Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

CopperDroid - On the Reconstruction of Android Apps Behaviors

The document discusses CopperDroid, a project that aims to reconstruct the behaviors of Android apps through dynamic analysis. It provides background on the speaker, Lorenzo Cavallaro, and his affiliations. It also discusses the MobSec project, which uses techniques like CopperDroid to analyze mobile threats and develop mitigations.

1 of 76
Download to read offline

1

COPPERDROID On the Reconstruction of Android Apps Behaviors March 21, 2014 FACE Kick-Off Meeting Lorenzo Cavallaro Information Security Group Royal Holloway University of London

2

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions WHO AM I? Post-doc researcher, VU Amsterdam, working with: (Jan 2010—Dec 2011) → Prof. Andy Tanenbaum (OS dependability) → Prof. Herbert Bos (memory errors, malware analysis, and taint analysis) Post-doc researcher, UC at Santa Barbara, working with: (Apr 2008—Jan 2010) → Prof. Giovanni Vigna and Prof. Christopher Kruegel (malware analysis and detection) Visiting PhD student, Stony Brook University, working with: (Sep 2006—Feb 2008) → Prof. R. Sekar (memory errors protections, taint analysis, malware analysis) 2

3

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions WHO AM I? Post-doc researcher, VU Amsterdam, working with: (Jan 2010—Dec 2011) → Prof. Andy Tanenbaum (OS dependability) → Prof. Herbert Bos (memory errors, malware analysis, and taint analysis) Post-doc researcher, UC at Santa Barbara, working with: (Apr 2008—Jan 2010) → Prof. Giovanni Vigna and Prof. Christopher Kruegel (malware analysis and detection) Visiting PhD student, Stony Brook University, working with: (Sep 2006—Feb 2008) → Prof. R. Sekar (memory errors protections, taint analysis, malware analysis) .. Jan 2012 Lecturer (∼Assistant Professor) in the ISG Jan 2014 Senior Lecturer (∼Associate Professor) in the ISG Information Security Group, Royal Holloway University of London <lorenzo.cavallaro@rhul.ac.uk> — http://www.isg.rhul.ac.uk/sullivan 2

4

ROYAL HOLLOWAY UNIVERSITY OF LONDON

5

CopperDroid - On the Reconstruction of Android Apps Behaviors

6

CopperDroid - On the Reconstruction of Android Apps Behaviors

7

CopperDroid - On the Reconstruction of Android Apps Behaviors

8

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ROYAL HOLLOWAY UNIVERSITY OF LONDON Founded in 1879 by Thomas Holloway → Entrepreneur and Philanthropist → Holloway's pills and ointments Located in Egham, Surrey, close to LHR and London 7

9

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ROYAL HOLLOWAY UNIVERSITY OF LONDON (CONT.) Royal status in 1886 by Queen Victoria Three faculties, 18 academic departments, 9,000+ undergraduate and postgraduate students from over 100 different countries Academic Centre of Excellence in Cyber Security Research Centre for Doctoral Training in Cyber Security 8

10

S2 LAB

11

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH Goal To enhance the Information Security Group's research activities at Royal Holloway, establishing a Systems Security Lab (S2Lab) 10

12

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH > PROJECTS Goal To enhance the Information Security Group's research activities at Royal Holloway, establishing a Systems Security Lab (S2Lab) 1. CySeCa: Cyber Security Cartography (co-I) → Oct 2012—Apr 2016 2. Botnet: Mining the Network Behaviors of Bots (PI) → Jun 2013—2016 3. MobSec: Mobile and Malware in the Mobile Age (PI) → Jun 2014—2018 Soon available at http://s2lab.isg.rhul.ac.uk (WIP) 10

13

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH > PROJECT > MOBSEC Jun 2014—2018: £747,777 EPSRC-funded project (EP/L022710/1) Goals MobSec aims at exploring mobile-related threats, developing comprehensive mitigation techniques 1. Mobile application analyses to understand the threat, e.g.: → Comprehensive reconstruction of Android apps behaviors → Identification of malware-triggered actions → Stimulation of complex UI interactions 2. Evasion-resistant information leakage solutions 11

