tackling android s native library malware with robust, efficient … · 2019-01-30 · tackling...
TRANSCRIPT
![Page 1: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/1.jpg)
Tackling Android’s Native LibraryMalware with Robust, Efficientand Accurate Similarity Measures
Anatoli Kalysch (Speaker), Oskar Milisterfer, Mykolai Protsenko, Tilo Müller
August 29, 2018
Friedrich-Alexander-Universität Erlangen-NürnbergDepartment of Computer ScienceIT Security Infrastructures LabSoftware Security Research Group
![Page 2: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/2.jpg)
Outline
Android Malware is Going NativeAndroid Obfuscation in ContextWhy Native Libraries?
Introducing Dimensional EncodingCentroidsComparison Procedure
Bringing it All TogetherAccurate, Efficient, and Robust?Hunting Malware
Conclusion
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 2/25
![Page 3: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/3.jpg)
Obfuscation on Android
Year Obfuscation Technique
2011 Symmetric Encryption (partly custom) String Encoding2012 Proguard, Steganography, Dalvik Level Encryption2013 Protector (Dexguard), Non-dalvik Encryption2014 Packers, Protectors, and Native Code2015 Packers, Protectors, and Native Code comb. w/ Obfuscators
Table: Malware obfuscation chronology (excerpt) [4].
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 3/25
![Page 4: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/4.jpg)
Solutions for your obfuscation needs
Packer/Protector Obfuscation Techniques Native Library
Dexguard obfuscation, hooking, anti-dynamic 3
Aliprotect native and dex obf. 3
Tencent native and dex obf., MLU 3
Qihoo native and dex obf., MLU 3
Bangcle native and dex obf., hooking, MLU 3
Ijiami native and dex obf., MLU 3
Table: Protection Measures in Packers and Protectors (excerpt) [3].
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 4/25
![Page 5: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/5.jpg)
What makes native code so popular?
• Written in C/C++ and compiled, meaning no smali byte code isavailable.
• Huge performance boost if executed on the Dalvik Virtual Machine(DVM), minimal performance boost on the Android RunTime (ART).
• Direct usage of system resources (permission model still applies) andability to manipulate own process components.
• Breaks most Android reverse engineering tools, and less meta data isavailable compared to smali byte code making reverse engineeringharder
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 5/25
![Page 6: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/6.jpg)
Tackling malicious native libraries on Android
• Need for a solution to the threat posed by malicious native libraries.And ideally this solution is
• automated,
• accurate,
• efficient, and
• robust (regarding code obfuscation).
• Currently we see wide employment of code-similarity measures todetect known malicious code, e.g., hash and signature-basedsolutions.
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 6/25
![Page 7: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/7.jpg)
Outline
Android Malware is Going NativeAndroid Obfuscation in ContextWhy Native Libraries?
Introducing Dimensional EncodingCentroidsComparison Procedure
Bringing it All TogetherAccurate, Efficient, and Robust?Hunting Malware
Conclusion
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 7/25
![Page 8: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/8.jpg)
Process Overview
• Create a 3D vector for every function in the native library based on thecontrol-flow graph (CFG)
• From the 3D vectors we create a centroid from the sum of its edgeweights
• The centroids only differ if the underlying functions differ as well
• This encoding introduces an abstraction layer that disregards certainobfuscation techniques
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 8/25
![Page 9: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/9.jpg)
Creation of a 3D vector
Each basic block (BB) in the CFGs is given a coordinate in the threedimensions• sequence,
• defining the order in which basic blocks (BB) of the CFG are executed
• selection, and• represents the number of outgoing edges for each BB
• repetition.• reflecting the loop depth of the current basic block
After all the BBs were assigned coordinates in the 3D system a unifyingvector can be created.
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 9/25
![Page 10: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/10.jpg)
Creating Centroids
A Centroid of a 3D-CFG vector is defined as
~c =< cx , cy , cz , π >, with
cx =∑
e(p,q)∈3D−CFG(πpxp + πqxq)π
,
and cy and cz accordingly [1].
The π coordinate is encoded as π =∑
e(p,q)∈3D−CFG(πp + πq) where e(p,q)refers to an edge in the 3D-CFG, which connects the two nodes p and q.
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 10/25
![Page 11: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/11.jpg)
Comparison
• Due to monotonicity properties of centroids [2] the same methods willbe mapped to the same centroid
• Centroids are sortable [2], enabling a faster comparison
• Comparison of two centroids is performed through the computation ofthe Centroid Difference Degree (CDD)
Definition (Centroid Difference Degree)
Given two centroids, ~c and ~d , the CDD is computed as
CDD(~c, ~d) = max(|cx − dx |cx + dx
,|cy − dy |cy + dy
,|cz − dz |cz + dz
,|πc − πd |πc + πd
).
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 11/25
![Page 12: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/12.jpg)
Putting Centroids to Work on ARM Libraries
• Before application to ARM the right combination of variables andweights needs to be found
• Heuristics for a sane CDD need to be found / defined
• Equally, a Library Similarity Degree (LSD) needs to be defined
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 12/25
![Page 13: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/13.jpg)
Outline
Android Malware is Going NativeAndroid Obfuscation in ContextWhy Native Libraries?
