Viruses on mobile platforms: Why we don't/don't we have viruses on Android?
Jimmy Shah, Mobile Security Researcher
Definitions
• Virus
  – Self-replicating program
    • May inject itself into clean programs
    • May have destructive or visible payload
• Worm
  – Self-replicating program that doesn't infect files
  – E.g. Internet, MMS or Bluetooth worms
• Trojan
  – Non-replicating program that pretends to be another
    • May have destructive or visible payload
Viruses on Mobile Platforms: PalmOS, Windows Mobile, Symbian, Android
Palm OS
• 2000 – Palm/Phage
  – File infector, overwriter
    • Code resource replaced with virus code
    • Potentially smaller programs
Credit: Niels Heidenreich, Creative Commons Attribution licensed.
Windows Mobile
• 2007 – WinCE/Duts.1536
  – Injected itself into all apps in current directory
  – Asked for permission before running
Windows Mobile
• 2009 – WinCE/PMCryptic
  – Polymorphic
  – Developed with and only ran within emulator
    – Author didn't understand how to do self-modifying code on ARM
Symbian
• 2004 – SymbOS/Cabir
  – First worm/malware for Symbian
• 2005 – SymbOS/Lasco.A
  – File infector
    • Infected SIS installation files
Android
• 2010 – Android/Fakeplayer.A
  – First trojan
• 20?? – Android/??????
  – File infector
    • Haven't seen one yet
Android: What do attackers need to build a virus?
Android – What do attackers need to build a virus?
Stage: Replication
• Ability to replicate
  – Making copies of itself is easy enough

Tool                    Useful functions
File managers           Move, copy, delete files
File transfer programs  Network copy, delete files
Android – What do attackers need to build a virus?
Stage: Infection
• Ability to inject code into clean apps
  – This has been done manually in numerous trojans: Android/Geinimi, Android/Jmsonez, Android/PJApp, Android/SteamyScr, Android/HippoSMS, Android/GoldDream, Android/J.SMSHider, Android/DroidKungfu
  – Automating this saves them work and makes actual viruses
Android – What do attackers need to build a virus?
Stage: Infection
• Locate code
  – Apps are in APKs
    • APKs are zip files
    • App code is in classes.dex files
• Modify Dex files
  – Format is documented: http://source.android.com/tech/dalvik/dex-format.html
  – Multiple tools

Tool            Use
Smali/baksmali  Assembler/disassembler for DEX files
apktool         Unpack/decode APK: resources, smali code, AndroidManifest.xml
Attackers – Ability to inject code into clean apps
Stage: Infection
• Dex files are difficult to modify?
  – Disassembling easy with baksmali
    – Used by Privacy Blocker to mod apps
      » Memory issues
Attackers – Ability to inject code into clean apps
Stage: Infection
• Modifying AndroidManifest.xml can redirect execution
  – Register for intents

Intent                                Function
android.intent.action.BOOT_COMPLETED  Start immediately after system finishes booting
android.permission.RECEIVE_SMS        Run when SMS received
android.intent.action.PHONE_STATE     Phone state changes; specifically ringing
android.net.wifi.WIFI_STATE_CHANGED   Wifi state changes; specifically enabled
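As an added defender's example (not from the deck), a Python triage script that parses a decoded AndroidManifest.xml (the plain XML apktool produces) and lists every receiver registered for the auto-start triggers in the table, also noting receiver classes that live outside the app's own package, which is one sign of code added to a repackaged app. The sample manifest and package names are constructed; the table's RECEIVE_SMS is a permission, so the script reports it separately and matches the broadcast action it gates, android.provider.Telephony.SMS_RECEIVED.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Triggers from the table above: each lets app code run without the user launching the app.
# The table's RECEIVE_SMS is a permission; the broadcast action it gates is SMS_RECEIVED.
AUTO_START_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "starts right after boot",
    "android.provider.Telephony.SMS_RECEIVED": "runs when an SMS arrives",
    "android.intent.action.PHONE_STATE": "runs on phone state change (ringing)",
    "android.net.wifi.WIFI_STATE_CHANGED": "runs when Wi-Fi state changes",
}
def find_auto_start_receivers(manifest_xml: str):
    """Receivers hooked to an auto-start action; flags classes outside the app's package."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    hits = []
    for receiver in root.iter("receiver"):
        cls = receiver.get(ANDROID_NS + "name", "")
        cls = package + cls if cls.startswith(".") else cls  # relative names live under package
        for action in receiver.iter("action"):
            name = action.get(ANDROID_NS + "name", "")
            if name in AUTO_START_ACTIONS:
                hits.append({"receiver": cls, "action": name, "why": AUTO_START_ACTIONS[name],
                             "foreign_class": not cls.startswith(package + ".")})
    return hits

def declared_permissions(manifest_xml: str):
    """Permissions the manifest requests (RECEIVE_SMS is the one the table names)."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")}

# Constructed sample (hypothetical package names), already decoded to plain XML, e.g. by
# apktool: one receiver belonging to the app, one added from a different package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".WidgetReceiver">
      <intent-filter><action android:name="android.appwidget.action.APPWIDGET_UPDATE"/></intent-filter>
    </receiver>
    <receiver android:name="com.other.pkg.Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Running `find_auto_start_receivers(SAMPLE_MANIFEST)` reports only the com.other.pkg.Boot receiver, for both of its actions, with `foreign_class` set; the app's own widget receiver is ignored.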
Android – What do attackers need to build a virus?
Stage: Evasion
• Ability to evade detection
  • Encryption
    – Simple obfuscations and ciphers
    – Complex and well known encryption algorithms
  • Pretending to be clean apps
    – Infected apps
    – "Legitimate" apps (e.g. adult entertainment, IM, web browsers, games)
  • Reduce/remove security
    – Disable security checks
    – Remove/disable security & anti-malware software
Questions?