
TraceDroid: A Fast and Complete Android Method Tracer

Victor van der Veen
OWASP BeNeLux Day 2013, Amsterdam
http://tracedroid.few.vu.nl

About me

  • Security Consultant at ITQ
  • Twitter: @vvdveen
  • E-Mail: vvanderveen@itq.nl

Past

  • MSc. in Computer Science, VU University
  • Capture the Flag 'hacking' competitions
  • Memory Errors: The Past, The Present and the Future (RAID 2012)
  • (partial) Implementation of a trustworthy voting machine
  • Worked on Andrubis with the iSecLab team in Vienna

Introduction

Mobile Malware

  • March 2012: 38,689 samples
  • March 2013: 276,259 samples
  • +614%
  • Android: 92%

ZitMo: Zeus in the Mobile

  • Collaborates with PC-based Zeus
  • Steals mobile TAN codes

How do we automate analysis?

Android Architecture

  • Applications
  • Application Framework
  • Core Libraries
  • Native libraries
  • Dalvik VM
  • Linux Kernel

Application Fundamentals

  • Apps are written in Java, executed by a VM
  • Distributed as signed jar files (.apk)

Building blocks:

  • Activity: single screen with a UI
  • Service: background components
  • Receiver: listener for specific announcements, e.g., boot completed, sms received

Related Work

Android Profiler: method tracer for developers

  • No object resolution
  • Limited start/stop control
  • Bloated

Droidbox: adds tracing code to core libraries

  • Only a small subset of API calls
  • Only for Android 2.1

Droidbox: injects trace methods into bytecode

  • Only a small subset of API calls
  • Break signature

DroidScope: uses VMI to reconstruct instructions

  • Bound to an emulator
  • Not open source at the time

Idea

  • Trace apps in an emulated environment
  • Monitor behavior
  • Extract features
  • Detect suspicious activity

Contributions

TraceDroid

  • Modified Android OS for method tracing
  • Framework for automated dynamic analysis
  • Ease post analysis

Scope

Limit method tracing to Java code

  • Interesting features only accessible via Java
  • Existing tools for tracing native code: strace, ltrace

Use dynamic analysis

  • Evade obfuscation
  • Existing tools for static analysis: AndroGuard, Dex2Jar

What is traced:

  • Trace app internally
  • Trace app to application framework
  • Trace app to core libraries
  • Trace application framework to core libraries
  • Trace core libraries internally

Implementation

Extending Android's Profiler implementation

  • Extend Android Profiler to suit our needs

Hook on method invocations

  • Fetch parameters from stack frame
  • Lookup and invoke .toString() for Objects
  • Convert signatures and descriptors:
    foo(Ljava/lang/String;Z[[J)V
    becomes
    void foo(java.lang.String, boolean, long[][])

Hook on method returns

  • Parse return value
  • Get thrown exceptions

Log output

TraceDroid Analysis Platform

Automated analysis

Static Analysis

  • List Activities and Services

Stimulation

  • Monkey Exerciser: stress test GUIs
  • Simulate events to start receivers: reboot, incoming SMS
  • Capture network traffic

.tar.gz output containing:

  • method traces
  • network dump
  • call graph

Post-Processing

Inspection tool

  • Quickly analyze >100K lines of trace output
  • Load trace output into Python objects
  • Interactive shell
  • Call graphs for control flow analysis

Evaluation

TraceDroid is fast

  • Benchmark: browse to 8 cached webpages
  • Visit each page 10 times before computing average load time
  • Speedup of 1.45 compared to original profiler
  • −2.45% / +3.79%

Code Coverage Computation

  • Map statically found methods against trace output

Why coverage stays low:

  • (third-party) Libraries
  • Unreachable code
  • Complex applications

Code Coverage

Analysis of ~500 samples

  • 250x benign: 35.02%
  • 242x malicious: 31.10%
  • ~33% overall: code coverage of 33% is fairly low

Simulation Effectiveness

  • Compare automated analysis against manual input (180 seconds)
  • 17x benign: 38.49%, 36.04%
  • 18x malicious: 31.40%, 27.61%
  • TraceDroid's coverage is about as good as manual analysis
  • Likely of higher quality due to receiver stimulation
  • Simulation effects vary per app
  • Monkeys suck at gaming

Conclusions

TraceDroid

  • Fast and comprehensive Android method tracer
  • Automated analysis of unknown applications
  • Quickly identify suspicious applications
  • Interactive environment to ease post-analysis
  • Search traces for suspicious activity
  • Preliminary results for malware detection: ~93-96%

Demo

http://tracedroid.few.vu.nl/

  • Submit your .apk for automated analysis
  • Contact me if you would like to analyze a batch
  • No source or inspect tool available yet