Introduction to Mobile Malware

Upload: martha-benson

Post on 25-Dec-2015


Outline

➢ Introduction
➢ Types of Malware
➢ Malware examples
➢ How Malware Spreads
➢ Prevention
➢ AndroRAT Hands-on Lab

Introduction

● Mobile security has become a fast-growing issue
– Nearly 100,000 new malicious programs for mobile devices were detected in 2013 (Kaspersky Lab)
– More than twice the number detected in 2012

Types of Malware

In terms of functionality, there are three types:
● Mobile Device Data Stealers
● Rooting Capable Malware
● Premium Service Abusers

Mobile Device Data Stealers

Mobile Device Data Stealers – Malware that steals personal information such as contacts, phone logs, browsing habits, SMS and GPS data.

Mobile Device Data Stealer Example: NickiBot

● NickiBot – a malware with client and server components

– Can perform (GPS-based) location monitoring, sound recording, email-based uploading, as well as call log collection.

– After installation it obtains the phone’s International Mobile Equipment Identity (IMEI) and runs in the background while trying to connect to a server.

● It only works on phones that have the ability to connect to a particular server.

– If the phone does not connect to the server, NickiBot will automatically terminate.

● NickiBot will only execute certain functions when it receives commands from the server or through SMS.

NickiBot Permission Review

● Permissions needed:
– android.permission.INTERNET
– android.permission.ACCESS_FINE_LOCATION
– android.permission.ACCESS_COARSE_LOCATION
– android.permission.READ_PHONE_STATE
– android.permission.READ_CONTACTS

NickiBot Code Example: Stealing Contacts

Pseudo code (filled out here as working Android Java; the phone-number rows live under ContactsContract.CommonDataKinds.Phone, so that URI is queried instead of the bare Contacts table):

    import android.database.Cursor;
    import android.net.Uri;
    import android.provider.ContactsContract;

    Uri contentUri = ContactsContract.CommonDataKinds.Phone.CONTENT_URI;
    Cursor cursor = getContentResolver().query(contentUri, null, null, null, null);
    if (cursor != null) {
        // each iteration positions the cursor on one contact row
        while (cursor.moveToNext()) {
            String name = cursor.getString(cursor.getColumnIndex(
                    ContactsContract.CommonDataKinds.Phone.DISPLAY_NAME)); // contact name
            String num = cursor.getString(cursor.getColumnIndex(
                    ContactsContract.CommonDataKinds.Phone.NUMBER));       // contact phone number
            System.out.println(name + ": " + num);                         // print name and num
        }
        cursor.close();
    }

Mobile Device Data Stealer Example: Find and Call

● Find and Call – a malware on iOS and Android devices

● When it is started on your device, it will ask you to register your device online

● Once registration is completed it will begin spreading to the contacts in the phone

– By sending SMS spam messages embedding a URL in the message

● It will also upload the contact book to a remote server

Rooting Capable Malware

Rooting capable Malware – Malware that controls a device by obtaining root access. Once malware has root access to your phone it becomes very challenging to remove it.

Rooting

• Rooting allows a higher level of customization
– Installing from unofficial markets
– System backups
– Tethering: the connection of one device to another via cable or wireless
– Uninstalling apps

• However, malware can take advantage of root commands to obtain permissions

Rooting Capable Malware Example 1 – DroidDream

● DroidDream is a high-threat-level malware that has rooting capability

● It can infect many legitimate applications.

● It has client and server components

● The application that is infected with the DroidDream client can root the device and send sensitive information like the IMEI to a remote server.
– IMEI (International Mobile Station Equipment Identifier)

Rooting Capable Malware Example 2 – DroidKungFu

● DroidKungFu obtains absolute control of the phone in order to access arbitrary files in the phone

● Has the capability to install or remove any packages which will result in certain applications not working.

● Some minor variants of the DroidKungFu have the ability to change the user homepage without the user knowing.

Premium Service Abusers

Premium Service abusers – Malware that will send SMS messages or dial premium services that will charge the device owner.

Premium Service Abusers Example 1 – Zsone

● Zsone: found in China.
– Once the user runs the app on their phone, the app will send an SMS message to subscribe the user to a premium-rate SMS service.
– Txtnation is an example of a premium-rate SMS service

● It provides bulk SMS alerts and reminders, and SMS billing for premium-rate SMS content services

Premium Service Code Example

● Permissions needed:
– android.permission.SEND_SMS

● Sending SMS:

    import android.telephony.SmsManager;

    public void sendSMS() {
        String phoneNumber = "0123456789";
        String message = "Hello World!";
        SmsManager smsManager = SmsManager.getDefault();
        // sendTextMessage(destinationAddress, scAddress, text, sentIntent, deliveryIntent);
        // the service-centre address and both PendingIntents may be null
        smsManager.sendTextMessage(phoneNumber, null, message, null, null);
    }

How Mobile Malware Spreads

● Infect via Bluetooth
– Malware can spread to other Bluetooth devices in the surrounding area

● User download from suspicious sites
– Malware authors create fake websites to get their malware downloaded

● Repackage as Trojan
– Malware authors disassemble a popular app, enclose malicious payloads, re-assemble it and submit it to an app store

● Apps automatically download updates
– During the update, malicious commands are downloaded to the phone

Mobile Malware Prevention

● Google Play store's protection against mobile malware
● Anti-virus software
● Best practices for mobile device users to defend against malware
● Malware prevention and detection using a sandbox

Google Play Store’s Protection Against Mobile Malware

● The Google Play store does not allow worms, viruses, Trojan horses or other malware to be uploaded to the store

● However, the app upload process does not completely prevent malware from being uploaded to the Google Play store

● Google’s Bouncer software is a measure to prevent malware in the Google Play store

Google’s Bouncer Software

● Bouncer is a dynamic analyzer that periodically scans new and existing apps on the Play store for malware.

● 40% of malware was detected and removed

● Problems:
– Each time it only runs for 5 minutes on one app and only does dynamic analysis
– Therefore, if a malware did not misbehave during the scan, it will not be removed

Anti-virus

● When new software is downloaded, anti-virus software will automatically scan it

● When an external drive is used, the drive will be automatically scanned

● If no virus is found, the file continues to its destination.

● If a virus is found in a file:
– If the infected file can be disinfected, it continues to its destination and the user is alerted
– If the infected file cannot be disinfected, it is moved to a sandbox.

● Popular antivirus software: AVG, Lookout, Norton and Mobile Care.

Best Practices for Mobile Device Users to Defend against Malware

● Always look at the permissions requested by the app and check to see if the app really needs that function of the phone.

● Download from Reliable Sources

● Install updates as soon as they are released

● If the device is infected with malware, remove it as quickly as possible.

● Use password-based authorization on the device

● Install security software and antivirus

● Do not root the device. Rooting may give malware control of the device

● Encrypt your data – some Android devices support full-device encryption.

Malware Prevention and Detection Using Sandbox - 1

● Sandbox
– An area that is separated from the critical resources of a system, in which untested code is run
– Static and dynamic analysis tools can be run within the sandbox

● Mobile Sandbox (proposed by Spreitzenbarth et al.)
– Static analysis to check for dangerous function calls (such as connecting to a premium service)
– Dynamic analysis to monitor whether sensitive information leaves the phone
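An added example (not from the slides or from the Mobile Sandbox project) of the static-analysis side: it reads the permissions an app declares, flags the combinations that match the malware types on these slides (the NickiBot permission list, SEND_SMS for premium service abusers), and greps a decompiled-source stand-in for the dangerous calls. The manifest, the source fragment and the short code 1066 are constructed inputs; the rule set is my own, and it is also the check behind the best-practice advice above to review an app's requested permissions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment, modelled on the NickiBot permission list on the slides
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

# Constructed stand-in for decompiled source, as the static analyser would see it
SAMPLE_SOURCE = """
SmsManager sm = SmsManager.getDefault();
sm.sendTextMessage("1066", null, "ABC", null, null);
Cursor c = getContentResolver().query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
"""

# Permission combinations that match the malware types described on the slides (assumed rule set)
RULES = {
    "data stealer": {"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
    "location tracker": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"},
    "premium service abuser": {"android.permission.SEND_SMS"},
}

# Dangerous calls: an SMS sent to a hard-coded short code (the form premium-rate numbers take)
SMS_TO_SHORT_CODE = re.compile(r'sendTextMessage\(\s*"(\d{3,6})"')
CONTACTS_QUERY = re.compile(r"ContactsContract\.\w+\.CONTENT_URI")

def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def flag_permission_patterns(perms):
    # A rule fires when every permission it needs is declared
    return sorted(label for label, needed in RULES.items() if needed <= perms)

def flag_dangerous_calls(source):
    findings = ["SMS to short code " + m.group(1) for m in SMS_TO_SHORT_CODE.finditer(source)]
    if CONTACTS_QUERY.search(source):
        findings.append("reads contact list")
    return findings

def analyse(manifest_xml, source):
    perms = declared_permissions(manifest_xml)
    return {"patterns": flag_permission_patterns(perms), "calls": flag_dangerous_calls(source)}
```

Static checks of this kind only see what is in the package; behaviour fetched later by an update (the fourth spreading method above) is what the dynamic side of the sandbox is for.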

Malware Prevention and Detection Using Sandbox - 2

● A mechanism to identify malware that uses packing and obfuscation to avoid antivirus (Lee et al.)
– The API call sequence of the malware is converted to a call graph, which is reduced to a code graph
– The code graph is used to uniquely identify the malware
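An added illustration of the call-graph-to-code-graph idea above (my own simplified reconstruction, not the Lee et al. algorithm, whose exact reduction the slides do not give): the call sequence becomes a call graph, the app's own methods are contracted away so that only framework API calls and the paths between them remain, and a hash of that graph serves as the identifier. The three call sequences are constructed; the assumption that framework calls are written Class.method and internal methods as bare names is mine.

```python
import hashlib

# Constructed API call sequences (method names in the order they execute).
# Android framework calls are written Class.method; bare names are the app's own methods.
ORIGINAL = ["onCreate", "readContacts", "ContentResolver.query", "sendToServer",
            "HttpURLConnection.connect", "billUser", "SmsManager.sendTextMessage"]
# Same behaviour after packing: internal methods renamed and unpacking steps inserted
PACKED = ["a", "unpack", "b", "ContentResolver.query", "c", "decrypt",
          "HttpURLConnection.connect", "d", "SmsManager.sendTextMessage"]
# A benign contacts app for comparison
BENIGN = ["onCreate", "loadContacts", "ContentResolver.query", "showList", "ListView.setAdapter"]

def is_api(name):
    return "." in name

def call_graph(sequence):
    # Directed edge from each call to the call that follows it
    graph = {name: set() for name in sequence}
    for src, dst in zip(sequence, sequence[1:]):
        graph[src].add(dst)
    return graph

def code_graph(graph):
    # Contract the app's own methods: API A -> API B if B is reachable from A
    # through internal methods only, so renamed or inserted internals drop out
    edges = set()
    for api in (n for n in graph if is_api(n)):
        stack, seen = list(graph[api]), set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            if is_api(node):
                edges.add((api, node))
            else:
                stack.extend(graph[node])
    return edges

def signature(sequence):
    # Stable hash of the code graph, used as the malware identifier
    edges = sorted(code_graph(call_graph(sequence)))
    return hashlib.sha256(repr(edges).encode()).hexdigest()
```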

● Airmid
– A prototype tool that automatically identifies and responds to mobile malware based on its network behavior
– Network sensors detect malicious traffic and alert the device
– A program on the device identifies the executable code responsible and creates a plan of action to repair the device
● Filtering the traffic at the device, sandboxing or removing the app, patching the device, or restoring the device to its factory settings

AndroRAT

● It is a remote administration tool (RAT) for Android devices
● It allows an attacker to remotely gain control over another device and steal information from it
● It has client and server components
● The client is an Android APK file running on an Android device
● The server is a Java program running on a server
• The client can be injected into another Android application to become a Trojan by using the AndroRAT APK binder

AndroRAT Features

● Retrieve call log and place calls
● Retrieve and send SMS messages
● Retrieve contact information
● Retrieve and download files from the mobile device
● Capture and stream sound/video
● Get device location
● Open a URL in the default browser

AndroRAT Implementation

• The client side:
– runs on a mobile device as a simple application
– A button “start service” initiates the communication between the device and the server

• The server side:
– socket programming is used for client/server communication using TCP

AndroRAT Binder Implementation