This is DEEPerent: Tracking App behaviors with (Nothing changed) phone for Evasive android malware



Similar documents
Messing with the Android Runtime

All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect. Steven Arzt Secure Software Engineering Group Steven Arzt 1

AGENDA. Background. The Attack Surface. Case Studies. Binary Protections. Bypasses. Conclusions

Android Packer. facing the challenges, building solutions. Rowland YU. Senior Threat Researcher Virus Bulletin 2014

Attacking Obfuscated Code with IDA Pro. Chris Eagle

Smartphone Security for Android Applications

Blackbox Android. Breaking Enterprise Class Applications and Secure Containers. Marc Blanchou Mathew Solnik 10/13/

Overview of CS 282 & Android

Evading Android Emulator

Advanced ANDROID & ios Hands-on Exploitation

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Paul Sabanal IBM X-Force Advanced Research. State Of The ART. Exploring The New Android KitKat Runtime IBM Corporation

Reversing Android Malware

Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips

Leave The App Alone! - Attack and Defense of Android App Hijack

Introduction to Android

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Overview. The Android operating system is like a cake consisting of various layers.

Encryption Wrapper. on OSX

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

The Value of Physical Memory for Incident Response

RE-TRUST Design Alternatives on JVM

Programming the Android Platform. Logistics

Design and Implementation of an Android Host-based Intrusion Prevention System

Hacking your Droid ADITYA GUPTA

An Introduction to Android Application Development. Serdar Akın, Haluk Tüfekçi

Research and Design of Universal and Open Software Development Platform for Digital Home

Dynamic Analysis of Android Malware

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Multithreading and Java Native Interface (JNI)!

ANDROID OPERATING SYSTEM

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Pentesting Android Apps. Sneha Rajguru

ODROID Multithreading in Android

Storm Worm & Botnet Analysis

Example of Standard API

Lecture 1 Introduction to Android

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

VOC Documentation. Release 0.1. Russell Keith-Magee

AppScope: Application Energy Metering Framework for Android Smartphones using Kernel Activity Monitoring

Fine-grained covert debugging using hypervisors and analysis via visualization

An Introduction to Android. Huang Xuguang Database Lab. Inha University

QUIRE: : Lightweight Provenance for Smart Phone Operating Systems

Introduction to Native Android Development with NDK

Mobile Devices - An Introduction to the Android Operating Environment. Design, Architecture, and Performance Implications

Mobile Payment Security

Chapter 14 Virtual Machines

Mobile Application Security and Penetration Testing Syllabus

HybriDroid: Analysis Framework for Android Hybrid Applications

Analysis of advanced issues in mobile security in android operating system

AllJoyn Android Environment Setup Guide

HP AppPulse Mobile. Adding HP AppPulse Mobile to Your Android App

Tuning WebSphere Application Server ND 7.0. Royal Cyber Inc.

Aurasium: Practical Policy Enforcement for Android Applications

Android Architecture. Alexandra Harrison & Jake Saxton

ANDROID BASED MOBILE APPLICATION DEVELOPMENT and its SECURITY

GlassFish v3. Building an ex tensible modular Java EE application server. Jerome Dochez and Ludovic Champenois Sun Microsystems, Inc.

Bypassing SSL Pinning on Android via Reverse Engineering

Understand and Build Android Programming Environment. Presented by: Che-Wei Chang

Android Application Development. Daniel Switkin Senior Software Engineer, Google Inc.

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Mobility Introduction Android. Duration 16 Working days Start Date 1 st Oct 2013

The Case for SE Android. Stephen Smalley Trust Mechanisms (R2X) National Security Agency

From Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians?

