Slides - ruxcon 2012

Dec 10, 2013

Websense SecurityLabs

Agenda

Goal & Objectives

Services in the Cloud

Tracker Web Portal

Next Step To Do

Goal & Objectives

Crawl and build an Android app repository

Profile Android apps

Create databases for apps and their associated data

Automatic classification of Android apps

Analytic Workflow

Cloud Services

1. APK Crawler & Parser

2. Dynamic Profile (On-line Emulator)

3. Static Profile (Security Classifier)

Market Auto-Crawling

Google Play (Eng.)

SlideME (Eng.)

Gfan (Chinese)

GoAPK (Chinese)

Mumayi (Chinese)

Apps Crawler

Real-life .apk Web Request Stats (GEO IP) - ThreatSeeker

.APK Parser

3rd party parsing tools

Apktool: decodes resources from apk files, such as AndroidManifest.xml and classes.dex

Dex2jar: reads the embedded .dex file from apk files and generates a .jar file

In-house scripts

parsing automation

database insert


APK Profile

Security Classifier

Dynamic Profile

auto APK runner

Interactive emulator

Security Classifier

Objective

Create a classifier for malicious Android app detection

A static analysis approach

A machine learning approach

Data training

MySQL queries to retrieve raw data from the AppTracker database

Analytic features converted to binary vectors

The R code components

Preprocessing: convert variables into factor variables or numeric variables accordingly

Load the R randomForest library

Prediction

Import the R environment

Load the R model, read in the input (test case) and write out the output (classification response)

R Module

Environment for statistical data analysis, inference and visualization

Ports for Unix, Windows and Mac OS X

Highly extensible through user-defined functions

Generic functions and conventions for standard operations like plot, predict etc.

>1200 add-on packages contributed by developers from all over the world

e.g. Multivariate Statistics, Machine Learning, Natural Language Processing, Bioinformatics (Bioconductor), SNA, etc.

Interfaces to C, C++, Fortran, Java

Analytic Results

(chart: classifier results at confidence thresholds 0.5, 0.6, 0.7, 0.8 and 0.9)

Dynamic Profile

How It Works?

Steps:

1. Load emulator

2. Install and run APK file

3. System outputs profile

4. Show on web portal

Run APK

emulator -avd avdname -no-snapshot-save

adb install apkfile

aapt dump badging apkfile

adb shell am start -n packagename/mainActivity

Auto Input

adb shell input keyevent "value"

7 = KEYCODE_0 ... 16 = KEYCODE_9

29 = KEYCODE_A ... 54 = KEYCODE_Z

adb shell sendevent [device] [type] [code] [value]

example:

adb shell sendevent /dev/input/event0 3 0 40

adb shell sendevent /dev/input/event0 3 1 210

// touch screen (x=40,y=210)


Monkey

The Monkey is a command-line tool that you can run on any emulator instance or on a device. It sends a pseudo-random stream of user events into the system, which acts as a stress test on the application software you are developing.

adb shell monkey -p package.name -v 500

Network Monitoring

adb shell tcpdump -v 'tcp port 80 and (((ip[2:2]-((ip[0]&0xf)<<2))-((tcp[12]&0xf0)>>2))!=0'

The filter keeps only port-80 TCP segments whose payload length (IP total length minus IP and TCP header lengths) is non-zero, so handshake and pure-ACK packets are dropped.

SMS & Call

adb logcat -b radio -s "AT:*"

AT Commands

PDU SMS messages

Decode '0001000a81016681859200000539590c1b03'

Suspicious number '1066185829'

Message '@9@2@'
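As an added illustration (not code from the talk or from Websense), the decoder below parses the SMS-SUBMIT PDU quoted above into the fields an analyst checks when triaging SMS activity from an emulated app: it recovers the destination number shown on the slide and unpacks the user data with the standard GSM 03.38 7-bit alphabet. It also handles the UCS-2 and 8-bit data coding schemes, which goes beyond the slide's single case.

```python
# Added example: decode the SMS-SUBMIT PDU quoted on the slide (3GPP TS 23.040).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")


def unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 03.38 7-bit septets (packed LSB-first) into text."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def decode_submit_pdu(hexstr: str) -> dict:
    """Return the triage-relevant fields of an SMS-SUBMIT PDU:
    destination number, type of address, PID, DCS and the decoded user data."""
    pdu = bytes.fromhex(hexstr)
    pos = 0
    smsc_len = pdu[pos]                      # 0 means "use the SIM's default SMSC"
    pos += 1 + smsc_len
    first_octet = pdu[pos]
    pos += 1
    if first_octet & 0x03 != 0x01:           # TP-MTI 01 = SMS-SUBMIT (phone -> network)
        raise ValueError("not an SMS-SUBMIT PDU")
    pos += 1                                 # TP-MR (message reference)
    addr_digits = pdu[pos]                   # TP-DA length is counted in digits
    toa = pdu[pos + 1]                       # type of address; 0x91 = international
    pos += 2
    addr = pdu[pos:pos + (addr_digits + 1) // 2]
    pos += len(addr)
    # Digits are BCD with the nibbles swapped; an odd count is padded with 0xF.
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in addr)[:addr_digits]
    number = ("+" if toa & 0x70 == 0x10 else "") + digits
    pid, dcs, udl = pdu[pos], pdu[pos + 1], pdu[pos + 2]
    user_data = pdu[pos + 3:]
    alphabet = dcs & 0x0C                    # general data coding group, bits 2-3
    if alphabet == 0x00:                     # GSM 7-bit default alphabet; UDL in septets
        text = unpack_7bit(user_data, udl)
    elif alphabet == 0x08:                   # UCS-2; UDL in octets
        text = user_data[:udl].decode("utf-16-be")
    else:                                    # 8-bit binary; keep it as hex
        text = user_data[:udl].hex()
    return {"number": number, "toa": toa, "pid": pid, "dcs": dcs,
            "udl": udl, "text": text}


if __name__ == "__main__":
    # The PDU from the slide, as the app under test handed it to the radio layer.
    fields = decode_submit_pdu("0001000a81016681859200000539590c1b03")
    print(f"destination {fields['number']}, dcs 0x{fields['dcs']:02x}, "
          f"{fields['udl']} septets, text {fields['text']!r}")
```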


Interactive Emulator

Browser-based for end users

Example:

50 users have tested this app, average time 3 minutes per user

suspicious SMS found

no phone call made

1 active network access

App Tracker

Front page to users

Web portal support

Top 20 profiles: Malware vs. Benign

Real-time crawler status

Real-time virus status report

Built-in app emulation

Back end in cloud

ThreatSeeker service

Automatic static data analysis

Dynamic profile support

Demo Time

Security Classifier POC

Web Portal Framework

ThreatSeeker

Cloud real-time analytics:

Advance Detection (AR) result > Mobile Malware

Triton classifications:

Mobile Malware

Unauthorized Mobile Marketplaces

Mobile Solution

Next Step

Hierarchy Viewer Automation?

Robotium?

Robotium Limitation

Activity

Service

Broadcast Receiver

Content Provider