
Yajin Zhou Zhi Wang Wu Zhou Xuxian Jiang NDSS 2012

Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In a nutshell: a systematic study to better understand the overall health of existing Android Markets.


Presentation Transcript


  1. Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets • Yajin Zhou, Zhi Wang, Wu Zhou, Xuxian Jiang • NDSS 2012

  2. in a nutshell… A systematic study to better understand the overall health of existing Android Markets

  3. smartphones are getting popular • Over 100 million smartphones sold in the 1st quarter of 2011, an 85% year-on-year increase! • Android Market reached the 200.000 app milestone on May 10, 2011 • Alternative marketplaces streamline the process of browsing, downloading and installing apps

  4. Popularity attracts malware authors • 2010: Geinimi • 2011: ADRD, Pjapps, Bgserv, DroidDream, zHash, BaseBridge, DroidDreamLight, Zsone, jSMSHider • → need to better understand the overall health of existing Android Markets

  5. Contributions • The first systematic study on the detection of malicious apps on Android Markets • scalable and efficient detection through: • Permission-based behavioral footprinting • Heuristics-based filtering • identified 211 malware out of 204.040 apps • 2 of them were zero-day with 40 samples (11 found on the official Android Market)

  6. DroidRanger architecture

  7. Detecting Known Android Malware • 1st step: quickly exclude unrelated apps through permission-based filtering • 2nd step: detect malware through behavioral footprint matching

  8. Permission-based filtering • Goal: reduce the number of apps that need to be processed afterwards • Each known malware is first pre-processed or distilled into a footprint • Zsone malware: SEND_SMS & RECEIVE_SMS • Number of remaining apps after filtering:

  9. Behavioral footprint matching • manually analyze and distill essential malware behaviors into their behavioral footprints • multiple-dimension footprinting scheme uses information derived from: • manifest file (e.g. broadcast receivers) • bytecode (e.g. Android API call sequences) • structural layout (e.g. internal tree structure)

  10. Detecting Unknown Android Malware • 1st step: find suspicious Java and native code through heuristics-based filtering • 2nd step: detect malware through dynamic execution monitoring

  11. Heuristics-based filtering • Heuristics based on Android features that can be misused to dynamically load new code: • Java bytecode from a remote untrusted website (e.g. DexClassLoader: 0.58%, 1055 apps) • the vast majority are related to advertisement libs (e.g. AdTOUCH 40%) • native code loaded locally (4.52% of dataset) • default location: lib/armeabi

  12. Dynamic execution monitoring • Inspect runtime behaviors triggered by new code • record any calls to the Android framework APIs (permission-related) & their arguments, e.g. SmsManager.sendTextMessage • collect system calls used by existing Android root exploits (through a kernel module), e.g. sys_mount • After finding suspicious behaviors in the logs → manual validation of a zero-day malware • extract its behavioral footprint & insert it into the 1st detection engine

  13. Evaluation dataset • Datasets: • Official Android Market • eoeMarket • alcatelclub • gfan • mmoovv • total 182,823 distinct apps

  14. Malware families used in the study

  15. Permission-based filtering evaluation • 9 malware families have < 6% apps left after applying the permission filtering

  16. Behavioral footprint matching evaluation • unofficial: 150 malicious apps >= 7 x 21 malicious apps (official) • unofficial: 3 x total apps = total apps (official) • 4,5 h to complete

  17. Effectiveness of existing AVs • Lookout Security & Antivirus software installed on a Nexus One running Android 2.2.3 • T: total, D: detected, M: missed

  18. False Negatives of DroidRanger • 27 samples from contagio dump • Eliminate duplicates with the same SHA1 values used in footprint extraction → 24 distinct samples • The system detected 23 of them → 4.2% FN rate • Missing sample: com.android.providers.downloadsmanager • Found that contagio had mis-categorized a sample

  19. Detecting Zero-day malware • Found 1055 apps that invoke DexClassLoader • After white-listing, 240 remained • Angry Birds Cheater • com.crazyapps.angry.birds.cheater.trainer.helper • attempts to load a jar file, plankton_v0.0.4.jar, downloaded from a remote website • bot-related functionalities that can be remotely invoked • detected 11 Plankton samples in total

  20. Detecting Zero-day malware • Among 8.272 apps that contain native code, 508 of them keep native code in non-standard dirs • Some apps attempt to remount the system partition with the sys_mount syscall to make it writeable • DroidKungFu malware • Equipped with Rageagainstthecage and Exploid in an encrypted form • When run, it decrypts and runs the exploits, takes root privileges and installs arbitrary apps • such as one that pretends to be the legitimate Google Search app with an identical icon. This app actually acts as a bot client

  21. Summary of detected malware • Infection rate of unofficial market places is more than an order of magnitude higher than the official Android Market • values shown on the slide: ~0.02%, 179, ~0.20% - 0.47%
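The permission-based filtering of slides 7 to 9, as an added Python example that is not DroidRanger's own code: it keeps only apps that request every essential permission of a family, then narrows the survivors on one manifest dimension (broadcast receivers). Only the Zsone permission pair comes from the slides; the package names, the manifests (assumed to be already decoded to text XML) and the use of the `SMS_RECEIVED` action as the receiver criterion are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
PERM = "android.permission."

# Essential permissions per family; only the Zsone pair is taken from slide 8.
FAMILY_PERMISSIONS = {"Zsone": {PERM + "SEND_SMS", PERM + "RECEIVE_SMS"}}

def manifest(package, perms, receiver_actions=()):
    """Build a constructed, already-decoded AndroidManifest.xml string."""
    uses = "".join(f'<uses-permission android:name="{PERM}{p}"/>' for p in perms)
    recv = "".join(
        f'<receiver android:name=".R{i}"><intent-filter>'
        f'<action android:name="{a}"/></intent-filter></receiver>'
        for i, a in enumerate(receiver_actions))
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application>{recv}</application></manifest>')

def requested_permissions(xml_text):
    root = ET.fromstring(xml_text)
    names = (e.get(NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}

def receiver_actions(xml_text):
    """Intent actions that the app's broadcast receivers register for."""
    root = ET.fromstring(xml_text)
    return {a.get(NS + "name") for r in root.iter("receiver") for a in r.iter("action")}

def permission_filter(corpus, family):
    """Step 1: keep only apps requesting every essential permission of the family."""
    need = FAMILY_PERMISSIONS[family]
    return sorted(pkg for pkg, xml in corpus.items() if need <= requested_permissions(xml))

# Constructed corpus: package names and manifests are made up for this example.
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"  # assumed receiver criterion
CORPUS = {
    "com.example.flashlight": manifest("com.example.flashlight", ["CAMERA"]),
    "com.example.smsbackup": manifest("com.example.smsbackup", ["RECEIVE_SMS", "INTERNET"]),
    "com.example.chat": manifest("com.example.chat", ["SEND_SMS", "RECEIVE_SMS"]),
    "com.example.wallpaper": manifest("com.example.wallpaper",
                                      ["SEND_SMS", "RECEIVE_SMS", "INTERNET"], [SMS_RECEIVED]),
}

def candidates_with_receiver(corpus, family, action):
    """Step 2 input: survivors whose manifest also registers a receiver for `action`."""
    return [p for p in permission_filter(corpus, family) if action in receiver_actions(corpus[p])]
```

The filter is deliberately coarse: a legitimate messaging app survives it, which is why the slides follow it with footprint matching on bytecode and structure.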
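The heuristics-based filtering of slides 11 and 20, as an added Python example that is not DroidRanger's own code: it scans an APK archive for a reference to DexClassLoader in its dex files and for native code stored outside the default `lib/armeabi` directory. The byte-level marker match, the ELF-magic test and the rule for which apps go on to dynamic monitoring are assumptions of this example, and all sample archives are constructed in memory.

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"
DEFAULT_NATIVE_DIR = "lib/armeabi/"   # default location named on slide 11
# Type descriptor as it appears in a dex string table (byte match, not a dex parse).
LOADER_MARKER = b"Ldalvik/system/DexClassLoader;"

def scan_apk(apk_bytes):
    """Return the heuristic findings for one APK given as raw bytes."""
    found = {"dex_loader": False, "native_default": [], "native_nonstandard": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            data = apk.read(info)
            if info.filename.endswith(".dex") and LOADER_MARKER in data:
                found["dex_loader"] = True
            # Identify native code by ELF magic, so a renamed library is still seen.
            if data.startswith(ELF_MAGIC):
                in_default = info.filename.startswith(DEFAULT_NATIVE_DIR)
                found["native_default" if in_default else "native_nonstandard"].append(
                    info.filename)
    return found

def needs_dynamic_monitoring(apk_bytes):
    """Step 1 verdict (assumed rule): dynamic dex loading or misplaced native code."""
    found = scan_apk(apk_bytes)
    return found["dex_loader"] or bool(found["native_nonstandard"])

def build_apk(members):
    """Pack {path: bytes} into an in-memory zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: file names and contents are made up for this example.
FAKE_ELF = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9
SAMPLES = {
    "plain": build_apk({"classes.dex": b"dex\n035\x00Lcom/example/Main;"}),
    "jni_game": build_apk({"classes.dex": b"dex\n035\x00",
                           "lib/armeabi/libgame.so": FAKE_ELF}),
    "loader": build_apk({"classes.dex": b"dex\n035\x00" + LOADER_MARKER}),
    "hidden_native": build_apk({"classes.dex": b"dex\n035\x00",
                                "assets/logo.png": FAKE_ELF}),
}

def triage(samples):
    return sorted(n for n, apk in samples.items() if needs_dynamic_monitoring(apk))
```

As slide 11 notes for advertisement libraries, most DexClassLoader hits are benign, so the output of such a filter is a work queue for dynamic monitoring and white-listing rather than a verdict.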
