17 Save Dalai Lama


  • 7/29/2019 17 Save Dalai Lama

    1/51

    CS155: Android Malware

    Jason Franklin Ph.D.

    Research Associate and Visiting Lecturer

  • 2/51

    Save the Dalai Lama!

    Start

  • 3/51

    It's March 24th, 2013...

    You're a Tibetan activist named Alice

  • 4/51

    You receive an email from a fellow activist, Bob

    Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013

  • 5/51

    Attached to the email is an Android application

    Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013

  • 6/51

    You install the Android app...

    Now it's running on your Android device

    Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013

  • 7/51

    Everything seems fine...

    However, things are not as they appear

    Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013

  • 8/51

    Background behaviors

    Malware's behaviors triggered by C&C server (Chuli)

    Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013

    Diagram: C&C Server sends Command to the device; the device returns Data: Location, Contacts, Call Log, SMS Msg

  • 9/51

    Android Background

  • 10/51

    Android Market Share (1Q12/1Q13)

    Image: IDC

  • 11/51

    Enterprise Adoption

    Source: Citrix

  • 12/51

    Centralized Application Distribution

    # of apps: 800,000 as of Feb 2013 [1]

    # of apps: 50,000+ as of Oct 2012 [2]

    [1]. http://en.wikipedia.org/wiki/Google_Play
    [2]. http://www.theverge.com/2012/9/6/3296612/amazon-appstore-for-android-50000-app-count-september-2012

  • 13/51

    App Stores Enable Curation

    Google removes 60,000 apps: non-compliant, malicious, low quality, spammy

    [1]. http://techcrunch.com/2013/04/08/nearly-60k-low-quality-apps-booted-from-google-play-store-in-february-points-to-increased-spam-fighting/

  • 14/51

    App Store Promise

    Centralization + Curation = Safety

  • 15/51

    Reality

    Source: McAfee, Feb. 2013, http://www.mcafee.com/us/security-awareness/articles/mobile-malware-growth-continuing-2013.aspx

    Android has permission-based security model

    E.g., reading user data, sending to internet, writing to a file all require perms

    Permissions displayed in app store and before install

    User expected to remain vigilant

    Common failure point

  • 16/51

    Malware Trends

    Q1 2012: 5,000 malicious apps detected

    Q2 2012: 10,000 malicious apps detected

    In 1 month, 17 malicious apps downloaded 700k times

    [1]. http://blog.trendmicro.com/trendlabs-security-intelligence/infographic-behind-the-android-menace-malicious-apps/

  • 17/51

    Malware Author's Goals - $$$

    Immediate monetization
      Abuse premium service (48%): send premium SMS in background
      Display ads (22%)
      Data theft (21%)
      Click fraud (7%)

    Investment in platform
      Remote control (19%)
      Root exploit (11%)

    [1]. http://blog.trendmicro.com/trendlabs-security-intelligence/infographic-behind-the-android-menace-malicious-apps/

  • 18/51

    Noteworthy Malware - DroidDream

    Diagram: C&C Server receives Data (IMEI) from the device and pushes Code (Root Exploits) against the OS

    Malware hidden in repackaged apps (in Google Play); app functionality drives downloads

    Malware may require additional permissions

    Users unknowingly install app despite permissions

    After install, app can leak data in background

    Android security model requires user vigilance

  • 19/51

    Developer Incentives

    "Permissions changed in the latest update to read my phone number. Totally unacceptable for a puzzle game. Uninstalling." [1]

    [1] Oh, My Brain! Block Buzzle by mToy, https://play.google.com/store/apps/details?id=biz.mtoy.blockpuzzle&feature=related_apps#?t=W251bGwsMSwxLDEwOSwiYml6Lm10b3kuYmxvY2twdXp6bGUiXQ..

    "Uninstalling due to the added permissions." [1]

    "Simple and challenging game but with new update there are too many permissions for a simple game, will not be updating and once completed all levels I will be deleting it." [1]

    "Why suddenly Read phone state permission?" [1]

  • 20/51

    Architecture of an App Store

    Diagram: Apps -> Submit -> Admission System -> Accept / Reject -> Storage -> Distribute -> Users

  • 21/51

    Admission System - Google Bouncer

  • 22/51

    Inside Google Bouncer (Unofficial)

    Performs set of analyses on new app; analysis details not provided

    Run app for 5 minutes in emulator

    Dynamic analysis: simulate how app will run on Android device (input generation problem)

    Look for hidden, malicious behavior

    Apply set of (undefined) heuristics

    Few official statements, details sparse. Why? Prevent adversary from circumventing? Standard Google secrecy? Competitive reasons? Risk/reward to openness

  • 23/51

    Malware detection game

    Defender's Goal: Correctly classify programs

    Diagram: Adversary, Detection System, Policy

  • 24/51

    Adversary

    Adversary's Goal: Violate policy in undetectable way

    Diagram: Adversary, Detection System, Policy

  • 25/51

    Policies

    State acceptable/unacceptable behaviors

    Data theft: What personal data can leave device? User impact: data privacy (data-out)

    Device control: Exploit OS etc. User impact: device integrity (data-in)

    Service misuse: Premium SMS. User impact: $

    Spam: How many/which type of ads? User impact: time

    Others: No comprehensive taxonomy

  • 26/51

    Example Detection System: STAMP (static + dynamic)

    Static analysis: more behaviors, fewer details

    Dynamic (runtime) analysis: fewer behaviors, more details

  • 27/51

    Static and Dynamic Analysis

    Static analysis: no code execution. Benefit: can certify programs (100% coverage). Challenge: scalability and false positives

    Dynamic analysis: monitor program execution at runtime. Benefit: no false positives. Challenge: input generation to achieve coverage (false negatives)

  • 28/51

    Abstract Program Execution

    Diagram: state-transition graph with labels begin, start, wait, read cmd, snd, send, del, delete, exit, end

    States: mapping of variable names to values

    Transitions: relation on pairs of states

    Traces: sequence of states or (state, transition) pairs

  • 29/51

    Flow Policies

    Data theft: Contacts -> Send Internet (Source: Contacts, Sink: Internet)

    Injection vulnerabilities: Web -> SQL Stmt (Source: Untrusted_Data, Sink: SQL)

    Privacy policies: "This app collects your: Contacts, Phone Number, Address". Avoid liability, protect consumer privacy

  • 30/51

    Static Data Flow Analysis

    Diagram: getLoc() (Source: Location) -> sendSMS() (Sink: SMS) and sendInet() (Sink: Internet)

    Identify source-to-sink flows (a.k.a. data theft)

    Sources: Location, Calendar, Contacts, Device ID etc.

    Sinks: Internet, SMS, Disk, etc.

  • 31/51

    Data Flow Analysis

    Whether data stored in program variable p may flow to program variable q?

    Code example:
    p = ...
    t = foo(p);
    q = t;

  • 32/51

    Detection of Private-data Leak

    Whether the device id may be leaked through SMS?

    Code example:
    p = getDeviceId();
    t = foo(p);
    q = t;
    sendSMS(q);

  • 33/51

    Detection system tradeoffs

    Reimplement Android/Java: add sources and sinks; 20k methods to inspect. Too expensive!

    Whole-program analysis: high coverage, low false positive rate

    Diagram: STAMP, Android Models, App, App, OS, HW

  • 34/51

    Tracking Sensitive Data

    @STAMP(SRC="$DEVICEID", SINK="@return")
    android.telephony.TelephonyManager: String getDeviceId()
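    The analysis sketched on slides 28, 30, 31, 32 and 34 can be made concrete in a few dozen lines. What follows is an added example written for this transcript, not code from the lecture or from the STAMP project: a toy abstract executor whose state maps each variable to the set of source labels it may carry (slide 28's "state"), run over the slides' own p = getDeviceId(); t = foo(p); q = t; sendSMS(q) program. The SOURCES and SINKS tables stand in for @STAMP-style annotations and name the methods the slides use (getDeviceId, getLoc, sendSMS, sendInet); readContacts, concat, the unknown callee foo, the helper names analyze and report, and the three constructed programs are assumptions. An unmodelled callee such as foo is treated conservatively (its result carries whatever its arguments carried), which is exactly the gap the Android models of slide 33 exist to close.

```python
"""Toy static taint (data-flow) analysis over a three-address program.
Added example; API model and sample programs are constructed."""

# API model: return value of a source method carries a label,
# arguments of a sink method are checked for labels.
# Mirrors @STAMP(SRC="$DEVICEID", SINK="@return") on getDeviceId().
SOURCES = {
    "getDeviceId": "$DEVICEID",
    "getLoc": "$LOCATION",
    "readContacts": "$CONTACTS",   # assumed name
}
SINKS = {
    "sendSMS": "SMS",
    "sendInet": "INTERNET",
    "writeFile": "FILE",           # assumed name
}

# Statement forms (constructed three-address code):
#   ("assign", dst, src_var)          dst = src_var
#   ("call", dst_or_None, fn, [args]) dst = fn(args...)  or  fn(args...)


def analyze(program):
    """Abstract execution. State: variable -> set of source labels it may carry.
    Returns (flows, trace): flows is a list of (source, sink, stmt_index),
    trace is the sequence of states, one entry per executed statement."""
    state = {}
    trace = [dict(state)]
    flows = []
    for i, stmt in enumerate(program):
        kind = stmt[0]
        if kind == "assign":
            _, dst, src = stmt
            state[dst] = set(state.get(src, set()))
        elif kind == "call":
            _, dst, fn, args = stmt
            incoming = set()                      # taint reaching the call
            for a in args:
                incoming |= state.get(a, set())
            if fn in SINKS:                       # source-to-sink flow?
                for label in sorted(incoming):
                    flows.append((label, SINKS[fn], i))
            result = set(incoming)                # unknown callee: propagate conservatively
            if fn in SOURCES:
                result.add(SOURCES[fn])
            if dst is not None:
                state[dst] = result
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
        trace.append({k: set(v) for k, v in state.items()})
    return flows, trace


def report(program):
    """Distinct 'source -> sink' flow types found in a program, sorted."""
    flows, _ = analyze(program)
    return sorted({f"{src} -> {sink}" for src, sink, _ in flows})


# Slide 32's program: device id leaks through SMS via t and q.
LEAK_PROGRAM = [
    ("call", "p", "getDeviceId", []),
    ("call", "t", "foo", ["p"]),
    ("assign", "q", "t"),
    ("call", None, "sendSMS", ["q"]),
]

# Same shape, but the value sent does not derive from p: no flow.
CLEAN_PROGRAM = [
    ("call", "p", "getDeviceId", []),
    ("call", "t", "foo", []),
    ("assign", "q", "t"),
    ("call", None, "sendSMS", ["q"]),
]

# Slide 30 style: two sources combined and sent to the Internet sink.
MULTI_PROGRAM = [
    ("call", "loc", "getLoc", []),
    ("call", "c", "readContacts", []),
    ("call", "msg", "concat", ["loc", "c"]),
    ("call", None, "sendInet", ["msg"]),
]

if __name__ == "__main__":
    for name, prog in [("leak", LEAK_PROGRAM), ("clean", CLEAN_PROGRAM), ("multi", MULTI_PROGRAM)]:
        flows, trace = analyze(prog)
        print(name, report(prog))
        for i, st in enumerate(trace):
            print("  state", i, {k: sorted(v) for k, v in st.items()})
```

    The trace printed for LEAK_PROGRAM shows the label $DEVICEID attached to p, then t, then q, which is the "may flow from p to q" question of slide 31 answered positively; the same executor reports nothing for CLEAN_PROGRAM because foo was called without p.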

  • 35/51

    Sources

    Account data, Audio, Calendar, Call log, Camera, Contacts, Device Id, Location, Photos (Geotags), SD card data, SMS

    30+ types of sensitive data

  • 36/51

    Sinks

    Internet (socket), SMS, Email, System Logs, Webview/Browser, File System, Broadcast Message

    10+ types of exit points

  • 37/51

    Flows

    Detectable Flows = Sources × Sinks

    396 Flow Types

  • 38/51

    Detecting background behaviors

    Sensitive data leaving device is source-to-sink flow

    Image: Kaspersky Labs, https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack, March 26th, 2013

    Diagram: C&C Server sends Command to the device; the device returns Data: Location, Contacts, Call Log, SMS Msg

  • 39/51

    Stamp Source-to-sink Flows

  • 40/51

    Chuli Source-to-sink Flows

    Diagram: Read SMS (Source: SMS), Read Contacts (Source: Contacts), Read Intent (Source: Intent), Read Location (Source: Location) -> Send Intent (Sink: Intent), Send Internet (Sink: Internet)

  • 41/51

    You Saved the Dalai Lama!

    Thanks!

  • 42/51

    Let's look at an example of a privacy-violating program

    Privacy Policy: This app collects your: Contacts, Phone Number, Address

  • 43/51

    Facebook Contact Sync

    Contact Sync for Facebook (unofficial)

    Description:

    This application allows you to synchronize

    your Facebook contacts on Android.

    Privacy Policy: (page not found)

  • 44/51

    Unknowns

    Does this app have hidden behaviors?

    Does it steal my Facebook data?

    Does it have vulnerabilities?

    Does it steal my contacts?

  • 45/51

    What you get today

    Category                   Permission              Description
    Your Accounts              AUTHENTICATE_ACCOUNTS   Act as an account authenticator
    Your Accounts              MANAGE_ACCOUNTS         Manage accounts list
    Your Accounts              USE_CREDENTIALS         Use authentication credentials
    Network Communication      INTERNET                Full Internet access
    Network Communication      ACCESS_NETWORK_STATE    View network state
    Your Personal Information  READ_CONTACTS           Read contact data
    Your Personal Information  WRITE_CONTACTS          Write contact data
    System Tools               WRITE_SETTINGS          Modify global system settings
    System Tools               WRITE_SYNC_SETTINGS     Write sync settings (e.g. Contact sync)
    System Tools               READ_SYNC_SETTINGS      Read whether sync is enabled
    System Tools               READ_SYNC_STATS         Read history of syncs
    Your Accounts              GET_ACCOUNTS            Discover known accounts
    Extra/Custom               WRITE_SECURE_SETTINGS   Modify secure system settings

  • 46/51

    Potential Flows

    Sources: INTERNET, READ_CONTACTS, READ_SYNC_SETTINGS, READ_SYNC_STATS, GET_ACCOUNTS

    Sinks: INTERNET, WRITE_SETTINGS, WRITE_CONTACTS, WRITE_SECURE_SETTINGS

  • 47/51

    Acceptable Flows

    Sources: INTERNET, READ_CONTACTS, READ_SYNC_SETTINGS, READ_SYNC_STATS, GET_ACCOUNTS

    Sinks: INTERNET, WRITE_SETTINGS, WRITE_CONTACTS, WRITE_SECURE_SETTINGS

  • 48/51

    Certification

    Diagram: FB API (Source: FB_Data), Write Contacts (Sink: Contact_Book), Send Internet (Sink: Internet), Read Contacts (Source: Contacts); red slashes designate absence of flow

    All flows were within expected specification

    No hidden behaviors
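    Slides 45 through 48 walk from a permission list to potential flows, to an acceptable-flow specification, to certification against the flows an analysis actually finds. The block below is an added example written for this transcript, not the lecture's or STAMP's code, that carries that walk through for the permissions listed on slide 45. The assignment of permissions to source and sink roles follows slide 46's two lists (INTERNET on both sides, since Facebook data arrives over the network and contacts could leave over it); the ACCEPTABLE specification (network data may be written into the contact book, nothing else) and the two OBSERVED_* result sets are constructed assumptions, as are the helper names potential_flows and certify.

```python
"""Permission-level flow certification: potential flows from requested
permissions, checked against a spec and against observed flows.
Added example; role assignment, spec and observed flows are constructed."""

# Permissions listed for "Contact Sync for Facebook (unofficial)" on slide 45.
APP_PERMISSIONS = [
    "AUTHENTICATE_ACCOUNTS", "MANAGE_ACCOUNTS", "USE_CREDENTIALS",
    "INTERNET", "ACCESS_NETWORK_STATE",
    "READ_CONTACTS", "WRITE_CONTACTS",
    "WRITE_SETTINGS", "WRITE_SYNC_SETTINGS", "READ_SYNC_SETTINGS", "READ_SYNC_STATS",
    "GET_ACCOUNTS", "WRITE_SECURE_SETTINGS",
]

# Which permissions guard a source of data and which guard an exit point
# (slide 46's two columns). INTERNET is both: data arrives from the network
# (FB data) and can leave through it.
SOURCE_PERMS = {"INTERNET", "READ_CONTACTS", "READ_SYNC_SETTINGS", "READ_SYNC_STATS", "GET_ACCOUNTS"}
SINK_PERMS = {"INTERNET", "WRITE_SETTINGS", "WRITE_CONTACTS", "WRITE_SECURE_SETTINGS"}


def potential_flows(requested):
    """Every (source, sink) pair the requested permissions make possible.
    This is all a permission list alone can tell a user (slide 46)."""
    held = set(requested)
    return {(s, k) for s in SOURCE_PERMS & held for k in SINK_PERMS & held}


# Assumed specification for a contact-sync app (slide 47/48): Facebook data
# fetched over the network may be written into the contact book, nothing else.
ACCEPTABLE = {("INTERNET", "WRITE_CONTACTS")}


def certify(requested, acceptable, observed):
    """observed: flows a static analysis actually found in the code.
    Certified when every observed flow is within the spec and is explained
    by a requested permission."""
    potential = potential_flows(requested)
    hidden = sorted(observed - acceptable)          # behaviour the spec does not cover
    over_privileged = sorted(potential - observed)  # allowed by permissions, never exercised
    unexplained = sorted(observed - potential)      # observed but no permission backs it: model gap
    return {
        "certified": not hidden and not unexplained,
        "hidden": hidden,
        "over_privileged": over_privileged,
        "unexplained": unexplained,
    }


# Constructed analysis results for two hypothetical builds of the app.
OBSERVED_OK = {("INTERNET", "WRITE_CONTACTS")}
OBSERVED_LEAK = {("INTERNET", "WRITE_CONTACTS"), ("READ_CONTACTS", "INTERNET")}

if __name__ == "__main__":
    print("potential flows from permissions:", len(potential_flows(APP_PERMISSIONS)))
    for name, obs in [("ok build", OBSERVED_OK), ("leaky build", OBSERVED_LEAK)]:
        r = certify(APP_PERMISSIONS, ACCEPTABLE, obs)
        print(name, "certified" if r["certified"] else "NOT certified", "hidden:", r["hidden"])
```

    The gap between 20 potential flows and the single flow the spec allows is the point of slide 47: the permission list over-approximates badly, so a user reading it cannot tell the ok build from the leaky one, whereas the observed flows separate them immediately.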

  • 49/51

    Review

    Described Android malware problem: Chuli, DroidDream, data collection incentives

    Google Bouncer deployed to detect malware: dynamic analysis, input generation problem

    Defined malware detection game: Adversary, Detection System, Policy

    STAMP detection system: static analysis, scalability/false positives

    Privacy analysis: mandatory notification of data collection

  • 50/51

    Questions?

    Jason Franklin, [email protected]

    Credits:

    Alex Aiken, John Mitchell, Saswat Anand

  • 51/51

    Opportunity

    Centralization + Certification = Safety

    Centralization: free

    Certification: beyond testing; policies, procedures, best practices, verification

    Safety: broadly defined; cost, legal compliance, performance, privacy, security