CopperDroid - On the Reconstruction of Android Apps Behaviors
COPPERDROID
On the Reconstruction of Android Apps Behaviors
March 21, 2014, FACE Kick-Off Meeting
Lorenzo Cavallaro
Information Security Group, Royal Holloway University of London
Royal Holloway University of London. . .S2Lab
. . . . . . . . . . . . . . . . . . . . . . . . . . .CopperDroid Observed Behaviors Demo Conclusions
WHO AM I?
- Post-doc researcher, VU Amsterdam (Jan 2010—Dec 2011), working with:
  - Prof. Andy Tanenbaum (OS dependability)
  - Prof. Herbert Bos (memory errors, malware analysis, and taint analysis)
- Post-doc researcher, UC at Santa Barbara (Apr 2008—Jan 2010), working with:
  - Prof. Giovanni Vigna and Prof. Christopher Kruegel (malware analysis and detection)
- Visiting PhD student, Stony Brook University (Sep 2006—Feb 2008), working with:
  - Prof. R. Sekar (memory errors protections, taint analysis, malware analysis)

Jan 2012: Lecturer (∼Assistant Professor) in the ISG
Jan 2014: Senior Lecturer (∼Associate Professor) in the ISG
Information Security Group, Royal Holloway University of London
<[email protected]> — http://www.isg.rhul.ac.uk/sullivan
2
ROYAL HOLLOWAY UNIVERSITY OF LONDON
- Founded in 1879 by Thomas Holloway
  - Entrepreneur and Philanthropist
  - Holloway's pills and ointments
- Located in Egham, Surrey, close to LHR and London
7
ROYAL HOLLOWAY UNIVERSITY OF LONDON (CONT.)
- Royal status in 1886 by Queen Victoria
- Three faculties, 18 academic departments, 9,000+ undergraduate and postgraduate students from over 100 different countries
- Academic Centre of Excellence in Cyber Security Research
- Centre for Doctoral Training in Cyber Security
8
S2LAB
RESEARCH
Goal
To enhance the Information Security Group's research activities at Royal Holloway, establishing a Systems Security Lab (S2Lab)
1. CySeCa: Cyber Security Cartography (co-I), Oct 2012—Apr 2016
2. Botnet: Mining the Network Behaviors of Bots (PI), Jun 2013—2016
3. MobSec: Mobile and Malware in the Mobile Age (PI), Jun 2014—2018
Soon available at http://s2lab.isg.rhul.ac.uk (WIP)
10
RESEARCH > PROJECT > MOBSEC
Jun 2014—2018: £747,777 EPSRC-funded project (EP/L022710/1)
Goals
MobSec aims at exploring mobile-related threats, developing comprehensive mitigation techniques
1. Mobile application analyses to understand the threat, e.g.:
   - Comprehensive reconstruction of Android apps behaviors
   - Identification of malware-triggered actions
   - Stimulation of complex UI interactions
2. Evasion-resistant information leakage solutions
3. Detection of malicious mobile applications and automatic enforcement of fine-grained security policies
4. Hardware-supported virtualization to provide efficient in-device protection against mobile threats
11
RESEARCH > PROJECT > MOBSEC > PEOPLE
- Dr Lorenzo Cavallaro: Principal Investigator, Information Security Group at Royal Holloway University of London
- Dr Johannes Kinder: Co-Investigator, Department of Computer Science at Royal Holloway University of London
- Dr Igor Muttik: Project Partner, Senior Principal Architect at Intel Security (McAfee Labs UK)

In addition…
- Kimberly Tam, PhD student in the ISG at Royal Holloway
- Salahuddin J. Khan, PhD student in the ISG at Royal Holloway
- Collaboration with:
  - Università degli Studi di Milano, Italy
  - Politecnico di Milano, Italy
- I am hiring: 2 PostDoc Research Assistants!
12
COPPERDROID
MCAFEE Q2 2013
1. Banking malware
2. (Fake) adult entertainment and dating apps
3. Weaponized legitimate apps that steal user data
4. Fake app installers that actually install spyware
Can current techniques deal with this (new) threat?
15
THE (NOT SO SHORT) INTRODUCTION TO ANDROID
- Modified Linux kernel
- Android apps written (mostly) in Java and run in a Java-like (Dalvik) VM as userspace processes
- Native code may be executed through JNI or native (NDK)
- Apps logically divided in components
  - Activity, e.g., GUI components
  - Services, similar to UNIX daemons
  - Broadcast Receivers, to act upon the receipt of specific events, e.g., phone call, SMS
  - Content Providers, storage-agnostic ACL-controlled abstractions to access data
16
ANDROID SECURITY MODEL
No application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user
Sandboxing
Every App has its own UID/GID to enforce system-wide DAC
Permissions
To be granted a permission, App must explicitly request it (e.g., send an SMS, place a call)
All types of applications—Java, native, and hybrid—are sandboxed in the same way and have the same degree of security from each other
17
INTENTS
An abstract representation of an operation to be performed
Intent Meaning per Recipient
- Activity: an action that must be performed (e.g., to send an e-mail, an App will broadcast the corresponding intent; the email activity will therefore be executed)
- Service: similar to activity
- Receiver: a container for received data.
18
MANIFEST FILE
```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/[...]"
          package="test.AndroidSMS"
          android:versionCode="1"
          android:versionName="1.0">
    <uses-permission android:name="[...].RECEIVE_SMS" />
    <uses-permission android:name="[...].SEND_SMS" />
    <uses-permission android:name="[...].INTERNET" />
    <application android:label="@string/app_name" >
        <receiver android:name=".SMSReceiver">
            <intent-filter>
                <action android:name="test.AndroidSMS.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
    </application>
</manifest>
```
19
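The manifest is the first thing a static triage step reads: which permissions the app requests and which components it exposes to other apps. The following is an added example (not code from the slides or from CopperDroid) that extracts both from a manifest like the one above and flags what a reviewer would want to look at. The sample manifest is constructed from the slide with the elided `[...]` prefixes filled in with the standard `android.permission` and `schemas.android.com/apk/res/android` values.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: the slide's manifest with the elided prefixes filled in.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="test.AndroidSMS" android:versionCode="1" android:versionName="1.0">
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="@string/app_name">
        <receiver android:name=".SMSReceiver">
            <intent-filter>
                <action android:name="test.AndroidSMS.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _root(manifest_xml):
    # Feed bytes so the XML encoding declaration is honoured by the parser.
    data = manifest_xml.encode("utf-8") if isinstance(manifest_xml, str) else manifest_xml
    return ET.fromstring(data)


def _attr(elem, name):
    # Android attributes live in the android: namespace.
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    """All <uses-permission> names, in manifest order."""
    return [_attr(e, "name") for e in _root(manifest_xml).findall("uses-permission")]


def receivers(manifest_xml):
    """(receiver name, exported?, [filtered actions]) for every <receiver>."""
    out = []
    for r in _root(manifest_xml).iter("receiver"):
        actions = [_attr(a, "name") for a in r.iter("action")]
        exported = _attr(r, "exported")
        if exported is None:
            # Without an explicit android:exported, a component that declares an
            # intent-filter is treated as exported (Android versions before 12).
            exported = "true" if actions else "false"
        out.append((_attr(r, "name"), exported == "true", actions))
    return out


SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}


def triage(manifest_xml):
    """Review findings a human analyst should look at, derived from the manifest alone."""
    findings = []
    perms = set(requested_permissions(manifest_xml))
    if SMS_PERMS <= perms and "android.permission.INTERNET" in perms:
        findings.append("SMS receive+send combined with network access: review how SMS content is used")
    for name, exported, actions in receivers(manifest_xml):
        if exported:
            findings.append("receiver %s is exported for actions %s" % (name, actions))
    return findings
```

The combination flagged here is exactly the one on the slide (receive SMS, send SMS, talk to the network), which is why the static view is useful even though, as the later slides note, it cannot tell you what the code actually does with those capabilities.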
THE BINDER PROTOCOL
IPC/RPC
The Binder protocol enables fast inter-process communication between Apps or between Apps and the system. It also allows Apps to invoke other components' functions (e.g., to place a call or to send an SMS)
AIDL
The Android Interface Definition Language is used to define which methods of a service can be invoked remotely, along with their parameters. AIDL specifications for Android's core services are available online
20
THE BINDER PROTOCOL
Binder Driver
The Binder protocol core is implemented as a device driver. User-space processes (Apps) can interact with the driver through the /dev/binder virtual device
ioctl
ioctls are used by Apps to interact with Binder. Each ioctl takes as argument a command and a data buffer
BINDER_WRITE_READ
Allows data to be sent/received among Apps
21
(ANDROID) MALWARE ANALYSIS
(Diagram: analysis approaches arranged from Static through Instrumentation to VMM)
Static: ADAM, DroidRanger, RiskRanker, DroidMOSS
Dynamic (Instrum. / VMM): DroidScope, VetDroid, Bouncer, ParanoidAndroid, ActEVE, Aurasium, TaintDroid, Andrubis, DroidBox
22
(ANDROID) MALWARE ANALYSIS: STATIC
Static: ADAM, DroidRanger, RiskRanker, DroidMOSS
Pros
- Much information in the Manifest
- Java is relatively easy to decompile
- Potentially "sees" the whole behavior
Cons
- Obfuscation & Optimization
- Reflection
- Dynamic code, Native code
22
(ANDROID) MALWARE ANALYSIS: DYNAMIC
Dynamic (Instrum. / VMM): DroidScope, VetDroid, Bouncer, ParanoidAndroid, ActEVE, Aurasium, TaintDroid, Andrubis, DroidBox
Pros
- Resilient to obfuscation
- Potentially transparent (VMM)
- Less complex than static
Cons
- Code coverage
- VMI can be cumbersome (VMM)
- Instrumentation can be detected
22
SYSTEM-CALL CENTRIC ANALYSIS OF ANDROID MALWARE?
Traditional Roots
A well-established technique to characterize process behaviours
Can it be applied to Android?
- Android architecture is different than traditional devices
- Are all the interesting behaviours achieved through system calls?
  - Dalvik VM (Android-specific behaviours, e.g., SMS, phone calls)
  - OS interactions (e.g., creating a file, network communication)
23
COPPERDROID
Analysis Goal
Automatically reconstructs the behaviors of Android (malicious) apps
- Unified system call-centric analysis
  - Obs: behaviors are eventually achieved via system interactions
- Avoids 2-level (complex) VMIs
- Avoids invasive modification of the Android system (in fact, none)
- Android version-independent
- Dynamically stimulates Apps to disclose additional behaviors
- Extensive evaluation on 2,900+ Android malware

Check it out at http://copperdroid.isg.rhul.ac.uk
24
ARCHITECTURE
(Diagram)
CopperDroid Emulator: Android OS, Dalvik, Android/Linux Kernel
CopperDroid Framework: System Call Tracking, Binder Analysis, RSP
25
SYSTEM CALLS ON LINUX ARM
Invoking Syscalls
Like on Intel, on the ARM architecture invoking a system call induces a user-to-kernel transition (the current CPL is stored in the cpsr register)
System calls on Linux ARM
- On ARM invoked through the swi instruction (SoftWare Interrupt)
- r7 contains the number of the invoked system call
- r0-r5 contain parameters
- lr contains the return address
26
TRACKING SYSTEM CALLS
System Call Analysis
- Intercept when a system call is invoked
- We need to intercept return to user-space too!
- There is no SYSEXIT/SYSRET to intercept
- Not every system call actually returns to lr (e.g., exit, execve)
CopperDroid's Approach
- instruments QEMU's emulation of the swi instruction
- instruments QEMU to intercept every cpsr_write (Kernel → User)

```text
[c5b02000 - 35 - 35 - zygote] fork( ) = 0x125
[c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23
[c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0
[c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0
[c1c18000 - 293 - 293 - zygote] open(/acct/uid/0/tasks, ...
[c1c18000 - 293 - 293 - zygote] fstat64( 0x13, 0xbef7f910 ) = 0x0
[c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0
[c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0
[c1c18000 - 293 - 293 - zygote] write( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1
```
27
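A trace like the one above is only useful once it is turned into records that can be grouped per process and thread. The following is an added example (not CopperDroid's own code) that parses lines in the slide's format, keeps track of calls whose return was never observed, and links a `fork` to the child process that later appears in the trace. The interpretation of the bracketed prefix as `[thread_info address - pid - tid - comm]` is an assumption drawn from the slide (the first field is 8 KiB-aligned, and the pairs 35/35 and 293/293 match pid/tid); the sample is the slide's trace, copied one call per line.

```python
import re
from collections import defaultdict

# Constructed sample: the trace shown on the slide, one system call per line.
# The slide truncates the open() line, so it carries no return value.
SAMPLE_TRACE = """\
[c5b02000 - 35 - 35 - zygote] fork( ) = 0x125
[c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23
[c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0
[c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0
[c1c18000 - 293 - 293 - zygote] open(/acct/uid/0/tasks, ...
[c1c18000 - 293 - 293 - zygote] fstat64( 0x13, 0xbef7f910 ) = 0x0
[c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0
[c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0
[c1c18000 - 293 - 293 - zygote] write( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1
"""

# Assumed prefix layout: [<thread_info address> - <pid> - <tid> - <comm>]
LINE_RE = re.compile(
    r"^\[(?P<ctx>[0-9a-fA-F]+) - (?P<pid>\d+) - (?P<tid>\d+) - (?P<comm>[^\]]+)\] "
    r"(?P<name>\w+)\((?P<args>.*?)(?:\)\s*=\s*(?P<ret>0x[0-9a-fA-F]+))?\s*$"
)


def parse_line(line):
    """One trace line -> dict, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ret = m.group("ret")
    return {
        "ctx": int(m.group("ctx"), 16),
        "pid": int(m.group("pid")),
        "tid": int(m.group("tid")),
        "comm": m.group("comm"),
        "name": m.group("name"),
        "args": [a.strip() for a in m.group("args").split(",") if a.strip()],
        # None when the exit side was never seen: truncated here, but this is also
        # what exit/execve look like, since they never return to user space.
        "ret": int(ret, 16) if ret else None,
    }


def parse_trace(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def by_process(records):
    """pid -> list of system call names, in trace order."""
    procs = defaultdict(list)
    for r in records:
        procs[r["pid"]].append(r["name"])
    return dict(procs)


def link_forks(records):
    """Map each forking pid to the child pids that later show up in the trace.
    The parent's fork() returns the child pid; the child sees 0."""
    seen = {r["pid"] for r in records}
    children = defaultdict(list)
    for r in records:
        if r["name"] in ("fork", "vfork", "clone") and r["ret"] not in (None, 0):
            if r["ret"] in seen:
                children[r["pid"]].append(r["ret"])
    return dict(children)
```

On the slide's trace this recovers that pid 35's `fork` returned 0x125 (293), the pid under which the second half of the trace runs, so the two halves belong to one parent/child pair rather than two unrelated zygote processes.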
BRIDGING THE SEMANTIC GAP
When dealing with out-of-the-box analyses it is essential to retrieve information about the analyzed system
CopperDroid VMI
CopperDroid inspects the Android kernel to retrieve the following:
- Process names
- PIDs & TIDs
- Process resources
- …
28
BRIDGING THE SEMANTIC GAP
Observation: when executing kernel code, the base of the stack points to the current executing thread.

arch/arm/include/asm/thread_info.h
```c
#define THREAD_SIZE 8192

static inline struct thread_info *current_thread_info(void)
{
    register unsigned long sp asm ("sp");
    return (struct thread_info *)(sp & ~(THREAD_SIZE - 1));
}
```

struct thread_info
```c
struct thread_info {
    unsigned long      flags;
    int                preempt_count;
    mm_segment_t       addr_limit;
    struct task_struct *task;   /* main task structure */
    ...
};
```

struct task_struct
```c
struct task_struct {
    volatile long state;
    void *stack;
    ...
    pid_t pid;
    pid_t tgid;
    ...
    char comm[TASK_COMM_LEN];
    ...
};
```
29
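The three slides above describe one walk: mask the kernel stack pointer to find `thread_info`, follow its `task` pointer, then read `pid`, `tgid` and `comm` out of `task_struct`. The following is an added example (not CopperDroid's code) that performs that walk from outside the guest, over a small constructed stand-in for emulator memory. The `thread_info` field order follows the slide (four 4-byte fields on 32-bit ARM); the `task_struct` offsets are placeholders, since the real ones depend on the kernel build and would have to be recovered from the kernel's debug information or symbols.

```python
import struct

THREAD_SIZE = 8192

# Offsets into the structures shown on the slide. TI_TASK_OFF follows the slide's field
# order on 32-bit ARM; the TS_* values are constructed placeholders.
TI_TASK_OFF = 12          # flags(4) preempt_count(4) addr_limit(4) task(4)
TS_PID_OFF = 0x120        # placeholder
TS_TGID_OFF = 0x124       # placeholder
TS_COMM_OFF = 0x1c0       # placeholder
TASK_COMM_LEN = 16


class GuestMemory:
    """Minimal stand-in for the emulator's view of guest memory: a few mapped regions."""

    def __init__(self):
        self.regions = {}            # base address -> bytearray

    def map(self, base, size):
        self.regions[base] = bytearray(size)

    def write(self, addr, data):
        base, buf = self._find(addr, len(data))
        buf[addr - base:addr - base + len(data)] = data

    def read(self, addr, n):
        base, buf = self._find(addr, n)
        return bytes(buf[addr - base:addr - base + n])

    def _find(self, addr, n):
        for base, buf in self.regions.items():
            if base <= addr and addr + n <= base + len(buf):
                return base, buf
        raise ValueError("unmapped guest address 0x%x" % addr)


def current_thread_info(sp):
    # Same arithmetic as the kernel's current_thread_info(): kernel stacks are
    # THREAD_SIZE-aligned, so masking the low bits of sp yields the stack base.
    return sp & ~(THREAD_SIZE - 1)


def resolve_current(mem, sp):
    """Given the guest's kernel-mode sp, recover who is running (pid, tid, name)."""
    ti = current_thread_info(sp)
    (task,) = struct.unpack("<I", mem.read(ti + TI_TASK_OFF, 4))
    (pid,) = struct.unpack("<i", mem.read(task + TS_PID_OFF, 4))
    (tgid,) = struct.unpack("<i", mem.read(task + TS_TGID_OFF, 4))
    comm = mem.read(task + TS_COMM_OFF, TASK_COMM_LEN).split(b"\0", 1)[0].decode()
    return {"thread_info": ti, "task": task, "pid": pid, "tgid": tgid, "comm": comm}


def build_sample_guest():
    """Constructed guest: a zygote thread (pid/tid 293) whose kernel stack starts at 0xc1c18000,
    matching the prefix of the trace on the earlier slide."""
    mem = GuestMemory()
    ti, task = 0xc1c18000, 0xc1d00000
    mem.map(ti, THREAD_SIZE)
    mem.map(task, 0x200)
    mem.write(ti + TI_TASK_OFF, struct.pack("<I", task))
    mem.write(task + TS_PID_OFF, struct.pack("<i", 293))
    mem.write(task + TS_TGID_OFF, struct.pack("<i", 293))
    mem.write(task + TS_COMM_OFF, b"zygote".ljust(TASK_COMM_LEN, b"\0"))
    return mem
```

Note that `pid` in `task_struct` is the thread id and `tgid` the process id as user space sees them, which is why the trace on the earlier slide shows two numbers per line; the name in `comm` is what the slide's VMI reports as the process name.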
BINDER
The Binder protocol is the core of Android IPC/RPC
- Intents are carried through binder
- Interactions with the system go through binder
- Binder driver enforces (some) permission policies
For example, applications cannot send SMSs on their own, but must invoke (RPC) the proper system service to do that.
30
![Page 47: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/47.jpg)
BINDER

Application:

```java
SmsManager sms = SmsManager.getDefault();
sms.sendTextMessage("7855551234", null, "Hi There", null, null);
```

android.telephony.SmsManager:

```java
public void sendTextMessage(...) {
    ...
    ISms iccISms = ISms.Stub.asInterface(ServiceManager.getService("isms"));
    if (iccISms != null)
        iccISms.sendText(destinationAddress, scAddress, text, sentIntent, deliveryIntent);
    ...
}
```

com.android.internal.telephony.ISms (the AIDL-generated proxy):

```java
public void sendText(...) {
    android.os.Parcel _data = android.os.Parcel.obtain();
    try {
        _data.writeInterfaceToken(DESCRIPTOR);
        _data.writeString(destAddr);
        ...
        mRemote.transact(Stub.TRANSACTION_sendText, _data, _reply, 0);
    ...
}
```

Kernel (drivers/staging/android/binder.c): ioctl

CopperDroid, observing from below the kernel, sees the raw ioctl:

```
ioctl(4, 0xc0186201, ...\x4b\x00\x00\x00\x49\x00\x20\x00\x74\x00\x61\x00\x6b\x00\x65\x00\x20\x00\x70\x00\x6c\x00\x65\x00\x61\x00\x73\x00\x75\x00\x72\x00\x65\x00\x20\x00\x69\x00\x6e\x00\x20\x00\x68\x00\x75\x00\x72\x00\x74\x00\x69\x00\x6e\x00\x67\x00\x20\x00\x73\x00 ...)
```

and reconstructs it into:

```
ioctl(/dev/binder, BINDER_WRITE_READ, ... InterfaceToken = com.android.internal.telephony.ISms, method: sendText, destAddr = 7855551234, scAddr = , text = Hi There ...)
```
![Page 54: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/54.jpg)
BINDER
CopperDroid deeply inspects the Binder protocol, intercepting a subset of the ioctls issued by userspace Apps:

```
ioctl(binder_fd, BINDER_WRITE_READ, &binder_write_read);
```

The struct binder_write_read argument carries write_size, write_consumed and write_buffer (and read_size, … for the read side). write_buffer points to a sequence of commands, each a BC_* code followed by its Params:

```
[BC_* Params] [BC_TR Params] [BC_* Params]
```
![Page 55: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/55.jpg)
BINDER
CopperDroid analyzes BC_TRANSACTIONs and BC_REPLYs. Within the write buffer ([BC_* Params] [BC_TR Params] [BC_* Params]), the Params of a BC_TRANSACTION form a struct binder_transaction_data:

```
target | code | uid | … | data_size | buffer
```

and buffer points to the marshalled call data:

```
InterfaceToken | Param 1 | Param 2 | …
```

Decoding both yields the high-level call: ISms.sendText(78555.., "Hi there")
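As an added example, not CopperDroid's code and not taken from the slides, the decoding described on the preceding Binder slides carried through in Python: the walker reads a struct binder_write_read, follows write_buffer, steps over the BC_* commands using the argument size encoded in each command word, and for BC_TRANSACTION/BC_REPLY reads struct binder_transaction_data and unmarshals the InterfaceToken and the String parameters from the Parcel it points to. It assumes the 32-bit Binder ABI of that era (10-word binder_transaction_data, 6-word binder_write_read), Parcel's string16 encoding with the StrictMode word written by writeInterfaceToken, a fake process-memory image standing in for guest memory, and a constructed transaction code (5) for sendText, since the real TRANSACTION_sendText constant varies by Android release.

```python
import struct

# Linux ioctl command word (asm-generic/ioctl.h): nr | type<<8 | size<<16 | dir<<30
def ioc_nr(cmd):   return cmd & 0xff
def ioc_type(cmd): return (cmd >> 8) & 0xff
def ioc_size(cmd): return (cmd >> 16) & 0x3fff

BINDER_MAGIC = ord('c')                  # every BC_* command is _IOW('c', nr, argument)
BC_TRANSACTION_NR, BC_REPLY_NR = 0, 1
BTD_FMT = '<10I'                         # 32-bit struct binder_transaction_data: target, cookie, code,
BTD_SIZE = struct.calcsize(BTD_FMT)      # flags, sender_pid, sender_euid, data_size, offsets_size, buffer, offsets
PARCEL_ADDR, WB_ADDR = 0xb6f00000, 0xbef7e000   # constructed addresses in the fake process image

def bc_cmd(nr, size):
    """Build a BC_* command word: _IOW('c', nr, <size-byte argument>)."""
    return (1 << 30) | (size << 16) | (BINDER_MAGIC << 8) | nr

# Constructed method table: descriptor -> {transaction code: (method, [(param, kind), ...])}.
# The real TRANSACTION_sendText constant differs between Android releases; 5 is assumed.
METHODS = {'com.android.internal.telephony.ISms': {
    5: ('sendText', [('destAddr', 'str'), ('scAddr', 'str'), ('text', 'str'),
                     ('sentIntent', 'intent'), ('deliveryIntent', 'intent')])}}

def pad4(n):
    return (n + 3) & ~3

def put_string16(s):
    """Parcel::writeString16: int32 char count, UTF-16LE chars plus NUL, padded to 4; null is -1."""
    if s is None:
        return struct.pack('<i', -1)
    body = s.encode('utf-16-le') + b'\x00\x00'
    return struct.pack('<i', len(s)) + body.ljust(pad4(len(body)), b'\x00')

def get_string16(buf, pos):
    (n,) = struct.unpack_from('<i', buf, pos)
    pos += 4
    if n < 0:
        return None, pos                                    # writeString(null)
    return buf[pos:pos + 2 * n].decode('utf-16-le'), pos + pad4(2 * n + 2)

def mem_read(memory, addr, size):
    """Read the fake process image ({base: bytes}); the real tool reads guest memory."""
    for base, blob in memory.items():
        if base <= addr and addr + size <= base + len(blob):
            return blob[addr - base:addr - base + size]
    raise ValueError('unmapped address 0x%x' % addr)

def decode_transaction(kind, btd, memory):
    (target, _cookie, code, _flags, _pid, euid,
     data_size, _offsets_size, buffer, _offsets) = struct.unpack(BTD_FMT, btd)
    parcel = mem_read(memory, buffer, data_size)
    token, pos = get_string16(parcel, 4)                    # skip the StrictMode policy word
    method, params = METHODS.get(token, {}).get(code, ('code_%d' % code, []))
    args = {}
    for name, ptype in params:
        if ptype == 'str':
            args[name], pos = get_string16(parcel, pos)
        else:                                               # nullable PendingIntent: int32 presence flag
            (present,) = struct.unpack_from('<i', parcel, pos)
            pos += 4
            args[name] = '<PendingIntent>' if present else None
            if present:
                break                                       # object layout not modelled here: stop
    return {'kind': kind, 'target': target, 'uid': euid, 'interface': token,
            'code': code, 'method': method, 'args': args}

def parse_write_buffer(write_buf, memory):
    """Walk the BC_* stream; each command word carries its own argument size."""
    txs, pos = [], 0
    while pos + 4 <= len(write_buf):
        (cmd,) = struct.unpack_from('<I', write_buf, pos)
        pos += 4
        if ioc_type(cmd) != BINDER_MAGIC:
            raise ValueError('not a BC_* command: 0x%08x' % cmd)
        size = ioc_size(cmd)
        payload, pos = write_buf[pos:pos + size], pos + size
        if ioc_nr(cmd) in (BC_TRANSACTION_NR, BC_REPLY_NR) and size == BTD_SIZE:
            kind = 'BC_TRANSACTION' if ioc_nr(cmd) == BC_TRANSACTION_NR else 'BC_REPLY'
            txs.append(decode_transaction(kind, payload, memory))
    return txs

def parse_ioctl(bwr, memory):
    """32-bit struct binder_write_read: write_size, write_consumed, write_buffer, read_size, read_consumed, read_buffer."""
    write_size, _consumed, write_buffer = struct.unpack('<6I', bwr)[:3]
    return parse_write_buffer(mem_read(memory, write_buffer, write_size), memory)

def render(tx):
    args = ', '.join('%s = %s' % (k, '' if v is None else v) for k, v in tx['args'].items())
    return 'InterfaceToken = %s, method: %s, %s' % (tx['interface'], tx['method'], args)

def build_sample():
    """Constructed ioctl for ISms.sendText("7855551234", null, "Hi There", null, null), sender uid 10018."""
    parcel = struct.pack('<i', 0)                           # StrictMode policy word
    parcel += put_string16('com.android.internal.telephony.ISms')
    parcel += put_string16('7855551234') + put_string16(None) + put_string16('Hi There')
    parcel += struct.pack('<ii', 0, 0)                      # both PendingIntents null
    btd = struct.pack(BTD_FMT, 7, 0, 5, 0, 293, 10018, len(parcel), 0, PARCEL_ADDR, 0)
    write_buf = struct.pack('<II', bc_cmd(4, 4), 7)         # BC_INCREFS on handle 7: walker skips it
    write_buf += struct.pack('<I', bc_cmd(BC_TRANSACTION_NR, BTD_SIZE)) + btd
    memory = {PARCEL_ADDR: parcel, WB_ADDR: write_buf}
    return struct.pack('<6I', len(write_buf), 0, WB_ADDR, 0, 0, 0), memory

if __name__ == '__main__':
    for tx in parse_ioctl(*build_sample()):
        print('ioctl(/dev/binder, BINDER_WRITE_READ, ...', render(tx), '...)')
```

Running it prints the same reconstructed line the slide shows for sendText. The walker skips the BC_INCREFS command without knowing its meaning because the ioctl encoding puts the argument size in the command word itself; only the two transaction commands are decoded further, and decoding stops at the first parameter whose layout is not modelled rather than guessing.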
![Page 57: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/57.jpg)
Automatic Android Objects Unmarshalling
![Page 58: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/58.jpg)
AUTOMATIC ANDROID OBJECTS UNMARSHALLING
x Primitive types (e.g., String) are easy to unmarshall
→ Limited number of manually-written procedures
x A manual-driven approach for complex Android objects is cumbersome
→ 300+ Android objects (increasing from version to version)
→ Manual-driven approach is error-prone and not scientifically exciting
x We ask an unmarshalling Oracle!
![Page 59: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/59.jpg)
THE UNMARSHALLING ORACLE
CopperDroid Emulator, running CopperDroid's Analyses:
x Binder Analysis → InterfaceToken Identifier → Unmarshalled Parameters
x System Call Analysis
x Resource Reconstruction
x RSP
The analyses are connected over TCP to an Oracle running inside a separate Android Emulator, which performs the unmarshalling of complex objects.
![Page 60: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/60.jpg)
Resource Reconstructor
![Page 61: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/61.jpg)
RESOURCE RECONSTRUCTOR
x Useful to abstract a stream of low-level events into high-level behaviors
x We build a data dependence graph (DPD)
→ Nodes are system calls
→ Edges represent data dependency
x We then identify def-use chains to cluster related system calls together
![Page 62: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/62.jpg)
SAMPLE COPPERDROID OUTPUT

```
[c5b02000 - 35 - 35 - zygote] fork( ) = 0x125
[c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23
[c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0
[c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0
[c1c18000 - 293 - 293 - zygote] open( /acct/uid/0/tasks, 0x20242, 0x1b6 ) = 0x13
[c1c18000 - 293 - 293 - zygote] fstat64( 0x13, 0xbef7f910 ) = 0x0
[c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0
[c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0
[c1c18000 - 293 - 293 - zygote] write( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1
[c1c18000 - 293 - 293 - zygote] close( 0x13 ) = 0x0
[c1c18000 - 293 - 293 - zygote] prctl( 0x8, 0x1, 0x0, 0x0, 0x0 ) = 0x0
[c1c18000 - 293 - 293 - zygote] setgroups32( 0x2, 0xbef7fa20 ) = 0x0
[c1c18000 - 293 - 293 - zygote] setgid32( 0x2722 ) = 0x0
[c1c18000 - 293 - 293 - zygote] open( /acct/uid/10018/tasks, 0x20242, 0x1b6 ) = 0xfffffffe
```

The open, fstat64, write and close on descriptor 0x13 are grouped as one action: File Access.
Recreates file "tasks" with path /acct/uid/0/tasks and "0" written to it.
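An added example (not CopperDroid's code) of the def-use clustering described under Resource Reconstructor, run over a constructed copy of the trace above: open() defines a file descriptor, fstat64/write/close() on the same pid and fd are its uses, close() ends the chain, and the write payloads are replayed to recreate the file content. The failed open (0xfffffffe, i.e. ENOENT) is recorded separately because no resource was created, and system calls with no dependency on an open fd stay ungrouped. The line format and the annotated arguments ("0x13 - /acct/uid/0/tasks", 0xa24c0 "'0'") follow the slide's output; the set of fd-using syscalls and the record layout are assumptions.

```python
# Def-use clustering of a CopperDroid-style syscall trace into File Access behaviors.
import re
from collections import namedtuple

Event = namedtuple('Event', 'task pid tid comm name args ret')

LINE_RE = re.compile(r'^\[(\w+) - (\d+) - (\d+) - ([^\]]+)\]\s*(\w+)\s*\((.*)\)\s*=\s*(0x[0-9a-fA-F]+)\s*$')
FD_USERS = {'fstat64', 'read', 'write', 'lseek', 'close'}    # assumed: first argument is an fd

# Constructed copy of the slide's sample output (spacing normalised).
TRACE = """\
[c5b02000 - 35 - 35 - zygote] fork( ) = 0x125
[c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23
[c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0
[c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0
[c1c18000 - 293 - 293 - zygote] open( /acct/uid/0/tasks, 0x20242, 0x1b6 ) = 0x13
[c1c18000 - 293 - 293 - zygote] fstat64( 0x13, 0xbef7f910 ) = 0x0
[c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0
[c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0
[c1c18000 - 293 - 293 - zygote] write( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1
[c1c18000 - 293 - 293 - zygote] close( 0x13 ) = 0x0
[c1c18000 - 293 - 293 - zygote] prctl( 0x8, 0x1, 0x0, 0x0, 0x0 ) = 0x0
[c1c18000 - 293 - 293 - zygote] setgroups32( 0x2, 0xbef7fa20 ) = 0x0
[c1c18000 - 293 - 293 - zygote] setgid32( 0x2722 ) = 0x0
[c1c18000 - 293 - 293 - zygote] open( /acct/uid/10018/tasks, 0x20242, 0x1b6 ) = 0xfffffffe
"""

def signed32(v):
    """Return values are logged as unsigned hex; 0xfffffffe is really -2 (ENOENT)."""
    return v - (1 << 32) if v >= (1 << 31) else v

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    task, pid, tid, comm, name, argstr, ret = m.groups()
    args = [a.strip() for a in argstr.split(',') if a.strip()]
    return Event(task, int(pid), int(tid), comm, name, args, int(ret, 16))

def parse_trace(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def fd_of(arg):
    return int(arg.split(' - ')[0], 16)     # "0x13 - /acct/uid/0/tasks" -> 0x13 (annotation dropped)

def written_bytes(arg):
    m = re.search(r'"(.*)"', arg)            # 0xa24c0 "'0'" -> 0
    return m.group(1).strip("'") if m else ''

def reconstruct(events):
    """Def: open() returning an fd. Use: fd-taking syscalls on the same pid. Kill: close()."""
    chains, behaviors, failed, ungrouped = {}, [], [], []
    for ev in events:
        if ev.name == 'open':
            fd = signed32(ev.ret)
            if fd < 0:                                   # failed open: no resource to recreate
                failed.append({'path': ev.args[0], 'errno': -fd})
                continue
            chains[(ev.pid, fd)] = {'type': 'File Access', 'path': ev.args[0],
                                    'flags': int(ev.args[1], 16), 'content': '', 'syscalls': ['open']}
        elif ev.name in FD_USERS and ev.args and (ev.pid, fd_of(ev.args[0])) in chains:
            key = (ev.pid, fd_of(ev.args[0]))
            chains[key]['syscalls'].append(ev.name)
            if ev.name == 'write' and signed32(ev.ret) > 0:
                chains[key]['content'] += written_bytes(ev.args[1])
            if ev.name == 'close':                       # chain complete: emit the behavior
                behaviors.append(chains.pop(key))
        else:
            ungrouped.append(ev)                         # no data dependency on an open fd
    behaviors.extend(chains.values())                    # never closed: still a file access
    return behaviors, failed, ungrouped

def describe(b):
    return 'Group as one action: %s. Recreates file "%s" with path %s and "%s" written to it' % (
        b['type'], b['path'].rsplit('/', 1)[-1], b['path'], b['content'])

if __name__ == '__main__':
    behaviors, failed, ungrouped = reconstruct(parse_trace(TRACE))
    for b in behaviors:
        print(describe(b))
    for f in failed:
        print('open(%s) failed with errno %d: nothing to reconstruct' % (f['path'], f['errno']))
```

The chain key is (pid, fd) rather than fd alone because descriptor numbers are reused across processes; the zygote fork at the top of the trace is exactly the situation where a per-fd key would merge unrelated accesses.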
![Page 66: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/66.jpg)
APPS STIMULATION
(Android) malware needs to be properly stimulated to trigger additional behaviors and increase coverage of dynamic analysis.
CopperDroid Ad-Hoc Stimuli
1. Identifies events the target reacts to (mostly contained in the Manifest file)
2. During the analysis, injects custom events (of those identified as useful)
![Page 67: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/67.jpg)
APPS STIMULATION
CopperDroid Emulator: Android OS (Dalvik VM, Linux Kernel)
CopperDroid Analysis: System Call Tracking, Binder Analysis, Dalvik Method Tracking, RSP
To inject events, CopperDroid leverages MonkeyRunner.
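An added example (not CopperDroid's code) of the two stimulation steps above in Python: it parses a constructed AndroidManifest.xml for the broadcast actions each <receiver> registers, then turns them into the events a sandbox driver would inject, as `am broadcast` shell lines (which MonkeyDevice.shell() can run) or, for an incoming SMS, the emulator console's `sms send` command. The manifest, the fake phone number and the choice of intent extras are constructed.

```python
# Manifest-driven stimulus plan for a dynamic-analysis sandbox.
import xml.etree.ElementTree as ET

ANDROID_NS = 'http://schemas.android.com/apk/res/android'
NAME = '{%s}name' % ANDROID_NS

# Constructed manifest, not taken from any real sample.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def receiver_actions(manifest_xml):
    """Step 1: broadcast actions per <receiver>. Activities are not broadcast targets and are skipped."""
    root = ET.fromstring(manifest_xml)
    return {r.get(NAME): [a.get(NAME) for a in r.iter('action')] for r in root.iter('receiver')}

# Step 2: how the sandbox fakes each event. An incoming SMS cannot be reproduced
# faithfully with `am broadcast` (the receiver expects PDUs), so the emulator
# console's `sms send` is used; other actions get a broadcast, with the extras
# the receiver would normally read where we know them. Values are constructed.
CONSOLE = {'android.provider.Telephony.SMS_RECEIVED': 'sms send 5550100 test message'}
EXTRAS = {'android.intent.action.PHONE_STATE': '--es state RINGING --es incoming_number 5550100'}

def plan_stimuli(actions_by_receiver):
    plan, seen = [], set()
    for actions in actions_by_receiver.values():
        for action in actions:
            if action in seen:
                continue                      # one event reaches every receiver registered for it
            seen.add(action)
            if action in CONSOLE:
                plan.append((action, CONSOLE[action]))
            else:
                cmd = 'am broadcast -a ' + action
                if action in EXTRAS:
                    cmd += ' ' + EXTRAS[action]
                plan.append((action, cmd))
    return plan

if __name__ == '__main__':
    for action, cmd in plan_stimuli(receiver_actions(MANIFEST)):
        print('%-45s %s' % (action, cmd))
```

The plan is deduplicated by action, not by receiver, because a single injected broadcast already reaches every component registered for it; the launcher activity's MAIN/LAUNCHER filter is deliberately not in the plan, since it is started by launching the app, not by a broadcast.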
![Page 68: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/68.jpg)
EVALUATION
1,200 malware from the Android Malware Genome Project, 395 from the Contagio repository, and 1,300+ from McAfee.
28% additional behaviors on 60% of Genome samples
22% additional behaviors on 73% of Contagio samples
28% additional behaviors on 61% of McAfee samples

| # | Malware Family | Stim. | Samples w/ Add. Behav. | Behavior w/o Stim. | Incr. Behavior w/ Stimuli |
|---|---|---|---|---|---|
| 1 | ADRD | 3.9 | 17/21 | 7.24 | 4.5 (63%) |
| 2 | AnserverBot | 3.9 | 186/187 | 31.52 | 8.2 (27%) |
| 3 | BaseBridge | 2.9 | 70/122 | 16.44 | 5.2 (32%) |
| 4 | BeanBot | 3.1 | 4/8 | 0.12 | 3.8 (3000%) |
| 5 | CruseWin | 4.0 | 2/2 | 1.00 | 2.0 (200%) |
| 6 | GamblerSMS | 4.0 | 1/1 | 1.00 | 3.0 (300%) |
| 7 | SMSReplicator | 4.0 | 1/1 | 0.00 | 6.0 (⊥) |
| 8 | Zsone | 5.0 | 12/12 | 16.67 | 3.8 (23%) |
![Page 69: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/69.jpg)
OBSERVED BEHAVIORS
![Page 70: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/70.jpg)
BEHAVIORAL MINDMAP
Behavior
x Exec external application
→ Shell
→ Generic
→ Privilege escalation
→ Install APK
x Access Personal Info.
→ SMS
→ Contacts
→ Phone Info.
→ Location
x Network Access
→ HTTP
→ DNS
→ Other
x SMS Send
x Make Call
x Alter FS
![Page 71: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/71.jpg)
| Behavior Class | No Stimulation | Stimulation |
|---|---|---|
| FS Access | 889/1365 (65.13%) | 912/1365 (66.81%) |
| Access Personal Info. | 558/1365 (40.88%) | 903/1365 (66.15%) |
| Network Access | 457/1365 (33.48%) | 461/1365 (33.77%) |
| Exec. External App. | 171/1365 (12.52%) | 171/1365 (12.52%) |
| Send SMS | 38/1365 (2.78%) | 42/1365 (3.08%) |
| Make/Alter Call | 1/1365 (0.07%) | 55/1365 (4.03%) |

Table: Overall behavior breakdown of McAfee samples.
![Page 72: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/72.jpg)
| Behavior Class | Subclass | No Stim | Stim |
|---|---|---|---|
| Network Access | Generic | 483 | 489 |
| | HTTP | 309 | 318 |
| | DNS | 416 | 416 |
| FS Access | Write | 889 | 912 |
| Access Personal Info. | SMS | 32 | 266 |
| | Phone | 510 | 559 |
| | Accounts | 51 | 672 |
| | Location | 143 | 147 |
| Exec. External App. | Generic | 132 | 132 |
| | Priv. Esc. | 103 | 103 |
| | Shell | 73 | 73 |
| | Inst. APK | 8 | 8 |
| Send SMS | --- | 38 | 42 |
| Make/Alter Call | --- | 1 | 55 |

Table: Detailed behavior breakdown of McAfee samples.
![Page 74: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/74.jpg)
CONCLUSIONS
![Page 75: CopperDroid - On the Reconstruction of Android Apps Behaviors](https://reader034.fdocuments.us/reader034/viewer/2022051514/54b686224a795946128b45cf/html5/thumbnails/75.jpg)
CONCLUSIONS
CopperDroid Goal
Automatically reconstructs the behaviors of Android malware
x Unified system call-centric analysis that avoids 2-level VMIs
→ All the behaviors are eventually achieved via system interactions
x Automatic unmarshalling of Android objects
→ Online/offline Oracle analysis
x Dynamically stimulates Apps to disclose additional behaviors
x Extensive evaluation on 2,900+ Android malware
(28% additional behaviors on 60% of Genome samples)
(22% additional behaviors on 73% of Contagio samples)
(28% additional behaviors on 61% of McAfee samples)
1. Available at http://copperdroid.isg.rhul.ac.uk
2. Ongoing project, basic step of the EPSRC-funded MobSec
2.1 Behavioral attribution
2.2 Information leak detection (no taint-tracking!)
2.3 Benign / Malicious Android malware detection
2.4 Automatic clustering and classification
2.5 UI-driven/aided symbolic execution
2.6 …