14

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH > PROJECT > MOBSEC Jun 2014—2018: £747,777 EPSRC-funded project (EP/L022710/1) Goals MobSec aims at exploring mobile-related threats, developing comprehensive mitigation techniques 3. Detection of malicious mobile applications and automatic enforcement of fine-grained security policies 4. Hardware-supported virtualization to provide efficient in-device protection against mobile threats 11

15

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH > PROJECT > MOBSEC > PEOPLE Dr Lorenzo Cavallaro → Principal Investigator → Information Security Group at Royal Holloway University of London Dr Johannes Kinder → Co-Investigator → Department of Computer Science at Royal Holloway University of London Dr Igor Muttik → Project Partner → Senior Principal Architect at Intel Security (McAfee Labs UK) 12

16

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH > PROJECT > MOBSEC > PEOPLE Dr Lorenzo Cavallaro → Principal Investigator → Information Security Group at Royal Holloway University of London Dr Johannes Kinder → Co-Investigator → Department of Computer Science at Royal Holloway University of London Dr Igor Muttik → Project Partner → Senior Principal Architect at Intel Security (McAfee Labs UK) .. In addition… Kimberly Tam, PhD student in the ISG at Royal Holloway Salahuddin J. Khan, PhD student in the ISG at Royal Holloway Collaboration with: → Università degli Studi di Milano, Italy → Politecnico di Milano, Italy I am hiring: 2 PostDoc Research Assistants! 12

17

COPPERDROID

18

CopperDroid - On the Reconstruction of Android Apps Behaviors

19

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions MCAFEE Q2 2013 15

20

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions MCAFEE Q2 2013 .. 1. Banking malware 2. (Fake) adult entertainment and dating apps 3. Weaponized legitimate apps that steal user data 4. Fake app installers that actually install spyware Can current techniques deal with this (new) threat? 15

21

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions THE (NOT SO SHORT) INTRODUCTION TO ANDROID Modified Linux kernel Android apps written (mostly) in Java and run in a Java-like (Dalvik) VM as userspace processes Native code may be executed through JNI or native (NDK) Apps logically divided in components → Activity, e.g., GUI components → Services, similar to UNIX daemons → Broadcast Receivers, to act upon the receipt of specific events, e.g., phone call, SMS → Content Providers, storage-agnostic ACL-controlled abstractions to access data 16

22

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ANDROID SECURITY MODEL No application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user 17

23

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ANDROID SECURITY MODEL No application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user Sandboxing Every App has its own UID/GID to enforce system-wide DAC Permissions To be granted a permission, App must explicitly request it (e.g., send an SMS, place a call) 17

24

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ANDROID SECURITY MODEL No application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user Sandboxing Every App has its own UID/GID to enforce system-wide DAC Permissions To be granted a permission, App must explicitly request it (e.g., send an SMS, place a call) All types of applications—Java, native, and hybrid—are sandboxed in the same way and have the same degree of security from each other 17

25

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions INTENTS An abstract representation of an operation to be performed Intent Meaning per Recipient Activity: an action that must be performed (e.g., to send an e-mail, an App will broadcast the corresponding intent; the email activity will therefore be executed) Service: similar to activity Receiver: a container for received data. 18

26

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions MANIFEST FILE <?xml version="1.0" encoding="utf-8"?> <manifest xmlns:android="http://schemas.android.com/[...]" package="test.AndroidSMS" android:versionCode="1" android:versionName="1.0"> <uses-permission android:name="[...].RECEIVE_SMS" /> <uses-permission android:name="[...].SEND_SMS" /> <uses-permission android:name="[...].INTERNET" /> <application android:label="@string/app_name" > <receiver android:name=".SMSReceiver"> <intent-filter> <action android:name="test.AndroidSMS.SMS_RECEIVED" /> </intent-filter> </receiver> </application> 19

