How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation...
Transcript of How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation...
![Page 1: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/1.jpg)
How Android Malware Fights(and we fight back!)
or Research on obfuscation in Android malware
Axelle Apvrille, Ruchna NigamFortiguard Labs, Fortinet
CARO Workshop, Melbourne, Florida, USAMay 2014
Slides have been edited for public release.
![Page 2: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/2.jpg)
Obfuscators
ObfuscatorsProGuard
DexGuard
APKProtectOthers:LVL...
How to...
spotreverse
CARO 2014 - A. Apvrille, R. Nigam 2/23
![Page 3: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/3.jpg)
ProGuard
I Spot the a’s: a/a;->a ... (Example: Android/Pincer.A!tr.spyabove)
I Use a custom dictionary -obfuscationdictionary,
-classobfuscationdictionary,
-packageobfuscationdictionary. Possibly generate withhttp://www.random.org/strings (e.g GinMaster.L).
I Approx 33, 000/230, 000 analyzed = 17 malicious samplesusing Proguard
CARO 2014 - A. Apvrille, R. Nigam 3/23
![Page 4: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/4.jpg)
License Verification Library (LVL)
package com.android.vending.licensing;
...
public class AESObfuscator implements Obfuscator {
...
private static final String CIPHER_ALGORITHM =
"AES/CBC/PKCS5Padding";
private static final byte[] IV = { 16, 74, 71, -80...
private static final String header =
"com.android.vending.licensing.AESObfuscator-1|";
I header prefix + string to obfuscate → AES → Base64
I used in Android/Plankton.B!tr
Tip: How to Spot
$ find . -type f -name *.smali -print |
xargs grep "AESObfuscator-1"
CARO 2014 - A. Apvrille, R. Nigam 4/23
![Page 5: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/5.jpg)
DexGuard-ed samples are painful to reverse
Hard time for AV analysts
I UTF16 →I bad display with jd-gui,I no completion with
Androguard...
I Example: used byAndroid/Dendroid.A!tr (March2014)
Tip: How to spot
$ find . -type f -name "*.smali" -print |
perl -ne ’print if /[$^$ [:ascii:]]/’
CARO 2014 - A. Apvrille, R. Nigam 5/23
![Page 6: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/6.jpg)
Tips to reverse DexGuard
Python decryption script template
I Adapt to each case
I Written by Nicolas Falliere
I Does not work with recent versions of DexGuard
Is it acceptable to modify the DEX?
Insert logs in smali, then re-build
invoke-static {v1, v2}, Landroid/util/Log;->e(
Ljava/lang/String;Ljava/lang/String;)I
CARO 2014 - A. Apvrille, R. Nigam 6/23
![Page 7: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/7.jpg)
Handy: DEX Strings renaming
How does it work?
1. Parse string id item[]
2. Rename non printable strings,keep same size
IssuesI Make sure no duplicate strings
I Breaks string ordering - but we don’t care
Download
https://github.com/cryptax/dextools/tree/master/hidex
$ ./hidex.pl --input classes.dex --rename-strings
CARO 2014 - A. Apvrille, R. Nigam 7/23
![Page 8: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/8.jpg)
Reversing Android/SmsSend.ND!tr
SmsSend.ND!tr -March 2014
I FirstAPKProtectedmalware?
I Spot string"APKProtect"
Make your own custom decryption routine
$ java SmsDecrypt
Processing string: ==aFgIDU0oPWgoK...
d64xor: 96500db3f2242a4b2ac920e4...
Decrypting: ybbc[CENSORED]icp.cc
Andrubis does it :)
CARO 2014 - A. Apvrille, R. Nigam 8/23
![Page 9: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/9.jpg)
Custom obfuscation
Custom obfuscationString tables
Encryption
Non Dalvikcode
etc
CARO 2014 - A. Apvrille, R. Nigam 9/23
![Page 10: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/10.jpg)
Android/GinMaster.L (Dec 2013) and string tables
Builds its own string table:
package Eg9Vk5Jan;
class x18nAzukp {
final private static char[][] OGqHAYq8N6Y6tswt8g;
static x18nAzukp()
{
v0 = new char[][48];
v1 = new char[49];
v1 = {97, 0, 110, 0, 100, 0, 114, 0, 111, 0, 105,
0, 100, 0, 46, 0, 97, 0, 112, 0, 112, 0, 46, 0, 67, 0,
...
v0[0] = v1;
v2 = new char[56];
v2 = {97, 0, 110, 0, 100, 0, 114, 0, 111, 0, 105,
0, 100, 0, 46, 0, 97, 0, 112, 0, 112, 0, 46, 0, 65, 0,
...
