Towards the methods of analysis of malicious applications for the Android operating system
Sergey Staroletov
Polzunov Altai State Technical University,
Lenin avenue 46, Barnaul, 656038, Russia
serg_soft@mail.ru
Necessity for the work
• In 2018 the number of smartphones in the world will be over 50% of the total number of phones
• However, the computer literacy of today's smartphone users is not keeping pace with progress in the field of mobile devices
• Last year hackers in Russia stole 349 million rubles* from owners of phones running Android OS, five times more than a year earlier
* Vedomosti.ru (in Russian): Hackers have stolen 349 million rubles from Android owners over four quarters.
Android OS
• Android OS itself is a special Linux kernel, which contains the Dalvik virtual machine for executing Java applications through their own API
• An Android application is an apk (Android Package) file: a zip archive that contains the compiled Java classes of the application as a .dex (Dalvik EXecutable) file, the resources and the application's descriptor AndroidManifest.xml
• Intruders choose Android OS primarily because of its prevalence and the availability of cheap Chinese phones running it. Here we have a problem: typical users (especially from the countryside) are not even aware that they work with a minicomputer which can pick up a Trojan program, and such a program could get
[Figure: Distribution of new mobile malware by type in 2015 and 2016*]
* According to a Kaspersky report
Necessity for the work
• The Department of Applied Mathematics at Altai State Technical University was asked to develop methods, algorithms and software for the analysis of smartphones infected by Trojans (such as SMS Trojans and bankers), i.e. to perform digital forensics on the malicious applications
• Currently there are no generally accepted methods for doing this
The goals of the analysis
• Identify malicious applications among the applications from given phones
• Produce some proof of the harmfulness of a given application
• Study the algorithms of the applications without having their sources
• Find the remote hosts the application communicates with; discover the content sent, its format and the protocols
• Discover leaks of users' private data
• Compare various malicious applications and group them
• Develop and test a general method for making such analyses
Identifying malicious applications
• As a rule, such dual-purpose applications have a small size and a name and icon disguised as those of popular applications (WhatsApp, Skype, Flash Player, Kaspersky, Sberbank Online, etc.)
• We can study the permissions, for example:
  android.permission.INTERNET
  android.permission.WRITE_SMS
  android.permission.READ_SMS
  android.permission.SEND_SMS
  android.permission.RECEIVE_SMS
• Send the app to the virustotal.com service
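The checks on this slide (permissions, a disguised name, a small apk, a hash to look up on VirusTotal) can be scripted over the apk file itself. The following Python is an added example for this page, not code from the talk or its helper app: it opens the apk as the zip archive it is, pulls the android.permission.* names out of AndroidManifest.xml by scanning the binary XML string pool in both encodings it can use (a triage shortcut that is this example's assumption, not a full AXML parser), and applies the slide's three indicators. The sample apk, the 500,000-byte threshold for "small" and the brand substrings are constructed here.

```python
import hashlib
import io
import re
import zipfile

# The SMS permissions from the slide: together with INTERNET they are the
# working set of an SMS Trojan or a banker.
SMS_PERMISSIONS = {
    "android.permission.WRITE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
}
# Names the slide says such apps disguise themselves as (matched as substrings).
DISGUISE_NAMES = ("whatsapp", "skype", "flash player", "kaspersky", "sberbank")
# Assumed threshold: the slide only says the apps are "small".
SMALL_APK_BYTES = 500_000

_PERM_RE = re.compile(r"android\.permission\.[A-Z_]+")


def extract_permissions(manifest: bytes) -> set:
    """Collect android.permission.* names from a manifest blob.

    Inside an apk the manifest is Android binary XML, whose string pool is
    UTF-16LE (or UTF-8 when the pool's UTF-8 flag is set). Scanning the bytes
    in both encodings finds the permission names without a full AXML parser;
    this shortcut is an assumption of the example, not the slide's method.
    """
    found = set(_PERM_RE.findall(manifest.decode("latin-1")))
    for offset in (0, 1):  # UTF-16LE at both possible byte alignments
        found.update(_PERM_RE.findall(manifest[offset:].decode("utf-16-le", "ignore")))
    return found


def inspect_apk(apk_bytes: bytes) -> dict:
    """An apk is a zip: list its entries, hash it and pull the permissions."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    return {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),  # look this up on VirusTotal
        "size": len(apk_bytes),
        "has_dex": any(n.endswith(".dex") for n in names),
        "permissions": extract_permissions(manifest),
    }


def triage(label: str, report: dict) -> list:
    """Apply the slide's three indicators and return the ones that fire."""
    findings = []
    if any(name in label.lower() for name in DISGUISE_NAMES):
        findings.append("name imitates a popular app: " + label)
    sms = report["permissions"] & SMS_PERMISSIONS
    if sms and "android.permission.INTERNET" in report["permissions"]:
        findings.append("SMS permissions plus INTERNET: " + ", ".join(sorted(sms)))
    if report["has_dex"] and report["size"] < SMALL_APK_BYTES:
        findings.append("small apk: %d bytes" % report["size"])
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a suspicious apk (sample data, not a real
    malware sample): a tiny classes.dex and a binary-style manifest whose
    string pool holds the permission names as length-prefixed UTF-16LE."""
    perms = ["android.permission.INTERNET", "android.permission.SEND_SMS",
             "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"]
    pool = b"".join(len(p).to_bytes(2, "little") + p.encode("utf-16-le") + b"\x00\x00"
                    for p in perms)
    manifest = b"\x03\x00\x08\x00" + len(pool).to_bytes(4, "little") + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("res/drawable/icon.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    sample = inspect_apk(build_sample_apk())
    print(sample["sha256"], sorted(sample["permissions"]))
    for finding in triage("Sberbank Online", sample):
        print(" -", finding)
```

On a real apk pulled from a phone, `inspect_apk(open(path, "rb").read())` gives the hash for a VirusTotal lookup and the permission set; the label passed to `triage` is the one shown on the phone's launcher, since that is what the disguise targets.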
After a suspicious app is detected
• When a malicious application is detected, further analysis on the phone would be inappropriate. As a rule, the application is retrieved as an apk file, and the browser logs and download history on the phone are analysed to find where the application could have been obtained from
• Next, the application is analysed on a desktop computer running an Android OS emulator
• Application analysis is complicated because we deal with a compiled application without the source code being present.
Low-level debugging of Android applications
IDA Pro's proximity browser feature (debugging applications for the Dalvik virtual machine)
Analysis of network interactions in the Android applications
• When all HTTP connections from the emulator go through a proxy, we can log the information sent and received by the applications on the phone
• As a result, we can identify the intruders' domains through which the Trojan applications receive data and transmit control commands
• Having the recorded network data, we can also match various versions of the malware, identifying groups of Trojans by comparing the remote hosts and the interaction data
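As an added example (not from the talk), the following Python takes the kind of request log a proxy produces for the emulator, builds the set of remote hosts per sample, groups samples whose host sets overlap, and lists the hosts shared by several samples, which are the control domains the results slide says were blocked. The log lines, the `.example` hostnames and the 0.5 Jaccard threshold are constructed for the example; a real mitmproxy or Burp export would need only `LINE_RE` adapted.

```python
import re
from collections import Counter, defaultdict
from itertools import combinations
from urllib.parse import urlsplit

# Constructed proxy log, one request per line: "<sample> <method> <url>".
# Hostnames are placeholders under .example.
PROXY_LOG = """\
app1.apk POST http://panel-a.example/gate.php
app1.apk GET  http://panel-a.example/cmd?id=1
app1.apk POST http://sms-relay.example/send
app2.apk POST http://panel-a.example/gate.php
app2.apk POST http://sms-relay.example/send
app3.apk GET  http://www.google.com/
app3.apk POST http://other-panel.example/api
"""

LINE_RE = re.compile(r"^(\S+)\s+(GET|POST|PUT|HEAD)\s+(\S+)$")
# Hosts every phone talks to; excluded so they do not glue unrelated samples together.
BENIGN_HOSTS = {"www.google.com"}


def hosts_per_sample(log: str) -> dict:
    """Map each sample to the set of remote hosts it contacted through the proxy."""
    hosts = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparsable lines rather than abort the run
        sample, _method, url = m.groups()
        host = urlsplit(url).hostname
        if host and host not in BENIGN_HOSTS:
            hosts[sample].add(host)
    return dict(hosts)


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def group_samples(hosts: dict, threshold: float = 0.5) -> list:
    """Connected components over samples whose host sets overlap at least
    `threshold` (Jaccard); each component is a candidate Trojan group."""
    samples = sorted(hosts)
    parent = {s: s for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(hosts[a], hosts[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for s in samples:
        groups[find(s)].add(s)
    return sorted(groups.values(), key=lambda g: sorted(g))


def shared_hosts(hosts: dict, min_samples: int = 2) -> list:
    """Hosts contacted by several samples: the control domains worth blocking."""
    counts = Counter(h for hs in hosts.values() for h in hs)
    return sorted(h for h, n in counts.items() if n >= min_samples)


if __name__ == "__main__":
    per_sample = hosts_per_sample(PROXY_LOG)
    print("groups:", group_samples(per_sample))
    print("shared hosts:", shared_hosts(per_sample))
```

Grouping on hosts alone is a first cut; comparing the recorded request bodies and paths (the "interaction data" of the slide) in the same way, with a second similarity measure, separates families that happen to share hosting.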
Tracing the application's logic with a patched OS kernel
• The TaintDroid* project was created to tell the user about private data leaks during the work of Android OS applications, in the form of push notifications at the top of the phone screen. It patches the Android kernel and library code and inserts its own code to reveal and process tainted data
• Next, DroidBox is a framework for the dynamic analysis of Android applications, built on top of TaintDroid's patches; it consists of a modified OS kernel containing TaintDroid's patches and additional patches that improve the logging tools
* Enck, William, et al. "TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones." ACM Transactions on Computer Systems (TOCS) 32.2 (2014): 5.
TaintDroid patches
@@ -291,8 +310,13 @@ bool javaLangString_compareTo(u4 arg0,
u4 arg1
/*
* public boolean equals(Object anObject)
*/
+#ifdef WITH_TAINT_TRACKING
+bool javaLangString_equals(u4 arg0, u4 arg1, u4 arg2, u4 arg3,
+ u4 arg0_taint, u4 arg1_taint, struct Taint* rtaint,
JValue* pResult)
+#else
bool javaLangString_equals(u4 arg0, u4 arg1, u4 arg2, u4 arg3,
JValue* pResult)
+#endif /*WITH_TAINT_TRACKING*/
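Review bot: the `#ifdef WITH_TAINT_TRACKING` branch repeats the whole `javaLangString_equals` prototype instead of adding only the taint parameters, so the two declarations must be kept in sync by hand; a macro for the extra parameter list (`u4 arg0_taint, u4 arg1_taint, struct Taint* rtaint`) that expands to nothing when `WITH_TAINT_TRACKING` is off would leave a single prototype. Only the signature is in view here: the body that fills `*rtaint` from the two argument taints for the boolean result lies outside the hunk and should be checked together with this change, since an untainted `equals` result is exactly where tainted data would otherwise slip out of tracking.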
TaintDroid/DroidBox
• They have inserted code to record opened files, network access, the encryption algorithms used and the data passed to encrypt/decrypt functions, sending and receiving of SMS (the number and the text of the message), phone calls made by applications, and class loading into memory
• Just what is necessary for the analysis of malicious code.
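To make the `arg0_taint`/`arg1_taint`/`rtaint` parameters in the patch above and the DroidBox hooks listed here concrete, the following is a small Python model of taint tracking, added for this page and not part of TaintDroid or DroidBox (which do this inside the Dalvik VM and the libraries, not in Python): values carry a tag bitmask, every operation returns the union of its operands' tags (including `equals`, whose boolean result gets `rtaint`), and the network sink reports what flows through it. The tag values, the IMEI placeholder, the XOR stand-in for encryption and the hostnames are constructed.

```python
# Taint tags are a bitmask per value, the way TaintDroid labels data; the
# tag values below are this example's own, not TaintDroid's constants.
TAINT_CLEAR = 0
TAINT_IMEI = 1 << 0
TAINT_SMS = 1 << 1
TAINT_LOCATION = 1 << 2
TAG_NAMES = {TAINT_IMEI: "IMEI", TAINT_SMS: "SMS", TAINT_LOCATION: "LOCATION"}


def tag_names(taint: int) -> list:
    return [name for bit, name in TAG_NAMES.items() if taint & bit]


class Tainted:
    """A value carrying its taint; every operation returns the union of the
    operands' taints, which is what the arg0_taint/arg1_taint/rtaint
    parameters in the patched javaLangString_equals exist for."""

    __slots__ = ("value", "taint")

    def __init__(self, value, taint=TAINT_CLEAR):
        self.value = value
        self.taint = taint

    def concat(self, other: "Tainted") -> "Tainted":
        return Tainted(self.value + other.value, self.taint | other.taint)

    def equals(self, other: "Tainted") -> "Tainted":
        # rtaint = arg0_taint | arg1_taint: even a boolean derived from private
        # data stays tainted, otherwise a char-by-char compare would launder it.
        return Tainted(self.value == other.value, self.taint | other.taint)

    def encrypt(self, key: str) -> "Tainted":
        # XOR stand-in for a cipher (constructed): encryption changes the bytes,
        # not the taint, which is why DroidBox logs the data passed to encrypt().
        out = "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(self.value))
        return Tainted(out, self.taint)


# Sources: the sensitive APIs where data gets its label (constructed values).
def source_imei() -> Tainted:
    return Tainted("IMEI-PLACEHOLDER-0000", TAINT_IMEI)


def source_sms(text: str) -> Tainted:
    return Tainted(text, TAINT_SMS)


# Sink: where TaintDroid raises its notification and DroidBox writes a log line.
def sink_network_send(host: str, payload: Tainted, log: list) -> bool:
    if payload.taint:
        log.append("leak to %s: %s" % (host, ",".join(tag_names(payload.taint))))
        return True
    log.append("clean send to %s" % host)
    return False


def demo() -> list:
    """IMEI and an SMS text are joined, encrypted and sent: the sink still sees both tags."""
    log = []
    body = source_imei().concat(Tainted("|")).concat(source_sms("code 4711"))
    sink_network_send("panel-a.example", body.encrypt("k3y"), log)
    sink_network_send("www.google.com", Tainted("ping"), log)
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```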
SMS watching process
Decompilation and source code analysis
• Decompilation is the process of getting the sources back from binary code
• For Java applications it is: *.class -> *.java
• For Android applications it is: .apk -> .dex -> .jar -> *.class -> *.java
• For Java applications it is possible to get the code back, but:
• Obfuscation is the process of entangling the sources before compilation so that the decompiled sources are impossible to read
Java decompilers
• FernFlower
• CFR
• Jadx
• Procyon
• ...
• The results of decompilation depend on the source code, the obfuscation and the decompiler
• It's better to try all the available decompilers and select the best result
An example of well-obfuscated source
    var1_5 = var9_1[0]
    var9_1 = Class.forName(Application.onCreate("\ub559\u4623\u069b\u920c\u5140\u162b\u13b7\u927b\uff0c\ubf32\u1c91\u4ae2"))
    var12_9 = var9_1.getConstructor(new Class[]{var9_1, String.class})
    var10_11 = Class.forName(Application.onCreate("\ub552\u462c\u0689\u921f\u5101\u162b\u13bc\u927b\uff29\ubf34\u1c93\u4af3\u4a06\u3b4a\u4b63\u895b\u8aa6\u19b8\u62da\uecc1\u2174\u912e\uc452"))
    var14_12 = var10_11.getMethod(Application.onCreate("\ub554\u4627\u0699\u9229\u5107\u1630"), new Class[]{String.class, Integer.TYPE})
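The code on this slide never names the classes it loads: each `Class.forName` and `getMethod` receives its string only after it passes through `Application.onCreate`, a decoder hiding behind a method name borrowed from the framework. A first step in analysing such output is to find every reflection site and the routine that decodes its argument, so that routine can be re-implemented once and applied to all the constants. The following Python, added here and not from the talk, does that over a constructed snippet built from the slide's literals (with a plain `Class.forName("java.lang.String")` line added as a control); the regexes are this example's heuristics.

```python
import re
from collections import Counter

# Constructed snippet in the style of the slide's decompiled output: the string
# literals are the slide's (escapes rejoined), the last line is an unobfuscated
# control, and the variable names are the decompiler's.
DECOMPILED = r'''
var9_1 = Class.forName(Application.onCreate("\ub559\u4623\u069b\u920c\u5140\u162b\u13b7\u927b\uff0c\ubf32\u1c91\u4ae2"));
var12_9 = var9_1.getConstructor(new Class[]{var9_1, String.class});
var10_11 = Class.forName(Application.onCreate("\ub552\u462c\u0689\u921f\u5101\u162b\u13bc\u927b\uff29\ubf34\u1c93\u4af3\u4a06\u3b4a\u4b63\u895b\u8aa6\u19b8\u62da\uecc1\u2174\u912e\uc452"));
var14_12 = var10_11.getMethod(Application.onCreate("\ub554\u4627\u0699\u9229\u5107\u1630"), new Class[]{String.class, Integer.TYPE});
plain = Class.forName("java.lang.String");
'''

# Reflection entry points whose string argument names the class or method reached.
REFLECTION_APIS = ("forName", "getMethod", "getDeclaredMethod", "getConstructor", "loadClass")
# <qualified.name>("literal"): the innermost call that wraps a string literal.
WRAPPED = re.compile(r'([A-Za-z_][\w.]*)\(\s*"((?:\\.|[^"\\])*)"\s*\)')


def find_reflection_sites(src: str) -> list:
    """One record per reflection call that takes a string argument: which API,
    which decoder (if any) wraps the literal, and the literal itself."""
    sites = []
    for lineno, line in enumerate(src.splitlines(), 1):
        api = next((a for a in REFLECTION_APIS if "." + a + "(" in line), None)
        if api is None:
            continue
        for m in WRAPPED.finditer(line):
            callee, literal = m.groups()
            # turn the Java \uXXXX escapes back into characters
            decoded = literal.encode("ascii", "backslashreplace").decode("unicode_escape")
            decoder = None if callee.endswith(REFLECTION_APIS) else callee
            sites.append({
                "line": lineno,
                "api": api,
                "decoder": decoder,
                "literal": decoded,
                # a class or method name made only of non-ASCII characters is encoded
                "opaque": not decoded.isascii(),
            })
    return sites


def decoder_summary(sites: list) -> Counter:
    """Which routines decode reflection targets: these are the ones to
    re-implement so that every constant can be decoded in one pass."""
    return Counter(s["decoder"] for s in sites if s["decoder"])


if __name__ == "__main__":
    found = find_reflection_sites(DECOMPILED)
    for site in found:
        print(site["line"], site["api"], site["decoder"], "opaque" if site["opaque"] else "plain")
    print(decoder_summary(found))
```

Run over a whole decompiled tree, the summary usually collapses to one or two decoder names; their bodies are the part of the app worth reading first, because once they are understood, the reflection targets can be substituted back into the source and the rest reads normally.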
The general method
Helper app
A small aggregated single-window application that performs the functions described here semi-automatically:
• Get the permissions and copy the application from an Android phone
• Make requests to VirusTotal to check the application against the antivirus databases
• Start the Android emulator with a patched kernel and system image, analyse the application dynamically and display the collected logs
• Decompile the application with the decompilers described and navigate through the decompiled files
• Run the integrated proxy server and monitor the application's networking activity
Later in this application, we plan to generate reports in the standard form for digital forensic science.
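The first step of the helper app, getting the permissions and copying the application off the phone, can be done with adb alone. The following Python is an added example of that step (not the talk's helper app): it parses the output formats of `adb shell pm list packages -f -3` and `adb shell dumpsys package`, and pulls the apk. The package names, paths and the dumpsys excerpt are constructed placeholders, and `run` is injectable so the flow can be exercised without a device.

```python
import subprocess

# Constructed output of `adb shell pm list packages -f -3` (third-party packages
# with their apk paths). Package names and paths are placeholders.
PM_LIST_OUTPUT = """\
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/data/app/ru.placeholder.bankonline-2/base.apk=ru.placeholder.bankonline
"""

# Constructed excerpt of `adb shell dumpsys package ru.placeholder.bankonline`.
DUMPSYS_OUTPUT = """\
Packages:
  Package [ru.placeholder.bankonline] (1a2b3c):
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
    install permissions:
      android.permission.INTERNET: granted=true
"""


def parse_pm_list(output: str) -> dict:
    """Map package name -> on-device apk path from `pm list packages -f` lines.
    The split is on the last '=' because newer install paths can contain '='."""
    packages = {}
    for line in output.splitlines():
        if not line.startswith("package:"):
            continue
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep:
            packages[pkg] = path
    return packages


def requested_permissions(dumpsys: str) -> list:
    """Return the entries of the 'requested permissions:' block, which lists
    what the manifest asks for, granted or not."""
    perms, inside = [], False
    for line in dumpsys.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            inside = True
            continue
        if inside:
            if not stripped or stripped.endswith(":"):  # next section starts
                break
            perms.append(stripped.split(":")[0])
    return perms


def collect(pkg: str, dest_dir: str, run=subprocess.run) -> dict:
    """Device side of the helper: locate the apk, pull it, read its permissions.
    `run` defaults to subprocess.run and is injectable for tests."""
    listing = run(["adb", "shell", "pm", "list", "packages", "-f", "-3"],
                  capture_output=True, text=True, check=True).stdout
    paths = parse_pm_list(listing)
    if pkg not in paths:
        raise KeyError("package not installed as a third-party app: " + pkg)
    dest = dest_dir.rstrip("/") + "/" + pkg + ".apk"
    run(["adb", "pull", paths[pkg], dest], check=True)
    dump = run(["adb", "shell", "dumpsys", "package", pkg],
               capture_output=True, text=True, check=True).stdout
    return {"apk": dest, "device_path": paths[pkg],
            "permissions": requested_permissions(dump)}


if __name__ == "__main__":
    import sys
    print(collect(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "."))
```

Pulling the apk this way, rather than reinstalling or running anything on the phone, keeps the device in the state it was handed in, which matters when the analysis is later written up as forensic evidence.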
Results
• Proposed a method for doing the analysis in general
• Created the helper app
• About 50 malware apps were identified on the phones handed in by victims
• Some of the identified intruders' domains were blocked
• Some groups of Trojans were classified
• Future research work for the students (anti-obfuscation, advanced dynamic tracking, low-level Android app debugging, ...)
