UpDroid: Updated Android Malware and Its Familial...
![Page 1: UpDroid: Updated Android Malware and Its Familial ...aselcuk.etu.edu.tr/SiberGuvenlikGunu-2019.12.23/KursatAktas.pdf · 21 malware families, 2479 malware samples. Family Classification](https://reader036.fdocuments.in/reader036/viewer/2022062604/5f77acb07397802b1d4ef412/html5/thumbnails/1.jpg)
UpDroid: Updated Android Malware and
Its Familial Classification
Kursat Aktas, Assoc. Prof. Sevil Sen
WISE Lab, Hacettepe University
Mobile Security
📫 New mobile variants.
- Android is among the most targeted platforms by attackers.
- Mobile devices are usually protected by static analysis-based solutions.
  - Vulnerable to new attacks.
  - Vulnerable to new variants of existing attacks.
Updating
o One of the most effective evasion strategies.
Update attacks
o Does not contain any malicious code at the installation phase.
o Adds its malicious code at runtime.
UpDroid: Updated Android Malware
Collecting Apps
Koodous
o Recently submitted applications
o Not detected by other analysts
o Containing at least one loading activity
o Collected 11490 apps
Apkpure
o Most popular apps from each category
o Collected 6299 apps
Analysis of Apps
Each app is run for 15 minutes.
DroidBox outputs are collected.
Three filtering mechanisms
1. loading + data leakage
2. loading + malicious network connection
3. native code loading signature + data leakage or malicious network connection
Dataset Validation
Sending potential candidate update attacks to VirusTotal.
o Detected by more than 10 AVs.
o Its dominant label belonging to an updated attack family.
o 82.66% of candidates confirmed as updated attacks.
o 7.1% of all connected samples missed our filtering mechanisms.
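The three filters and the VirusTotal confirmation step described above, as an added Python example that is not from the slides or the authors' tooling. The report layout (`dexload`, `native_sig`, `dataleaks`, `hosts`), the host blocklist and the family names are assumptions made for illustration, and AV labels are assumed to be already normalised to family names.

```python
from collections import Counter

# Assumed blocklist: the slides do not say how a connection is judged malicious.
BAD_HOSTS = {"c2.example.test"}

def matched_filters(report, bad_hosts=BAD_HOSTS):
    """Return which of the three slide filters (1-3) a sandbox report matches."""
    loading = bool(report.get("dexload"))        # code loaded at runtime
    native = bool(report.get("native_sig"))      # native code loading signature hit
    leak = bool(report.get("dataleaks"))
    bad_net = any(h in bad_hosts for h in report.get("hosts", []))
    hits = []
    if loading and leak:
        hits.append(1)
    if loading and bad_net:
        hits.append(2)
    if native and (leak or bad_net):
        hits.append(3)
    return hits

def confirmed(av_labels, update_families):
    """Slide criteria: detected by more than 10 AVs, dominant label in an update family.

    av_labels maps engine name -> family label, or None when the engine is clean.
    Labels are assumed already normalised to family names.
    """
    detections = [label for label in av_labels.values() if label]
    if len(detections) <= 10:
        return False
    dominant = Counter(detections).most_common(1)[0][0]
    return dominant in update_families

def triage(report, av_labels, update_families):
    hits = matched_filters(report)
    ok = bool(hits) and confirmed(av_labels, update_families)
    return {"filters": hits, "confirmed": ok}

# Constructed sample data (not from the UpDroid dataset).
SAMPLE_REPORT = {
    "dexload": ["/data/data/com.example.app/cache/payload.dex"],
    "native_sig": False,
    "dataleaks": [{"sink": "network", "tag": "IMEI"}],
    "hosts": ["cdn.example.test"],
}
SAMPLE_LABELS = {"engine%d" % i: "family_a" for i in range(9)}
SAMPLE_LABELS.update({"engine9": "family_b", "engine10": "family_b", "engine11": None})

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, SAMPLE_LABELS, {"family_a"}))
```
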
UpDroid Overview
21 malware families, 2479 malware samples
Family Classification
o Mobile malware variants are on the rise.
o Commercial AVs are not reliable.
o Minimize the number of samples to be analysed.
o Help to decrease the analysis time.
Static + Dynamic features
Family Classification Results
Static Analysis-Based Approaches
Confusion Matrix for the Last5Y dataset
Conclusion
A new dataset, UpDroid, is introduced.
Acknowledgement
This study is supported by TUBITAK (the project 115E150).
THE SCIENTIFIC AND TECHNOLOGICAL RESEARCH COUNCIL OF TURKEY