Post on 14-Apr-2018
7/29/2019 17 Save Dalai Lama
1/51
CS155: Android Malware
Jason Franklin Ph.D.
Research Associate and Visiting Lecturer
7/29/2019 17 Save Dalai Lama
2/51
Save the Dalai Lama!
Start
7/29/2019 17 Save Dalai Lama
3/51
It's March 24th, 2013...
You're a Tibetan activist named Alice
A
7/29/2019 17 Save Dalai Lama
4/51
You receive an email from a fellow activist, Bob
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
B
7/29/2019 17 Save Dalai Lama
5/51
Attached to the email is an Android application
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
B
7/29/2019 17 Save Dalai Lama
6/51
You install the android app...
Now it's running on your android device
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
7/29/2019 17 Save Dalai Lama
7/51
Everything seems fine...
However, things are not as they appear
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
7/29/2019 17 Save Dalai Lama
8/51
Background behaviors
Malware's behaviors triggered by C&C server (chuli)
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
C&C Server
Location
Data
Contacts
Call Log
SMS Msg
Command
7/29/2019 17 Save Dalai Lama
9/51
AndroidBackground
7/29/2019 17 Save Dalai Lama
10/51
Android Market Share (1Q12/1Q13)
Image: IDC
7/29/2019 17 Save Dalai Lama
11/51
Enterprise Adoption
Source: Citrix
7/29/2019 17 Save Dalai Lama
12/51
Centralized Application Distribution
# of apps: 800,000 as of Feb 2013 [1]
# of apps: 50,000+ as ofOct 2012 [2]
[1]. http://en.wikipedia.org/wiki/Google_Play[2]. http://www.theverge.com/2012/9/6/3296612/amazon-appstore-for-android-50000-app-count-september-2012
7/29/2019 17 Save Dalai Lama
13/51
App Stores Enable Curation
Google removes 60,000 apps non-compliant, malicious, low quality, spammy
[1]. http://techcrunch.com/2013/04/08/nearly-60k-low-quality-apps-booted-from-google-play-store-in-february-points-to-increased-spam-fighting/
7/29/2019 17 Save Dalai Lama
14/51
App Store Promise
Centralization + Curation = Safety
!
?
??
?
!
?
7/29/2019 17 Save Dalai Lama
15/51
Reality
Source: McAfee, Feb. 2013http://www.mcafee.com/us/security-awareness/articles/mobile-malware-growth-continuing-2013.aspx
Android has permission basedsecurity model
E.g., Reading user data,sending to internet, writing
to a file all require perms Permissions displayed in app
store and before install User expected to remain vigilant
Common failure point
7/29/2019 17 Save Dalai Lama
16/51
Malware Trends
Q1 2012: 5,000 malicious apps detected
Q2 2012: 10,000 malicious apps detected In 1 month
17 malicious apps downloaded 700k times
[1]. http://blog.trendmicro.com/trendlabs-security-intelligence/infographic-behind-the-android-menace-malicious-apps/
7/29/2019 17 Save Dalai Lama
17/51
Malware Author's Goals - $$$
Immediate monetization Abuse premium-service (48% )
Send premium SMS in background Display Ads (22%) Data Theft (21%) Click Fraud (7%)
Investment in platform Remote control (19%) Root exploit (11%)
[1]. http://blog.trendmicro.com/trendlabs-security-intelligence/infographic-behind-the-android-menace-malicious-apps/
7/29/2019 17 Save Dalai Lama
18/51
Noteworthy Malware - DroidDream
C&C Server
Data
IMEI
Code
Roo
tExploits
OS
Malware hidden in repackaged apps (in Google Play) App functionality drives downloads
Malware may require additional permissions Users unknowingly install app despite permissions After install, app can leak data in background
Android security model requires user vigilance
7/29/2019 17 Save Dalai Lama
19/51
Developer Incentives
"Permissions changed in the latest update to readmy phone number. Totally unacceptable for apuzzle game. Uninstalling." [1]
[1] Oh, My Brain! Block Buzzle by mToy, https://play.google.com/store/apps/details?id=biz.mtoy.blockpuzzle&feature=related_apps#?t=W251bGwsMSwxLDEwOSwiYml6Lm10b3kuYmxvY2twdXp6bGUiXQ..