Detecting the One Percent: Advanced Targeted Malware Detection

Dongwoo Kim : Hyeon-jeong Lee s Husband

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

IUCLID 5 Guidance and Support

VM Application Debugging via JTAG: Android TRACE32 JTAG Debug Bridge ADB Architecture Stop-Mode implications for ADB JTAG Transport Outlook

Reverse Engineering and Computer Security

Hotpatching and the Rise of Third-Party Patches

An Introduction to Android

Android builders summit The Android media framework

Adi Hayon Tomer Teller

Training Android Debugging

SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

When Security Gets in the Way. PenTesting Mobile Apps That Use Certificate Pinning

Lecture 17: Mobile Computing Platforms: Android. Mythili Vutukuru CS 653 Spring 2014 March 24, Monday

Introduction to Android

Threema security assessment

Popular Android Exploits

Android Basics. Xin Yang

Android Development. Lecture AD 0 Android SDK & Development Environment. Università degli Studi di Parma. Mobile Application Development

Static Analysis of Virtualization- Obfuscated Binaries

Deep Inside Android. OpenExpo Zurich September 25 th, Gilles Printemps - Senior Architect. Copyright 2007 Esmertec AG.

I. INTRODUCTION. International Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 2, Mar-Apr 2015

Enterprise Mobility Management

Practical Attacks against Mobile Device Management (MDM) Michael Shaulov, CEO Daniel Brodie, Security Researcher Lacoon Mobile Security

Hypervisor-Based, Hardware-Assisted System Monitoring

Full System Emulation:

Transcription:

This is DEEPerent: Tracking App behaviors with (Nothing changed) phone for Evasive android malware

What I will talk about.. Challenges we faced on android malware analysis: Fast code analysis (Reversing) <- always challenge Obfuscation Various dynamic code loading techniques (file/memory) Anti-analysis techniques(advanced android malware, protectors) Native behavior, obfuscation, packing Maintenance Environment detection (Emulator/Rooting detection)

What I will talk about.. A tool for tracking execution flow of android malware Supports tracking the android application with your nothing changed phone The tool has following features to track behaviors of evasive android malwares: No platform modification Regardless of root privilege Selective behavior tracking Support tracking extension(plug-in) Native layer monitoring (libc, JNI, Binder)

Flow-centric code analysis DEX exports a lot of code informations such as method arguments, debug symbols, register information, etc. DVM supports JDWP(Java Debug Wired Protocol) JDWP is excellent tracer for monitoring app s behaviors Method execution flow Symbol information Object tracking Call stack Etc.. What I will talk about.. ART(Android Runtime) supports JDWP

Fast code analysis Tracking behaviors of evasive android malware User-defined method and Third-party libraries monitoring (Crypto, Network, etc) Obfuscated code monitoring (String, Reflection, AssetEncryption, etc) Dynamic loaded code detecting and tracing Breaking anti-analysis techniques (anti-jdwp, anti-gdb, anti-emulator, device detection, etc)

Fast code analysis Tracking behaviors of evasive android malware This code steals phone number, mac address, ip address, IMEI and IMSI

Symbol name obfuscation Obfuscation

String encryption Obfuscation String obfuscation of DexGuard Disassembled code of string obfuscation Discompiled code of string obfuscation

Obfuscation String encryption Code position (for static analysis) Method tracing of String object Decrypted string deobfuscated string is Hello world!

Method invocation hiding Obfuscation Method invocation hiding of DexGuard Method invocation hiding insist of string encryption and Java reflection

Method invocation hiding Obfuscation Method invocation hiding of DexGuard (Most invocation hiding is performed using Java reflection) java.lang.reflect.method->invoke (Method hiding by java reflection) A object of dalvik.system.dexfile created using java reflection

Fast code analysis: example Complicated code: TamperDetection of DexGuard DexGuard employs multiple obfuscation techniques (String encryption, Class encryption, method invocation hiding)

Fast code analysis: example Complicated code: TamperDetection of DexGuard 1 st loading 2 nd loading Integrity checking routine

Fast code analysis: example Complicated code: TamperDetection of DexGuard Certification checking routine

Dynamic code loading Dynamic loading: DEX file There are several hooking point to detect dynamic code loading You can get the loaded dex file with collaboration between JDWP and Injected code Injected Code Alarm! and Extraction! Second DEX file Detect dynamic loading! App DEX <App process>

