Symantec's Secret Sauce for Mobile Threat Protection. Jon Dreyfus, Ellen Linardi, Matthew Yeo

Transcription

1 Symantec's Secret Sauce for Mobile Threat Protection Jon Dreyfus, Ellen Linardi, Matthew Yeo 1

2 Agenda Threat landscape and Mobile Insight overview What s unique about Mobile Insight Mobile Insight Intelligence Use Case How does Mobile Insight help Enterprise secure their 2

3 Growth of Android Apps 3

4 Malware: Risky Market Places Malicious APK's

5 Malware Isn t The Only Concern Even legitimate apps can Read and collect private data from the device Embed annoying ad libraries to monetize free apps Drain battery and consume bandwidth, costing money and decreasing device lifespan Users demand more from mobile security malware detection is the table stakes 5

6 Mobile Insight Statistics Russia China ,200,456 Signers (Publishers) Majority of Bad Actors Stores Crawled Continuously APKs 10,732,318 APKs w/ High Severity Privacy Leaks 1,423,876 App titles 3,413,556 Malicious APKs 1,066,611 APKs w/ Ad Libraries 4,069,030 APKs w/privacy Leaks 5,751, Thousand new apps processed every 24 hours 1 trillion rows of metadata 6

7 5000 Foot View Data Sources Data Analytics Platform Community Automation Platform Malware Detection App stores Collect Apps SDAP Data store (all app attributes) Trust Greyware Static Analysis Performance Partners Dynamic Analysis 7

8 What we do and how we re different 8

9 Breadth of Information Continuously crawl over 200 Android markets Download apps Record metadata Collect data from 5 million Norton Community Watch participants Never-before-seen app binaries Anonymized app usage statistics Lean on Symantec s vast collection of non-mobile data Known command and control servers Malicious URL s 9

10 Deep Static Analysis Identify attributes typical of malware Has no visible user interface Has hidden executable files embedded Is not localized Compute code similarity against all other analyzed APK s Identify sensitive code paths Contain interesting combinations of sensitive API calls Focus more on these in dynamic analysis 10

11 Cutting Edge Dynamic Analysis Run apps in an emulator running a modified Android OS Intelligently drive the user interface Analyze text to find key controls Attempt to log in to common authentication providers Force start unreachable areas of code Record detailed application behavior Track sensitive data as it flows through memory Impervious to encryption or obfuscation of values Flag when written to the network Record all interesting events Network connections Phone calls Text messages sent 11

12 Importance of Dynamic Analysis Most malicious behaviors are not visible statically Malicious code might be obfuscated or dynamically loaded The details of the action are important What information is written to the network? Is the server known to be malicious? Is the SMS message sent to a premium rate number? Static analysis is false positive and false negative prone for privacy leaks Applications rarely do everything they could do with their permissions or API calls Sensitive API calls can be hidden with reflection or dynamically loading code We report observed behaviors, not potential behaviors 12

13 Heavy Data Crunching Bring all data into one place to make decisions Load into Symantec Data Analytics Platform Identify malicious apps by looking at everything we know about them Static and dynamic traits, market information, reputation in the community Compare against all other apps we have analyzed Apply sophisticated machine learning Hundreds of features about each app Trained with our large ground truth corpus Different classifiers to find different classes of malware 13

14 What we ve found 14

15 Common Malware Behaviors 100 % of Malicious APK s Permission Observed 20 0 Load Dynamic Code Collect Sensitive Data Send SMS Block Incoming SMS Make Phone Call 15

16 Malware Detections in the Field Average Malware Blocks per Day Detected Through Reputation Detected Through Atomation Known Malware Family Sep-13 Oct-13 Nov-13 Dec-13 Jan-14 Feb-14 Mar-14 16

17 Privacy: Commonly Exported Data 60 % of All APKs Installed Apps Device Details IMEI or IMSI Location Phone Number 17

18 Privacy Concerns: Free vs. Paid Apps High Severity 19% Free Apps Low Severity 13% High Severity 5% Paid Apps Low Severity 13% None 32% Medium Severity 36% None 51% Medium Severity 31% 18

19 Google Play Categories of Performance Hogs High Battery Usage High Bandwidth Usage Music and Audio 3% Media and Video 4% Tools 4% News and Magazines 5% Other 25% Games 52% Entertainm ent 7% Social 4% Tools 5% Other 30% Media and Video 10% Games 18% Entertainm ent 12% News and Magazines 9% Music and Audio 12% 19

20 Protecting Enterprise with Mobile Insight 20

21 Why is this relevant to Enterprise? With BYOD, user and corporate data live together so when apps ask the users for permission to access data it impacts your organization as well. Cost to determine if each individual app is safe is prohibitively expensive - Mobile Insight provides a behavior-based malware detection along with risk management approach to screening mobile apps Helps enterprise users really understand what the mobile apps are really doing and what Enterprise data they have access to 21

22 Leveraging Mobile Insight Providing necessary intelligence for your enterprise users Allowing admins to inspect apps for malware and policy compliance prior to distributing the apps into Enterprise Using mobile insight intelligence to blacklist apps with harmful characteristics like ad network, data leakage risks, etc 22

23 Future areas for Mobile Insight Enterprise Control App Stores or Search Engines Carriers App Developers Control policies about what types of apps are allowed on managed devices Brand/App Spoof Detection Allow these customers to give the user addition security, privacy and performance information about the application so users can make informed decisions Ability to monitor what s going across their network in terms of apps/malware, privacy and performance Allow individual application developers to gain insight into what they re building and how users will see it Symantec's Secret Sauce for Mobile Threat Protection SYMANTEC VISION

24 Questions? Symantec's Secret Sauce for Mobile Threat Protection SYMANTEC VISION

25 Thank you! YOUR FEEDBACK IS VALUABLE TO US! Please take a few minutes to fill out the short session survey available on the mobile app the survey will be available shortly after the session ends. Watch for and complete the more extensive post-event survey that will arrive via a few days after the conference. To download the app, go to or search for Vision 2014 in the itunes or Android stores. 25