
RiskRanker : Scalable and Accurate Zero-day Android Malware Detection






Presentation Transcript


  1. RiskRanker: Scalable and Accurate Zero-day Android Malware Detection. Grace M., Zhou Y., Zhang Q., Zou S., Jiang X. (MobiSys 2012)

  2. Summary • RiskRanker statically analyses the execution paths within an Android application • Paths that carry potentially malicious security risks are flagged for investigation

  3. Appreciation – Path Traversal • ‘Path traversal’ here means walking an app’s code paths, not the directory-traversal vulnerability • The paper showcases how reverse engineering (disassembling the app’s bytecode) allows fast analysis of its code paths

  4. Criticism – Easy to trick • “The system also needs to be … accurate enough to not miss malicious apps” • The approach casts three well-documented and narrow nets • This yields a positive rate of only 8.95% on zero-day flags • It allows malware authors to avoid detection very easily

  5. First Order: UI Input • Ignores all execution paths that start from UI callbacks • “Similarly, malware is unlikely to do so via such a callback handler – as such handlers are triggered by user interaction” • UI callbacks have been abused by malicious software for decades (e.g. browser pop-ups), so a payload placed behind a click handler is never examined

  6. First Order: Reflection • Only handles non-dynamic reflection – “It is possible to ignore a large number of reflection calls, as many such calls use constant arguments in practice” • Malicious code invoked or loaded through reflection whose target is computed at run time remains undetected

  7. First Order: Dead Code • Only forward execution paths from entry points are investigated, so any ‘unreachable code’ is ignored • Such code can still be reached by changing values in other threads (admitted by the authors) • It can also be reached through dynamic reflection
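To make the three first-order blind spots of slides 5–7 concrete, here is an added toy model (not RiskRanker’s code, and the call graph, method names and sink list are constructed for illustration). A first-order walk that starts only from lifecycle entry points, never treats UI handlers as roots, resolves reflection only when its target is a constant, and never visits uncalled methods is compared against an oracle that knows what each reflective call really resolves to.

```python
"""Toy model of first-order path analysis and the three blind spots criticised on
slides 5-7: UI callbacks, dynamic reflection and 'dead' code.  Added example with
a constructed call graph; not RiskRanker's code or data."""
from collections import deque

# Dangerous API calls a path is checked for (constructed sink list).
SINKS = {
    "android.telephony.SmsManager.sendTextMessage",
    "java.lang.Runtime.exec",
}
# Method names recognised as component lifecycle entry points: the only roots the
# modelled first-order view starts from.
LIFECYCLE = {"onCreate", "onReceive", "onStartCommand"}
# Handler names treated as UI callbacks and therefore never used as roots.
UI_CALLBACKS = {"onClick", "onTouch", "onLongClick"}

# Constructed app: method -> list of (kind, target)
#   direct          ordinary invoke of target
#   reflect_const   Method.invoke with a constant target, resolvable statically
#   reflect_dynamic Method.invoke whose target is only known at run time; the
#                   recorded target is what it really resolves to (oracle only)
APP = {
    "MainActivity.onCreate": [("direct", "Updater.check")],
    "Updater.check": [("reflect_const", "Payload.run")],
    "Payload.run": [("direct", "java.lang.Runtime.exec")],
    # blind spot 1: sink behind a UI callback handler
    "MainActivity.onClick": [("direct", "android.telephony.SmsManager.sendTextMessage")],
    # blind spot 2: sink reached only through reflection with a run-time class name
    "BootReceiver.onReceive": [("reflect_dynamic", "Dropper.install")],
    "Dropper.install": [("direct", "java.lang.Runtime.exec")],
    # blind spot 3: 'dead' method with no caller; another thread could still run it
    "Orphan.sendPremium": [("direct", "android.telephony.SmsManager.sendTextMessage")],
}


def leaf(method):
    """Unqualified method name, e.g. 'onCreate'."""
    return method.rsplit(".", 1)[-1]


def reachable_sinks(app, root, resolve_dynamic):
    """Sinks on any forward path from root.  With resolve_dynamic=False the walk
    mimics the shortcut on slide 6 and drops dynamic reflection entirely."""
    seen, found, queue = {root}, set(), deque([root])
    while queue:
        for kind, target in app.get(queue.popleft(), []):
            if kind == "reflect_dynamic" and not resolve_dynamic:
                continue
            if target in SINKS:
                found.add(target)
            elif target not in seen:
                seen.add(target)
                queue.append(target)
    return found


def uncalled_methods(app):
    """Methods no other method invokes: entry points, UI handlers and orphans."""
    callees = {target for calls in app.values() for _, target in calls}
    return {m for m in app if m not in callees}


def first_order_paths(app):
    """Modelled first-order view: lifecycle entry points only, UI callbacks never
    roots, constant reflection resolved, dynamic reflection ignored."""
    roots = {m for m in uncalled_methods(app) if leaf(m) in LIFECYCLE}
    return {(r, s) for r in roots for s in reachable_sinks(app, r, False)}


def oracle_paths(app):
    """Ground truth: every uncalled method is a root and reflection resolves."""
    return {(r, s) for r in uncalled_methods(app) for s in reachable_sinks(app, r, True)}


def missed_paths(app):
    """(root, sink) pairs the first-order view never sees, tagged with the reason."""
    missed = {}
    for root, sink in oracle_paths(app) - first_order_paths(app):
        if leaf(root) in UI_CALLBACKS:
            missed[(root, sink)] = "ui_callback"
        elif leaf(root) in LIFECYCLE:
            missed[(root, sink)] = "dynamic_reflection"  # root was walked, path lost inside it
        else:
            missed[(root, sink)] = "dead_code"
    return missed


if __name__ == "__main__":
    for root, sink in sorted(first_order_paths(APP)):
        print("flagged:", root, "->", sink)
    for (root, sink), why in sorted(missed_paths(APP).items()):
        print("missed: ", root, "->", sink, f"({why})")
```

Run as a script it flags only the constant-reflection path from onCreate and reports the other three sinks as missed, one per blind spot. The oracle’s root set (every method nobody calls) is what a thread-driven or reflection-driven trigger turns into a real entry point, which is exactly why the ‘unreachable code’ assumption on slide 7 is unsafe.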

  8. Second Order: Native Code • Requires that malicious native code is stored (against best practice) in the res or assets directory rather than lib • Requires that encrypted malicious code is decrypted with the platform’s built-in encrypt/decrypt functions • This check found only one type of malware
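As an added example of how narrow the second-order net described above is (this is not RiskRanker’s code; the APK contents, the 7.5 bits/byte entropy cut-off and the 1 KiB minimum size are assumptions made here), the scanner below walks an APK and flags only ELF files or high-entropy blobs found under res/ or assets/. The same ELF shipped in lib/, where native code normally lives, passes untouched.

```python
"""Added model of the second-order check on slide 8: native code or an encrypted
blob shipped in res/ or assets/ instead of lib/.  Constructed APK contents; not
RiskRanker's code.  Thresholds are assumptions for the example."""
import io
import math
import zipfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off for 'looks encrypted'
MIN_BLOB_SIZE = 1024      # assumed: ignore tiny files, whose entropy is noisy
SUSPECT_DIRS = ("res/", "assets/")


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk(apk_bytes):
    """Return sorted (path, finding) pairs for entries under res/ or assets/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for path in zf.namelist():
            if path.endswith("/") or not path.startswith(SUSPECT_DIRS):
                continue  # directories, and anything outside res/ and assets/, are never examined
            data = zf.read(path)
            if data.startswith(ELF_MAGIC):
                findings.append((path, "native_code_outside_lib"))
            elif len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                findings.append((path, "high_entropy_blob"))
    return sorted(findings)


def build_sample_apk():
    """Constructed APK-like zip: a legitimate native lib, the same ELF hidden in
    assets/, a uniform-byte stand-in for ciphertext in res/raw, and plain text."""
    fake_elf = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 61 + b"fake .so body"
    # (i*131 + 7) % 256 permutes every block of 256 bytes, so entropy is exactly 8.0
    ciphertext = bytes((i * 131 + 7) % 256 for i in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("lib/armeabi/libnative.so", fake_elf)        # normal location: not flagged
        zf.writestr("assets/update.bin", fake_elf)               # native code in assets: flagged
        zf.writestr("res/raw/config.dat", ciphertext)            # encrypted payload candidate: flagged
        zf.writestr("assets/strings.txt", b"hello world\n" * 200)  # low entropy: not flagged
    return buf.getvalue()


if __name__ == "__main__":
    for path, finding in scan_apk(build_sample_apk()):
        print(f"{finding:25} {path}")
```

The two hits are the ELF under assets/ and the uniform-byte blob under res/raw. Nothing is raised for lib/armeabi/libnative.so, which is precisely the evasion the slide describes: an author who keeps native code in the conventional directory, or fetches the payload at run time instead of packaging it, never enters the net at all.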

  9. Question • If you built detection software, would you publish the design?

  10. Statistics • 3,281 apps flagged (718 true positives) • 11 previously undiscovered malware ‘families’ • 18 malicious ‘samples’ in total • ?,??? undiscovered malware families • Here a ‘family’ is really a version of a given malware (5 of the 11 were just versions of DroidKungFu)