Dynamic code loading Dynamic loading: memory patch To patch code, it needs to call mprotect() to change memory privilege writable to patch code We hook the mprotect() and rejects request for write privilege It will cause access violation (SIGSEGV) Alarm! and Extraction! Signal handler - Instruction caused the signal (Code address in CodePatch.so) - Accessed memory address (Encrypted area) - Thread context Write! DEX image (read-only area) Code area CodePatch.so <App process>

In sighandler function, we got these information 1) Address of instruction caused segmentation fault: 0x40147370 - Link Register: 0x727ee4a1 2) Accessed memory address: 0x727e203c 3) Thread context (PC: 0x40147370) We found Unpacking routine of APKProtect easily! without reversing - Address 0x40147370 is in memset function - 0x727ee4a1 is for apkprotect.so - While loop is unpacking routine - Scalpel detected the unpacking point Accessed memory: 0x727e203c is in classes.dex - 727df000-727e3000 rw-p 00000000 b3:1a 918654 /data/dalvik-cache/data@app@google.service-1.apk@classes.dex - 727e3000-727e4000 r--p 00004000 b3:1a 918654 /data/dalvik-cache/data@app@google.service-1.apk@classes.dex - 727e4000-727ed000 rw-p 00005000 b3:1a 918654 /data/dalvik-cache/data@app@google.service-1.apk@classes.dex - 727ed000-727f1000 r-xp 00000000 b3:1a 1179701 /data/app-lib/google.service-1/libapkprotect.so - 727f1000-727f2000 -w-p 00003000 b3:1a 1179701 /data/app-lib/google.service-1/libapkprotect.so - 727f2000-727f3000 rw-p 00004000 b3:1a 1179701 /data/app-lib/google.service-1/libapkprotect.so Link Register: x727e203c

Monitoring extension Monitoring extension performs using dex injection We can inject monitoring extension whenever it needs We makes our own process environment to track behaviors of the evasive android application using wait-for-debug feature (Wait-for-debug feature has presented in BlackHat ASIA 2015 ) With monitoring extension, we can get the various things in nothing changed phone such as anti-analysis techniques, file extraction, Exploring app private directory, various detection, etc

Example(Fake KakaoTalk Security Plug-in) www.virusbtn.com/virusbulletin/archive/2013/12/vb201312-kakaotalk Mixed-environment code with JNI Malwares conceal their behaviors with using Native code Java Export table 3 1 2? Native code Encrypted string

Tracking Native Behavior Need 3-layer monitoring JNI : calling native, calling Java Libc : calling libc Binder : communication with other app/service

Tracking Native Behavior Java Component Dalvik VM Native Tracker Native Component Libc Target App Android App, Service Manager Binder

Tracking Native Behavior : JNI Java Native Hook dvmcalljnimethod() void dvmcalljnimethod(unsigned int const* args, Jvalue *presult, Method const* method, void *self) Native Java Change functions table in JNIEnv jint JNI_xxxxxxx(JNIEnv* env, void *reserved )

Tracking Native Behavior : JNI

Tracking Native Behavior : LIBC Monitor calling libc with JNI Showing libc function and call stack

Tracking Native Behavior : BINDER NOT hooking ioctl() at binder driver Hooking Binder function(related transact) at IPC layer So we can monitor custom service No performance issue Can see all Message between targeted App and service/app through the binder

Tracking Native Behavior : BINDER Service Client Service Server Service User Service Layer BnFooService foo() BpFooService foo() RPC Layer BnFooService ontransact() BpBinder transact() IPC Layer BBinder ontransact() transact() Service Layer IPCThreadState IPCThreadState transact() executecommand() talkwithdriver() talkwithdriver() Ioctl() Ioctl() Binder Driver

Tracking Native Behavior : BINDER Target Service Service Code Service Data dump Reply Data dump

Tracking Native Behavior : BINDER In addition to protecting information of analyst Camera, MIC, GPS Device info(phone number, IMEI, USIM, IMSI, etc)

DEMO

Thank you Yeongung Park: santapark5@gmail.com Junyoung Choi: iamyoung00@gmail.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information