27

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions MANIFEST FILE <?xml version="1.0" encoding="utf-8"?> <manifest xmlns:android="http://schemas.android.com/[...]" package="test.AndroidSMS" android:versionCode="1" android:versionName="1.0"> <uses-permission android:name="[...].RECEIVE_SMS" /> <uses-permission android:name="[...].SEND_SMS" /> <uses-permission android:name="[...].INTERNET" /> <application android:label="@string/app_name" > <receiver android:name=".SMSReceiver"> <intent-filter> <action android:name="test.AndroidSMS.SMS_RECEIVED" /> </intent-filter> </receiver> </application> .. 19

28

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions MANIFEST FILE <?xml version="1.0" encoding="utf-8"?> <manifest xmlns:android="http://schemas.android.com/[...]" package="test.AndroidSMS" android:versionCode="1" android:versionName="1.0"> <uses-permission android:name="[...].RECEIVE_SMS" /> <uses-permission android:name="[...].SEND_SMS" /> <uses-permission android:name="[...].INTERNET" /> <application android:label="@string/app_name" > <receiver android:name=".SMSReceiver"> <intent-filter> <action android:name="test.AndroidSMS.SMS_RECEIVED" /> </intent-filter> </receiver> </application> .. 19

29

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions THE BINDER PROTOCOL IPC/RPC The Binder protocol enables fast inter-process communication between Apps or between Apps and the system. It also allows Apps to invoke other components' functions (e.g., to place a call or to send a SMS) AIDL The Android Interface Definition Language is used to define which methods of a service can be invoked remotely, among with their parameters. AIDL specifications for Android's core services are available online 20

30

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions THE BINDER PROTOCOL Binder Driver The Binder protocl core is implemented as a device driver. User- space processes (Apps) can interact with the driver through the /dev/binder virtual device ioctl ioctls are used to by Apps to interact with Binder. Each ioctl takes as argument a command and a data buffer BINDER_WRITE_READ Allows data to be sent/received among Apps 21

31

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions (ANDROID) MALWARE ANALYSIS .. Static . Instrum. . VMM .. ADAM .. DroidRanger .. RiskRanker .. DroidMOSS . Static . Instrum. . VMM .. DroidScope .. VetDroid .. Bouncer .. ParanoidAndroid .. ActEVE .. Aurasium .. TaintDroid .. Andrubis .. DroidBox 22

32

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions (ANDROID) MALWARE ANALYSIS: STATIC .. Static . Instrum. . VMM .. ADAM .. DroidRanger .. RiskRanker .. DroidMOSS . Pros • Many information in the Manifest • Java is relatively easy to decompile • Potentially ``sees'' the whole behavior . Cons • Obfuscation & Optimization • Reflection • Dynamic code, Native code 22

33

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions (ANDROID) MALWARE ANALYSIS: DYNAMIC .. Static . Instrum. . VMM .. DroidScope .. VetDroid .. Bouncer .. ParanoidAndroid .. ActEVE .. Aurasium .. TaintDroid .. Andrubis .. DroidBox . Pros • Resilient to obfuscation • Potentially transparent (VMM) • Less comples than static . Cons • Code coverage • VMI can be cumbersome (VMM) • Instrumentation can be detected 22

34

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SYSTEM-CALL CENTRIC ANALYSIS OF ANDROID MALWARE? Traditional Roots A well-established technique to characterize process behaviours Can it be applied to Android? Android architecture is different than traditional devices Are all the interesting behaviours achieved through system calls? → Dalvic VM (Android-specific behaviours, e.g., SMS, phone calls) → OS interactions (e.g., creating a file, network communication) 23

35

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions COPPERDROID Analysis Goal Automatically reconstructs the behaviors of Android (malicious) apps Unified system call-centric analysis → Obs: behaviors are eventually achieved via system interactions Avoids 2-level (complex) VMIs Avoids invasive modification of the Android system (in fact, none) Android version-independent Dynamically stimulates Apps to disclose additional behaviors Extensive evaluation on 2,900+ Android malware 24