CARO 2014 - A. Apvrille, R. Nigam 10/23
![Page 11: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/11.jpg)
String tables: an attempt to hide strings in code
Using the string table
protected static String rLGAEh9JeCgGn73A(int p2) {
return new String(
Eg9Vk5Jan.x18nAzukp.OGqHAYq8N6Y6tswt8g[p2]);
}
...
new StringBuilder(x18nAzukp.rLGAEh9JeCgGn73A(43))...
At first, the analyst only sees a reference (e.g 43)
Procyon sees it betterclass x18nAzukp {
private static final char[][] OGqHAYq8N6Y6tswt8g;
static {
OGqHAYq8N6Y6tswt8g = new char[][] { { ’a’, ’n’, ’d’, ’r’, ’o’, ’i’, ’d’, ’.’,
’a’, ’p’, ’p’, ’.’, ’C’, ’o’, ’n’, ’t’, ’e’, ’x’, ’t’,...
or use Python snippet like "".join(map(chr, bytes))
CARO 2014 - A. Apvrille, R. Nigam 11/23
![Page 12: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/12.jpg)
Encryption in malware
See Cryptography for mobile malware obfuscation, RSA 2011
Example
Android/SmsSpy.HW!tr (Feb 2014): Blowfish encrypted asset isXML configuration file
Stats
27 of malware use encryption - stats collected from 460,493malicious samplesNB. sometimes encryption is used in legitimate portions
CARO 2014 - A. Apvrille, R. Nigam 12/23
![Page 13: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/13.jpg)
Loading non Dalvik code
I ELF: Android/DroidKungFu.B, C, E and G processcommands in native code.Android/DroidCoupon hides Rage Against The Cage exploitin a file with PNG extension
ratc.png: ELF 32-bit LSB executable, ARM, version 1 (SYSV),
dynamically linked (uses shared libs), stripped
rbb.png: gzip compressed data, was "busybox", from Unix, ...
I Basic4PPC in WinCE/Redoc. No malware usingBasic4Android yet?
I Javascript for click fraud in Android/FakePlay.B!tr
CARO 2014 - A. Apvrille, R. Nigam 13/23
![Page 14: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/14.jpg)
Packers
PackersHoseDex2Jar
BangCLE
Others:Ijiami
CARO 2014 - A. Apvrille, R. Nigam 14/23
![Page 15: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/15.jpg)
HoseDex2Jar
Tip: How To Spot - hidex
$ ~/dev/hideandseek/hidex/hidex.pl --input classes.dex-hosed
WARNING: strange header size: 136080
DEX Header of file:
Magic : 6465780a30333500
De-hose
https://github.com/strazzere/dehoser ;)
CARO 2014 - A. Apvrille, R. Nigam 15/23
![Page 16: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/16.jpg)
BangCLE packer - Ruchna Nigam
I Online packing service www.bangcle.com
I Encountered in Android/Feejar.B (2014)
I Real application decrypted at runtime only
I (Most of) packing job done by native libraries - obfuscated too
How to detect?I Presence of libsecmain.so, libsecexe.so, bangcle classes.jar
I com.secapk.wrapper.ApplicationWrapper
I Classes named FirstApplication, MyClassLoader, ACall...
CARO 2014 - A. Apvrille, R. Nigam 16/23
![Page 17: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/17.jpg)
BangCLE packer - Ruchna Nigam
I Online packing service www.bangcle.com
I Encountered in Android/Feejar.B (2014)
I Real application decrypted at runtime only
I (Most of) packing job done by native libraries - obfuscated too
How to detect?I Presence of libsecmain.so, libsecexe.so, bangcle classes.jar
I com.secapk.wrapper.ApplicationWrapper
I Classes named FirstApplication, MyClassLoader, ACall...
CARO 2014 - A. Apvrille, R. Nigam 16/23
![Page 18: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/18.jpg)
BangCLE packer - Ruchna Nigam
I Online packing service www.bangcle.com
I Encountered in Android/Feejar.B (2014)
I Real application decrypted at runtime only
I (Most of) packing job done by native libraries - obfuscated too
How to detect?I Presence of libsecmain.so, libsecexe.so, bangcle classes.jar
I com.secapk.wrapper.ApplicationWrapper
I Classes named FirstApplication, MyClassLoader, ACall...
CARO 2014 - A. Apvrille, R. Nigam 16/23
![Page 19: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/19.jpg)
BangCLE packer - Ruchna Nigam
I Online packing service www.bangcle.com
I Encountered in Android/Feejar.B (2014)
I Real application decrypted at runtime only
I (Most of) packing job done by native libraries - obfuscated too
How to detect?I Presence of libsecmain.so, libsecexe.so, bangcle classes.jar
I com.secapk.wrapper.ApplicationWrapper
I Classes named FirstApplication, MyClassLoader, ACall...
