Cellular Networks and Mobile Computing (COMS 6998-10), Spring 2013
Instructor: Li Erran Li (lel2139@columbia.edu)
http://www.cs.columbia.edu/~lierranli/coms6998-10Spring2013/
Lecture 10: Mobile Malware, 4/9/13
Announcement
• Lab sessions on iOS and Android
  – Send in your suggested topics
• Next lecture by Akhila; instructor out of town
Review of Previous Lectures on Mobile Cloud Computing
• What is the difference between APNS, GCM and Thialfi?
• Push notification services
  – Unreliable: APNS, GCM
  – Reliable: Thialfi (has a notion of objects)
Thialfi Architecture
[Figure: client library in the app talks to the data center, which holds the Registrar (backed by the Client Bigtable) and the Matcher (backed by the Object Bigtable); the application backend publishes notifications to the Matcher; registrations, notifications and acknowledgments flow between client and Registrar.]
• Each server handles a contiguous range of keys
• Each server maintains an in-memory version
• Bigtable: log structured, fast write
• Matcher: Object ID → registered clients, version
• Registrar: Client ID → registered objects, notifications
Courtesy: Adya et al.
Thialfi: Life of a Notification
[Figure: the application backend calls Publish(x, v7); the Matcher updates the Object Bigtable entry for x from v5 to v7 (registered clients C1, C2) and sends Notify: x, v7 to the Registrar; the Registrar updates the Client Bigtable (C1: x, v5 → v7; C2: x, v7) and delivers the notification to client C2, which replies Ack: x, v7.]
Review of Previous Lecture (Cont’d)
• How to classify location based services?

A Taxonomy of Applications
                  Personal                           Social
Current location  Driving directions,                Friend finder,
                  Nearby restaurants                 Crowd scenes
Past locations    Personal travel journal,           Post-it notes,
                  Geocoded photos                    Recommendations
Tracks            Personalized driving directions    Ride sharing, Discovery,
                                                     Track-based search, Urban sensing
The Tracks row is the class of applications enabled by StarTrack.
Courtesy: Maya et al.
StarTrack System
[Figure: applications use an ST Client, which talks to one or more ST Servers; the Location Manager feeds track insertion.]
• Insertion
• Retrieval
• Manipulation
• Comparison
• …
What are the System Challenges of a Track Service?
1. Handling error-prone tracks
2. Flexible programming interface
3. Efficient implementation of operations on tracks
4. Scalability and fault tolerance
Challenges of Using Raw Tracks
• Advantages of canonicalization:
  – More efficient retrieval and comparison operations
  – Enables StarTrack to maintain a list of non-duplicate tracks
StarTrack API
[Figure: pre-filter tracks → manipulate tracks → fetch tracks.]
• Track Collections (TC): abstract grouping of tracks
  – Programming convenience
  – Implementation efficiency
    • Prevent unnecessary client-server message exchanges
    • Enable delayed evaluation
    • Enable caching and use of in-memory data structures
StarTrack API: Track Collections
• Creation
    TC MakeCollection(GroupCriteria criteria, bool removeDuplicates)
• Manipulation
    TC JoinTrackCollections(TC tCs[], bool removeDuplicates)
    TC SortTracks(TC tC, SortAttribute attr)
    TC TakeTracks(TC tC, int count)
    TC GetSimilarTracks(TC tC, Track refTrack, float simThreshold)
    TC GetPassByTracks(TC tC, Area[] areas)
    TC GetCommonSegments(TC tC, float freqThreshold)
• Retrieval
    Track[] GetTracks(TC tC, int start, int count)
API Usage: Ride-Sharing Application
    // get user's most popular track in the morning
    TC myTC = MakeCollection("name = Maya", [0800 1000], true);
    TC myPopTC = SortTracks(myTC, FREQ);
    Track track = GetTracks(myPopTC, 0, 1)[0];   // GetTracks returns Track[]; take the single result
    // find tracks of all fellow employees
    TC msTC = MakeCollection("name.Employer = MS", [0800 1000], true);
    // pick tracks from the community most similar to user's popular track
    TC similarTC = GetSimilarTracks(msTC, track, 0.8);
    Track[] similarTracks = GetTracks(similarTC, 0, 20);
    // verify that each track is frequently traveled by its respective owner
    User[] result = FindOwnersOfFrequentTracks(similarTracks);
Review of Previous Lectures on Mobile Cloud Computing (Cont’d)
• What are the different programming models for computation offloading?

mCloud Programming Model
• MAUI: RPC-based offloading architecture
• CloneCloud: tight synchronization between cloud and phone
• Odessa: data-flow graph to exploit parallelism in perception applications
• COMET: distributed shared memory
• MAUI, CloneCloud and Odessa all have a profiler and a solver
Remote execution unit:
  MAUI        Methods (RMI)
  CloneCloud  Threads (method entry/exit)
  Odessa      Tasks
  COMET       Threads (any place)
Syllabus
• Mobile App Development (lectures 1, 2, 3)
  – Mobile operating systems: iOS and Android
  – Development environments: Xcode, Eclipse with Android SDK
  – Programming: Objective-C and Android programming
• System Support for Mobile App Optimization (lectures 4, 5)
  – Mobile device power models, energy profiling and ebug debugging
  – Core OS topics: virtualization, storage and OS support for power and context management
• Interaction with Cellular Networks (lectures 6, 7, 8)
  – Basics of 3G/LTE cellular networks
  – Mobile application cellular radio resource usage profiling
  – Measurement-based cellular network and traffic characterization
• Interaction with the Cloud (lectures 9, 10)
  – Mobile cloud computing platform services: push notification, iCloud and Google Cloud Messaging
  – Mobile cloud computing architecture and programming models
• Mobile Platform Security and Privacy (lectures 11, 12, 13)
  – Mobile platform security: malware detection and characterization, attacks and defenses
  – Mobile data and location privacy: attacks, monitoring tools and defenses
Outline
• Non-malware (Yunjia Dai and David Engelhardt)
  – Misuse of personal/phone identifiers, and deep penetration of advertising and analytics networks
• Malware characterization (Hao Hu and Chaoteng Cheng)
  – Installation
  – Activation
  – Malicious payloads
  – Evolution
• DroidRanger: non-virtualization-based malware detection (Yibo Zhu and Li Yan)
  – Behavioral footprint matching for known malware
  – Dynamic execution monitoring for unknown malware
• DroidScope: virtualization-based malware detection
  – Reconstruct OS, Dalvik VM and native views
Android Malware: Characterization and Evolution
• Malware characterization
  – Installation
  – Activation
  – Malicious payloads
• Evolution
Motivation
Courtesy Yajin Zhou et al.
[Chart: cumulative Android malware increase, Jun-11 to Dec-11, from 100% to 3,320%. Source: Juniper Networks 2011 Mobile Threats Report.]
• Develop effective defense solutions
• Know your enemy
  – Insightful understanding of Android malware
  – Comprehensive Android malware samples
Contributions
• Present the first large public collection of Android malware samples
  – 52 families in total were publicly reported between Aug 2010 and Oct 2011
  – Our dataset has 1260 samples in 49 families
• Share the dataset with the research community
  – Google “Android Malware Genome Project”
• Provide initial insights about Android malware
  – Characterization
  – Evolution
Malware Trends
[Chart: cumulative number of new malware samples in the collection by month, 2010–2011, rising to 1260; the largest jumps are labeled DroidKungFu (including its variants) and AnserverBot.]
Malware Characterization
• Installation methods
• Activation mechanisms
• Malicious payloads
Malware Installation
• Users tend not to install malware intentionally
• Attackers trick users into installing malware
  – Repackaging
  – Update attack
  – Drive-by download
Installation: Repackaging
[Figure: legitimate app + attacker-added payload = repackaged app.]
• 86% of samples in our dataset are repackaged
• Victim apps
  – Popular games
  – Utility apps
  – Entertainment apps
• “Trustworthy” package names
  – com.google.ssearch, com.google.update
[Figure: a repackaged security tool; its malicious payload is based on publicly available code on Google Code.]
Installation: Update Attack
• Ask the user to update to the “latest” version
  – Child app: BaseBridge
  – Downloaded app: DroidKungFuUpdate
• Dynamically load and execute bytecode
  – Plankton, AnserverBot
• DroidKungFuUpdate
  – Downloads the “latest” version from a remote server
  – The downloaded app is DroidKungFu malware
[Figure: update dialog reading “New version 2.2 found. Do you want to download?”]
Installation: Drive-by Download
• Trick users into downloading “interesting” apps
  – QR code: Jifake
  – In-app advertisement: GGTracker
[Figure: in-app advertisement reading “Biker69 seems to like this app.”]
Malware Activation
• By listening to various system events
• By hijacking the main activity
[Chart: distribution of malware activation events, number of malware samples per event. Bars for BOOT, SMS, NET, CALL, USB, PKG, BAT, SYS and MAIN; values read from the chart: 1050, 398, 288, 112, 187, 725, 782, 56, 17.]
Malicious Payloads
• Privilege escalation
• Remote control
• Financial charges
• Information collection
Payloads: Privilege Escalation
• Use publicly available root exploits to gain root privilege
  – Exploid, RATC, Zimperlich, KillingInTheNameOf, GingerBreak, zergRush
• 37% of malware samples use root exploits
• 30% use more than one root exploit
• Malware is getting smarter
  – DroidDream: unencrypted root exploits
    • Exploit name as its file name
  – DroidKungFu: encrypted root exploits
    • myicon, secbino
  – DroidCoupon: root exploit with obfuscated file name
    • ratc.png
Payloads: Remote Control
• 92% of them use HTTP-based C&C servers
• C&C server URLs can be encrypted
  – Pjapps: custom encoding scheme
    2maodb3ialke8mdeme3gkos9g1icaofm -> mobilemeego91.com
  – DroidKungFu3: AES encryption
    29BB083B93AE6DD6FB4E2F353586C56218DA99F2421B4B12C6FC74F -> http://search.zi18.com:8511/search/
  – Geinimi: DES encryption
    F3E8E8FF2295907534814906FE15A460C3BA03E785ee24082afa27568f4f1e0acc961d767dd7e9ad2131ec4c3 -> 117.135.134.185:8080
  – AnserverBot: Base64
    HoiprJbh9CVp9I0h8Cg1zKVO7CAO7CfaPJSQfvMUH2B574i18CQ_ -> http://b4.cookier.co.cc:8080/jk.action
Payloads: Financial Charges
• Send SMS
  – to hardcoded premium-rate numbers
    • FakePlayer, YZHC …
  – to other numbers controlled by remote servers
    • AnserverBot, BeanBot
• Delete/block SMS
  – to remove fee charge information
    • Zsone, RogueSPPush …
• Reply to SMS
  – to confirm subscription to premium services
    • GGTracker, RogueLemon …
Payloads: Information Collection
[Chart: number of apps collecting user information: SMS 138, phone number 563, user account 43.]
Permission Usage
[Chart: number of malware samples vs. benign apps requesting each permission.]
  Permission               Malware  Benign apps  Purpose
  RECEIVE_BOOT_COMPLETED   688      137          Get started as soon as possible
  RECEIVE_SMS              499      24           Manipulate SMS
  SEND_SMS                 553      43           Manipulate SMS
  WRITE_SMS                658      9            Manipulate SMS
  READ_SMS                 790      17           Manipulate SMS
  CHANGE_WIFI_STATE        398      34           Trigger root exploit
Evolution: AnserverBot
• BaseBridge + Plankton
  – Malicious payload: BaseBridge
  – Dynamic loading: Plankton
• Heavy use of encryption and obfuscation
    String e=Xmlns.d("8CB9zKRj84uO");                                  -> onKeyDown
    String f=Xmlns.d("8CBozKiTrtgdcxBNutkE8kMCzKFNHxMOKCRD");         -> onGetApk_Install_version_id
    String g=Xmlns.d("uIkEuxy_");                                      -> valuepayload
• Anti-analysis
• Security software detection
• C&C servers
  – Address is encrypted (encrypted address of Svvdrz’s blog)
    HoiprJbh9CFE8CrOrCRO7cBw8CpO7CQhr2MW8tMeKNnp0JT57wrQfJjYfoFOXxyOHoig8S__ -> http://blog.sina.com.cn/s/blog_8440ab780100rnye.html
  – Public blog
Discussion
• Most samples are repackaged
  – Police the Android markets
• More than one third of the samples enclose root exploits
  – Apply patches in a timely manner
• Nearly half of the samples subscribe to premium-rate services with background SMS
  – Enhance the Android framework
• Mobile security apps can be improved
  – Develop new defense solutions
Related Work
• Identify privacy leakage problems
  – TaintDroid [Enck et al., OSDI 10], ComDroid [Chin et al., MobiSys 11], Stowaway [Felt et al., CCS 11], AdRisk [Grace et al., WiSec 12], Woodpecker [Grace et al., NDSS 12], DroidMOSS [Zhou et al., CODASPY 12], …
• Enhance Android framework
  – Kirin [Enck et al., CCS 09], TISSA [Zhou et al., TRUST 11], QUIRE [Dietz et al., USENIX Security 11], Cells [Andrus et al., SOSP 11], …
• Assess/survey mobile apps
  – App Security [Enck et al., USENIX Security 11], Malware Survey [Felt et al., CCS-SPSM 11], DroidRanger [Zhou et al., NDSS 12], RiskRanker [Grace et al., MobiSys 12], …
Conclusion
• Present the first large public Android malware collection
  – Shared with the whole research community
• Characterize the malware samples
• Study the evolution of Android malware
• Call for better anti-mobile-malware solutions

Dataset Release
• Android Malware Genome Project
  – http://malgenomeproject.org
DroidRanger
• DroidRanger: non-virtualization-based malware detection
• Known malware
  – Permission-based filtering
  – Behavioral footprint matching for known malware
• Unknown malware
  – Heuristics-based filtering, e.g. dynamic loading of new code
  – Dynamic execution monitoring for unknown malware
Design Goals
• Scalability → permission-based filtering
• Accuracy → behavioral footprint matching
• Zero-day malware detection → heuristics-based detection
System Overview
[Figure: apps crawled from representative Android markets go into an app repository. The footprint-based detection engine, fed with permission-based behavioral footprints distilled from malware samples, reports infections from known malware; the heuristics-based detection engine, fed with heuristics, reports infections from zero-day malware.]
Courtesy Yajin Zhou et al.
Footprint-Based Detection Engine
• Filter apps with essential permissions
  Malware          Essential permissions                                        Apps
  Geinimi          INTERNET, SEND_SMS                                           7,620 (4.17%)
  ADRD             INTERNET, ACCESS_NETWORK_STATE, RECEIVE_BOOT_COMPLETED       10,379 (5.68%)
  Pjapps           INTERNET, RECEIVE_SMS                                        4,637 (2.54%)
  Bgserv           INTERNET, RECEIVE_SMS, SEND_SMS                              2,880 (1.58%)
  DroidDream       CHANGE_WIFI_STATE                                            4,096 (2.24%)
  zHash            CHANGE_WIFI_STATE                                            4,096 (2.24%)
  BaseBridge       NATIVE CODE                                                  8,272 (4.52%)
  DroidDreamLight  INTERNET, READ_PHONE_STATE                                   71,095 (38.89%)
  Zsone            RECEIVE_SMS, SEND_SMS                                        3,204 (1.75%)
  jSMSHider        INSTALL_PACKAGES                                             1,210 (0.66%)
  (The CHANGE_WIFI_STATE candidates are reduced to 0.67% when a broadcast receiver is also required.)
• Distill malware behaviors as a behavioral footprint
  – Information in the manifest file
    • e.g. contains a receiver listening to SMS_RECEIVED
  – Semantics in the bytecode
  – Structural layout of the app
• Behavioral footprint of Zsone
  – Registers a receiver listening to SMS_RECEIVED
  – Calls abortBroadcast in the receiver
  – Sends SMS messages to premium numbers
• Match apps against malware behavioral footprints
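The two stages described above, and the activation-event taxonomy from the earlier slide, as an added example that is not DroidRanger's code: a permission filter over the essential-permission sets in the table, a manifest parser that reports which broadcast events (BOOT, SMS) can activate the app, and a matcher for the Zsone footprint. The manifests and the per-class call summaries are constructed inputs; in a real pipeline the call summary would come from the disassembled bytecode, and the "premium number" test (a constant all-digit destination of at most six digits) is an assumption made here, not DroidRanger's rule.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"

# Essential-permission sets for four families, taken from the table above.
ESSENTIAL = {
    "Geinimi": {"INTERNET", "SEND_SMS"},
    "Pjapps": {"INTERNET", "RECEIVE_SMS"},
    "Bgserv": {"INTERNET", "RECEIVE_SMS", "SEND_SMS"},
    "Zsone": {"RECEIVE_SMS", "SEND_SMS"},
}


def parse_manifest(xml_text):
    """Return (permissions, receivers): short permission names, and for each
    receiver class the set of broadcast actions its intent filters listen for."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME).rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    receivers = {}
    for r in root.iter("receiver"):
        receivers[r.get(NAME)] = {a.get(NAME) for f in r.findall("intent-filter")
                                  for a in f.findall("action")}
    return perms, receivers


def permission_filter(perms):
    """Stage 1: families whose essential permissions the app requests. Cheap,
    but a benign SMS client passes it too; it only narrows the candidates."""
    return {fam for fam, need in ESSENTIAL.items() if need <= perms}


def activation_events(receivers):
    """System events (as in the activation chart) that can wake the app."""
    events = set()
    for actions in receivers.values():
        if BOOT_COMPLETED in actions:
            events.add("BOOT")
        if SMS_RECEIVED in actions:
            events.add("SMS")
    return events


def matches_zsone_footprint(perms, receivers, calls):
    """Stage 2: the Zsone footprint: a receiver for SMS_RECEIVED that calls
    abortBroadcast (hiding the carrier's charge notice) plus an SMS sent to a
    constant short code. `calls` maps a class to (api, constant-argument) pairs."""
    if not {"RECEIVE_SMS", "SEND_SMS"} <= perms:
        return False
    sms_rcv = [c for c, acts in receivers.items() if SMS_RECEIVED in acts]
    aborts = any(api == "abortBroadcast" for c in sms_rcv for api, _ in calls.get(c, []))
    premium = any(api == "sendTextMessage" and dest is not None
                  and dest.isdigit() and len(dest) <= 6          # assumed short-code rule
                  for pairs in calls.values() for api, dest in pairs)
    return bool(sms_rcv) and aborts and premium


def scan(manifest_xml, calls):
    perms, receivers = parse_manifest(manifest_xml)
    return {"candidates": permission_filter(perms),
            "activation": activation_events(receivers),
            "zsone": matches_zsone_footprint(perms, receivers, calls)}


def manifest(pkg, perms, receiver, actions):
    """Build a minimal AndroidManifest.xml (constructed test input)."""
    uses = "".join('<uses-permission android:name="android.permission.%s"/>' % p for p in perms)
    acts = "".join('<action android:name="%s"/>' % a for a in actions)
    return ('<manifest xmlns:android="%s" package="%s">%s<application><receiver '
            'android:name="%s"><intent-filter>%s</intent-filter></receiver>'
            '</application></manifest>' % (ANDROID_NS, pkg, uses, receiver, acts))


# Constructed samples: a legitimate SMS client and a Zsone-like repackaged app.
BENIGN = manifest("com.example.sms", ["INTERNET", "RECEIVE_SMS", "SEND_SMS"],
                  "com.example.sms.Receiver", [SMS_RECEIVED, BOOT_COMPLETED])
BENIGN_CALLS = {"com.example.sms.Receiver": [("getMessageBody", None)],
                "com.example.sms.Compose": [("sendTextMessage", None)]}
TROJAN = manifest("com.example.game", ["RECEIVE_SMS", "SEND_SMS"],
                  "com.example.game.Rcv", [SMS_RECEIVED, BOOT_COMPLETED])
TROJAN_CALLS = {"com.example.game.Rcv": [("abortBroadcast", None),
                                         ("sendTextMessage", "10621")]}  # constructed short code

if __name__ == "__main__":
    for label, m, c in (("benign", BENIGN, BENIGN_CALLS), ("trojan", TROJAN, TROJAN_CALLS)):
        print(label, scan(m, c))
```

Both constructed apps pass the permission filter and both are activated by BOOT and SMS; only the footprint match separates them, which is the accuracy argument behind stage 2.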
Heuristics-Based Detection Engine
• Filter apps with dynamic Java/native code loading
  – 1055 apps load Java code
  – 508 apps load native code from non-standard locations
• Monitor apps’ dynamic execution behaviors
  – Java code: permission-related framework APIs
  – Native code: system calls requiring root privileges
Evaluation: Data Set
• Crawled the official market and four alternative markets
• Collected 204,040 free apps during 05/2011–06/2011
  – Official Market 153,002; eoeMarket 17,229; alcatelclub 14,943; gfan 10,385; mmoovv 8,481

Evaluation: Overview
  Malware    Official Market  eoeMarket   alcatelclub  gfan        mmoovv      Total
  Known      21               51          48           20          31          171
  Zero-day   11               9           10           1           9           40
  Total      32 (0.02%)       60 (0.35%)  58 (0.39%)   21 (0.20%)  40 (0.47%)  211
Evaluation: Known Malware Samples
• 20 samples from 10 malware families
  Malware          First report  Summary
  Geinimi          10/2010       Trojan with bot-like capability
  ADRD             02/2011       Trojan with bot-like capability
  Pjapps           02/2011       Trojan with bot-like capability
  Bgserv           03/2011       Trojan with bot-like capability
  DroidDream       03/2011       Root exploit with Exploid, Rageagainstthecage
  zHash            03/2011       Root exploit with Exploid
  BaseBridge       05/2011       Root exploit with Rageagainstthecage
  DroidDreamLight  05/2011       Trojan with information stealing capability
  Zsone            05/2011       Trojan that sends premium-rate SMS
  jSMSHider        06/2011       Trojan that targets third-party firmware
Evaluation: Apps Infected by Known Malware
[Chart: number of infected apps per family (Geinimi, ADRD, Pjapps, Bgserv, DroidDream, zHash, BaseBridge, DroidDreamLight, Zsone, jSMSHider), broken down by market (Official Market, eoeMarket, alcatelclub, gfan, mmoovv); Geinimi is annotated “first report: 10/2010”.]
Evaluation: False Positives
[Chart: detections for Pjapps, BaseBridge, jSMSHider, Bgserv and ADRD by DroidRanger, Lookout version 6.11 (11/2011) and Lookout version 6.3 (08/2011); individual bar values are not recoverable from the extracted text.]
Evaluation: False Negatives
• 24 samples in 10 known families from contagio
• DroidRanger detected 23 samples (96%)
  – Missed a payload of DroidDream, not the malware itself
  – Found one mis-categorized sample for ADRD
Evaluation: Zero-day Malware
• Detected two zero-day malware families using heuristics
  – Plankton: dynamic loading of Java code
  – DroidKungFu: dynamic loading of native code
• Detected 40 samples using behavioral footprints
  – 11 samples from the official Android Market
  – 30 samples from alternative Android markets
• Plankton behaviors
  – Uploads a list of permissions before downloading a payload
  – Contains a bot-like command and control channel
• DroidKungFu behaviors
  – Contains two encrypted root exploits
  – Installs a payload app mimicking Google Search
Discussion
• A call for a rigorous vetting process
  – A large number of users can be infected
  – Malware can exist in alternative markets for a long time
  – Root exploits are used by much malware
  – Zero-day malware exists in Android markets
• Need more comprehensive heuristics
  – Background sending of unauthorized SMS messages
  – Bot-like behavior controlled by SMS messages
Related Work
• Smartphone platform security
  – TaintDroid (Enck et al., OSDI 10), PiOS (Egele et al., NDSS 11), Stowaway (Felt et al., CCS 11), Cells (Andrus et al., SOSP 11), AppFence (Hornyack et al., CCS 11), Quire (Dietz et al., USENIX Security 11), A Study of Android Application Security (Enck et al., USENIX Security 11), TISSA (Zhou et al., TRUST 11), Woodpecker (Grace et al., NDSS 12) …
• Malware detection on mobile devices
  – pBMDS (Xie et al., WiSec 10), VirusMeter (Liu et al., RAID 09), Crowdroid (Burguera et al., CCS-SPSM 11) …
• Other systematic security studies
  – HoneyMonkey (Wang et al., NDSS 06), Systematic Web Spyware Study (Moshchuk et al., NDSS 06), All Your iFRAMEs Point to Us (Provos et al., USENIX Security 08) …
Conclusion
• DroidRanger is a system to systematically study the overall health of existing Android markets
• Results (the table from the Evaluation: Overview slide): 211 malicious apps in total, 171 from known families and 40 zero-day
DroidScope: Virtualization-Based Malware Detection
• Runs the target as a VM
  – Reconstructs the OS, Dalvik VM and native views
Android
[Figure: Android software stack with Java components (system services, apps) above native components.]
Courtesy Lok Kwong Yan & Heng Yin
Motivation: Static Analysis
• Dalvik/Java static analysis: ded, Dexpler, soot, Woodpecker, DroidMOSS
• Native static analysis: IDA, binutils, BAP

Motivation: Dynamic Analysis
• Android analysis: TaintDroid, DroidRanger
• System calls: logcat, adb
• External analysis: Anubis, Ether, TEMU, …

DroidScope Overview
[Figure: DroidScope architecture.]
Goals
• Dynamic binary instrumentation for Android
  – Leverage the Android Emulator in the SDK
  – No changes to Android Virtual Devices
  – External instrumentation
    • Linux context
    • Dalvik context
  – Extensible: plugin support / event-based interface
  – Performance
    • Partial JIT support
    • Instrumentation optimization
Roadmap
• External instrumentation (this part)
  – Linux context
  – Dalvik context
• Extensible: plugin support / event-based interface
• Evaluation
  – Performance
  – Usage
Linux Context: Identify App(s)
• Shadow task list
  – pid, tid, uid, gid, euid, egid, parent pid, pgd, comm
  – argv[0]
• Shadow memory map
  – Address Space Layout Randomization (Ice Cream Sandwich)
• Updated on
  – fork, execve, clone, prctl and mmap2
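The shadow task list and memory map, maintained from the five system calls listed above, as an added example that is not DroidScope's code. The event trace is constructed; the kernel's 16-byte comm field truncates a long package name to 15 characters, which is why argv[0] is tracked as well, and this model assumes the prctl handler re-reads argv[0] after the rename. The pgd and the gid/euid/egid fields are left out.

```python
import os

COMM_LEN = 15  # the kernel keeps 16 bytes for comm: 15 characters plus NUL


class ShadowTaskList:
    """Per-pid record: ppid, uid, comm, argv0, thread ids and file-backed mappings."""

    def __init__(self):
        self.tasks = {}

    def _new(self, pid, ppid, uid, comm, argv0, maps):
        self.tasks[pid] = {"ppid": ppid, "uid": uid, "comm": comm, "argv0": argv0,
                           "threads": {pid}, "maps": list(maps)}

    def on_fork(self, ppid, child):
        p = self.tasks[ppid]  # the child starts as a copy of its parent
        self._new(child, ppid, p["uid"], p["comm"], p["argv0"], p["maps"])

    def on_clone_thread(self, pid, tid):
        self.tasks[pid]["threads"].add(tid)  # shares the address space, so no new maps

    def on_execve(self, pid, argv0, uid):
        ppid = self.tasks[pid]["ppid"] if pid in self.tasks else 0
        self._new(pid, ppid, uid, os.path.basename(argv0)[:COMM_LEN], argv0, [])

    def on_prctl_set_name(self, pid, name):
        t = self.tasks[pid]
        t["comm"] = name[:COMM_LEN]  # PR_SET_NAME truncates, e.g. a long package name
        t["argv0"] = name            # assumption: argv[0], rewritten by Android, is re-read here

    def on_mmap2(self, pid, start, length, path):
        if path:  # only file-backed mappings carry a module name
            self.tasks[pid]["maps"].append((start, start + length, path))

    def apply(self, event):
        kind, args = event[0], event[1:]
        {"fork": self.on_fork, "clone": self.on_clone_thread, "execve": self.on_execve,
         "prctl": self.on_prctl_set_name, "mmap2": self.on_mmap2}[kind](*args)

    def find_pid(self, name):
        """Look an app up by its full name (argv0) or by the truncated comm."""
        return sorted(pid for pid, t in self.tasks.items() if name in (t["argv0"], t["comm"]))

    def module_at(self, pid, addr):
        for start, end, path in self.tasks[pid]["maps"]:
            if start <= addr < end:
                return path
        return None


APP = "com.andhuhu.fengyinchuanshuo"  # the target app named on the tracer slide
TRACE = [  # constructed event trace: zygote starts, forks the app, which loads its dex
    ("execve", 58, "/system/bin/app_process", 0),
    ("prctl", 58, "zygote"),
    ("fork", 58, 312),
    ("prctl", 312, APP),
    ("mmap2", 312, 0x4A0A0000, 0x30000,
     "/data/dalvik-cache/data@app@" + APP + "-1.apk@classes.dex"),
    ("clone", 312, 313),
]


def run(trace=TRACE):
    s = ShadowTaskList()
    for ev in trace:
        s.apply(ev)
    return s


if __name__ == "__main__":
    s = run()
    print(s.find_pid(APP), s.tasks[312]["comm"], s.module_at(312, 0x4A0A1234))
```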
Java/Dalvik View
• Dalvik virtual machine
  – Register machine (all on stack)
  – 256 opcodes
  – Saved state (glue) pointed to by ARM R6; on the stack in x86
• mterp
  – Offset addressing: fetch opcode, then jump to (dvmAsmInstructionStart + opcode * 64)
  – dvmAsmSisterStart for handlers that overflow their 64-byte slot
• Which Dalvik opcode?
  1. Locate dvmAsmInstructionStart in the shadow memory map
  2. Calculate opcode = (R15 − dvmAsmInstructionStart) / 64
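The two-step opcode recovery above, turned into a Dalvik instruction-begin event stream from a native PC trace, as an added example that is not DroidScope's code. It assumes the Linux-context layer has already resolved the dvmAsmInstructionStart, dvmAsmSisterStart and dvmAsmSisterEnd symbols into the shadow memory map (the addresses here are constructed), and it models the JIT caveat from the next slides: a PC for which dvmGetCodeAddr would return a compiled trace is not being interpreted by mterp at all.

```python
HANDLER_STRIDE = 64   # each mterp handler occupies a 64-byte slot
NUM_OPCODES = 256

# A few real Dalvik opcode numbers, for readable output.
OPCODE_NAMES = {0x00: "nop", 0x01: "move", 0x0c: "move-result-object",
                0x0e: "return-void", 0x1a: "const-string", 0x22: "new-instance",
                0x6e: "invoke-virtual"}


def opcode_to_str(op):
    return OPCODE_NAMES.get(op, "op_0x%02x" % op)


def lookup_symbol(shadow_map, symbol):
    """Step 1: resolve a symbol through the shadow memory map, modelled as a list of
    (module_base, module_name, {symbol: offset}) entries."""
    for base, _name, symbols in shadow_map:
        if symbol in symbols:
            return base + symbols[symbol]
    raise KeyError(symbol)


def dalvik_opcode(pc, insn_start):
    """Step 2: opcode = (PC - dvmAsmInstructionStart) / 64. Returns (opcode, at_entry);
    at_entry is True only on the handler's first instruction, which is the moment the
    Dalvik instruction begins. Any PC outside the handler table (including the
    sister region of overflowed handlers) yields None: it cannot be mapped to an
    opcode by this arithmetic alone."""
    off = pc - insn_start
    if 0 <= off < NUM_OPCODES * HANDLER_STRIDE:
        return off // HANDLER_STRIDE, off % HANDLER_STRIDE == 0
    return None


def trace_dalvik(native_pcs, shadow_map, jit_code_addr=lambda pc: None):
    """Emit one event per Dalvik instruction begin. `jit_code_addr` stands in for
    dvmGetCodeAddr: a non-None result means a JIT'ed trace runs instead of mterp,
    so that PC is counted rather than decoded (hence DroidScope disables the JIT)."""
    insn_start = lookup_symbol(shadow_map, "dvmAsmInstructionStart")
    sister_start = lookup_symbol(shadow_map, "dvmAsmSisterStart")
    sister_end = lookup_symbol(shadow_map, "dvmAsmSisterEnd")
    events, jitted, sister = [], 0, 0
    for pc in native_pcs:
        if jit_code_addr(pc) is not None:
            jitted += 1
            continue
        res = dalvik_opcode(pc, insn_start)
        if res is None:
            if sister_start <= pc < sister_end:
                sister += 1   # inside an overflowed handler's continuation
            continue
        op, at_entry = res
        if at_entry:
            events.append(opcode_to_str(op))
    return events, jitted, sister


# Constructed shadow map: libdvm.so loaded at 0x40000000 with the mterp symbols.
SHADOW_MAP = [(0x40000000, "libdvm.so",
               {"dvmAsmInstructionStart": 0x60000,   # 256 * 64 = 0x4000 bytes of handlers
                "dvmAsmSisterStart": 0x64000, "dvmAsmSisterEnd": 0x66000})]


def demo():
    """A constructed PC trace: const-string, invoke-virtual (two PCs inside its
    handler), one PC in the sister region, move-result-object, return-void."""
    s = 0x40060000
    pcs = [s + 0x1a * 64, s + 0x1a * 64 + 8, s + 0x6e * 64, s + 0x6e * 64 + 4,
           0x40064100, s + 0x0c * 64, s + 0x0e * 64]
    return trace_dalvik(pcs, SHADOW_MAP)


if __name__ == "__main__":
    print(demo())
```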
Just In Time (JIT) Compiler
• Designed to boost performance
• Triggered by a counter; mterp is always the default
• Trace based
  – Multiple basic blocks
  – Multiple exits or chaining cells
  – Complicates external introspection
  – Complicates instrumentation

Disabling JIT
[Figure: the interpreter switches to compiled code when dvmGetCodeAddr(PC) != NULL.]
Roadmap
• External instrumentation (done)
  – Linux context
  – Dalvik context
• Extensible: plugin support / event-based interface (this part)
• Evaluation
  – Performance
  – Usage
Instrumentation Design
• Event-based interface
  – Execution: e.g. native and Dalvik instructions
  – Status: updated shadow task list
• Query and set, e.g. interpret and change CPU state
• Performance
  – Example: native instructions vs. Dalvik instructions
  – Instrumentation optimization

Dynamic Instrumentation
[Flowchart: Update PC → inCache? (no: Translate) → needFlush? (yes: flush by flushType) → Execute. (un)registerCallback triggers invalidateBlock(s) or flushCache.]

Instrumentation
[Figure.]
Dalvik Instruction Tracer (Example)
    #include <stdio.h>
    #include <stdint.h>

    static int bInitialized = 0;   /* the slide omits this declaration */

    void opcode_callback(uint32_t opcode) {
        /* current Dalvik PC and the opcode being interpreted */
        printf("[%x] %s\n", GET_RPC, opcodeToStr(opcode));
    }

    void module_callback(int pid) {
        /* wait until the interpreter base of the target process is known */
        if (bInitialized || (getIBase(pid) == 0))
            return;
        gva_t startAddr = 0, endAddr = 0xFFFF;
        getModAddr("dfk@classes.dex", &startAddr, &endAddr);   /* address range of the app's dex */
        addDisableJITRange(pid, startAddr, endAddr);           /* keep mterp interpreting this range */
        disableJITInit(getGetCodeAddress(pid));
        addMterpOpcodesRange(pid, startAddr, endAddr);
        dalvikMterpInit(getIBase(pid));
        registerDalvikInsnBeginCb(&opcode_callback);           /* fire on every Dalvik instruction */
        bInitialized = 1;
    }

    void _init() {
        setTargetByName("com.andhuhu.fengyinchuanshuo");        /* the app to trace */
        registerTargetModulesUpdatedCb(&module_callback);
    }
Plugins
• API Tracer
  – System calls
    • open, close, read, write; includes parameters and return values
  – Native library calls
  – Java API calls
    • Java Strings converted to C strings
• Native and Dalvik Instruction Tracers
• Taint Tracker
  – Taints ARM instructions
  – One bit per byte
  – Data movement and arithmetic instructions, including the barrel shifter
  – Does not support control-flow tainting
Roadmap
• External instrumentation (done)
  – Linux context
  – Dalvik context
• Extensible: plugin support / event-based interface (done)
• Evaluation (this part)
  – Performance
  – Usage
Implementation
• Configuration
  – QEMU 0.10.50, part of the Gingerbread SDK
  – Gingerbread
    • “user-eng” build
    • No changes to source
  – Linux 2.6.29, QEMU kernel branch
Performance Evaluation
• Seven free benchmark apps
  – AnTu Benchmark (ABenchMark) by AnTu
  – CaffeineMark by Ravi Reddy
  – CF-Bench by Chainfire
  – Mobile processor benchmark (Multicore) by Andrei Karpushonak
  – Benchmark by Softweg
  – Linpack by GreeneComputing
• Six tests, repeated five times each
  – Baseline
  – NO-JIT Baseline: uses a build with JIT disabled at runtime
  – Context Only
  – API Tracer
  – Dalvik Instruction Tracer
  – Taint Tracker
Selected Performance Results
[Chart: API Tracer vs. NO-JIT; results are not perfect, with dynamic symbol retrieval as the main overhead.]
Usage Evaluation
• Use DroidScope to analyze real-world malware
  – API Tracer
  – Dalvik Instruction Tracer + dexdump
  – Taint Tracker: taint IMEI/IMSI at move-result-object after getIMEI/getIMSI
• Analyze included exploits
  – Removed patches in Gingerbread
  – Intercept system calls
  – Native instruction tracer
DroidKungFu
• Three encrypted payloads
  – ratc (Rage Against The Cage)
  – killall (ratc wrapper)
  – gjsvro (udev exploit)
• Three execution methods
  – Piped commands to a shell (default execution path)
  – Runtime.exec() Java API (instrumented path)
  – JNI to native library terminal emulator (instrumented path)
• Instrumented return values for the isVersion221 and getPermission methods

DroidKungFu: Taint Tracker
[Figure: taint-tracker output for DroidKungFu.]
DroidDream
• Same payloads as DroidKungFu
• Two processes
  – Normal droiddream process clears logcat
  – droiddream:remote is malicious
    • xor-encrypts private information before leaking it
    • Instrumented sys_connect and sys_write

DroidDream: Taint Tracker
[Figure: taint-tracker output for DroidDream.]

DroidDream: crypt trace
[Figure: instruction trace of the xor encryption routine.]
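The Taint Tracker rules from the Plugins slide (one taint bit per byte, propagation through data movement and arithmetic including the barrel-shifted operand, no control-flow tainting) applied to the DroidDream case above, as an added example that is not DroidScope's code. It runs a tiny ARM-like register machine, not real ARM code; the IMEI value, the xor key and the programs are constructed. The first scenario shows why the sys_write sink still catches the leak even though the data was xor-encrypted first; the second shows the barrel-shifter rule on a single tainted byte; the third shows the documented limitation, a copy made through compare-and-branch, which loses the taint. The "add taints the whole word" rule is a conservative choice made here, not necessarily DroidScope's.

```python
MASK32 = 0xFFFFFFFF


def rotr(v, n):
    n %= 32
    return ((v >> n) | (v << (32 - n))) & MASK32


def shift_taint(mask, kind, n):
    """Move a 4-bit per-byte taint mask the way the barrel shifter moves bytes; a
    shift that is not a multiple of 8 spills into the neighbouring byte too."""
    b, spill = n // 8, (1 if n % 8 else 0)
    if kind == "lsl":
        out = (mask << b) | (mask << (b + spill))
    elif kind == "lsr":
        out = (mask >> b) | (mask >> (b + spill))
    else:  # ror: rotate the four byte positions
        out = 0
        for i in range(4):
            if mask >> i & 1:
                out |= 1 << ((i - b) % 4) | 1 << ((i - b - spill) % 4)
    return out & 0xF


class Machine:
    """Registers hold a value and a 4-bit taint mask; memory a value and a taint bit per byte."""

    def __init__(self):
        self.r, self.rt = [0] * 16, [0] * 16
        self.mem, self.memt = {}, {}
        self.leaks = []

    def put(self, addr, data, tainted=False):  # place bytes; tainted=True marks a source
        for i, byte in enumerate(data):
            self.mem[addr + i], self.memt[addr + i] = byte, int(tainted)

    def ldr(self, rd, addr, width=4):  # ldr / ldrb: taint bits follow the bytes
        v = t = 0
        for i in range(width):
            v |= self.mem.get(addr + i, 0) << (8 * i)
            t |= self.memt.get(addr + i, 0) << i
        self.r[rd], self.rt[rd] = v, t

    def str(self, rs, addr, width=4):  # str / strb
        for i in range(width):
            self.mem[addr + i] = (self.r[rs] >> (8 * i)) & 0xFF
            self.memt[addr + i] = (self.rt[rs] >> i) & 1

    def operand(self, rm, shift):  # second operand through the barrel shifter
        v, t = self.r[rm], self.rt[rm]
        if shift is None:
            return v, t
        kind, n = shift
        v = (v << n) & MASK32 if kind == "lsl" else v >> n if kind == "lsr" else rotr(v, n)
        return v, shift_taint(t, kind, n)

    def mov_imm(self, rd, imm):  # immediates are never tainted
        self.r[rd], self.rt[rd] = imm & MASK32, 0

    def mov(self, rd, rm, shift=None):
        self.r[rd], self.rt[rd] = self.operand(rm, shift)

    def alu(self, op, rd, rn, rm, shift=None):
        v1, t1 = self.r[rn], self.rt[rn]
        v2, t2 = self.operand(rm, shift)
        if op == "eor":  # bitwise: each result byte depends only on the same byte
            v, t = v1 ^ v2, t1 | t2
        else:            # add: carries cross bytes, so taint the whole word (conservative)
            v, t = (v1 + v2) & MASK32, (0xF if t1 | t2 else 0)
        self.r[rd], self.rt[rd] = v, t

    def sys_write(self, fd, addr, n):  # sink: count tainted bytes leaving the process
        tainted = sum(self.memt.get(addr + i, 0) for i in range(n))
        if tainted:
            self.leaks.append((fd, addr, tainted))
        return tainted


IMEI = b"356938035643809"  # constructed 15-digit value, not a real device


def xor_leak_scenario(key=0x5A5A5A5A):
    """IMEI xor-encrypted word by word, then written to a socket: 15 tainted bytes."""
    m = Machine()
    m.put(0x1000, IMEI, tainted=True)
    m.put(0x100F, b"\0")               # terminating NUL is not from the source
    m.mov_imm(1, key)
    for w in range(4):                 # ldr r0 ; eor r2, r0, r1 ; str r2
        m.ldr(0, 0x1000 + 4 * w)
        m.alu("eor", 2, 0, 1)
        m.str(2, 0x2000 + 4 * w)
    return m.sys_write(5, 0x2000, 16)


def shift_scenario():
    """One tainted byte through the barrel shifter: masks 0b0001 -> 0b0100 -> 0b0110."""
    m = Machine()
    m.put(0x1000, IMEI[:1], tainted=True)
    m.ldr(0, 0x1000, width=1)          # ldrb r0
    m.mov(1, 0, ("lsl", 16))           # mov r1, r0, lsl #16
    m.alu("eor", 3, 1, 1, ("ror", 8))  # eor r3, r1, r1, ror #8
    return m.rt[0], m.rt[1], m.rt[3]


def implicit_flow_scenario():
    """Copying a tainted digit by compare-and-branch rebuilds it from immediates, so
    the sink sees no taint: the control-flow tainting the tracker does not do."""
    m = Machine()
    m.put(0x1000, IMEI[:1], tainted=True)
    m.ldr(0, 0x1000, width=1)
    for digit in b"0123456789":
        if m.r[0] == digit:            # cmp r0, #digit ; beq: compares carry no taint
            m.mov_imm(3, digit)        # mov r3, #digit
    m.str(3, 0x2000, width=1)
    return m.sys_write(5, 0x2000, 1), m.mem[0x2000] == IMEI[0]
```

Tainting at the source (the IMEI bytes, as the Usage slide does at the move-result-object after getIMEI) and checking at the sink (sys_write) is what makes the xor encoding irrelevant to detection; the third scenario is the class of copy this byte-level tracker cannot follow.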
Related Work
• Static analysis
  – ded, Dexpler, soot
  – Woodpecker, DroidMOSS
• Dynamic analysis
  – TaintDroid, DroidRanger
  – PIN, Valgrind, DynamoRIO
  – Anubis, TEMU, Ether, PinOS
• Introspection
  – Virtuoso
  – VMwatcher
Challenges
• JIT
  – Full JIT support
  – Flushing the JIT cache
• Emulation detection
  – Real sensors: GPS, microphone, etc.
  – Bouncer
    • Timing assumptions, timeouts, events
• Closed-source systems, e.g. iOS
Summary
• DroidScope
  – Dynamic binary instrumentation for Android
  – Built on the Android Emulator in the SDK
  – External introspection and instrumentation support
  – Four plugins
    • API Tracer
    • Native Instruction Tracer
    • Dalvik Instruction Tracer
    • Taint Tracker
  – Partial JIT support