Slide 1: RiskRanker: Scalable and Accurate Zero-day Android Malware Detection
Grace M., Zhou Y., Shilong Z., Jiang X.
Slide 2: Summary
RiskRanker analyses the paths within an Android application.
Potentially malicious security risks are flagged for investigation.
Slide 3: Appreciation – Path Traversal
This application showcases how reverse engineering allows fast analysis of code paths.
Slide 4: Criticism – Easy to trick
“The system also needs to be … accurate enough to not miss malicious apps”
This application casts three well documented and small nets.
Allows an 8.95% positive rate on zero-day flags.
Allows malware authors to very easily avoid detection.
Slide 5: First Order: UI Input
Ignores all execution paths resulting from UI callbacks.
“Similarly, malware is unlikely to do so via such a callback handler – as such handlers are triggered by user interaction”
UI callbacks have been abused by malicious software for decades (e.g. browser popups).
Slide 6: First Order: Reflection
Focuses on non-dynamic reflection:
“It is possible to ignore a large number of reflection calls, as many such calls use constant arguments in practice”
Dynamically added malicious code will remain undetected.
Slide 7: First Order: Dead Code
Only forward execution paths are investigated, so any ‘unreachable code’ is ignored.
This code could be accessed by changing values in other threads (admitted by the authors).
It could also be accessed through dynamic reflection.
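The three first-order criticisms on slides 5, 6 and 7 all come down to how a forward path analysis picks its entry points and what it does at a reflection call. The following is an added illustration, not RiskRanker's code: a toy reachability pass over a constructed call graph for a hypothetical app (all method names, the list of risky sinks, and the convention that a constant Class.forName(X) argument leads to a method X.run are assumptions made for the example). Running it with and without UI callback entry points, and with and without constant-argument reflection resolved, shows which sinks are found, which reflection sites are left unresolved for manual review, and which methods look like dead code to the analysis.

```python
# Added example (not from the RiskRanker paper or its authors): a toy forward
# reachability analysis over a constructed call graph, showing how entry-point
# choice and reflection handling change which risky sinks a static pass finds.
from collections import deque

# Constructed call graph for a hypothetical app. Keys are methods, values are the
# calls they make. A call is either a plain method name or ("reflect", arg), where
# arg is the argument to a Class.forName-style call: a string literal (constant)
# or None when the class name is computed at runtime.
CALL_GRAPH = {
    "MainActivity.onCreate":  ["Helper.init"],
    "Helper.init":            ["Log.write"],
    "MainActivity.onClick":   ["Billing.confirm"],           # UI callback path
    "Billing.confirm":        ["Sms.send"],                   # sink reached only via the UI path
    "Service.onStart":        [("reflect", "com.example.Loader"),  # constant target
                              ("reflect", None)],                  # runtime-built target
    "com.example.Loader.run": ["Net.post"],
    "Hidden.run":             ["Sms.send"],                   # only reachable by dynamic reflection
    "Log.write": [], "Sms.send": [], "Net.post": [],
}

# Sinks the toy analysis treats as risky (constructed list).
RISKY_SINKS = {"Sms.send", "Net.post"}

# Component lifecycle methods are always entry points; UI callback handlers are
# entry points only when the analysis chooses to include them.
LIFECYCLE_ENTRIES = ["MainActivity.onCreate", "Service.onStart"]
UI_CALLBACK_ENTRIES = ["MainActivity.onClick"]


def reflect_target(arg):
    """Assumed convention for this toy: Class.forName(X) ends up invoking X.run."""
    return f"{arg}.run"


def analyse(include_ui_callbacks, resolve_constant_reflection):
    """Breadth-first forward traversal from the chosen entry points.

    Returns the reached methods, the risky sinks among them, and the reflection
    sites (caller, argument) that could not be resolved statically.
    """
    entries = list(LIFECYCLE_ENTRIES)
    if include_ui_callbacks:
        entries += UI_CALLBACK_ENTRIES
    seen, unresolved = set(), []
    work = deque(entries)
    while work:
        method = work.popleft()
        if method in seen:
            continue
        seen.add(method)
        for call in CALL_GRAPH.get(method, []):
            if isinstance(call, tuple):
                _, arg = call
                if arg is None or not resolve_constant_reflection:
                    unresolved.append((method, arg))   # leave for manual review
                else:
                    work.append(reflect_target(arg))
            else:
                work.append(call)
    return {
        "reached": seen,
        "risky_sinks": sorted(seen & RISKY_SINKS),
        "unresolved_reflection": unresolved,
    }


def unreached_methods(result):
    """Methods the traversal never visited: 'dead code' from the analysis's view."""
    return sorted(set(CALL_GRAPH) - result["reached"])


if __name__ == "__main__":
    for ui, refl in [(False, False), (False, True), (True, True)]:
        r = analyse(include_ui_callbacks=ui, resolve_constant_reflection=refl)
        print(f"ui_callbacks={ui} resolve_constant_reflection={refl}")
        print("  risky sinks reached :", r["risky_sinks"])
        print("  unresolved reflection:", r["unresolved_reflection"])
        print("  unreached methods   :", unreached_methods(r))
```

With UI callbacks excluded the Sms.send sink behind onClick is never reached, matching slide 5; resolving constant reflection arguments recovers com.example.Loader.run but the runtime-built target stays unresolved, matching slide 6; and Hidden.run, reachable only through that dynamic call, is reported as unreached code in every configuration, matching slide 7. A review queue built from the unresolved_reflection list is one practical way to keep such sites from being silently dropped.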
Slide 8: Second Order: Native Code
Requires that malicious native code is stored (against best practice) within the res or assets directory.
Requires that encrypted malicious code uses the native encrypt/decrypt functions.
This check found only one type of malware.
Slide 9: Question
If you built detection software, would you publish the design?
Slide 10: Statistics
3,281 apps flagged (718 true positives)
11 undiscovered malware versions (“families”)
18 total malicious ‘samples’
?,??? undiscovered malware families
A family is a version of a given malware (5 of the 11 were just versions of ‘DroidKungFu’).