Dissecting Android Malware : Characterization and Evolution
Author : Yajin Zhou, Xuxian Jiang
TJ
Index of this paper
I. Introduction
II. Malware Timeline
III. Malware Characterization
  A. Malware Installation
    1) Repackaging
    2) Update Attack
    3) Drive-by Download
    4) Others
  B. Activation
  C. Malicious Payloads
    1) Privilege Escalation
    2) Remote Control
    3) Financial Charge
    4) Information Collection
  D. Permission Uses
IV. Malware Evolution
  A. DroidKungFu
    1) Root Exploits
    2) C&C Servers
    3) Shadow Payloads
    4) Obfuscation, JNI, and Others
  B. AnserverBot
    1) Anti-Analysis
    2) Security Software Detection
    3) C&C Servers
V. Malware Detection
VI. Discussion
VII. Related Work
VIII. Conclusion
I. Introduction
• Smartphone
– Shipment : x3 ↑ (40 million → 120 million) in 2009~2011 ► mobile malware ↑
• Android-based malware
– Share : 46% ↑ and growing rapidly
– 400% ↑ since summer 2010
• Goals
– Malware samples (1,260) & families (49)
– Timeline analysis
– Good example of malware
II. Malware Timeline
• Dataset
– 49 families
– Official/Alternative Android Market
– 2010-08 ~ 2011-10
III. A. Malware Installation
1) Repackaging
– Most common technique
– Concept
• Download popular apps → Disassemble → Enclose malicious payloads → Re-assemble → Submit
III. A. 1) Repackaging
• Where do these original apps come from?
• What is done to them by the malware authors?
III. A. 2) Update Attack
• Concept
– An update component downloads the malicious payload after installation
III. A. 3) Drive-by Download
• Enticing users to download “interesting” or “feature-rich” apps.
• For example,
– GGTracker : in-app advertisement link
– Jifake : QR code
– Spitmo and Zitmo : ported versions of nefarious PC malware (SpyEye, Zeus)
III. B. Activation
• Using system event messages
• For example,
– BOOT_COMPLETED
– SMS_RECEIVED
– ACTION_MAIN
III. C. Malicious Payloads
1) Privilege Escalation
III. C. 2) Remote Control
– 1,172 samples (93%)
• Turn infected phones into bots
• 1,171 samples
– HTTP-based communication with C&C servers
– C&C servers
• Amazon cloud
• Public blog
III. C. 3) Financial Charge
– Premium-rate services
III. C. 4) Information Collection
– SMS messages
– Phone numbers
– User accounts
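An added defender-side triage script, not code from the paper or these slides: it parses an AndroidManifest.xml, flags receivers registered for the background activation events listed in III. B (BOOT_COMPLETED, SMS_RECEIVED), and correlates them with permissions matching the payload classes of III. C. The payload-to-permission mapping and the sample manifest are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Broadcast actions the slides list as activation triggers. ACTION_MAIN is the
# launcher entry point (needs a user tap), so it is not a background trigger.
BACKGROUND_TRIGGERS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}
# Heuristic mapping (an assumption, not from the paper) from payload classes
# to permissions that class typically needs.
PAYLOAD_PERMISSIONS = {
    "financial_charge": {"android.permission.SEND_SMS"},
    "information_collection": {"android.permission.READ_SMS",
                               "android.permission.READ_CONTACTS",
                               "android.permission.GET_ACCOUNTS"},
    "remote_control": {"android.permission.INTERNET"},
}

def triage_manifest(manifest_xml: str) -> dict:
    """Report background-activation receivers and payload-class permission hits."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    receivers = []
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID + "name")
        for action in receiver.iter("action"):
            act = action.get(ANDROID + "name")
            if act in BACKGROUND_TRIGGERS:
                receivers.append((name, act))
    payload_hits = {cls: sorted(requested & perms)
                    for cls, perms in PAYLOAD_PERMISSIONS.items() if requested & perms}
    # Worth an analyst's look only when a background trigger and a payload capability coincide
    return {"background_receivers": receivers, "payload_hits": payload_hits,
            "review": bool(receivers) and bool(payload_hits)}

# Constructed sample manifest (not taken from any real app)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on a real APK's decoded manifest works the same way; a hit only means the app merits review, since benign apps also use these triggers.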
III. D. Permission Uses
IV. Malware Evolution
A. DroidKungFu
1) Root Exploits
2) C&C Servers
3) Shadow Payloads
4) Obfuscation
IV. B. AnserverBot
1) Anti-Analysis
2) Security Software Detection
3) C&C Servers
V. Malware Detection
• Tested on Nexus One (Android 2.3.7)
– Lookout
– TrendMicro
– AVG Antivirus
– Norton
VI. Discussion
• Ecosystem : Android Market
• ASLR, TrustZone and eXecute-Never are needed
• Lack of fine-grained API control
• Blocking malware from entering the market is needed
• Cooperation between security vendors
VIII. Conclusion
• Repackaging (86%)
• Platform-level privilege escalation exploits (36.7%)
• Bot-like capability (93%)
Q & A