Paper address: http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf
In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware.
The goals and contributions:
- First, we fulfil the need by presenting the first large collection of 1260 Android malware samples in 49 different malware families, which covers the majority of existing Android malware, ranging from their debut in August 2010 to recent ones in October 2011.
- Second, based on the collected malware samples, we perform a timeline analysis of their discovery and thoroughly characterize them based on their detailed behavior breakdown, including the installation, activation, and payloads.
- Third, we perform an evolution-based study of representative Android malware, which shows that they are rapidly evolving and existing anti-malware solutions are seriously lagging behind.
- Source of the malware list: security announcements, threat reports, and blog posts from mobile antivirus companies and active researchers; the authors requested samples from them or crawled existing official and alternative Android Markets.
- Starting in summer 2011, Android malware has increased dramatically, reflected in the rapid emergence of new malware families as well as of different variants within the same family.
Three main social engineering-based techniques: repackaging, update attack, and drive-by download.
- Repackaging: one of the most common techniques malware authors use to piggyback malicious payloads onto popular applications.
- Approach to quantify the use of repackaging technique among our collection:
- If a sample shares the same package name with an app in the official market, download and compare the difference.
- If the original app is not available in the market, disassemble the malware sample and determine manually.
- In the authors' collection, 86.0% of the samples are repackaged. After classifying them into 49 malware families, 25 of them infect users through repackaged apps while 25 are standalone apps, most of which were designed as spyware in the first place (GoldDream uses both for its infection).
- Malware authors have chosen a variety of apps for repackaging.
- Also, possibly to hide the piggybacked malicious payloads, malware authors tend to use class-file names that look legitimate and benign.
- One malware family, jSMSHider, uses a publicly available private key (serial number: b3998086d056cffa) that is distributed in the Android Open Source Project (AOSP).[^1]
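The comparison step the paper uses to quantify repackaging (fetch the market app with the same package name, then diff the two) can be scripted, since an APK is just a ZIP archive. The following is an added example, not code from the paper or its authors: it hashes every entry of two in-memory APKs, reports what the repackager added, removed or replaced, and flags the artefacts the notes describe (a re-signed META-INF block, an ELF binary dropped outside `lib/`, and a high-entropy asset of the kind an encrypted root exploit would leave). Both APKs, all file names and the entropy threshold are constructed for the example.

```python
"""Diff a suspected repackaged APK against the official market copy.

Added example (not code from the paper). APKs are ZIP archives, so hashing
every entry already shows what the repackager added, removed or replaced;
two heuristics then flag re-signing, embedded ELF binaries and encrypted
blobs stored "as a resource or asset file".
"""
import hashlib
import io
import math
import random
import zipfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"
HIGH_ENTROPY = 7.2                       # bits per byte; encrypted data approaches 8.0
PAYLOAD_DIRS = ("assets/", "res/raw/")   # where exploits are stored as resource/asset files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entry_table(apk: bytes) -> dict:
    """Map each ZIP entry name to (sha256 hex digest, decompressed bytes)."""
    table = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            table[name] = (hashlib.sha256(data).hexdigest(), data)
    return table


def diff_apks(original: bytes, suspect: bytes) -> dict:
    """Return added/removed/changed entries plus repackaging findings."""
    a, b = entry_table(original), entry_table(suspect)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    changed = sorted(n for n in set(a) & set(b) if a[n][0] != b[n][0])
    findings = []
    # A repackager cannot reuse the original developer's private key, so the
    # signature files under META-INF/ always differ from the market copy.
    if any(n.startswith("META-INF/") for n in added + removed + changed):
        findings.append("re-signed: META-INF signature block differs from the market copy")
    for name in added:
        data = b[name][1]
        if data.startswith(ELF_MAGIC) and not name.startswith("lib/"):
            findings.append(f"ELF binary outside lib/: {name} (possible root exploit)")
        elif name.startswith(PAYLOAD_DIRS) and shannon_entropy(data) > HIGH_ENTROPY:
            findings.append(f"high-entropy blob: {name} (possibly encrypted payload)")
    return {"added": added, "removed": removed, "changed": changed, "findings": findings}


def build_apk(entries: dict) -> bytes:
    """Build an in-memory ZIP standing in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a "market" APK and a repackaged copy of it.
_COMMON = {
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "res/drawable/icon.png": b"\x89PNG" + b"\x00" * 64,
}
ORIGINAL_APK = build_apk({
    **_COMMON,
    "classes.dex": b"dex\n035\x00" + b"A" * 256,
    "META-INF/CERT.RSA": b"original developer signature (placeholder)",
})
_rng = random.Random(2012)   # seeded so the "encrypted" blob is reproducible
SUSPECT_APK = build_apk({
    **_COMMON,
    "classes.dex": b"dex\n035\x00" + b"A" * 200 + b"B" * 56,          # payload classes added
    "META-INF/CERT.RSA": b"repackager signature (placeholder)",
    "assets/data1": ELF_MAGIC + b"\x00" * 200,                        # dropped-in native binary
    "assets/data2": bytes(_rng.getrandbits(8) for _ in range(2048)),  # stand-in for an encrypted exploit
})

if __name__ == "__main__":
    for key, value in diff_apks(ORIGINAL_APK, SUSPECT_APK).items():
        print(f"{key}: {value}")
```

On real samples the same function applies to the bytes read from two `.apk` files; the entropy heuristic is only meaningful for entries under the asset directories, since images and compressed resources are high-entropy by nature.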
- Update Attack
- Instead of enclosing the payload as a whole, some apps only include an update component that will fetch or download the malicious payloads at runtime.
- Silent installation with root exploits.
- Update attacks deceive users and are more stealthy.
- Remotely download a new version from the network.
- It takes a stealthy route by notifying the users through a third-party library that provides the (legitimate) notification functionality.
- Drive-by Download
- Entice users to download “interesting” or “feature-rich” apps.
- GGTracker: special in-app advertisement -> malicious web page -> fake Android Market -> malware that subscribes to a premium-rate service.
- Jifake: QR code -> malicious web page -> repackaged mobile ICQ client, which sends several SMS messages to a premium-rate number.
- ZitMo: when a user is doing online banking on a compromised PC, the user is redirected to download a particular smartphone app that claims to better protect online banking activities. However, the downloaded app is actually malware, which collects and sends mTANs or SMS messages to a remote server.
- Standalone (non-repackaged) malware falls into four groups. The first group is spyware, as claimed by the apps themselves: they intend to be installed on victims' phones on purpose. (I don't quite understand how anyone would install such an app.)
- The second group includes those fake apps that masquerade as the legitimate apps but stealthily perform malicious actions, such as stealing users’ credentials or sending background SMS messages.
- The third group contains apps that also intentionally include malicious functionality (e.g., sending unauthorized SMS messages or automatically subscribing to some value-added service). They do provide the functionality they claim, but unknown to users, they also include certain malicious functionality.
- The last group includes those apps that rely on the root privilege to function well. However, without asking the user to grant the root privilege to these apps, they leverage known root exploits to escape from the built-in security sandbox.
- Activation: system events that malware registers for in order to launch its payload (the paper's table):

| Event (category) | Actions registered |
|---|---|
| BOOT (Boot Completed) | BOOT_COMPLETED |
| SMS (SMS/MMS) | SMS_RECEIVED, WAP_PUSH_RECEIVED |
| NET (Network) | CONNECTIVITY_CHANGE, PICK_WIFI_NETWORK |
| CALL (Phone Events) | PHONE_STATE, NEW_OUTGOING_CALL |
| USB (USB Storage) | UMS_CONNECTED, UMS_DISCONNECTED |
| MAIN (Main Activity) | ACTION_MAIN |
| PKG (Package) | PACKAGE_ADDED, PACKAGE_REMOVED, PACKAGE_CHANGED, PACKAGE_REPLACED, PACKAGE_RESTARTED, PACKAGE_INSTALL |
| BATT (Power/Battery) | ACTION_POWER_CONNECTED, ACTION_POWER_DISCONNECTED |
| SYS (System Events) | USER_PRESENT, INPUT_METHOD_CHANGED, SIG_STR |

- BOOT_COMPLETED is the event of most interest to existing Android malware. In the authors' dataset, 29 malware families (covering 83.3% of the samples) listen to this event.
- SMS_RECEIVED comes second, with 21 malware families interested in it.
- Certain malware registers for a variety of events, which allows it to launch the carried payloads reliably or quickly.
- Some malware samples hijack the entry activity of the host app. Some malware may also hijack certain UI interaction events.
- Privilege Escalation
- 36.7% of the samples embed at least one root exploit.
- It is common for malware to carry two or more root exploits to maximize its chances of successful exploitation across multiple platform versions.
- Much of the earlier malware simply copies the publicly available root exploits verbatim, without any modification.
- Some malware encrypts these root exploits and then stores them as a resource or asset file. Other malware obfuscates the file names of the associated root exploits.
- Remote Control
- 93.0% of the samples (1172) turn the infected phones into bots for remote control; 1171 of them use HTTP-based web traffic to receive bot commands from their C&C servers.
- Some malware families attempt to be stealthy by encrypting the URLs of the remote C&C servers as well as their communication with them.
- Most C&C servers are registered in domains controlled by the attackers themselves; some are hosted in public clouds.
- Financial Charge
- One profitable way for attackers is to surreptitiously subscribe to (attacker-controlled) premium-rate services, such as by sending SMS messages.
- Some malware chooses not to hard-code premium-rate numbers, instead leveraging the flexible remote control to push the numbers down at runtime.
- Some malware families need to reply to certain SMS messages.
- Information Collection
- There are 13 malware families (138 samples) in the dataset that collect SMS messages, 15 families (563 samples) that gather phone numbers, and 3 families (43 samples) that obtain and upload information about user accounts. FakeNetflix gathers users' Netflix accounts and passwords.
- User credentials may also be included in the collected SMS messages.
- Based on the comparison, WRITE_EXTERNAL_STORAGE permissions are widely requested in both malicious and benign apps.
- But malicious apps clearly tend to request the SMS-related permissions more frequently, such as
- 688 malware samples request the RECEIVE_BOOT_COMPLETED permission, five times the number in benign apps (137 samples).
- Note that 398 malware samples request the CHANGE_WIFI_STATE permission, an order of magnitude more than in benign apps (34 samples).
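The activation-event table and the permission comparison above are both things a triage script can read straight out of an app's manifest. The block below is an added example, not code from the paper: it assumes the AndroidManifest.xml has already been decoded from Android's binary XML into plain XML, walks every intent-filter action against the paper's event categories, and flags the SMS permissions plus the two permissions (RECEIVE_BOOT_COMPLETED, CHANGE_WIFI_STATE) whose request rates differ most between malware and benign apps. The "review"/"low" verdict rule, the two sample manifests and the package names are constructed for the example.

```python
"""Triage a decoded AndroidManifest.xml for the activation events and
permissions the paper singles out.

Added example, not code from the paper. Assumes the manifest is plain XML
(the bytes inside an APK are Android binary XML and must be decoded first).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Paper's activation-event categories, keyed by the last segment of the action
# string (e.g. "android.intent.action.BOOT_COMPLETED" -> "BOOT_COMPLETED").
ACTIVATION_EVENTS = {
    "BOOT": {"BOOT_COMPLETED"},
    "SMS": {"SMS_RECEIVED", "WAP_PUSH_RECEIVED"},
    "NET": {"CONNECTIVITY_CHANGE", "PICK_WIFI_NETWORK"},
    "CALL": {"PHONE_STATE", "NEW_OUTGOING_CALL"},
    "USB": {"UMS_CONNECTED", "UMS_DISCONNECTED"},
    "MAIN": {"MAIN"},   # android.intent.action.MAIN, the entry activity
    "PKG": {"PACKAGE_ADDED", "PACKAGE_REMOVED", "PACKAGE_CHANGED",
            "PACKAGE_REPLACED", "PACKAGE_RESTARTED", "PACKAGE_INSTALL"},
    "BATT": {"ACTION_POWER_CONNECTED", "ACTION_POWER_DISCONNECTED"},
    "SYS": {"USER_PRESENT", "INPUT_METHOD_CHANGED", "SIG_STR"},
}
_EVENT_CATEGORY = {s: cat for cat, shorts in ACTIVATION_EVENTS.items() for s in shorts}

# Permissions worth a second look, with the paper's observation as the reason.
FLAGGED_PERMISSIONS = {
    "android.permission.SEND_SMS": "SMS-related (premium-rate abuse)",
    "android.permission.RECEIVE_SMS": "SMS-related (interception)",
    "android.permission.READ_SMS": "SMS-related (collection)",
    "android.permission.WRITE_SMS": "SMS-related",
    "android.permission.RECEIVE_BOOT_COMPLETED": "5x more frequent in malware (688 vs 137)",
    "android.permission.CHANGE_WIFI_STATE": "10x more frequent in malware (398 vs 34)",
}


def triage_manifest(xml_text: str) -> dict:
    """Collect activation events and flagged permissions from a decoded manifest."""
    root = ET.fromstring(xml_text)
    events = {}
    for flt in root.iter("intent-filter"):
        for action in flt.iter("action"):
            name = action.get(NAME, "")
            cat = _EVENT_CATEGORY.get(name.rsplit(".", 1)[-1])
            if cat:
                events.setdefault(cat, []).append(name)
    permissions = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME, "")
        if name in FLAGGED_PERMISSIONS:
            permissions[name] = FLAGGED_PERMISSIONS[name]
    # Heuristic (constructed for this example): a background trigger combined
    # with a flagged permission is the pattern the paper's statistics describe.
    background = sorted(c for c in events if c != "MAIN")
    verdict = "review" if background and permissions else "low"
    return {"package": root.get("package"), "events": events,
            "permissions": permissions, "background_triggers": background,
            "verdict": verdict}


# Constructed sample manifests (not taken from any real app).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notepad">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

Because the script keys on the last segment of each action string, it catches both `android.intent.action.*` and `android.provider.Telephony.*` actions without a second lookup table; an app that only registers MAIN and requests no flagged permission comes back "low".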
- Root Exploits: among the six DroidKungFu variants, four contain encrypted root exploits.
- C&C Servers: the malware keeps changing the ways to store the C&C server addresses.
- Shadow Payloads: DroidKungFu also carries an embedded app, which is stealthily installed once the root exploit succeeds.
- Installing this embedded app ensures that even if the repackaged app is removed, the malware continues to function.
- In DroidKungFu1, the embedded app will show a fake Google Search icon while in DroidKungFu2, the embedded app is encrypted and will not display any icon on the phone.
- Obfuscation, JNI, and Others
- DroidKungFu instead encrypts not only the constant strings and C&C server addresses, but also the native payloads and the embedded app file.
- It rapidly changes different keys for the encryption, aggressively obfuscates the class name in the malicious payload, and exploits JNI interfaces to increase the difficulty for analysis and detection.
- It actively detects whether the repackaged app has itself been tampered with.
- It checks the signature or the integrity of the current (repackaged) app before unfolding its payloads.
- AnserverBot aggressively obfuscates its internal classes, methods, and fields to make them humanly unreadable.
- It intentionally partitions the main payload into three related apps.
- Security Software Detection: another related self-protection feature used in AnserverBot is that it can detect the presence of certain mobile anti-virus software.
- C&C Servers: two types of C&C servers
- The first one is similar to traditional C&C servers, from which it receives commands.
- The second one is instead used to upgrade its payload and/or the address of the first type of C&C server. (Maybe based on encrypted blog contents maintained by popular blog service providers like Sina and Baidu.)
Test results imply that mobile anti-virus companies still take the traditional approach of maintaining a signature database that represents known malware samples.
- Authors’ characterization shows that most existing Android malware (86.0%) repackages other legitimate (popular) apps, which indicates that the threat might be effectively mitigated by policing existing Android Markets with repackaging detection.
- Authors’ characterization also indicates that more than one third (36.7%) of Android malware enclose platform-level exploits to escalate their privilege.
- Authors’ characterization shows that existing malware (45.3%) tends to subscribe to premium-rate services with background SMS messages.
- The detection results of existing mobile security software are rather disappointing, which does raise a challenging question on the best model for mobile malware detection.
Some unfamiliar terms:
- root exploit: an exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack. A root exploit is one that yields root privilege.
- payload: In computer security, payload refers to the part of malware which performs a malicious action.
[^1]: The current Android security model allows apps signed with the same platform key as the phone firmware to request permissions that are otherwise not available to normal third-party apps. One such permission is the installation of additional apps without user intervention. Unfortunately, a few (earlier) popular custom firmware images were signed by the default key distributed in AOSP.