Dissecting Android Malware : Characterization and Evolution

Author : Yajin Zhou, Xuxuan Jiang

TJ

Index of this paperI. IntroductionII. Malware TimelineIII. Malware Characterization

A. Malware Installation1) Repackaging2) Update Attack3) Drive-by Download4) Others

B. ActivationC. Malicious Payloads

1) Privilege Escalation2) Remote Control3) Financial Charge4) Information Collection

D. Permission Uses

IV. Malware EvolutionA. DroidKungFu

1) Root Exploits2) C&C Servers3) Shadow Payloads4) Obfuscation, JNI, and Others

B. AnserverBot1) Anti-Analysis2) Security Software Detection3) C&C Servers

V. Malware DetectionVI. DiscussionVII. Related WorkVIII.Conclusion

I. Introduction• Smartphone

– Shipment : X 3 ↑ (40milion120mil.) in 2009~2011 ► mobile malware↑

• Android-based malware– Share : 46%↑ and growing rapidly– 400% ↑ since summer 2010

• Goals– Malware samples(1260) & families(49)– Timeline analysis– Good example of malware

II. Malware Timeline• Dataset

– 49 families– Official/Alternative An-

droid Market– 2010-08 ~ 2011-10

III. A. Malware Installation1) Repackaging

– Most common technique– Concept

• Download popular apps Disassemble En-close malicious payloads Re-assemble Submit

III. A. 1) Repackaging• Where these original apps comes

from?

• What things are done by the au-thors?

III. A. 2) Update Attack• Concept

– Update component it download mali-cious payload

III. A. 2) Update Attack

III. A. 2) Update Attack

III. A. 3) Drive-by Download• Enticing users to download “interest-

ing” or “feature-rich” apps.• For example,

– GGTracker : in-app advertisement link– Jifake : QR code– Spitmo and Zitmo : ported version of ne-

farious PC malware(SpyEye, Zeus)

III. B. Activation• Using System Event message

• For example,– BOOT_COMPLETED– SMS_RECEIVED– ACTION_MAIN

III. C. Malicious Payloads1) Privilege Escalation

III. C. Malicious Payloads2) Remote Control

– 1,172 samples(93%) • Turn infected phones into bots• 1,171 samples

– HTTP-based communicate with C&C servers

– C&C servers• Amazon cloud• Public blog

III. C. Malicious Payloads3) Financial Charge

– Premium-rate services

4) Information Collection– SMS messages– Phone numbers– User accounts

III. D. Permission Uses

IV. Malware EvolutionA. DroidKungFu

1) Root Exploits2) C&C Servers3) Shadow Payloads4) Obfuscation

IV. B. AnserverBot1) Anti-Analysis

2) Security Software Detection

3) C&C Servers

V. Malware Detection• Tested on Nexus One

(Android 2.3.7)– Lookout– TrendMicro– AVG Antivirus– Norton

VI. Discussion• Ecosystem Android Market

• ASLR, TrustZone and eXecute-Never are needed

• Lack of fine-grain API control

• Blocking malware to enter market is needed

• Cooperation between security vendors

VIII. Conclusion• Repackaging (86%)

• Platform-level Escalate Privilege Ex-ploits (36.7%)

• Bot-like capability (93%)

Q & A