Post on 07-Jul-2015
Android Malware Heuristics
Masata Nishida
AVTOKYO 2012
2012/11/17
(Photo: Android Lineup – Beige By .RGB.)
Who am I?
Masata Nishida
• SecureBrain, Advanced Research Laboratory
• I’m not a malware researcher; I’m just a software developer.
• Rubyist
• @masata_masata
Today’s Theme
This topic was also presented at CSS 2012.
• CSS (Computer Security Symposium) 2012
  – 2012/10/30-11/01
  – Matsue City, Shimane Prefecture
Title: “Android Malware Heuristics using Digital Certificates”
Japanese Title: 署名情報を利用したAndroid マルウェアの推定手法の提案
(A proposed method for identifying Android malware using signing information)
Android malware is increasing
explosively!!
(Photo: High Sheeps By Bertoz)
Source: McAfee Threat Report: Second Quarter 2012 By McAfee Labs
Everyone says: “Android malware is increasing explosively!!”
But... what is the reality?
Although the number of malware samples is rapidly increasing, we don’t actually have much insight into what is behind the growth.
Today we will focus on the certificates used to sign malicious Android apps. From that angle we can see another side of Android malware.
(Photo: DSC_6557 By euthman)
Background
• Every Android application must be digitally signed before it can be installed.
• A self-signed certificate can be used; no CA is involved and the subject is not validated.
• The signature information is in the META-INF/ directory of the APK file (a zip archive): MANIFEST.MF, the *.SF signature file, and the PKCS#7 signature block (*.RSA or *.DSA), which embeds the signer’s certificate.
(Photo: Marriage Certificate By The Gearys)
Question
How many Android malware samples use the same certificate?
(Photo: Thinking… By Mr Tickle)
I’m bored. I counted the number
of unique certificates in Android malware samples.
First, collect malware samples
• Target: Android malware samples
  – about 15,000 samples
  – including many polymorphic samples
Family         Samples
FakeInst         4,911
Kmin             2,464
OpFake           2,360
Boxer            1,399
DroidKungFu        824
Lotoor             432
GingerMaster       272
SmsSend            221
SmsAgent           209
JiFake             137
Others           1,488
Total           14,717
(Photo: Catching Bugs, II, III By New Mexico Forestry Camp)
Then count the certificates.
(Photo: Microscope Night By Machine Project)
Counting certificates requires a lot of patience...
The result…
Unique certificates: 14,717 samples, 589 certificates
(on average about 25 samples per certificate)
Many malware samples use the same certificate!!
FakeInst: 4,911 samples, 31 certificates
Polymorphic malware samples also share the same certificates.
(Figure: polymorphic FakeInst samples)
Most reused certificate: used by 2,602 samples (about 18% of the whole corpus)
(Figure: polymorphic samples)
Period of use
Certificates used for over a year: 13 certificates (2,764 samples).
Some certificates stay in use for a long time.
The Movie (Dougalek)
• An incident in Japan (Apr. 2012)
• The malware was distributed through Google Play.
  – About 50 malicious apps.
  – 7 developer accounts were used.
• The malware sends private information to an external server.
• The application names follow the pattern “xxx the Movie”.
  – “xxx” is replaced with the name of a pop star or a famous game.
• Installed on over 90,000 devices.
• About 12,000,000 pieces of personal information were sent to the external server.
• The suspects were arrested last month (30 Oct 2012).
Japan-specific malware
The Movie (Dougalek): 24 samples, 7 certificates (matching the 7 developer accounts)
Today’s Conclusion
(Photo: New Blackboard By uncultured)
Many Android malware samples are signed
with the same certificate.
We can detect new malware using the
certificates of well-known malware.
(for now…)
(Photo: The Detective By paurian)
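The certificate extraction from the Background slide, the per-certificate counting that produced the numbers above, and the detection heuristic in the conclusion, as one added example in Ruby. This is not code from the talk or from ruby_apk; it uses only Ruby’s bundled OpenSSL library. The sample names, dates, signature-file contents and signer names are constructed, and zip handling is left out: for a real APK, feed in the raw bytes of META-INF/*.RSA (for example from `unzip -p sample.apk 'META-INF/*.RSA'`).

```ruby
# Added example: certificate-based clustering of Android samples, written for
# this page and not taken from the talk or from ruby_apk. Only Ruby's bundled
# OpenSSL library is used. Sample names, dates, signature files and signer
# subjects below are constructed; for real APKs feed in the bytes of
# META-INF/*.RSA (e.g. `unzip -p sample.apk 'META-INF/*.RSA'`).
require 'openssl'

# Self-signed developer certificate, as produced by the keytool step of the
# Android SDK: Android validates nothing in the subject, only the key matters.
def make_self_signed(cn)
  key  = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1 << 31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 25 * 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Bytes of META-INF/CERT.RSA: a DER PKCS#7 SignedData carrying a detached
# signature over the signature file (CERT.SF in a real APK).
def sign_manifest(cert, key, sf_data)
  flags = OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::DETACHED
  OpenSSL::PKCS7.sign(cert, key, sf_data, [], flags).to_der
end

# Clustering key used in the talk: the signer certificate. SHA-1 over the DER
# certificate is the value `keytool -printcert` and `openssl x509 -fingerprint
# -sha1` report, so lists can be exchanged with other tools.
def cert_fingerprint(cert_rsa_der)
  signer = OpenSSL::PKCS7.new(cert_rsa_der).certificates.first
  OpenSSL::Digest::SHA1.hexdigest(signer.to_der)
end

# Sanity check before trusting the fingerprint: the embedded certificate must
# actually verify the signature, otherwise CERT.RSA was merely copied in.
# NOVERIFY skips chain building, which is meaningless for self-signed certs.
def signature_valid?(cert_rsa_der, sf_data)
  p7 = OpenSSL::PKCS7.new(cert_rsa_der)
  flags = OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::BINARY
  p7.verify([], OpenSSL::X509::Store.new, sf_data, flags)
end

# samples: [{ name:, seen:, sf:, cert_rsa: }] -> { fingerprint => stats }
# Also records the period of use (first/last seen) per certificate.
def cluster_by_certificate(samples)
  clusters = Hash.new { |h, k| h[k] = { samples: [], first_seen: nil, last_seen: nil } }
  samples.each do |s|
    next unless signature_valid?(s[:cert_rsa], s[:sf])
    c = clusters[cert_fingerprint(s[:cert_rsa])]
    c[:samples] << s[:name]
    c[:first_seen] = [c[:first_seen], s[:seen]].compact.min
    c[:last_seen]  = [c[:last_seen], s[:seen]].compact.max
  end
  clusters
end

# The heuristic from the conclusion: an unknown APK signed with a certificate
# already seen on known malware is flagged.
def signed_by_known_malware_cert?(known_fingerprints, cert_rsa_der)
  known_fingerprints.include?(cert_fingerprint(cert_rsa_der))
end

# ---- constructed corpus (no real malware involved) ----
FAKEINST_CERT, FAKEINST_KEY = make_self_signed('reused FakeInst signer')
OTHER_CERT, OTHER_KEY       = make_self_signed('unrelated developer')

# Three "polymorphic" variants: different code (different digest lines in the
# signature file) but one signing key, plus one unrelated app.
SAMPLES = [
  ['fakeinst_v1.apk', Time.utc(2011, 9, 1),  "SHA1-Digest: aaa\n", FAKEINST_CERT, FAKEINST_KEY],
  ['fakeinst_v2.apk', Time.utc(2012, 3, 15), "SHA1-Digest: bbb\n", FAKEINST_CERT, FAKEINST_KEY],
  ['fakeinst_v3.apk', Time.utc(2012, 10, 2), "SHA1-Digest: ccc\n", FAKEINST_CERT, FAKEINST_KEY],
  ['weather.apk',     Time.utc(2012, 6, 20), "SHA1-Digest: ddd\n", OTHER_CERT, OTHER_KEY]
].map do |name, seen, sf, cert, key|
  { name: name, seen: seen, sf: sf, cert_rsa: sign_manifest(cert, key, sf) }
end

CLUSTERS = cluster_by_certificate(SAMPLES)
# Fingerprints of certificates already seen on known malware (here: FakeInst).
KNOWN_BAD = [cert_fingerprint(SAMPLES[0][:cert_rsa])]

if __FILE__ == $0
  CLUSTERS.each do |fp, c|
    puts "#{fp[0, 16]}...  #{c[:samples].size} samples  #{c[:first_seen].year}-#{c[:last_seen].year}"
  end
  new_variant = sign_manifest(FAKEINST_CERT, FAKEINST_KEY, "SHA1-Digest: eee\n")
  puts "new variant flagged: #{signed_by_known_malware_cert?(KNOWN_BAD, new_variant)}"
end
```

Two caveats for anyone applying this to current samples. Because anyone can mint a self-signed certificate, the match only catches reuse of an existing signing key; an author who generates a fresh key per sample is invisible to it, which is the “for now” in the conclusion. And APKs signed with the v2/v3 schemes introduced in Android 7.0 keep their signature in the APK Signing Block rather than in META-INF, so for those the signer certificate has to be read from there (for example with `apksigner verify --print-certs`) before the same fingerprint lookup applies.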
Many Android malware samples are signed
with the same certificate.
Are there simply not that many malware developers??
or
Are the certificates’ private keys shared
between malware developers??
(Photo: DSC_6565 By euthman)
END
[Appendix] apk analysis library for Ruby
• Open Source
  – Source: https://github.com/securebrain/ruby_apk
  – Install: “$ gem install ruby_apk”
• Requirements
  – Ruby 1.9.x
• Features
  – AndroidManifest.xml analysis
    • components (activity, service, receiver, provider)
    • uses-permission, intent-filter, …
  – Extract files from the apk
  – resource analysis (partial)
  – dex analysis (partial)
    • Extract classes, methods, fields, strings