210 likes | 396 Views
Hey, You, Get Off of My Market Detecting Malicious Apps in Official and Alternative Android Markets. Yajin Zhou Zhi Wang Wu Zhou Xuxian Jiang NDSS 2012. in a nutshell…. A systematic study to better understand the overall health of existing Android Markets. smartphones are getting popular.
E N D
Hey, You, Get Off of My MarketDetecting Malicious Apps in Official and Alternative Android Markets Yajin Zhou Zhi Wang Wu Zhou Xuxian Jiang NDSS 2012
in a nutshell… A systematic study to better understand the overall health of existing Android Markets
smartphones are getting popular • Over 100 million smartphones sold in the1st quarter of 2011an 85% year-on-year increase! • Android Market reached 200.000 appmilestone, on May 10, 2011 • Alternative marketplaces streamlinethe process of browsing, downloadingand installing apps
Popularity attracts malware authors • 2010: Geinimi • 2011: ADRD, Pjapps, Bgserv, DroidDream, zHash, BaseBridge,DroidDreamLight, Zsone, jSMSHider • need to better understand the overall health of existing Android Markers
Contributions • The first systematic study on the detection of malicious apps on Android Markets • scalable and efficient detection through: • Permission-based behavioral footprinting • Heuristics-based filtering • identified 211 malware out of 204.040 apps • 2 of them were zero-day with 40 samples(11 found on the official Android Market)
Detecting Known Android Malware • 1st step: quickly exclude unrelated apps through permission-based filtering • 2nd step: detect malware though behavioral footprint matching
Permission-based filtering • Goal: reduce the number of apps that need to be processed afterwards • Eachknown malware will be first pre-processed or distilled into afootprint • Zsone malware: SEND_SMS & RECEIVE_SMS • Number of remaining apps after filtering:
Behavioral footprint matching • manually analyze and distill essential malwarebehaviors into their behavioral footprints • multiple-dimension footprinting scheme uses information derived from: • manifest file (e.g. broadcast receivers) • bytecode (e.g. Android API calls sequence) • structural layout (e.g. internal tree structure)
Detecting Unknown Android Malware • 1st step: find suspicious Java and native code through heuristics-based filtering • 2nd step: detect malware thoughdynamic execution monitoring
Heuristics-based filtering • Heuristics based on Android features that can be misused to dynamic load new code of: • java bytecode from remote untrusted website (e.g. DexClassLoader– 0.58%, 1055 apps) • vast majority related advertisement libs (e.g. AdTOUCH 40%) • native code locally (4.52% of dataset) default location:lib/armeabi
Dynamic execution monitoring • Inspect runtime behaviors triggered by new code • record any calls to the Android framework APIs (permission-related) & their arguments e.g. SmsManager.sendTextMessage • collect system calls used by existing Android root exploits (through a kernel module) e.g. sys_mount • After finding suspicious behaviors from logs manually validation of a zero-day malware • extract behavioral footprint &insert it in the 1st detection engine
Evaluation dataset Datasets: Official Android Market eoeMarket alcatelclub gfan mmoovv total 182,823 distinct apps
Permission-based filtering evaluation 9 malware families have < 6% apps left after applying the permission filtering
Behavioral footprint matching evaluation unofficialofficial 150 malicious apps >= 7 x 21 malicious apps 3 x total apps = total apps 150 4,5 h to complete
Effectiveness of existing AVs Lookout Security & Antivirussoftware installed on aNexus One runningAndroid 2.2.3 T: total D: detected M: missed
False Negatives of DroidRanger • 27 samples from contagio dump • Eliminate duplicates with the same SHA1 values used in footprint extraction 24 distinct samples • The system detected 23 of them 4.2% FN rate • Missing sample:com.android.providers.downloadsmanager • Found that contagio had mis-categorized a sample
Detecting Zero-day malware • Found 1055 apps that invoke DexClassLoader • After a white-listing 240 remained • Angry Birds Cheater • com.crazyapps.angry.birds.cheater.trainer.helper • attempt to load a jar file: plankton_v0.0.4.jar downloaded from a remote website • bot-related functionalities that can be remotely invoked • detected 11 Plakton samples in total
Detecting Zero-day malware • Among 8.272 apps that contain native code, 508 of them keep native code in non-standard dirs • Some apps attempt to remount the system partition with sys_mount syscall to make it writeable • DroidKungFu malware • Equipped with Rageagainstthecage and Exploid in an encrypted form • When runs decrypt and runs the exploits, takes root privs and installs arbitrary apps • such as one that pretends to be the legitimate Google Search app with an identical icon. This app actually acts as a bot client
Summary of detected malware Infection rate of unofficial market places is more than an order of magnitude higher than the official Android Market ~0.02% 179 ~0.20% - 0.47%