CopperDroid: Automatic Reconstruction of Android Malware Behaviors Kimberly Tam, Salahuddin J. Khan, Aristide Fattori, Lorenzo Cavallaro Systems Security Research Lab and Information Security Group Royal Holloway University of London


Page 1: CopperDroid: Automatic Reconstruction of Android Malware ... · Background: Android System •Sandbox for each application •Every APK can be decomposed into one or more components

CopperDroid: Automatic Reconstruction of Android Malware Behaviors

Kimberly Tam, Salahuddin J. Khan,

Aristide Fattori, Lorenzo Cavallaro

Systems Security Research Lab and Information Security Group

Royal Holloway University of London

Page 2:

Authors

Both are doctoral students

Page 3:

Conference: NDSS 2015

• The 2015 Network and Distributed System Security Symposium (NDSS)

• 08-11 February 2015 in San Diego, California.

• CCF Network and Information Security Class-B conference

Page 4:

CopperDroid

• Meaning of "Copper"

• Closed source

• Donation from Intel Security (McAfee Labs)

Page 5:

CopperDroid

Page 6:

CopperDroid

Page 7:

Introduction

• Traditional system call analysis misses high-level, Android-specific semantics.

• It fails to reconstruct inter-process communication (IPC) and remote procedure calls (RPC).

• CopperDroid automatically performs out-of-the-box (VMI-based) dynamic analysis and reconstructs the behaviors of Android malware.

• Supports both the Dalvik VM and ART (Android 5.0), on x86 and ARM.

Page 8:

Introduction

• Real value: recreates complex Android objects to enrich the semantics of the reconstructed OS- and Android-specific behaviors.

• Three contributions:

  • Automatic IPC unmarshalling

  • Value-based data flow analysis

  • Behavioral reconstruction (combining system calls and Binder transactions)

Page 9:

Background: Android System

• Sandbox for each application

• Every APK can be decomposed into one or more components (Activity, Service, Broadcast Receiver…)

• Binder, IPC, RPC

• Android Interface Definition Language (AIDL)

Page 10:

CopperDroid Architecture

Page 11:

CopperDroid Overall Architecture

Page 12:

Automatic IPC Unmarshalling

• Unmarshalling Oracle

  • A Java application

  • Input:

    • Binder method signature

    • Marshalled parcel blob

  • Output:

    • Custom representation of the method

    • All parameter values

• First approach to carry out a detailed analysis of such communication channels.
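To make the oracle's input/output contract concrete, here is an added example (not CopperDroid's code, and not Android's real ISms interface): a simplified Parcel reader that, given a transaction code, a method signature and a marshalled blob, returns the method name and every parameter value. The transaction table and method names are assumptions; the string encoding follows Android's Parcel layout (int32 length in UTF-16 units, UTF-16LE data plus a null terminator, padded to 4 bytes, -1 for null). A small writer is included only so the example can construct its own blob offline.

```python
import struct

# Constructed transaction table in the spirit of an AIDL-generated stub:
# code -> method signature. Codes and names are this example's assumptions.
FIRST_CALL_TRANSACTION = 1
INTERFACE = {
    FIRST_CALL_TRANSACTION + 0: "sendText(String destAddr, String scAddr, String text, boolean persist)",
    FIRST_CALL_TRANSACTION + 1: "setCount(int count, long when)",
}


def _pad4(n):
    return (n + 3) & ~3


def parse_signature(sig):
    """'name(Type a, Type b)' -> ('name', [('Type', 'a'), ('Type', 'b')])."""
    name, _, rest = sig.partition("(")
    params = [p.split() for p in rest.rstrip(")").split(",") if p.strip()]
    return name.strip(), [(t, n) for t, n in params]


class ParcelReader:
    """Sequential reader over a marshalled blob, with bounds checks."""

    def __init__(self, blob):
        self.blob, self.pos = blob, 0

    def _take(self, n):
        if self.pos + n > len(self.blob):
            raise ValueError("truncated parcel at offset %d" % self.pos)
        chunk = self.blob[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def read_int(self):
        return struct.unpack("<i", self._take(4))[0]

    def read_long(self):
        return struct.unpack("<q", self._take(8))[0]

    def read_string16(self):
        units = self.read_int()          # UTF-16 code units, excluding terminator
        if units < 0:
            return None                   # -1 encodes a null String
        nbytes = (units + 1) * 2          # data + 2-byte null terminator
        raw = self._take(_pad4(nbytes))   # payload is padded to 4-byte alignment
        return raw[:units * 2].decode("utf-16-le")


READERS = {
    "int": ParcelReader.read_int,
    "long": ParcelReader.read_long,
    "boolean": lambda r: r.read_int() != 0,
    "String": ParcelReader.read_string16,
}


def unmarshal(code, blob):
    """Oracle-style decode: (method name, {param name: value}) for one transaction."""
    name, params = parse_signature(INTERFACE[code])
    reader = ParcelReader(blob)
    values = {}
    for ptype, pname in params:
        if ptype not in READERS:
            raise ValueError("unsupported AIDL type %r" % ptype)
        values[pname] = READERS[ptype](reader)
    if reader.pos != len(blob):
        raise ValueError("%d trailing bytes after last parameter" % (len(blob) - reader.pos))
    return name, values


# Writer used only to construct sample blobs for this example.
def marshal(code, args):
    _, params = parse_signature(INTERFACE[code])
    out = bytearray()
    for (ptype, _), value in zip(params, args):
        if ptype == "int":
            out += struct.pack("<i", value)
        elif ptype == "long":
            out += struct.pack("<q", value)
        elif ptype == "boolean":
            out += struct.pack("<i", 1 if value else 0)
        elif ptype == "String":
            if value is None:
                out += struct.pack("<i", -1)
            else:
                data = value.encode("utf-16-le")
                out += struct.pack("<i", len(data) // 2)
                data += b"\x00\x00"
                out += data + b"\x00" * (_pad4(len(data)) - len(data))
    return bytes(out)


if __name__ == "__main__":
    blob = marshal(1, ["+4400000000", None, "hello", True])
    print(unmarshal(1, blob))
```

Both failure modes a real oracle has to cope with are handled: a truncated blob raises instead of reading past the buffer, and a null String is distinguished from an empty one. Extending the reader to Parcelable objects is where the AIDL parser in the slides that follow comes in.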

Page 13:

Automatic IPC Unmarshalling

Page 14:

Automatic IPC Unmarshalling

Page 15:

Automatic IPC Unmarshalling

Page 16:

Automatic IPC Unmarshalling

• The Unmarshalling Oracle returns the decoded method and parameters to the analyser.

• AIDL parser (interface parser)

  • Stub (client)

  • Proxy (server)

• Unmarshalling Oracle implementation

Page 17:

Page 18:

Observed Behaviors

Page 19:

App Stimulation

• Some behaviors only take place when the app receives a Binder-delivered event.

• They cannot be triggered from MainActivity alone.

• Read the Manifest, then inject events such as phone calls and SMS reception.

• Broadcast receivers registered dynamically at run-time can also be detected.
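The Manifest-driven part of app stimulation, as an added example that is not CopperDroid's code: parse a (decoded) AndroidManifest.xml, collect every component with an intent filter, and map each declared broadcast action to the emulator event that would trigger it. The action strings and the Android XML namespace are real; the sample manifest and the stimulus labels are constructed for this example (the `sms send`, `gsm call` and `power capacity` forms are Android emulator console commands). Receivers registered via registerReceiver at run-time never appear in the Manifest, so this pass is deliberately only the static half of the slide.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Constructed mapping: declared broadcast action -> stimulus to inject.
STIMULI = {
    "android.provider.Telephony.SMS_RECEIVED": "sms send <number> <text>",
    "android.intent.action.PHONE_STATE": "gsm call <number>",
    "android.intent.action.BOOT_COMPLETED": "reboot the emulator",
    "android.intent.action.BATTERY_LOW": "power capacity <percent>",
}

# Constructed sample manifest (decoded XML, as produced by an APK decoder).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".BgService"/>
  </application>
</manifest>"""


def plan_stimulation(manifest_xml):
    """Return one entry per component that declares an intent filter.

    Each entry lists the declared actions and the stimuli known to trigger
    them; an empty 'stimuli' list flags an action the analyst must handle
    by hand (e.g. MAIN/LAUNCHER, which is started normally, not injected).
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    plan = []
    for kind in ("receiver", "service", "activity"):
        for comp in app.findall(kind):
            actions = [a.get(NAME)
                       for f in comp.findall("intent-filter")
                       for a in f.findall("action")]
            if not actions:
                continue   # no filter: only reachable by explicit Intent
            stimuli = sorted({STIMULI[a] for a in actions if a in STIMULI})
            plan.append({
                "component": comp.get(NAME),
                "kind": kind,
                "actions": actions,
                "stimuli": stimuli,
            })
    return plan


if __name__ == "__main__":
    for entry in plan_stimulation(SAMPLE_MANIFEST):
        print(entry)
```

Dynamically registered receivers are the complementary, run-time half: they show up as Binder transactions to ActivityManager's registerReceiver, which is exactly what the unmarshalled Binder view in the previous slides makes visible.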

Page 20:

App Stimulation

Page 21:

Value-based Data Flow Analysis and Behavior Reconstruction

Page 22:

Evaluation

Page 23:

Page 24:

Conclusion

• CopperDroid is a VM-based, dynamic, system-call-centric analysis and stimulation technique that uniformly and automatically reconstructs the behaviors of Android malware.

• Deserializing IPC and RPC interactions is key to reconstructing both OS- and Android-specific behaviors from a system-level observation point.

• Evaluated on 2900 real-world Android malware samples, showing the discovery of additional behaviors.