaMarket
Good Ereader
Mobile9
Phoload
Androidblip
1Mobile
Brophone
LG World
Samsung App Store
Handster
AppsFire
Mobango
AndroidTapp
92Apk
AppChina
CoolApk
Anzhi Market
EOE Market
HiApk
Nduoa
Baidu App Store
D.cn
Gfan
Millet App Store
Taobao
Tencent App Gem
Hyper Market
No Crappy Apps
T Store
Yandex App Store
Pdassi
iMedicalApps
Barnes & Noble
Nvidia TegraZone
AppCake
Handmark
Appolicious
Appitalism
WhiteApp
AppCity
AlternativeTo
Appzil
Naver NStore
Cisco Market
Lenovo App Store
Omnitel Apps
TIM Store
T-Store
T-Market
AT&T
CNET
Android games room
91mobiles
mobiles24
Android Freeware
MplayIt
Hami
Olleh Market
3rd party sources
Unknown sources: Allow installation of apps from sources other than the Play Store
Do we have any clue on the size?
How many malicious "Android threats"? (Q1 2013)
● Symantec: ~3,900
● McAfee: ~60,000
● TrendMicro: ~509,000
Google says that this is vastly exaggerated
This is vastly exaggerated
Source (Google, VB2013)
Protections
● Google Play app vetting
● Install and permission confirmation
● SMS/call blacklisting and quota (Android 4.3)
● Runtime checks
● App sandboxing
● SELinux policies (Android 4.4)
App sandboxing
[Diagram: Device (smartphone, tablet) > Linux kernel > Process1 ...; App1, App2, App3 each in its own virtual machine, running as User1, User2, User3 . . .; PERMISSIONS]
Linux-based process isolation
[Diagram: Phone hardware > Linux kernel > Process1, Process2, Process3 ...; App1, MaliciousApp, App3 each in its own virtual machine, running as User1, User2, User3 . . .; PERMISSIONS]
Permissions
Sensitive resources
● Location
● Contacts
● Storage
● Accounts
How about anti-virus apps (AVs) for Android?
Antivirus/antimalware for Android
Great market opportunity
● More than 100 AV-like apps on Google Play alone
● About 71% of them are mobile only
New companies created solely to produce Android AVs
2. Limitations
Antivirus apps are constrained
No primitives for auditing running processes
● advanced heuristics
● runtime checks
No primitives for process auditing
[Diagram: Linux kernel; SD card; Process1 ...; App1 and the ANTIVIRUS APP each in its own virtual machine; User1 User2 User3 . . .; Malicious App; PERMISSIONS]
Antivirus apps are constrained
Workarounds
● Signature-based matching
● Scan limited portion of the storage
● Send sample to cloud service
● Custom kernel (not market proof)
● Require root privileges (drawbacks)
Malware apps are constrained, too
Less freedom
● A malware is an isolated app itself
Workarounds
● Social engineering (users must install the malware)
● Signature evasion
Signature evasion
Few families, thousands of samples
[Diagram: AUTHOR > SELLS > DISTRIBUTOR > REPACK & OBFUSCATE; Family 1, Family 2, Family 3 . . .; AV COMPANY]
3. Testing antivirus apps
Are these AV apps any good?
Simple checks (easily evaded)
● Package name
● Class names
Signatures (easily evaded)
● Static signatures
Cloud based (network intensive or easily evaded)
● Send each installed APK (network intensive)
● Send the hash of the APK (easily evaded)
How to test Android AV apps?
1. Obtain M samples of known malware
2. Apply T code transformations to each sample
3. Produce M × T variants
4. Analyze the variants with P antimalware apps
5. Repeat for each of the A Android versions
Let's do the math
● Samples = 1,000 (very conservative)
● Code transformations = 10 (10 transformed variants plus the original = 11 variants per sample)
● AV products = 100
● Android versions = 3 (e.g., 2.3, 4.1, 4.2)
1,000 × 11 × 100 × 3 = 3,300,000 tests
Lack of tools
● VirusTotal.com covers ~29% of Android AVs
● H. Pilz, "Building a test environment for Android anti-malware tests," Virus Bulletin Conference '12
  ● human oracle needed
● M. Zheng, P. P. C. Lee, and J. C. S. Lui, "ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-Virus Systems," DIMVA'12
  ● Focus on code transformation
● V. Rastogi, Y. Chen, and X. Jiang, "DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks," AsiaCCS'13
  ● Focus on code transformation
4. AndroTotal
AndroTotal
www.andrototal.org
SDK for writing UI tests/scrapers
Pluggable adapters for each antimalware
Parametric tests (e.g., version, platform)
Web frontend for humans
REST/JSON API for machines
Architecture
The basics
[Diagram: ANDROID EMULATOR (restored at every test) running AV app 1 and AV app 2 against Malicious app 1, Malicious app 2, Malicious app 3, ...]
User interface automation
Under the hood (1)
Under the hood (2)
REST/JSON API and client
● http://code.andrototal.org/tool
5. Status
Status
● 13 antivirus vendors supported (not all public)
● 16 products overall (not all public)
● 1,451 users subscribed
● 29,791+ distinct APKs submitted and analyzed
Notable consumers/producers
● Symantec
● Kaspersky
● Sophos
● ESET
● Andrubis (sandbox)
● CopperDroid (VM introspection)
● ForeSafe (sandbox)
● SandDroid (sandbox)
● VisualThreat (sandbox + static analysis)
● AndroidObservatory (data collection)
Most popular malware names

| Label | Samples |
|---|---|
| UDS:DangerousObject.Multi.Generic | 4820 |
| not a virus Adware.Airpush.origin.7 | 1942 |
| Trojan-SMS.AndroidOS.Opfake.bo | 1542 |
| AndroidOS_Opfake.CTD | 795 |
| Adware.AndroidOS.Airpush-Gen | 789 |
| Trojan-SMS.AndroidOS.Opfake.a | 763 |
| Android.SmsSend.origin.281 | 640 |
| Android.SmsSend.origin.629 | 639 |
| Android:FakeNotify-A [Trj] | 631 |
| Trojan-SMS.AndroidOS.FakeInst.a | 616 |
Future work
● Add more cores and scale
● Add more antivirus apps
● Make it an open malware repository for research
We're always looking for good, motivated students to work on projects like this one!
Federico [email protected]
Politecnico di Milano
Questions? Grab a sticker!
http://andrototal.org
@andrototal_org