Slide 1
DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks
Vaibhav Rastogi, Yan Chen, and Xuxian Jiang†
Lab for Internet and Security Technology, Northwestern University
†North Carolina State University
Slide 2
Android Dominance
- Smartphone sales already exceed PC sales
- Android world-wide market share ~70%
- Android market share in US ~50%
(Credit: Kantar Worldpanel ComTech)
Slide 3
Introduction
Source: http://play.google.com/ | retrieved: 4/29/2013
Slide 4
Objective
- Smartphone malware is evolving: encrypted exploits, encrypted C&C information, obfuscated class names, …
- Polymorphic attacks already seen in the wild
- Technique: transform known malware
What is the resistance of Android anti-malware against malware obfuscations?
Slide 5
Transformations: Three Types
Slide 6
Trivial Transformations
- Repacking: unzip, rezip, re-sign. Changes the signing key and the checksum of the whole app package.
- Reassembling: disassemble bytecode, AndroidManifest, and resources and reassemble again. Changes individual files.
Slide 7
DSA (Detectable by Static Analysis) Transformations
- Changing package name
- Identifier renaming
- Data encryption: encrypting payloads and native exploits
- Call indirections
- …
Slide 8
Evaluation
- 10 anti-malware products evaluated: AVG, Symantec, Lookout, ESET, Dr. Web, Kaspersky, Trend Micro, ESTSoft (ALYac), Zoner, Webroot
- Mostly million-figure installs; > 10M for three
- All fully functional
- 6 malware samples used: DroidDream, Geinimi, FakePlayer, BgServ, BaseBridge, Plankton
- Last done in February 2013
Slide 9
DroidDream Example: results per product (columns AVG, Symantec, Lookout, ESET, Dr. Web)
Rows: Repack; Reassemble; Rename package; Encrypt Exploit (EE); Rename identifiers (RI); Encrypt Data (ED); Call Indirection (CI); RI+EE; EE+ED; EE+Rename Files; EE+CI
[Table: the per-cell marks were flattened by extraction and cannot be reassigned to their columns.]
Slide 10
DroidDream Example: results per product (columns Kaspersky, Trend Micro, ESTSoft, Zoner, Webroot)
Rows: Repack; Reassemble; Rename package; Encrypt Exploit (EE); Rename identifiers (RI); Encrypt Data (ED); Call Indirection (CI); RI+EE; EE+ED; EE+Rename Files; EE+CI
[Table: the per-cell marks were flattened by extraction and cannot be reassigned to their columns.]
Slide 11
Findings
- All the studied tools were found vulnerable to common transformations
- At least 43% of signatures are not based on code-level artifacts
- 90% of signatures do not require static analysis of bytecode
- Only one tool (Dr. Web) was found to be using static analysis
Slide 12
Signature Evolution
- Study over one year (Feb 2012 – Feb 2013)
- Key finding: anti-malware tools have evolved towards content-based signatures
- Last year 45% of signatures were evaded by trivial transformations, compared to 16% this year
- Content-based signatures are still not sufficient
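As an added example (not from the slides or the authors' DroidChameleon framework), the Python below builds a constructed stand-in for an APK, repacks it as slide 6 describes (re-ordered entries, new timestamps, a different placeholder signature file) and compares the two signature styles the findings contrast: a whole-package checksum changes, a content-based per-entry hash does not. It does not model reassembling, which rewrites the individual files and would defeat the per-entry hash too; the entry names and bytes are placeholders, not a real application.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an APK: a zip holding a manifest, a dex blob and a
# signature block. The bytes are placeholders, not a real application.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
    "classes.dex": b"dex\n035\x00" + bytes(range(64)),
}
ORIGINAL_ORDER = ["AndroidManifest.xml", "classes.dex", "META-INF/CERT.RSA"]
REPACKED_ORDER = ["classes.dex", "AndroidManifest.xml", "META-INF/CERT.RSA"]


def build_apk(order, date_time, sig_bytes):
    """Write the sample entries into an in-memory zip, in the given order,
    with the given entry timestamps and signature-block contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            data = sig_bytes if name.startswith("META-INF/") else SAMPLE_ENTRIES[name]
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


def package_hash(apk_bytes):
    """Whole-package signature: hash of the APK file exactly as shipped."""
    return hashlib.sha256(apk_bytes).hexdigest()


def content_hashes(apk_bytes):
    """Content-based signature: hash of each non-signature entry's bytes,
    independent of entry order, timestamps and the signing key."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in sorted(zf.namelist())
                if not name.startswith("META-INF/")}


def repack_demo():
    """Repack the sample (unzip, rezip, re-sign) and report which signature
    style still matches the original. Returns a dict of booleans."""
    original = build_apk(ORIGINAL_ORDER, (2013, 2, 1, 0, 0, 0), b"placeholder-signature-A")
    repacked = build_apk(REPACKED_ORDER, (2013, 4, 29, 12, 0, 0), b"placeholder-signature-B")
    return {
        "package_hash_matches": package_hash(original) == package_hash(repacked),
        "content_hashes_match": content_hashes(original) == content_hashes(repacked),
    }


if __name__ == "__main__":
    print(repack_demo())  # {'package_hash_matches': False, 'content_hashes_match': True}
```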
Slide 13
Takeaways
Slide 14
Impact
- The focus of a Dark Reading article on April 29
- Contacted by Lookout Director of Security Engineering regarding transformation samples and tools on May 2nd
- Contacted by McAfee Lab and TechNewsDaily this week …
Slide 15
Slide 16
Conclusion
- Developed a systematic framework for transforming malware
- Evaluated latest popular Android anti-malware products
- All products vulnerable to malware transformations
Slide 17
Thank You!
http://list.cs.northwestern.edu/mobile
Slide 18
Backup
Slide 19
Solutions
Slide 20
Example: String Encryption
Slide 21
Example: String Encryption
Slide 22
NSA (Non-detectable by Static Analysis) Transformations
- Reflection: obfuscate method calls. Subsequent encryption of method names can defeat all kinds of static analysis.
- Bytecode encryption: encrypt the malicious bytecode and load it at runtime using a user-defined class loader.
Slide 23
Product Details