110 likes | 435 Views
RiskRanker : Scalable and Accurate Zero-day Android Malware Detection. Grace. M, Zhou. Y, Shilong . Z, Jiang. X. Summary. RiskRanker analyses the paths within an android application Potentially malicious security risks are flagged for investigation. Appreciation – Path Traversal .
E N D
RiskRanker: Scalable and Accurate Zero-day Android Malware Detection Grace. M, Zhou. Y, Shilong. Z, Jiang. X
Summary • RiskRanker analyses the paths within an android application • Potentially malicious security risks are flagged for investigation
Appreciation – Path Traversal • This application showcases how reverse engineering • Allows fast analysis code paths
Criticism – Easy to trick “The system also needs to be … accurate enough to not miss malicious apps” This application casts three well documented and small nets • Allows 8.95% positive rate on zero-day flags • Allows malware authors to very easily avoid detection
First Order: UI Input • Ignores all execution paths resulting from UI callbacks • “Similarly, malware is un-likely to do so via such a callback handler – as such handlers are triggered by user interaction” • UI callbacks have been abused by malicious software for decades (i.e. browser popups)
First Order: Reflection • Focuses on non-dynamic reflection - “It is possible to ignore a large number of reflection calls, as many such calls use constant arguments in practice” • Dynamic adding of malicious code will remain undetected.
First Order: Dead Code • Only forward execution paths are investigated, any ‘unreachable code’ is therefore ignored. • This code could be accessed by changing values in other threads (admitted by the author) • It could also be accessed through dynamic reflection
Second Order: Native Code • Requires that malicious native code is stored (against best practice) within res or assets directory. • Requires that encrypted malicious code uses the native encrypt/decrypt functions • This check found only one type of malware
Question • If you built detection software, would publish the design?
Statistics • 3,281 apps flagged (718 true positive’s) • 11 undiscovered malware versions “families” • 18 total malicious ‘samples’ • ?,??? Undiscovered malware families • A family is a version of a given malware (5 of the 11 were just versions of ‘DroidKungFu’)