Introducing Dimensional EncodingCentroidsComparison Procedure
Bringing it All TogetherAccurate, Efficient, and Robust?Hunting Malware
Conclusion
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 13/25
![Page 14: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/14.jpg)
The Dataset and Malware Families
• 3rd party APK Stores• 18 different app stores• 508,745 apps• 2,346,005,582 methods
• 29 Malware-Families including• Bios.A• DroidDream• Godless• KungFu• OldBoot• Rootnik• TatooHack• VikingHorde• Ycchar
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 14/25
![Page 15: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/15.jpg)
Accuracy
• Detection of library versions• comparisons of 1,500 unrelated library pairs• testing different pairs of CDD / LSD yielded false positive rates (FPR)
as low as 1% for libraries with more than 100 functions• singnificantly small libraries with less than 100 functions performed
worse with FPR around 10%
• Database clustering• 146,264 native libraries from 40 size-based clusters were categorized
into 4,201 clusters• A name-based library comparison and in some cases a method level
CFG comparison concluded FPRs of less than 2%
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 15/25
![Page 16: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/16.jpg)
Efficiency - Computation
0 10000 20000 30000 40000 50000 600000
1
2
3
4
5
6
7
Centroid computation Database access
Number of library functions
Sec
onds
Figure: Computation of a centroid with and without database access.
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 16/25
![Page 17: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/17.jpg)
Efficiency - Comparison
0 10000 20000 30000 40000 50000 60000 70000 80000 90000 1000000
2
4
6
8
10
12
14
16
Unrelated with DB Unrelated
Variants with DB Variants
Number of library functions
Run
time
in s
econ
ds
Figure: Comparison between related and unrelated libraries.
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 17/25
![Page 18: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/18.jpg)
Robustness to Obfuscation
Obfuscation Technique Category Detection
modified APK meta data string-based 3
native library relocation file hiding 3
native library renaming string-based 3
variable name obfuscation string-based 3
binary stripping string-based 3
native library payload placement code insertion 3
junk function insertion code insertion 3
literal/arithmetic encoding code insertion 7
BB segment reordering control flow obfuscation 3
opaque predicates control flow obfuscation 7
function in/outlining control flow obfuscation 7
control flow flattening control flow obfuscation 7
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 18/25
![Page 19: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/19.jpg)
Findings
Market Name Malicious NLs Detected NLs
playmob 26 1089mumayi 36 151baidu 44 368apkmirror 80 3393nduo 128 396up2down 219 4195apkworld 307 1880
Table: Selection of detected malicious native libraries among ARM 32-bit nativelibraries.
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 19/25
![Page 20: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/20.jpg)
Comparison to VirusTotal
• APKs from detected malicious clusters were uploaded to VirusTotal• Roughly half were detected as malicious
• Next we extracted the native library and uploaded it to VirusTotal aswell
• Note that we analyzed malware that actively uses native code forexploitation
• less than 4% were considered malicious
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 20/25
![Page 21: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/21.jpg)
Outline
Android Malware is Going NativeAndroid Obfuscation in ContextWhy Native Libraries?
Introducing Dimensional EncodingCentroidsComparison Procedure
Bringing it All TogetherAccurate, Efficient, and Robust?Hunting Malware
Conclusion
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 21/25
![Page 22: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/22.jpg)
Conclusion
• Improved version of the centroid similarity measure• Defined heuristics to use with ARM libraries
• Increased efficiency and accuracy
• Robustness against certain obfuscation techniques
• Large-scale study of native library malware in Android third party apps
• 18 third party app stores checked for infection
• 508,745 apps analyzed
• Infection rates of up to 17.05% detected
• Detection rates outperform VirusTotal
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 22/25
![Page 23: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/23.jpg)
Thank you.
Questions?
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 23/25
![Page 24: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/24.jpg)
References
[1] Kai Chen, Peng Liu, and Yingjun Zhang.Achieving accuracy and scalability simultaneously in detectingapplication clones on android markets.In Proceedings of the 36th International Conference on SoftwareEngineering, pages 175–186. ACM, 2014.
[2] Kai Chen, Xueqiang Wang, Yi Chen, Peng Wang, Yeonjoon Lee,XiaoFeng Wang, Bin Ma, Aohui Wang, Yingjun Zhang, and Wei Zou.Following devil’s footprints: Cross-platform analysis of potentiallyharmful libraries on android and ios.In Security and Privacy (SP), 2016 IEEE Symposium on, pages357–376. IEEE, 2016.
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 24(1) /25
![Page 25: Tackling Android s Native Library Malware with Robust, Efficient … · 2019-01-30 · Tackling Android’s Native Library Malware with Robust, Efficient and Accurate Similarity](https://reader034.vdocuments.mx/reader034/viewer/2022042314/5ee148a1ad6a402d666c382d/html5/thumbnails/25.jpg)
[3] Yue Duan, Mu Zhang, Abhishek Vasisht Bhaskar, Heng Yin, XiaoruiPan, Tongxin Li, Xueqiang Wang, and X Wang.Things you may not know about android (un) packers: a systematicstudy based on whole-system emulation.In 25th Annual Network and Distributed System Security Symposium,NDSS, pages 18–21, 2018.
[4] Parvez Faruki, Hossein Fereidooni, Vijay Laxmi, Mauro Conti, andManoj Singh Gaur.Android code protection via obfuscation techniques: Past, present andfuture directions.CoRR, abs/1611.10231, 2016.
[5] Kimberly Tam, Ali Feizollah, Nor Badrul Anuar, Rosli Salleh, andLorenzo Cavallaro.The evolution of android malware and android analysis techniques.ACM Computing Surveys (CSUR), 49(4):76, 2017.
August 29, 2018 | Anatoli Kalysch | FAU i1 | Tackling Native Android Malware 25(2) /25