Malware in Mobile Platform from
Panoramic Industrial View
Antiy Labs
Contents
• Introduction: a piece of “news” + a mobile phone
• Phenomenon: new threat
• Solution: is everything under control?
• Analysis: the history of confrontation
• Conclusion
INTRODUCTION: A PIECE OF “NEWS” + A MOBILE PHONE
Talking From A Piece of “News”
Analysis
Taking from a Grey Mobile Phone
Malicious behavior:
• Extra expenses: customized extra services, network flows, downloading other software, website hits
• Privacy stealing: messages, contacts list
Analysis on Malware Information
Name: com.google.android.providers.enhancedgooglesearch
Chinese Name:
Original Name: a.apk
URL Source:
Collection Source:
System Platform: Android
Format: apk
MD5 Value: BFBB58D0F8B487869393A0244AE71AFC
CRC32 Value: C1C12A99
SHA1 Value: 59EE114166CDBCDDB88B38299934021080053D86
Bytes:
Malware Information
Name: Trojan/Android.droiddg.a[rmt,sys]
CNCERT Name: a.remote.droiddg.a
Chinese Name:
Other Names: None
Original/Tied: Firmware embedding
Threat type: remote system
A Truly Funny Story
A grey Android mobile
A sexy E-market
Real E-market
Genuine mobile
Diverted Industrial Chain
INTERPRETATIONS OF NEW THREATS
Crossing the System Platform (Zitmo)
Diagram labels: Zitmo on the mobile side (Android, Symbian, WinCE, RIM OS) and Zeus on Windows; attacker; account/password; random identifying code; Net Bank.
Steal Message and Contacts List (SW.Spyware)
Propagation Means
– Disguises as a tax amount calculating software package
Procedure
– Installation
– Mimics the QQ login form to lure users
– Gets the QQ account and password and sends them to a specific mobile phone
Object System
– Android
Harm
– Steals message contents
– The SW.Spyware.B variant can even monitor the user's communication records
Damage Range
– First version of Android virus
Propagation Time
– July 2010
Spycall (Nickispy)
• Spycall and send back
• Disguises as Google+ for the first time
2011/09/17 Page 13
Form Control System (Adrd)
• Trojan/Android.Adrd.a[exp]
– Issues the control command and the malware trigger command
– Provides the data-accessing URL needed by the malware behavior
– Provides the parameter data needed by the malware behavior
– Provides an updating service for malware files
The Combined Use of Vulnerabilities and Social Engineering
1. Normal applications are replaced by means of a Google application download bug.
2. Consumers download the bootleg applications, which are actually malware, with 200 thousand victims.
3. Google clears out the malware by remote upgrade and provides security software.
4. The malware attacker disguises itself as Google security software.
SOLUTION: IS EVERYTHING UNDER CONTROL?
Traditional view
• Malware: mobile malware
• Host format: SIS, APK, PE, ………
• System entrance: Android, SymbOS, Windows Mobile
• Spreading media: various media
Major Spreading Approaches
• User flash
• Vendor pre-setting up
• Flash memory share
• USB communication
• GPRS/3G
• Wi-Fi
• PC shared network
• Official market/network
• Third-party market
• Message/multimedia message
Grouped on the slide as: user installation, Internet download, inserting ROM, PC penetration.
Dalvik Disassembling: IDA Pro
Static Analysis: ARM Disassembling
Static Analysis: Java Decompilation
2011/09/20 Page 21
Dynamic Analysis: SDK Simulator
Dynamic Analysis: Behavior Monitor
Network Analysis
Automatic Analysis
Disassembling Dalvik Code
Disassembling Dalvik Code
Disassembling ARM Code
Decompilation as Java
System Simulation
Network Data Analysis
Dynamic Behavior Monitor
Automatic Comprehensive Analysis
Visualized Comprehensive Analysis
ANALYSIS: THE HISTORY OF CONFRONTATION
Those Forgotten Grey Faces?
CIH 1998
Melissa 1999
Sasser 2004
Those Forgotten Red Alerts?
A Cross-Platform Contrast: 2001 vs. 2010
Winux (2001)
Cross Platform: Mobile + PC Bimorphism
Mobile-side files: 912812352001_3rd.sisx, dlinstall.dat (sisx), install.dat20 (sisx), 0xe61caca0.dat (jar), class files
PC-side files: SymbianUpdateSrv.exe, symbianDL.exe, symbianStarter.exe, symbianSrv.exe, symbianChkServer.exe
Modules: start and update new module, download module, service-monitoring module, clearing module, heartbeat telecontrol module, function disguising module
The Confrontation History Since 1988
Normalized Confrontation
Systematical Confrontation
Industrial Confrontation
Notable Event and Typical Method of Normalized Confrontation
• Bouncing Ball Virus
• Encrypted Virus
• Metamorphic Virus
• Script Virus
• Macro Virus
• Pattern Matching Penetrated
• Difficulty Promoted
• Direct Attack Mechanism
• Disrupting the Wording Chain
• Interfering Mechanism
• Normalized Confrontation
Normalized Confrontation
Engine diagram labels: object obtaining; solution framework; virus database; current diverter; preprocessor; matching box; assessor; disposer.
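As an added illustration (not Antiy's engine and not code from the slides), the stages of the engine diagram above run over the host formats of the “Traditional view” slide: a diverter picks the lane from magic bytes, a preprocessor unpacks an APK container, a matching box looks hashes up in a per-lane virus database seeded with the MD5 from the “Analysis on Malware Information” slide, and an assessor and disposer turn hits into a verdict and an action. The SISX magic-byte rule, the constructed sample files and the detection name “Constructed/Android.demo.a” are assumptions of this example.

```python
import hashlib
import io
import zipfile

# Host formats from the "Traditional view" slide, picked by leading magic bytes.
# Assumption: a Symbian 9 SISX file starts with its UID 0x10201A7A, little-endian.
MAGIC = {b"MZ": "PE", b"PK\x03\x04": "APK", b"\x7a\x1a\x20\x10": "SIS"}

# Virus database: lane -> lowercase MD5 -> name; the APK entry is the slide's record.
VIRUS_DB = {"APK": {"bfbb58d0f8b487869393a0244ae71afc": "Trojan/Android.droiddg.a[rmt,sys]"},
            "PE": {}, "SIS": {}}

def divert(data: bytes) -> str:
    """Diverter: choose the format lane from the magic bytes, or 'unknown'."""
    for magic, lane in MAGIC.items():
        if data.startswith(magic):
            return lane
    return "unknown"

def preprocess(data: bytes, lane: str) -> list[bytes]:
    """Preprocessor: an APK is a zip container, so each member is a scan unit as well."""
    units = [data]
    if lane == "APK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                units += [zf.read(name) for name in zf.namelist()]
        except zipfile.BadZipFile:
            pass  # fake or truncated archive: the container is still hashed as a whole
    return units

def match(units: list[bytes], lane: str, db: dict) -> list[str]:
    """Matching box: exact MD5 lookup against the signatures of this lane only."""
    sigs = db.get(lane, {})
    return [sigs[h] for h in (hashlib.md5(u).hexdigest() for u in units) if h in sigs]

def assess(lane: str, hits: list[str]) -> str:
    """Assessor: a verdict that keeps 'clean' apart from 'no lane covers this format'."""
    if hits:
        return "malicious"
    return "unscanned" if lane == "unknown" else "clean"

DISPOSE = {"malicious": "quarantine", "clean": "allow", "unscanned": "log"}

def scan(data: bytes, db: dict = VIRUS_DB) -> dict:
    """Run one obtained object through every stage and report what each stage decided."""
    lane = divert(data)
    hits = match(preprocess(data, lane), lane, db)
    verdict = assess(lane, hits)
    return {"lane": lane, "hits": hits, "verdict": verdict, "action": DISPOSE[verdict]}

def build_apk(dex: bytes) -> bytes:
    """Constructed stand-in for an APK: a zip holding a fake classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
    return buf.getvalue()

def demo() -> dict:
    """Register a constructed sample by the MD5 of its classes.dex, then scan it."""
    payload = b"dex\n035\x00constructed-sample"
    db = {lane: dict(sigs) for lane, sigs in VIRUS_DB.items()}
    db["APK"][hashlib.md5(payload).hexdigest()] = "Constructed/Android.demo.a"
    return scan(build_apk(payload), db)
```

A file whose format no lane covers is reported as unscanned rather than clean, which is the gap the slide's per-format view leaves open.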
Systematical Confrontation (2000~2005)
Systematical Confrontation (notable events)
• The emergence of P2P zombie networks
• The application of PKI systems in zombie networks
• Distributed denial-of-service (DDoS) attack on VirusTotal
• Shift from the client side to the cloud side
Industrial Confrontation (2005 to Now)
Underground industrial system vs. information industrial system
Underground industrial player
An Integral Whole Seen from the Underground Economy Chain
Diagram labels:
• Invade enterprise servers, steal secrets, sell them
• Invade network game servers, steal virtual currency, steal accounts
• Invade websites massively
• Write malware, spread it
• Steal bank accounts, launder money
• Steal network exchange accounts, steal virtual property
• Build zombie networks, send spam e-mail, denial-of-service attacks
• Charge for spreading, obtain money
Mobile branch: forum spreading, bundled (tying) spreading, SP expense deducting, mobile malware code, writing mobile malware
Industrial Chain: Complex and Interminable
Diagram labels:
• Baseband chip: Qualcomm, TI, ARM
• Spare parts: memory, battery
• OS: Symbian, WM, Mac OS, Android, Palm, ……
• Solution: TechFaith, DaTang, ……
• Manufacturing: genuine product / grey product
• Custom and tie
• Sale approach: official / private; after-sale service; sale service
• Application software: app store; software supplier; content supplier; service supplier
• Personal; enterprise
• Security vendors
Summary
Malware has developed and broken through the traditional single concept of program code. It has penetrated the whole system of society, politics, economy and life. It is impossible to resist malware effectively by relying only on anti-virus vendors; the battle against malware requires the management and resistance of the whole social system.
Anti-virus men of all countries, unite!
Thank you!