Slide 1
Reviving Android Malware with DroidRide: And How Not To
Min Huang, Kai Bu, Hanlin Wang, Kaiwen Zhu
Zhejiang University
CyberC 2016

Slide 2
Reviving Android Malware with DroidRide: And How Not To?

Slide 3
Reviving Android Malware with DroidRide: And How Not To
[diagram labels: malware, repackaged, obfuscated, evaded, install, "WOO HAH"]

Slide 4
malware
privilege escalation, remote control, financial charges, information stealing, …

Slide 5
malware

Slide 6
malware
Can scanners/detectors catch all?

Slide 7
malware
Can scanners/detectors catch all?
in 2011, 20.2%~79.6% of 1260 malware samples were detected

Slide 8
malware
Can scanners/detectors catch all?
in 2011, 20.2%~79.6% of 1260 malware samples were detected
How about now?

Slide 9
malware
Can scanners/detectors catch all?
in 2016, 17.9%~92.7% of 58 malware samples were detected on VirusTotal
How about now?
no detector detects all
test: known malware

Slide 10
malware
Can scanners/detectors catch all?
in 2016, 17.9%~92.7% of 58 malware samples were detected on VirusTotal
How about now?
40% of samples evade >50% of detectors

Slide 11
malware
Can scanners/detectors catch all? And app store?

Slide 12
malware
Can scanners/detectors catch all? And app store?
four out of ten top downloaded contact apps were detected as malware

Slide 13
malware
Can scanners/detectors catch all? And app store? Fixes on OS?

Slide 14
malware
Can scanners/detectors catch all? And app store? Fixes on OS? well…

Slide 15
Reviving Android Malware with DroidRide: And How Not To
[diagram labels: malware, repackaged, obfuscated, evaded, install, "WOO HAH"]
hack to secure

Slide 16
Reviving Android Malware with DroidRide: And How Not To

Slide 17
Reviving Android Malware with DroidRide: And How Not To

Slide 18
Reviving Android Malware with DroidRide: And How Not To
repackaging & obfuscation still work
extract exploitable code (instead of readily available malware samples)
inject it into benign app

Slide 19
Reviving Android Malware with DroidRide: And How Not To
remote access control
memo app

Slide 20
repackaged Notes supports injected remote access control

Slide 21
Reviving Android Malware with DroidRide: And How Not To

Slide 22
Reviving Android Malware with DroidRide: And How Not To
auto activation & uninstall resistance
register for a sys event Intent.ACTION_TIME_TICK to control activation rate

Slide 23
Reviving Android Malware with DroidRide: And How Not To
auto activation & uninstall resistance
root privilege needed
copy app to sys app folder
potential memory-drain attack

Slide 24
app escalated to sys level cannot be selected to delete

Slide 25
Reviving Android Malware with DroidRide: And How Not To
[diagram labels: malware, repackaged, obfuscated, evaded, install, "WOO HAH"]
hack to secure

Slide 26
defenses: static/dynamic analysis, behavioral analysis, market policy, …

Slide 27
Reviving Android Malware with DroidRide: And How Not To
[diagram labels: malware, repackaged, obfuscated, evaded, install, "WOO HAH"]
enhance detectors and Android OS

Slide 28
Thank You
Min_Huang@cs.cmu.edu, kaibu@zju.edu.cn
demo: https://www.youtube.com/watch?v=uGEcL9jT-a4
code: http://pan.baidu.com/s/1i56QNL7 (passwd: xo87)