"Uninstallingdue to theadded permissions." [1]
"Simple and challenging game but with new update there is too many Permissions for a
simple game, will not be updating and once completed all levels I will be deleting it." [1]
"Why suddenlyRead phone state
permission?" [1]
7/29/2019 17 Save Dalai Lama
20/51
Architecture of an App Store
Submit AcceptR
eje
ct
Distribute
Apps AdmissionSystem
Storage Users
! ??
7/29/2019 17 Save Dalai Lama
21/51
Admission System - Google Bouncer
7/29/2019 17 Save Dalai Lama
22/51
Inside Google Bouncer (Unofficial)
Performs set of analyses on new app Analysis details not provided
Run app for 5 minutes in emulator
Dynamic analysis Simulate how app will run on Android device Input generation problem
Look for hidden, malicious behavior
Apply set of (undefined) heuristics Few official statements, details sparse Why? Prevent adversary from circumventing?
Standard Google secrecy? Competitive reasons? Risk/reward to openness
7/29/2019 17 Save Dalai Lama
23/51
Malware detection game
Defender's Goal: Correctly classify programs
Adversary
DetectionSystem
Policy?
?
?
?
?
!!
!!
?
7/29/2019 17 Save Dalai Lama
24/51
Adversary
Adversary's Goal: Violate policy in undetectable way
Adversary
DetectionSystem
Policy?
?
?
?
?
!!
!
!
!
7/29/2019 17 Save Dalai Lama
25/51
State acceptable/unacceptable behaviors Data Theft: What personal data can leave device?
User impact: Data privacy (data-out) Device Control: Exploit OS etc.
User impact: device integrity (data-in) Service Misuse: Premium SMS
User impact: $ Spam: How many/which type of ads?
User impact: time Others
No comprehensive taxonomy
Policies
7/29/2019 17 Save Dalai Lama
26/51
Example Detection System
Static
Dynamic
STAMP
Static Analysis
More behaviors, fewer details
Dynamic (Runtime) Analysis
Fewer behaviors, more details
7/29/2019 17 Save Dalai Lama
27/51
Static and Dynamic Analysis
Static analysis No code execution Benefit: Can certify programs (100% coverage) Challenge: Scalability and false positives
Dynamic analysis Monitor program execution at runtime
Benefit: No false positives Challenge: Input generation to achieve coverage(false negatives)
7/29/2019 17 Save Dalai Lama
28/51
Abstract Program Execution
wait
snd
start del end
begin
readcmdsend
exitdelete
States: mapping of variable names to values
Transitions: relation on pairs of statesTraces: sequence of states or state,transition pairs
7/29/2019 17 Save Dalai Lama
29/51
Flow Policies
Injection vulnerabilities
Privacy PolicyThis app collects your:ContactsPhone Number
Address
Contacts SendInternet
Source:Contacts Sink: Internet
WebSource:
Untrusted_DataSQL Stmt Sink: SQL
Data theft
Privacy policies Avoid liability, protect consumer privacy
7/29/2019 17 Save Dalai Lama
30/51
Static Data Flow Analysis
getLoc() sendSMS()
sendInet()
Source:Location
Sink: SMS
Sink: Internet
Identify source-to-sink flows (a.k.a. data theft) Sources: Location, Calendar, Contacts, Device ID etc. Sinks: Internet, SMS, Disk, etc.
7/29/2019 17 Save Dalai Lama
31/51
Data Flow Analysis
Whether data stored in program variablepmayflow to program variable q?
p = ...
t = foo(p);
q = t;
Code example
7/29/2019 17 Save Dalai Lama
32/51
Detection of Private-data Leak
Whether the device id may be leakedthrough SMS?
p = getDeviceId();
t = foo(p);
q = t;sendSMS(q);
Code example
7/29/2019 17 Save Dalai Lama
33/51
Detection system tradeoffs
Reimplement Android/Java Add sources and sinks
20k methods to inspect
Whole-program analysis High coverage
Low false positive rateSTAMP
Android
Models
App App
Too expensive!