36

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions COPPERDROID Analysis Goal Automatically reconstructs the behaviors of Android (malicious) apps Unified system call-centric analysis → Obs: behaviors are eventually achieved via system interactions Avoids 2-level (complex) VMIs Avoids invasive modification of the Android system (in fact, none) Android version-independent Dynamically stimulates Apps to disclose additional behaviors Extensive evaluation on 2,900+ Android malware .. Check it out at http://copperdroid.isg.rhul.ac.uk 24

37

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ARCHITECTURE ... CopperDroid Emulator . Android OS . Dalvik . Android/Linux Kernel .. CopperDroid Framework . System Call Tracking . Binder Analysis . RSP 25

38

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SYSTEM CALLS ON LINUX ARM Invoking Syscalls Like on Intel, on ARM architecture invoking a system call induces a user-to-kernel transiction. (current CPL is stored in the cpsr register) System calls on Linux ARM On ARM invoked through the swi instruction (SoftWare Interrupt) r7 contains the number of the invoked system call r0-r5 contain parameters lr contains the return address 26

39

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions TRACKING SYSTEM CALLS System Call Analysis Intercept when a system call is invoked We need to intercept return to user-space too! There is no SYSEXIT/SYSRET to intercept Not every system call actually returns to lr (e.g., exit, execve) CopperDroid's Approach instruments QEMU's emulation of the swi instruction instruments QEMU to intercept every cpsr_write (Kernel → User) 27

40

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions TRACKING SYSTEM CALLS System Call Analysis Intercept when a system call is invoked We need to intercept return to user-space too! There is no SYSEXIT/SYSRET to intercept Not every system call actually returns to lr (e.g., exit, execve) CopperDroid's Approach instruments QEMU's emulation of the swi instruction instruments QEMU to intercept every cpsr_write (Kernel → User) [c5b02000 - 35 - 35 - zygote] fork( ) = 0x125 [c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23 [c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0 [c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0 [c1c18000 - 293 - 293 - zygote] open(/acct/uid/0/tasks, ... [c1c18000 - 293 - 293 - zygote] fstat64( 0x13, 0xbef7f910 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0 [c1c18000 - 293 - 293 - zygote] write( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1 27

41

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BRIDGING THE SEMANTIC GAP When dealing with out-of-the-box analyses it is essential to retrieve information about the analyzed system CopperDroid VMI CopperDroid inspects the Android kernel to retrieve the follow- ing: Process names PIDs & TIDs Process resources … 28

42

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BRIDGING THE SEMANTIC GAP Observation: when executing kernel code, the base of the stack points to the current executing thread. . 29

43

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BRIDGING THE SEMANTIC GAP Observation: when executing kernel code, the base of the stack points to the current executing thread. .. arch/arm/include/asm/thread_info.h . #define THREAD_SIZE 8192 static inline struct thread_info *current_thread_info(void) { register unsigned long sp asm ("sp"); return (struct thread_info *)(sp & ~(THREAD_SIZE − 1)); } 29

44

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BRIDGING THE SEMANTIC GAP Observation: when executing kernel code, the base of the stack points to the current executing thread. .. struct thread_info . struct thread_info { unsigned long flags; int preempt_count; mm_segment_t addr_limit; struct task_struct *task; /* main task structure */ ... } 29

45

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BRIDGING THE SEMANTIC GAP Observation: when executing kernel code, the base of the stack points to the current executing thread. .. struct task_struct . struct task_struct { volatile long state; void *stack; ... pid_t pid; pid_t tgid; ... char comm[TASK_COMM_LEN]; ... } 29

46

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER The Binder protocol is the core of Android IPC/RPC Intents are carried through binder Interactions with the system go through binder Binder driver enforces (some) permission policies For example, applications cannot send SMSs on their own, but must invoke (RPC) the proper system service to do that. . 30

47

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . SmsManager sms = SmsManager.getDefault(); sms.sendTextMessage("7855551234", null, "Hi There", null, null); 30

48

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . public void sendTextMessage(...) { ... ISms iccISms = ISms.Stub.asInterface(ServiceManager.getService("isms")); if (iccISms != null) iccISms.sendText(destinationAddress, scAddress, text, sentIntent, deliveryIntent); ... 30

