Slide 1: DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks
Vaibhav Rastogi, Yan Chen, and Xuxian Jiang†
Lab for Internet and Security Technology, Northwestern University
†North Carolina State University
Slide 2: Android Dominance
- Smartphone sales already exceed PC sales
- Android world-wide market share ~70%
- Android market share in US ~50%
(Credit: Kantar Worldpanel ComTech)
Slide 3: Introduction
Source: http://play.google.com/ | retrieved: 4/29/2013
Slide 4: Objective
- Smartphone malware is evolving: encrypted exploits, encrypted C&C information, obfuscated class names, ...
- Polymorphic attacks already seen in the wild
- Technique: transform known malware
- What is the resistance of Android anti-malware against malware obfuscations?
Slide 5: Transformations: Three Types
Trivial transformations, DSA transformations (detectable by static analysis), and NSA transformations (non-detectable by static analysis).
Slide 6: Trivial Transformations
- Repacking: unzip, rezip, re-sign. Changes the signing key and the checksum of the whole app package; no individual file is modified.
- Reassembling: disassemble bytecode, AndroidManifest, and resources and reassemble them again. Changes the individual files.
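The repacking step from this slide, written out as an added example (this is not the authors' DroidChameleon code). It constructs a stand-in APK (a zip with placeholder entries), applies unzip/rezip/re-sign, and reports which hashes a scanner could have keyed on survive. Re-signing is represented by dropping the old META-INF signature files and writing a placeholder manifest; no real key, apksigner or jarsigner is involved, and the entry contents are constructed sample bytes.

```python
"""Which artifact does a signature key on?  Repack vs. per-file hashes.

Added example, not DroidChameleon's own code.  Builds a constructed stand-in
APK (a zip with fake entries), applies the slides' 'repack' step (unzip,
rezip, re-sign) and reports which hashes change.  Re-signing is represented
by dropping the old META-INF signature files and writing a placeholder
manifest; no real signing key or apksigner/jarsigner run is involved.
"""
import hashlib
import os
import tempfile
import zipfile
from zipfile import ZipFile, ZipInfo

SIG_DIR = "META-INF/"   # v1 (JAR) signature lives here


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_toy_apk(path: str) -> None:
    """Constructed sample archive; contents are placeholders, not a real app."""
    entries = {
        "AndroidManifest.xml": b"<manifest package='com.example.toy'/>",
        "classes.dex": b"dex\n035\x00" + bytes(range(64)),
        "res/raw/payload.bin": b"\x7fELF" + b"\x00" * 32,
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
        "META-INF/CERT.RSA": b"\x30\x82" + b"\x11" * 16,
    }
    with ZipFile(path, "w") as z:
        for name, data in entries.items():
            info = ZipInfo(name, date_time=(2013, 2, 1, 0, 0, 0))
            z.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)


def fingerprint(path: str) -> dict:
    """Hashes at the two granularities a scanner might key on:
    the whole package file, and each entry's decompressed content."""
    with open(path, "rb") as f:
        package = sha256(f.read())
    with ZipFile(path) as z:
        entries = {name: sha256(z.read(name)) for name in z.namelist()}
    return {"package": package, "entries": entries}


def repack(src: str, dst: str) -> None:
    """Trivial transformation: unzip, drop the old signature, rezip.
    Entry order, timestamps and compression method all change; the bytes of
    every non-signature entry are copied untouched."""
    with ZipFile(src) as zin:
        items = [(n, zin.read(n)) for n in zin.namelist() if not n.startswith(SIG_DIR)]
    with ZipFile(dst, "w") as zout:
        for name, data in reversed(items):
            info = ZipInfo(name, date_time=(2013, 2, 28, 12, 0, 0))
            zout.writestr(info, data, compress_type=zipfile.ZIP_STORED)
        # placeholder for re-signing with the attacker's own key (not a real signature)
        zout.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\nCreated-By: repack\n")


def compare(before: dict, after: dict) -> dict:
    """Which artifacts did the repack change, keep, or drop?"""
    shared = set(before["entries"]) & set(after["entries"])
    return {
        "package_hash_changed": before["package"] != after["package"],
        "changed_entries": sorted(n for n in shared if before["entries"][n] != after["entries"][n]),
        "unchanged_entries": sorted(n for n in shared if before["entries"][n] == after["entries"][n]),
        "dropped_entries": sorted(set(before["entries"]) - shared),
    }


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        orig, repacked = os.path.join(d, "orig.apk"), os.path.join(d, "repacked.apk")
        make_toy_apk(orig)
        repack(orig, repacked)
        return compare(fingerprint(orig), fingerprint(repacked))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The output makes the slide's point concrete: the package hash and the signing material are gone after a repack, while classes.dex, the manifest and the native payload hash exactly as before. A signature keyed on the whole package or on the developer certificate therefore misses the repacked sample; one keyed on classes.dex still fires, which is why reassembling (which rewrites the dex bytes) is the next rung.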
Slide 7: DSA Transformations
- Changing package name
- Identifier renaming
- Data encryption: encrypting payloads and native exploits
- Call indirections
- ...
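Call indirection from this slide, as an added example that is not DroidChameleon's own code: every direct call site in a smali listing is redirected through a generated static wrapper that performs the original call, so the caller's call graph (and any signature built on the sequence of invoked API methods) changes while behaviour is preserved. The wrapper class name Lcom/example/Indirect; and the sample method are constructed for illustration. Constructors, invoke-super, invoke-direct and /range invokes are deliberately left alone, since a wrapper in another class cannot legally make those calls.

```python
"""Call-indirection transformation on smali: an added example, not
DroidChameleon's own code.

Every `invoke-virtual/static/interface {regs}, Owner->m(desc)ret` becomes an
invoke-static of a generated wrapper in the hypothetical class
Lcom/example/Indirect;, whose body performs the original call.  The caller
keeps the same registers, so a following move-result still works.  A real
transformer must also check access flags: private targets cannot be reached
from another class and have to be skipped.
"""
import re

WRAPPER_CLASS = "Lcom/example/Indirect;"  # hypothetical generated class
INVOKE = re.compile(
    r"^(\s*)invoke-(virtual|static|interface)\s+\{([^}]*)\},\s*"
    r"(L[^;]+;)->([^(\s]+)(\([^)]*\)\S+)\s*$")


def parse_desc(desc: str) -> tuple:
    """'(I[Ljava/lang/String;J)V' -> (['I', '[Ljava/lang/String;', 'J'], 'V')."""
    i, params = 1, []
    while desc[i] != ")":
        start = i
        while desc[i] == "[":
            i += 1
        i = desc.index(";", i) + 1 if desc[i] == "L" else i + 1
        params.append(desc[start:i])
    return params, desc[i + 1:]


def slot_count(types) -> int:
    """Dalvik register slots: long (J) and double (D) occupy two."""
    return sum(2 if t in ("J", "D") else 1 for t in types)


def make_wrapper(name: str, kind: str, owner: str, method: str, desc: str) -> str:
    params, ret = parse_desc(desc)
    wparams = params if kind == "static" else [owner] + params  # receiver becomes first param
    slots = slot_count(wparams)
    regs = ", ".join(f"p{i}" for i in range(slots))
    # a non-range invoke carries at most 5 register slots
    call = (f"invoke-{kind} {{{regs}}}, {owner}->{method}{desc}" if slots <= 5
            else f"invoke-{kind}/range {{p0 .. p{slots - 1}}}, {owner}->{method}{desc}")
    if ret == "V":
        tail = ["return-void"]
    elif ret in ("J", "D"):
        tail = ["move-result-wide v0", "return-wide v0"]
    elif ret[0] in "L[":
        tail = ["move-result-object v0", "return-object v0"]
    else:
        tail = ["move-result v0", "return v0"]
    body = "\n".join(f"    {ins}" for ins in [call] + tail)
    return (f".method public static {name}({''.join(wparams)}){ret}\n"
            f"    .locals 2\n{body}\n.end method")


def indirect_calls(smali: str) -> tuple:
    """Returns (rewritten listing, generated wrapper class as smali)."""
    wrappers, out = {}, []
    for line in smali.splitlines():
        m = INVOKE.match(line)
        if not m or m.group(5).startswith("<"):  # keep <init>/<clinit> and non-matching lines
            out.append(line)
            continue
        indent, kind, regs, owner, method, desc = m.groups()
        key = (kind, owner, method, desc)
        name = wrappers.setdefault(key, f"call{len(wrappers)}")
        params, ret = parse_desc(desc)
        wparams = params if kind == "static" else [owner] + params
        # same registers in the same order; the receiver is now just the first argument
        out.append(f"{indent}invoke-static {{{regs}}}, {WRAPPER_CLASS}->{name}({''.join(wparams)}){ret}")
    cls = [f".class public {WRAPPER_CLASS}", ".super Ljava/lang/Object;", ""]
    cls += [make_wrapper(n, *k) + "\n" for k, n in wrappers.items()]
    return "\n".join(out), "\n".join(cls)


# Constructed sample method (not real malware code).
SAMPLE = """.method private send(Ljava/lang/String;)V
    .locals 7
    invoke-virtual {p1}, Ljava/lang/String;->length()I
    move-result v0
    const-string v1, "tag"
    invoke-static {v1, p1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    const-wide/16 v2, 0x3e8
    invoke-static {v2, v3}, Ljava/lang/Thread;->sleep(J)V
    invoke-interface {v4, v1, p1}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
    invoke-direct {p0}, Lcom/example/Sender;->helper()V
    return-void
.end method"""

if __name__ == "__main__":
    rewritten, wrapper_class = indirect_calls(SAMPLE)
    print(rewritten)
    print(wrapper_class)
```

After the rewrite the caller no longer references String.length(), Log.d(), Thread.sleep() or Map.put() at all; every one of them is reached only through Lcom/example/Indirect;, and a signature that matched on those call targets in the original method now has to look one hop further, in a class the signature author never saw.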
Slide 8: Evaluation
- 10 anti-malware products evaluated: AVG, Symantec, Lookout, ESET, Dr. Web, Kaspersky, Trend Micro, ESTSoft (ALYac), Zoner, Webroot
  - Mostly million-figure installs; > 10M for three
  - All fully functional
- 6 malware samples used: DroidDream, Geinimi, FakePlayer, BgServ, BaseBridge, Plankton
- Last done in February 2013
Slide 9: DroidDream Example (tools: AVG, Symantec, Lookout, ESET, Dr. Web)
Rows are the transformations applied to the DroidDream sample; columns were the five tools. The per-cell "x" marks survived extraction only as a count per row; which tool each mark belongs to is not recoverable from this page.

Transformation              marks in row (of 5 tools)
Repack                      1
Reassemble                  1
Rename package              2
Encrypt Exploit (EE)        1
Rename identifiers (RI)     2
Encrypt Data (ED)           1
Call Indirection (CI)       1
RI+EE                       3
EE+ED                       1
EE+Rename Files             1
EE+CI                       2
Slide 10: DroidDream Example (tools: Kaspersky, Trend Micro, ESTSoft, Zoner, Webroot)
Same layout as slide 9; again only the per-row count of "x" marks survived extraction.

Transformation              marks in row (of 5 tools)
Repack                      0
Reassemble                  1
Rename package              2
Encrypt Exploit (EE)        1
Rename identifiers (RI)     2
Encrypt Data (ED)           1
Call Indirection (CI)       1
RI+EE                       2
EE+ED                       2
EE+Rename Files             2
EE+CI                       1
Slide 11: Findings
- All the studied tools were found vulnerable to common transformations
- At least 43% of signatures are not based on code-level artifacts
- 90% of signatures do not require static analysis of bytecode
- Only one tool (Dr. Web) was found to be using static analysis
Slide 12: Signature Evolution
- Study over one year (Feb 2012 – Feb 2013)
- Key finding: anti-malware tools have evolved towards content-based signatures
- Last year 45% of signatures were evaded by trivial transformations, compared to 16% this year
- Content-based signatures are still not sufficient
Slide 13: Takeaways
Slide 14: Impact
- The focus of a Dark Reading article on April 29
- Contacted by Lookout's Director of Security Engineering regarding transformation samples and tools on May 2nd
- Contacted by McAfee Lab and TechNewsDaily this week ...
Slide 16: Conclusion
- Developed a systematic framework for transforming malware
- Evaluated the latest popular Android anti-malware products
- All products vulnerable to malware transformations
Slide 17: Thank You!
http://list.cs.northwestern.edu/mobile
Slide 18: Backup
Slide 19: Solutions
Slide 20: Example: String Encryption
Slide 21: Example: String Encryption (continued)
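The data-encryption transformation named on slide 7 and illustrated on these two backup slides, as an added example that is not DroidChameleon's own code. Each `const-string` in a smali method body is replaced by the same instruction holding the encrypted text, followed by a call to a decryption stub and a move-result back into the original register, so every later instruction still sees the plaintext. The stub class Lcom/example/Dec;, the XOR-plus-base64 scheme and the sample method are assumptions for illustration; a real transformer ships the stub as Java or smali, and the Python `decrypt` here only models what that stub computes at runtime.

```python
"""String (data) encryption transformation on smali: an added example,
not DroidChameleon's own code.

Every `const-string vN, "..."` becomes a const-string of the encrypted,
base64-encoded text, an invoke of a decryption stub, and a move-result-object
back into the same register.  Lcom/example/Dec; and the XOR/base64 scheme
are assumptions; a real transformer would use a per-app key and a stub
written in Java/smali.
"""
import base64
import re

KEY = b"droidchameleon"  # constructed demo key
DEC_STUB = "Lcom/example/Dec;->d(Ljava/lang/String;)Ljava/lang/String;"  # hypothetical stub
CONST_STRING = re.compile(
    r'^(\s*)const-string(/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"\s*$')
_ESC = re.compile(r'\\(u[0-9a-fA-F]{4}|.)')


def smali_unescape(lit: str) -> str:
    """Undo the escapes smali uses inside a string literal."""
    simple = {"n": "\n", "r": "\r", "t": "\t", '"': '"', "\\": "\\", "'": "'"}
    return _ESC.sub(lambda m: chr(int(m.group(1)[1:], 16)) if m.group(1).startswith("u")
                    else simple.get(m.group(1), m.group(1)), lit)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt(plain: str) -> str:
    # base64 output contains no quote or backslash, so it needs no smali escaping
    return base64.b64encode(xor_bytes(plain.encode("utf-8"), KEY)).decode("ascii")


def decrypt(token: str) -> str:
    """Python model of what the Dalvik-side stub Dec.d() computes at runtime."""
    return xor_bytes(base64.b64decode(token), KEY).decode("utf-8")


def invoke_stub(reg: str) -> str:
    """A non-range invoke encodes registers in 4 bits (v0..v15).  Higher
    v-registers, and p-registers whose v-index is not resolved here, need
    the /range form or the assembler rejects the method."""
    if reg[0] == "v" and int(reg[1:]) <= 15:
        return f"invoke-static {{{reg}}}, {DEC_STUB}"
    return f"invoke-static/range {{{reg} .. {reg}}}, {DEC_STUB}"


def encrypt_strings(smali: str) -> tuple:
    """Rewrite a smali listing; returns (new_listing, plaintexts_replaced)."""
    out, replaced = [], []
    for line in smali.splitlines():
        m = CONST_STRING.match(line)
        if not m:
            out.append(line)
            continue
        indent, jumbo, reg = m.group(1), m.group(2) or "", m.group(3)
        lit = smali_unescape(m.group(4))
        out.append(f'{indent}const-string{jumbo} {reg}, "{encrypt(lit)}"')
        out.append(f"{indent}{invoke_stub(reg)}")
        out.append(f"{indent}move-result-object {reg}")
        replaced.append(lit)
    return "\n".join(out), replaced


def recover_strings(transformed: str) -> list:
    """The check a static analyser would need: a const-string immediately
    followed by the stub call is an encrypted literal, so decrypt it."""
    lines = transformed.splitlines()
    found = []
    for i, line in enumerate(lines[:-1]):
        m = CONST_STRING.match(line)
        if m and DEC_STUB in lines[i + 1]:
            found.append(decrypt(m.group(4)))
    return found


# Constructed sample resembling a C&C lookup (not real malware code).
SAMPLE = """.method private fetch(Ljava/lang/String;)V
    .registers 20
    const-string v0, "http://example.invalid/cmd?id=1"
    const-string/jumbo v16, "POST"
    const-string p1, "User-Agent: Mozilla\\n"
    invoke-virtual {v0}, Ljava/lang/String;->length()I
    return-void
.end method"""

if __name__ == "__main__":
    new, plain = encrypt_strings(SAMPLE)
    print(new)
    print("round trip ok:", recover_strings(new) == plain)
```

Two practical notes: the plaintext URL is absent from the rewritten listing, so a content signature on the string table no longer matches, while the stub call pattern is itself a recognisable artifact, which is what the findings on slide 11 about static analysis of bytecode are about. `recover_strings` shows the only way back is to emulate the stub, which is exactly the static analysis most of the evaluated tools did not do.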
Slide 22: NSA Transformations
- Reflection: obfuscate method calls; subsequent encryption of the method names can defeat all kinds of static analysis
- Bytecode encryption: encrypt the malicious bytecode and load it at runtime using a user-defined class loader
Slide 23: Product Details