OS
HW
7/29/2019 17 Save Dalai Lama
34/51
Tracking Sensitive Data
@STAMP(SRC ="$DEVICEID", SINK ="@return")
android.Telephony.TelephonyManager: String getDeviceId()
7/29/2019 17 Save Dalai Lama
35/51
Sources
Account data Audio Calendar
Call log Camera Contacts Device Id Location
Photos (Geotags) SD card data SMS
30+ types ofsensitive data
7/29/2019 17 Save Dalai Lama
36/51
Sinks
Internet (socket) SMS
Email System Logs Webview/Browser File System
Broadcast Message
10+ types ofexit points
7/29/2019 17 Save Dalai Lama
37/51
Flows
Detectable Flows = Sources x Sink
396 Flow Types
7/29/2019 17 Save Dalai Lama
38/51
Detecting background behaviors
Sensitive data leaving device is source-to-sink flow
Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013
C&C Server
Location
Data
Contacts
Call Log
SMS Msg
Command
7/29/2019 17 Save Dalai Lama
39/51
Stamp Source-to-sink Flows
7/29/2019 17 Save Dalai Lama
40/51
Chuli Source-to-sink Flows
ReadSMS
SendIntent
Send Internet
Source:SMS
Sink:Intent
Sink:Internet
ReadContacts
Source:Contacts
ReadIntent
Source:Intent
ReadLocation
Source:Location
7/29/2019 17 Save Dalai Lama
41/51
You Saved the Dalai Lama!
Thanks!
7/29/2019 17 Save Dalai Lama
42/51
Let's look at an example of a privacy-violating program
Privacy PolicyThis app collects your:
ContactsPhone NumberAddress
7/29/2019 17 Save Dalai Lama
43/51
Facebook Contact Sync
Contact Sync for Facebook (unofficial)
Description:
This application allows you to synchronize
your Facebook contacts on Android.
Privacy Policy: (page not found)
7/29/2019 17 Save Dalai Lama
44/51
Unknowns
Does this app have hidden behaviors?
Does it steal my Facebook data?
Does it have vulnerabilities?
Does it steal my contacts?
7/29/2019 17 Save Dalai Lama
45/51
What you get today
Category Permission Description
Your Accounts AUTHENTICATE_ACCOUNTS Act as an account authenticator
MANAGE_ACCOUNTS Manage accounts list
USE_CREDENTIALS Use authentication credentials
Network Communication INTERNET Full Internet access
ACCESS_NETWORK_STATE View network state
Your Personal Information READ_CONTACTS Read contact data
WRITE_CONTACTS Write contact data
System Tools WRITE_SETTINGS Modify global system settings
WRITE_SYNC_SETTINGS Write sync settings (e.g. Contact sync)
READ_SYNC_SETTINGS Read whether sync is enabled
READ_SYNC_STATS Read history of syncs
Your Accounts GET_ACCOUNTS Discover known accounts
Extra/Custom WRITE_SECURE_SETTINGS Modify secure system settings
7/29/2019 17 Save Dalai Lama
46/51
Potential Flows
Sources Sinks
INTERNETREAD_CONTACTS
WRITE_SETTINGSREAD_SYNC_SETTINGS
WRITE_CONTACTSREAD_SYNC_STATS
GET_ACCOUNTS WRITE_SECURE_SETTINGS
WRITE_SETTINGSINTERNET
7/29/2019 17 Save Dalai Lama
47/51
Acceptable Flows
Sources Sinks
INTERNETREAD_CONTACTS
WRITE_SETTINGSREAD_SYNC_SETTINGS
WRITE_CONTACTSREAD_SYNC_STATS
GET_ACCOUNTS WRITE_SECURE_SETTINGS
WRITE_SETTINGSINTERNET
7/29/2019 17 Save Dalai Lama
48/51
Certification
FB APIWrite
Contacts
Send Internet
Source:FB_Data
Sink:Contact_Book
Sink: InternetRead
ContactsSource:Contacts
Red slashes designate absence of flow
All flows were within expected specification No hidden behaviors
7/29/2019 17 Save Dalai Lama
49/51
Review
Described Android malware problem Chuli, DroidDream, data collection incentives
Google Bouncer deployed to detect malware
Dynamic analysis - input generation problem Defined malware detection game Adversary, Detection System, Policy
Stamp detection system Static analysis - scalability/false positives
Privacy analysis Mandatory notification of data collection
7/29/2019 17 Save Dalai Lama
50/51
Questions?
Jason Franklin, Ph.D.jfrankli@cs.stanford.edu
Credits:
Alex Aiken, John Mitchell, Saswat Anand
7/29/2019 17 Save Dalai Lama
51/51
Opportunity
Centralization Certification Safety
Free Beyond testing
Policies,Procedures,
Best practices,Verification
Broadly defined
Cost,Legal Compliance,
Performance,Privacy,Security
+ =