CARO 2014 - A. Apvrille, R. Nigam 16/23
![Page 20: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/20.jpg)
BangCLE packer - Ruchna Nigam
I Online packing service www.bangcle.com
I Encountered in Android/Feejar.B (2014)
I Real application decrypted at runtime only
I (Most of) packing job done by native libraries - obfuscated too
How to detect?I Presence of libsecmain.so, libsecexe.so, bangcle classes.jar
I com.secapk.wrapper.ApplicationWrapper
I Classes named FirstApplication, MyClassLoader, ACall...
CARO 2014 - A. Apvrille, R. Nigam 16/23
![Page 21: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/21.jpg)
BangCLE packer - Ruchna Nigam
I Online packing service www.bangcle.com
I Encountered in Android/Feejar.B (2014)
I Real application decrypted at runtime only
I (Most of) packing job done by native libraries - obfuscated too
How to detect?I Presence of libsecmain.so, libsecexe.so, bangcle classes.jar
I com.secapk.wrapper.ApplicationWrapper
I Classes named FirstApplication, MyClassLoader, ACall...
CARO 2014 - A. Apvrille, R. Nigam 16/23
![Page 22: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/22.jpg)
Hands on BangCLE
Mangled export names
Mmap is hooked
Anti-debugging?CARO 2014 - A. Apvrille, R. Nigam 17/23
![Page 23: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/23.jpg)
Hands on BangCLE
Mangled export names
Mmap is hooked
Anti-debugging?
CARO 2014 - A. Apvrille, R. Nigam 17/23
![Page 24: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/24.jpg)
Hands on BangCLE
Mangled export names
Mmap is hooked
Anti-debugging?
CARO 2014 - A. Apvrille, R. Nigam 17/23
![Page 25: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/25.jpg)
Obfuscation in the future: what could it be like?
Research injectbytecode
hide methods
angecryption
CARO 2014 - A. Apvrille, R. Nigam 18/23
![Page 26: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/26.jpg)
Inject arbitrary Dalvik bytecode
How does it work?I Jurrian Bremer - ”Abusing Dalvik Beyond Recognition”I Injecting bytecode:
1. Dalvik bytecode represented as UTF16 string2. Instantiate a class object (class with virtual method)3. iput-quick (0xf5): Overwrite address code of virtual function
with address of string4. invoke-virtual: call the method
Example: injecting 0013 07de 000f
Dalvik bytecode:
const/16 v0, #7de
return v0
I 0x13: const/16
I 0x07de = 2014
I 0x0f: return
CARO 2014 - A. Apvrille, R. Nigam 19/23
![Page 27: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/27.jpg)
Injecting bytecode PoC - DvmEscape - Bremer
Status
PoC return integers onlyNot seen in malware (yet?).
CARO 2014 - A. Apvrille, R. Nigam 20/23
![Page 28: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/28.jpg)
Hidex: hiding methods to dissassemblers
Detect with hidex.pl
CARO 2014 - A. Apvrille, R. Nigam 21/23
![Page 29: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/29.jpg)
AngeCryption to hide a APK
I Attack: decrypt a PNG and it becomes an APK
I PoC tool at http://corkami.googlecode.com/svn/trunk/src/angecryption/angecrypt.py
It works!!! (after a few hacks)
$ python angecrypt.py test.apk pic.png modified.apk
’key....’ aes ...
I Duplicate EOCD After all the central directory entries comesthe end of central directory (EOCD) record, which marks theend of the .ZIP file
I Pad to 16 bytes
Alert!
Keep an eye on it in the future!
CARO 2014 - A. Apvrille, R. Nigam 22/23
![Page 30: How Android Malware Fights (and we fight back!) or ... · PDF fileor Research on obfuscation in Android malware ... Basic4Android yet? ... (and we fight back!) or Research on obfuscation](https://reader031.fdocuments.us/reader031/viewer/2022030510/5aba9b2e7f8b9a297f8be77f/html5/thumbnails/30.jpg)
Thank You !
FortiGuard Labs
Follow us on twitter: @FortiGuardLabsor on our blog http://blog.fortinet.comMe: @cryptax or aapvrille at fortinet dot comRuchna: @ r04ch or rnigam at fortinet dot comHidex:https://github.com/cryptax/dextools/tree/master/hidex
Many thanks to: Ange Albertini, Jurriaan Bremer, AnthonyDesnos.
Are those PowerPoint slides? No way! It’s LATEX+ TikZ + Beamer + Lobster
CARO 2014 - A. Apvrille, R. Nigam 23/23