Websense SecurityLabs


Presentation Transcript


  1. Android Analysis on Cloud Leli@websense.com Websense SecurityLabs

  2. Agenda • 1 Goal & Objectives • 2 Services in the Cloud • 3 Tracker Web Portal • 4 Next Steps

  3. Goal & Objectives • Crawl and build an Android app repository • Profile Android apps • Create databases for apps and their associated data • Automatically classify Android apps

  4. Analytic Workflow (diagram)

  5. Cloud Services • 1 APK Crawler & Parser • 2 Static Profile (Security Classifier) • 3 Dynamic Profile (On-line Emulator)

  6. Apps Crawler • Market auto-crawling: Google Play (English), SlideME (English), Gfan (Chinese), GoAPK (Chinese), Mumayi (Chinese) • (diagram: crawler, real-life .apk files, web request stats (GeoIP), ThreatSeeker)

  7. .APK Parser • 3rd-party parsing tools • Apktool: decodes the resources packed in the APK, such as AndroidManifest.xml, and disassembles classes.dex • dex2jar: reads the embedded classes.dex from the APK and generates a .jar file, so ordinary Java decompilers can be used on the code • In-house scripts • parsing automation • database insert

  8. Security Classifier / Dynamic Profile (diagram: auto APK runner, interactive emulator, APK profile)

  9. Security Classifier • Objective: create a classifier for malicious Android app detection, combining a static analysis approach with a machine learning approach • Data training: MySQL queries retrieve the raw data from the AppTracker database; the analytic features are converted to binary vectors • R code components: preprocessing (convert variables into factor variables or numeric variables as appropriate); load the R randomForest library • Prediction: import the R environment; load the R model, read in the input (test case) and write out the output (classification response)

  10. R Module • Environment for statistical data analysis, inference and visualization • Ports for Unix, Windows and Mac OS X • Highly extensible through user-defined functions • Generic functions and conventions for standard operations such as plot, predict, etc. • >1200 add-on packages contributed by developers from all over the world, e.g. multivariate statistics, machine learning, natural language processing, bioinformatics (Bioconductor), SNA, etc. • Interfaces to C, C++, Fortran, Java

  11. Analytic Results (chart: classifier results at confidence thresholds 0.5, 0.6, 0.7, 0.8, 0.9)

  12. Dynamic Profile • How does it work? • Steps: load the emulator; install and run the APK file; collect the system output profile; show it on the web portal

  13. Run APK • emulator -avd avdname -no-snapshot-save (starts the AVD; -no-snapshot-save discards the emulator state on exit, so every sample starts from the same image) • adb install apkfile • aapt dump badging apkfile (prints the package name, requested permissions and launchable activity) • adb shell am start -n packagename/mainActivity (packagename and mainActivity are taken from the aapt output)
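The parsing and vectorization steps of slides 7, 9 and 13, written out as an added Python example (not the slides' own MySQL/R pipeline): it parses `aapt dump badging` output into an app profile, builds the fixed-order binary permission vector a classifier such as randomForest would consume, and derives the packagename/mainActivity argument for `adb shell am start -n`. The sample badging text, package name and permission vocabulary below are constructed for the example.

```python
"""Turn `aapt dump badging` output into an app profile, a binary feature
vector and the `am start -n` component string. Added example, Python in
place of the slides' MySQL/R pipeline; all sample data is constructed."""
import re

# Constructed sample in the shape `aapt dump badging` prints (one attribute
# group per line, single-quoted values). Package and activity are hypothetical.
SAMPLE_BADGING = """\
package: name='com.example.sms.widget' versionCode='3' versionName='1.2'
sdkVersion:'8'
uses-permission:'android.permission.SEND_SMS'
uses-permission:'android.permission.RECEIVE_SMS'
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.READ_PHONE_STATE'
launchable-activity: name='com.example.sms.widget.MainActivity'  label='Widget' icon=''
"""

# Fixed vocabulary (constructed subset): every APK must be vectorised against
# the same columns in the same order, or a model trained on it is meaningless.
FEATURE_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.ACCESS_FINE_LOCATION",
]

_PKG = re.compile(r"^package: name='([^']+)'.*versionCode='(\d+)'")
# Old aapt prints uses-permission:'x', newer aapt prints uses-permission: name='x'
_PERM = re.compile(r"^uses-permission:(?: name=)?'([^']+)'")
_MAIN = re.compile(r"^launchable-activity: name='([^']+)'")


def parse_badging(text):
    """Return {'package', 'version_code', 'main_activity', 'permissions'}."""
    profile = {"package": None, "version_code": None,
               "main_activity": None, "permissions": set()}
    for line in text.splitlines():
        m = _PKG.match(line)
        if m:
            profile["package"] = m.group(1)
            profile["version_code"] = int(m.group(2))
            continue
        m = _PERM.match(line)
        if m:
            profile["permissions"].add(m.group(1))
            continue
        m = _MAIN.match(line)
        if m:
            profile["main_activity"] = m.group(1)
    return profile


def feature_vector(profile, vocab=FEATURE_PERMISSIONS):
    """One 0/1 column per vocabulary permission, in vocabulary order."""
    return [1 if p in profile["permissions"] else 0 for p in vocab]


def start_component(profile):
    """Argument for `adb shell am start -n`, or None when the APK declares no
    launchable activity (a service-only APK cannot be started this way)."""
    if not profile["main_activity"]:
        return None
    return "%s/%s" % (profile["package"], profile["main_activity"])


if __name__ == "__main__":
    prof = parse_badging(SAMPLE_BADGING)
    print(prof["package"], feature_vector(prof))
    print("adb shell am start -n", start_component(prof))
```

Feed `adb shell aapt dump badging` (or host aapt) output to `parse_badging`; the vector is what gets inserted into the training table, and `start_component` returning None is the case the auto APK runner has to handle separately.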

  14. Auto Input • adb shell input keyevent "value" (key codes: 7 = KEYCODE_0 through 16 = KEYCODE_9, 29 = KEYCODE_A through 54 = KEYCODE_Z) • adb shell sendevent [device] [type] [code] [value] • example: adb shell sendevent /dev/input/event0 3 0 40 and adb shell sendevent /dev/input/event0 3 1 210 set the touch-screen position to (x=40, y=210) • Note: type 3 is EV_ABS with codes 0 = ABS_X and 1 = ABS_Y, in the touch device's raw coordinates; to deliver an actual tap the coordinates must be followed by a BTN_TOUCH press (1 330 1) and a SYN_REPORT (0 0 0), then the release (1 330 0) and another SYN_REPORT

  15. Monkey • “The Monkey is a command-line tool that you can run on any emulator instance or on a device. It sends a pseudo-random stream of user events into the system, which acts as a stress test on the application software you are developing.” (Android developer documentation) • adb shell monkey -p package.name -v 500 (500 pseudo-random events, confined to package.name, verbose output)

  16. Network Monitoring • adb shell tcpdump -v 'tcp port 80 and (((ip[2:2]-((ip[0]&0xf)<<2))-((tcp[12]&0xf0)>>2))!=0' • The filter keeps only TCP port 80 packets that carry payload: IP total length minus IP header length minus TCP header length is non-zero, so handshake packets and bare ACKs are dropped and only HTTP data is shown • Caveats: a tcpdump binary must be present on the emulator image; write the capture to a file with -w and fetch it with adb pull for offline analysis; traffic on other ports, including TLS on 443, does not match this filter

  17. SMS & Call • adb logcat -b radio -s "AT:*" (the radio log buffer; on the emulator the reference RIL logs the AT commands it exchanges with the modem emulator under the AT tag) • AT commands carry the SMS messages as PDUs • Decode '0001000a81016681859200000539590c1b03' • Suspicious number '1066185829' • Message '@9@2@'
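Decoding the PDU from slide 17, as an added Python example rather than the tool used for the slide: it pulls the PDU that follows AT+CMGS out of a constructed radio-log excerpt and parses the SMS-SUBMIT fields. The destination address decodes to 1066185829, as on the slide; standard GSM 7-bit unpacking of the five user-data septets gives '921X1', which differs from the '@9@2@' shown on the slide. The log lines are constructed; only the PDU hex is from the slide.

```python
"""Decode the SMS-SUBMIT PDU an app hands to the RIL, as it appears in
`adb logcat -b radio`. Added example, not the slides' tool. The log lines
are constructed; the PDU hex string is the one shown on the slide."""
import re

# Constructed radio-log excerpt in the shape the emulator's reference RIL
# prints when an app sends an SMS: AT+CMGS, then the PDU on the next line.
RADIO_LOG = """\
D/AT      (   31): AT> AT+CMGS=17
D/AT      (   31): AT> 0001000a81016681859200000539590c1b03
D/AT      (   31): AT< +CMGS: 1
"""

# GSM 03.38 default 7-bit alphabet, basic table only (no ESC extension table).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")


def _semi_octets(hexdigits, ndigits):
    """Address digits are stored nibble-swapped: '0166' -> '1066'; 'F' pads odd lengths."""
    out = "".join(hexdigits[i + 1] + hexdigits[i] for i in range(0, len(hexdigits), 2))
    return out[:ndigits].replace("F", "").replace("f", "")


def _unpack_7bit(data, septets):
    """Septet i occupies bits 7i..7i+6 of the little-endian bit stream."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def decode_submit_pdu(hexstr):
    """Parse an SMS-SUBMIT PDU as written after AT+CMGS (SMSC length octet first)."""
    b = bytes.fromhex(hexstr)
    pos = 1 + b[0]                          # skip SMSC info (length + address)
    first = b[pos]; pos += 1                # TP-MTI/RD/VPF/SRR/UDHI/RP
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU (MTI=%d)" % (first & 3))
    pos += 1                                # TP-MR
    ndigits, toa = b[pos], b[pos + 1]; pos += 2
    nbytes = (ndigits + 1) // 2
    number = _semi_octets(b[pos:pos + nbytes].hex(), ndigits); pos += nbytes
    if (toa & 0x70) == 0x10:                # type-of-number: international
        number = "+" + number
    pid, dcs = b[pos], b[pos + 1]; pos += 2
    vpf = (first >> 3) & 0x03               # TP-VP absent / 1 octet / 7 octets
    pos += {0: 0, 2: 1, 1: 7, 3: 7}[vpf]
    udl = b[pos]; pos += 1
    ud = b[pos:]
    # General data coding group (bits 7-6 == 00): bits 3-2 select the alphabet.
    # Other groups are treated as default 7-bit here, which is a simplification.
    coding = (dcs >> 2) & 0x03 if (dcs & 0xC0) == 0 else 0
    if coding == 0:
        text = _unpack_7bit(ud, udl)        # udl counts septets
    elif coding == 2:
        text = ud[:udl].decode("utf-16-be")  # UCS2, udl counts bytes
    else:
        text = ud[:udl].hex()               # 8-bit data: keep it raw
    return {"to": number, "pid": pid, "dcs": dcs, "text": text}


def pdus_from_radio_log(log):
    """Yield the PDU hex strings that follow an AT+CMGS command in the log."""
    lines = log.splitlines()
    for i, line in enumerate(lines[:-1]):
        if re.search(r"AT>\s*AT\+CMGS=\d+", line):
            m = re.search(r"AT>\s*([0-9A-Fa-f]+)\s*$", lines[i + 1])
            if m:
                yield m.group(1)


if __name__ == "__main__":
    for pdu in pdus_from_radio_log(RADIO_LOG):
        print(decode_submit_pdu(pdu))
```

Matching the decoded destination against a list of known premium-rate short codes (such as the 1066 prefix the slide flags) is what turns this log into a "suspicious SMS" verdict for the profile.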

  18. Interactive Emulator • Browser-based for end users • Example: 50 users have tested this app, average time 3 minutes per user, suspicious SMS found, no phone call made, 1 active network access

  19. App Tracker • Front page to users • Web portal support: top 20 profiles (malware vs. benign), real-time crawler status, real-time virus status report, built-in app emulation • Back end in the cloud: ThreatSeeker service, automatic static data analysis, dynamic profile support

  20. Demo Time • Security Classifier POC • Web Portal Framework

  21. Mobile Solution • ThreatSeeker Cloud real-time analytics: Advance Detection (AR) result > Mobile Malware • Triton classifications: Mobile Malware, Unauthorized Mobile Marketplaces

  22. Next Step • Hierarchy Viewer automation? • Robotium?

  23. Robotium Limitation • Activity • Service • Broadcast Receiver • Content Provider (Robotium drives an app through the UI of its Activities; Services, Broadcast Receivers and Content Providers have no UI to drive, so code reachable only through them is not exercised)

  24. Websense SecurityLabs
