(Automated) Behavioral Fingerprinting of Android Applications - Inria


14 Dec. 2013


(Automated) Behavioral Fingerprinting of Android
Applications
Abdelkader Lahmadi, Olivier Festor
Frederic Beck, Eric Finickel, Julien Vaubourg
Université de Lorraine - LORIA - INRIA Nancy Grand Est, France
EPI MADYNES
2013
(compiled on: July 15, 2013)
Outline
Android environments
Flow data analysis
Log data analysis
Lahmadi et al Lorraine University - LORIA
Behavioral Fingerprinting of Android Apps
(2/35)
Android environments: overview
Well adopted by users
- Smartphone worldwide sales in Q1 2012: 144.4 million units
- Android market share of 56.1% (vs 22.9% for Apple iOS)
- Growing number of applications: 800 000 applications in Google Play Store (January 2013)
Well adopted by attackers
- Growing number of malicious applications
- Android Malware Genome Project: 1200 malware samples
- VirusTotal: 20 000 malware samples
A large threat landscape
- Bot capabilities: receive and execute commands from a remote server.
- Information stealing: user contacts, spying on SMS contents and phone calls, user location tracking
- Financial charging: sending premium-rate SMS messages and making premium-rate phone calls
- Permission abuse: privilege escalation
- Application repackaging, transformation and drive-by download
- Resource draining: phone unusable during emergencies
  1. start a power-intensive service (GPS, Bluetooth)
  2. revert services to their original states
  3. services appear powered-off to user queries
Our analysis platform
Flow-based measurement: IPFIX/NetFlow protocol
If we don't measure, we don't know what's happening!
- Flow: grouping packets into sets that have common properties
- Flow key: {IP protocol, source IP address, source port, destination IP address, destination port}, with a timeout (60 seconds)
IPFIX: the standard IP flow export protocol
- Information Elements (IE): the attributes to be exported, defined in a clear and unambiguous manner
- A simple protocol to export flow data: sets of values, described by a template of IEs
IPFIX/NetFlow: terminology
- Packets are observed at an Observation Point
- Flows are sets of packets that share common properties during a certain time interval
- Flows are defined using Flow Keys: IEs and their values
- Template: ordered sequence of <type, length> pairs that specifies the structure and semantics of the exported information
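As an added example (not the authors' Flowoid code, and not part of the original slides), the Python script below implements the flow definition above: packets are grouped by the 5-tuple flow key, a flow is closed after 60 seconds without traffic, each flow is packed as an IPFIX data record in the field order given by a template of (IE id, length) pairs, and the per-transport-protocol shares of flows, packets and bytes are computed in the form of Table III below. The packet records are constructed for the example, not captured traffic; the IE ids are the IANA-registered IPFIX Information Elements.

```python
"""Flow aggregation and IPFIX-style export for the flow definition on the slides.

Added example, not the authors' Flowoid code. Packets are grouped by the
5-tuple flow key {protocol, src IP, src port, dst IP, dst port}; a flow is
closed after FLOW_TIMEOUT seconds without a packet; each flow is packed as an
IPFIX data record in the field order given by TEMPLATE. The packet records are
constructed for the example, not captured traffic.
"""
import socket
import struct

FLOW_TIMEOUT = 60.0  # inactive timeout in seconds, as on the slide

# IPFIX template: ordered (Information Element id, length) pairs.
# The ids are the IANA-registered IPFIX Information Elements.
TEMPLATE = [
    (8, 4),   # sourceIPv4Address
    (12, 4),  # destinationIPv4Address
    (7, 2),   # sourceTransportPort
    (11, 2),  # destinationTransportPort
    (4, 1),   # protocolIdentifier
    (2, 8),   # packetDeltaCount
    (1, 8),   # octetDeltaCount
]
RECORD_FMT = "!4s4sHHBQQ"  # struct layout matching TEMPLATE, network byte order
PROTO_NUM = {"TCP": 6, "UDP": 17}

# Constructed packet records: (time_s, proto, src_ip, src_port, dst_ip, dst_port, bytes)
PACKETS = [
    (0.0,   "TCP", "10.0.0.5", 41000, "93.184.216.34", 80, 520),
    (0.2,   "TCP", "10.0.0.5", 41000, "93.184.216.34", 80, 1400),
    (0.1,   "UDP", "10.0.0.5", 53001, "10.0.0.1", 53, 64),
    (0.3,   "UDP", "10.0.0.1", 53, "10.0.0.5", 53001, 120),
    (5.0,   "TCP", "10.0.0.5", 41000, "93.184.216.34", 80, 1400),
    (100.0, "TCP", "10.0.0.5", 41000, "93.184.216.34", 80, 60),    # >60 s idle: new flow
    (101.0, "UDP", "10.0.0.5", 5004, "203.0.113.9", 1234, 1316),
    (101.5, "UDP", "10.0.0.5", 5004, "203.0.113.9", 1234, 1316),
]


def aggregate_flows(packets, timeout=FLOW_TIMEOUT):
    """Group packets into flows keyed by the 5-tuple, expiring idle flows."""
    active = {}    # flow key -> flow record
    expired = []
    for t, proto, sip, sport, dip, dport, size in sorted(packets, key=lambda p: p[0]):
        key = (proto, sip, sport, dip, dport)
        flow = active.get(key)
        if flow is not None and t - flow["last"] > timeout:
            expired.append(active.pop(key))   # idle too long: export and start a new flow
            flow = None
        if flow is None:
            flow = {"key": key, "first": t, "last": t, "packets": 0, "bytes": 0}
            active[key] = flow
        flow["last"] = t
        flow["packets"] += 1
        flow["bytes"] += size
    return expired + list(active.values())


def encode_record(flow):
    """Pack one flow as an IPFIX data record in TEMPLATE order."""
    proto, sip, sport, dip, dport = flow["key"]
    assert struct.calcsize(RECORD_FMT) == sum(length for _, length in TEMPLATE)
    return struct.pack(RECORD_FMT, socket.inet_aton(sip), socket.inet_aton(dip),
                       sport, dport, PROTO_NUM[proto], flow["packets"], flow["bytes"])


def transport_breakdown(flows):
    """Share (%) of flows, packets and bytes per transport protocol, as in Table III."""
    totals = {}
    for f in flows:
        agg = totals.setdefault(f["key"][0], {"flows": 0, "packets": 0, "bytes": 0})
        agg["flows"] += 1
        agg["packets"] += f["packets"]
        agg["bytes"] += f["bytes"]
    grand = {k: sum(v[k] for v in totals.values()) for k in ("flows", "packets", "bytes")}
    return {proto: {k: round(100.0 * v[k] / grand[k], 1) for k in v}
            for proto, v in totals.items()}


if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    for f in flows:
        print(f["key"], f["packets"], "pkts", f["bytes"], "bytes",
              len(encode_record(f)), "byte record")
    print(transport_breakdown(flows))
```

Note that the flow key is unidirectional, so a DNS query and its answer form two flows, exactly as the flow counts in Tables III and IV separate outgoing from incoming data; and a single TCP connection that stays idle for more than the timeout is exported as two flow records, which is why flow counts alone are a poor proxy for connection counts.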
IPFIX/NetFlow architecture
Source: Nevil Brownlee. Flow-based measurement: IPFIX development and deployment. IEICE Transactions, 94-B(8):2190–2198, 2011.
Location-aware network monitoring (1/2)
Smartphone traffic usage over space: simple questions
- Where do users most often interact with their phones?
- How many applications does a user run in a specific location?
- How much network traffic does an application generate in a specific location?
Why do we need such information?
- Situational awareness: coupling space and time to understand Android application network usage
- Anomaly detection: unexpected behaviour
Associate a location to observed Flows
- draft-festor-ipfix-metering-process-location-01.txt
- Geographic coordinates: latitude, longitude, altitude
- Civic location: human-usable information, postal address, proximity information
Visualization over Google Maps
Coupling Flowoid with SURFmap: joint work with the University of Twente
A first look at network traffic of an Android device
A lazy smartphone user: me :-)

TABLE I. Used services on the Android device over the data collection days.

Service                                         Day
Web browsing with pre-installed browser         Every day
News browsing with pre-installed application    Every day
Download an application from the Market         Saturday
Realtime news using a browser                   Saturday
IPTV                                            Sunday
[Figure] Fig. 2. Hourly number of contacted hosts by a device during two different days.
TABLE II. Network load variations for different user-originated activities.

Service                        Peak load
No user activity               58.6 bps
Real-time blog browsing        26.3 kbps
News application               40.8 kbps
Downloading an application     400.9 kbps
IPTV application               999.1 kbps
TABLE III. Fraction of flows, packets and bytes used by the transport protocols during two days.

Day        Transport protocol   Flows    Packets   Bytes    Total IP traffic (flows/pkts/bytes)
Saturday   TCP                  72.5%    97.9%     99.2%    1843 / 42.4K / 25.2MB
Saturday   UDP                  27.5%    1.99%     0.8%     679 / 886 / 211.4KB
Sunday     TCP                  40.7%    12.8%     8.57%    324 / 7.3K / 3.3MB
Sunday     UDP                  59.1%    87.17%    91.4%    471 / 49.6K / 35.2MB
TABLE IV. Fraction of flows, packets and bytes (outgoing data - incoming data) used by application-layer protocols during two days.

Day        Application protocol   Flows (%)        Packets (%)      Bytes (%)        Total IP traffic (flows/pkts/bytes, outgoing-incoming)
Saturday   HTTP (80)              57.28 - 61.81    84 - 87          79.16 - 93.47    751-751 / 18123-18936 / 1.9MB-21.5MB
Saturday   HTTPS (443)            12.43 - 13.25    12.58 - 10.96    16.10 - 6.08     163-161 / 2715-2384 / 0.3MB-1.4MB
Saturday   DNS (53)               22.57 - 24.11    1.41 - 1.37      0.79 - 0.4       296-293 / 306-299 / 19.58KB-95.5KB
Sunday     HTTP (80)              16.06 - 26.84    35.28 - 4.44     46.58 - 6.1      80-80 / 2678-2191 / 0.37MB-2.3MB
Sunday     HTTPS (443)            12.85 - 20.8     13.59 - 1.89     15.26 - 1.08     64-62 / 1032-933 / 127KB-420KB
Sunday     DNS (53)               26.9 - 44.29     1.76 - 0.26      1.06 - 0.11      134-132 / 134-132 / 8.8KB-43KB
Sunday     Multimedia             1 - 1.67         42.2 - 93        29.26 - 92.57    5-5 / 3209-45885 / 243KB-34.9MB
Android applications: NetFlow-based behaviour
Candy Crush Saga: free game
Power Usage Summary
Twitter
Yahoo! Weather
Android applications: NetFlow-based behaviour
Facebook.katana
Facebook.orca
google.android.location
AccuWeather
Our second tool: Android log data exporter
- Export Android log data: logcat and dumpsys tools
Android log data
Android log data: example
03-27 14:29:03.164 2806 12458 I am_create_activity: [1087249640,77,com.instagram.android/.activity.MainTabActivity,android.intent.action.MAIN,NULL,NULL,270532608]
03-27 14:29:03.245 2806 2811 I am_proc_start: [13259,10153,com.instagram.android,activity,com.instagram.android/.activity.MainTabActivity]
03-27 14:29:03.295 2806 2987 I am_proc_bound: [13259,com.instagram.android]
03-27 14:29:03.295 2806 2987 I am_restart_activity: [1087249640,77,com.instagram.android/.activity.MainTabActivity]
03-27 14:29:03.965 2806 2973 I am_pause_activity: [1087249640,com.instagram.android/.activity.MainTabActivity]
03-27 14:29:03.965 2806 2984 I am_finish_activity: [1087249640,77,com.instagram.android/.activity.MainTabActivity,app-request]
More examples
System service: com.android.IMEITracker
Evernote application: com.android.evernote
Anatomy of an Android SMS-trojan
Let's take an example, modeled after GoldDream:
http://www.cs.ncsu.edu/faculty/jiang/GoldDream/
1. Register a receiver for android.provider.Telephony.SMS_RECEIVED and android.intent.action.NEW_OUTGOING_CALL
2. Call abortBroadcast()
3. Intercept received SMS, store their contents and phone numbers
4. Intercept outgoing calls, store phone numbers
5. Upload collected data to a server
6. Send SMS messages to specific premium numbers
Log data of the SMS-trojan (1/2)
03-25 00:44:48.735 2806 2811 I am_create_activity: [1083044528,28,fr.collimator.mymalware/.Malicious,android.intent.action.MAIN,NULL,NULL,268435456]
03-25 00:44:48.735 2806 2811 I am_proc_start: [11394,10190,fr.collimator.mymalware,activity,fr.collimator.mymalware/.Malicious]
03-25 00:44:48.765 2806 2987 I am_proc_bound: [11394,fr.collimator.mymalware]
03-25 00:44:48.770 2806 2987 I am_restart_activity: [1083044528,28,fr.collimator.mymalware/.Malicious]
03-25 00:44:48.770 2806 2987 I am_pause_activity: [1083044528,fr.collimator.mymalware/.Malicious]
03-25 00:44:48.805 2806 2987 I am_create_service: [1086132656,fr.collimator.mymalware/.background,,11394]
Log data of the SMS-trojan (2/2)
APP* UID 10190 ProcessRecord{4054da80 11394:fr.collimator.mymalware/10190}
..... pid=11394 starting=false lastPss=0
.... services=[ServiceRecord{40bd11b0 fr.collimator.mymalware/.background}]
receivers=[ReceiverList{40a98510 11394 fr.collimator.mymalware/10190 remote:40569cb8}]
* ServiceRecord{40bd11b0 fr.collimator.mymalware/.background}
intent={cmp=fr.collimator.mymalware/.background}
.... app=ProcessRecord{4054da80 11394:fr.collimator.mymalware/10190}
.... startRequested=true stopIfKilled=false callStart=true lastStartId=1
ReceiverList{40a98510 11394 fr.collimator.mymalware/10190 remote:40569cb8} app=ProcessRecord{4054da80 11394:fr.collimator.mymalware/10190} pid=11394 uid=10190
Filter #0: BroadcastFilter{40a985b0}
... Action: "android.intent.action.NEW_OUTGOING_CALL"
... Historical Broadcast #36:
BroadcastRecord{40a54748 android.intent.action.NEW_OUTGOING_CALL}
Intent { act=android.intent.action.NEW_OUTGOING_CALL (has extras) }
... Receiver #0: BroadcastFilter{40a985b0 ReceiverList{40a98510 11394 fr.collimator.mymalware/10190 remote:40569cb8}}
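As an added example (not the authors' log exporter or analysis code), the Python script below turns the two kinds of log data shown on these slides into per-package behavioural fingerprints: it parses the am_* event-log lines (the Instagram and fr.collimator.mymalware lines above are reused as input), reads the registered broadcast actions out of the dumpsys receiver dump, and flags any package that both hooks the telephony broadcasts listed on the "Anatomy" slide and starts a background service. The SMS_RECEIVED receiver and the com.example.weather package in the dumpsys sample are constructed for the example; the remaining lines are copied from the slides.

```python
"""Build per-package behavioural fingerprints from Android log data.

Added example, not the authors' exporter: parses the logcat event-log lines
and the dumpsys activity receiver dump shown on the slides and flags the
receiver/service pattern of the SMS-trojan described on the 'Anatomy' slide.
"""
import re
from collections import defaultdict

# Event-log lines copied from the slides (Instagram launch and the mymalware sample).
LOGCAT = """\
03-27 14:29:03.164 2806 12458 I am_create_activity: [1087249640,77,com.instagram.android/.activity.MainTabActivity,android.intent.action.MAIN,NULL,NULL,270532608]
03-27 14:29:03.245 2806 2811 I am_proc_start: [13259,10153,com.instagram.android,activity,com.instagram.android/.activity.MainTabActivity]
03-25 00:44:48.735 2806 2811 I am_create_activity: [1083044528,28,fr.collimator.mymalware/.Malicious,android.intent.action.MAIN,NULL,NULL,268435456]
03-25 00:44:48.735 2806 2811 I am_proc_start: [11394,10190,fr.collimator.mymalware,activity,fr.collimator.mymalware/.Malicious]
03-25 00:44:48.805 2806 2987 I am_create_service: [1086132656,fr.collimator.mymalware/.background,,11394]
"""

# Receiver dump: the NEW_OUTGOING_CALL receiver is copied from the slides; the
# SMS_RECEIVED receiver and the com.example.weather entry are constructed.
DUMPSYS = """\
ReceiverList{40a98510 11394 fr.collimator.mymalware/10190 remote:40569cb8}
  Filter #0: BroadcastFilter{40a985b0}
    Action: "android.intent.action.NEW_OUTGOING_CALL"
ReceiverList{40a99000 11394 fr.collimator.mymalware/10190 remote:40569cb8}
  Filter #0: BroadcastFilter{40a99100}
    Action: "android.provider.Telephony.SMS_RECEIVED"
ReceiverList{40b00000 11500 com.example.weather/10201 remote:40569d00}
  Filter #0: BroadcastFilter{40b00100}
    Action: "android.net.conn.CONNECTIVITY_CHANGE"
"""

# "MM-DD HH:MM:SS.mmm PID TID LEVEL tag: [field,field,...]"
EVENT_RE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(\d+)\s+([A-Z])\s+(\w+):\s*\[(.*)\]$")
RECEIVER_RE = re.compile(r"ReceiverList\{\w+ (\d+) ([\w.]+)/(\d+)")
ACTION_RE = re.compile(r'Action:\s*"([\w.]+)"')

# Broadcasts the trojan on the 'Anatomy' slide registers for.
TELEPHONY_ACTIONS = {"android.provider.Telephony.SMS_RECEIVED",
                     "android.intent.action.NEW_OUTGOING_CALL"}


def new_fingerprint():
    return {"uid": None, "activities": set(), "services": set(), "receiver_actions": set()}


def parse_logcat(text, fps):
    """Fold am_* event-log lines into per-package fingerprints."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        tag, fields = m.group(5), m.group(6).split(",")
        if tag == "am_create_activity":          # [token, ident, component, action, ...]
            component = fields[2]
            fps[component.split("/")[0]]["activities"].add(component)
        elif tag == "am_proc_start":             # [pid, uid, package, type, component]
            fps[fields[2]]["uid"] = int(fields[1])
        elif tag == "am_create_service":         # [token, component, , pid]
            component = fields[1]
            fps[component.split("/")[0]]["services"].add(component)
    return fps


def parse_dumpsys_receivers(text, fps):
    """Attach each registered broadcast action to the package owning the ReceiverList."""
    current = None
    for line in text.splitlines():
        r = RECEIVER_RE.search(line)
        if r:
            current = r.group(2)
            fps[current]["uid"] = int(r.group(3))
            continue
        a = ACTION_RE.search(line)
        if a and current:
            fps[current]["receiver_actions"].add(a.group(1))
    return fps


def build_fingerprints(logcat=LOGCAT, dumpsys=DUMPSYS):
    fps = defaultdict(new_fingerprint)
    parse_logcat(logcat, fps)
    parse_dumpsys_receivers(dumpsys, fps)
    return dict(fps)


def suspicious_packages(fps):
    """Packages that hook telephony broadcasts and also run a background service."""
    return sorted(pkg for pkg, fp in fps.items()
                  if fp["receiver_actions"] & TELEPHONY_ACTIONS and fp["services"])


if __name__ == "__main__":
    fps = build_fingerprints()
    for pkg, fp in sorted(fps.items()):
        print(pkg, fp)
    print("suspicious:", suspicious_packages(fps))
```

The heuristic is deliberately narrow: abortBroadcast() itself leaves no trace in these logs, so the detectable part of the pattern on the slide is the combination of telephony receivers and a service started right after the main activity, which is what the fingerprint captures; a legitimate SMS client would show the receiver without the immediate background service, and would be examined on other features.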
Self-organizing Maps: unsupervised learning
Mapping of high-dimensional input vectors
- onto a discrete output space: the map
- each region of the map corresponds to an area of the input space
- each node holds a weight vector of the same dimension as the input vector
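Added example (not the authors' code): a pure-Python self-organizing map that does what the slide describes, a 4x4 grid of nodes, each holding a weight vector of the same dimension as the input, trained so that inputs that are close in feature space land on nearby nodes. The per-application feature vectors (TCP and UDP flow fractions, normalised byte rate, normalised number of contacted hosts per hour) are constructed to mimic a browsing profile and a streaming profile; they are not measurements from the slides.

```python
"""Minimal self-organizing map (SOM) in pure Python.

Added example, not code from the slides: trains a small 2-D map on
constructed per-application feature vectors so that similar network
behaviours land on nearby map nodes.
"""
import math
import random


def euclid(a, b):
    """Euclidean distance between two equal-length vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class SOM:
    """Rectangular width x height map; each node holds a weight vector of the
    same dimension as the input vectors."""

    def __init__(self, width, height, dim, seed=0):
        rng = random.Random(seed)
        self.width, self.height, self.dim = width, height, dim
        # node (x, y) -> weight vector, random initial values in [0, 1]
        self.weights = {(x, y): [rng.random() for _ in range(dim)]
                        for x in range(width) for y in range(height)}

    def bmu(self, vec):
        """Best matching unit: the node whose weight vector is closest to vec.
        Ties are broken by node coordinate so results are deterministic."""
        return min(self.weights, key=lambda n: (euclid(self.weights[n], vec), n))

    def train(self, data, epochs=200, lr0=0.5, seed=0):
        rng = random.Random(seed)
        sigma0 = max(self.width, self.height) / 2.0
        for epoch in range(epochs):
            frac = epoch / float(epochs)
            lr = lr0 * (1.0 - frac)              # learning rate decays linearly
            sigma = sigma0 * (1.0 - frac) + 0.5  # neighbourhood radius shrinks
            order = list(data)
            rng.shuffle(order)
            for vec in order:
                bx, by = self.bmu(vec)
                for (x, y), w in self.weights.items():
                    d2 = (x - bx) ** 2 + (y - by) ** 2
                    h = math.exp(-d2 / (2.0 * sigma * sigma))  # Gaussian neighbourhood
                    for i in range(self.dim):
                        w[i] += lr * h * (vec[i] - w[i])

    def quantization_error(self, data):
        """Mean distance between each input and the weight vector of its BMU."""
        return sum(euclid(self.weights[self.bmu(v)], v) for v in data) / len(data)


def make_dataset(seed=1):
    """Constructed feature vectors (not measurements from the slides):
    [TCP flow fraction, UDP flow fraction, normalised byte rate, normalised hosts/hour].
    Two behaviour profiles, each jittered, mimic web/news browsing and IPTV streaming."""
    rng = random.Random(seed)
    browsing = [0.7, 0.3, 0.1, 0.6]
    streaming = [0.4, 0.6, 0.9, 0.2]
    data = []
    for centre in (browsing, streaming):
        for _ in range(10):
            data.append([min(1.0, max(0.0, c + rng.uniform(-0.05, 0.05))) for c in centre])
    return browsing, streaming, data


def fingerprint_demo():
    """Train the map and report where the two behaviour profiles land."""
    browsing, streaming, data = make_dataset()
    som = SOM(4, 4, 4)
    qe_before = som.quantization_error(data)
    som.train(data)
    qe_after = som.quantization_error(data)
    return {
        "qe_before": qe_before,
        "qe_after": qe_after,
        "browsing_node": som.bmu(browsing),
        "streaming_node": som.bmu(streaming),
    }


if __name__ == "__main__":
    print(fingerprint_demo())
```

Once trained on flows of known applications, the map can be used as a fingerprint: an unknown application's feature vector is assigned to its best matching unit, and landing on a node far from any known benign profile is the kind of anomaly the conclusions slide refers to.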
Conclusions
Understanding Android application behaviour
- Network behaviour: generated flows
- System behaviour: generated logs
Machine learning techniques
- Process mining: extract the running behaviour
- Self-organizing Maps: characterize application behaviour
This represents a first step toward automated fingerprinting of Android applications
- Goal: characterize malicious applications