49

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . com.android.internal.telephony.ISms . public void sendText(...) { android.os.Parcel _data = android.os.Parcel.obtain(); try { _data.writeInterfaceToken(DESCRIPTOR); _data.writeString(destAddr); ... mRemote.transact(Stub.TRANSACTION_sendText, _data, _reply, 0); } 30

50

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . com.android.internal.telephony.ISms . Kernel (drivers/staging/android/binder.c) . ioctl 30

51

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . com.android.internal.telephony.ISms . Kernel (drivers/staging/android/binder.c) . ioctl . CopperDroid 30

52

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . com.android.internal.telephony.ISms . Kernel (drivers/staging/android/binder.c) . ioctl .ioctl(4, 0xc0186201, ... x4bx00x00x00x49x00x20x00x74x00x61x00 x6bx00x65x00x20x00x70x00x6cx00x65x00 x61x00x73x00x75x00x72x00x65x00x20x00 x69x00x6ex00x20x00x68x00x75x00x72x00 x74x00x69x00x6ex00x67x00x20x00x73x00 ...) 30

53

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . com.android.internal.telephony.ISms . Kernel (drivers/staging/android/binder.c) . ioctl .ioctl(/dev/binder, BINDER_WRITE_READ, ... InterfaceToken = com.android.internal.telephony.ISms, method: sendText, destAddr = 7855551234, scAddr = , text = Hi There ...) 30

54

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER CopperDroid deeply inspects the Binder protocol intercepting a subset of the ioctls issued by userspace Apps. .. write_size . write_consumed .write_buffer . read_size . … . BC_* . Params . BC_TR . Params . BC_* . Params .. ioctl(binder_fd, BINDER_WRITE_READ, &binder_write_read); . 31

55

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER CopperDroid analyzes BC_TRANSACTIONs and BC_REPLYs BC_* Params BC_TR Params BC_* Params target code uid … data_size buffer InterfaceToken Param 1 Param 2 … struct binder_transaction_data 32

56

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER CopperDroid analyzes BC_TRANSACTIONs and BC_REPLYs ... BC_* . Params . BC_TR . Params . BC_* . Params .. target . code . uid . … . data_size . buffer . InterfaceToken . Param 1 . Param 2 . … .. struct binder_transaction_data . ISms.sendText(78555.., ``Hi there'') 32

57

Automatic Android Objects Unmarshalling

58

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions AUTOMATIC ANDROID OBJECTS UNMARSHALLING Primitive types (e.g., String) are easy to unmarshall → Limited number of manually-written procedures A manual-driven approach for complex Android objects is cumbersome → 300+ Android objects (increasing from version to version) → Manual-driven approach is error-prone and not scientifically exciting We ask to an unmarshalling Oracle! 34

59

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions THE UNMARSHALLING ORACLE ... CopperDroid Emulator .. Android Emulator . Oracle.. CopperDroid's Analyses . Binder Analysis . Interface Token Identifier . Unmarshalled Paramemters . System Call Analysis . Resource Reconstruction . RSP .. TCP . 35

60

Resource Reconstructor

61

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESOURCE RECONSTRUCTOR Useful to abstract a stream of low-level events into high-level behaviors We build a data dependence graph (DPD) → Nodes are system calls → Edges represent data dependency We then identify def-use chains to cluster related system calls together 37

62

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SAMPLE COPPERDROID OUTPUT [c5b02000 - 35 - 35 - zygote] fork( ) = 0x125 [c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23 [c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0 [c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0 [c1c18000 - 293 - 293 - zygote] open(/acct/uid/0/tasks, ...) = 0x13 [c1c18000 - 293 - 293 - zygote] fstat64( 0x13, 0xbef7f910 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0 [c1c18000 - 293 - 293 - zygote] write( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1 [c1c18000 - 293 - 293 - zygote] close( 0x13 ) = 0x0 [c1c18000 - 293 - 293 - zygote] prctl( 0x8, 0x1, 0x0, 0x0, 0x0 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgroups32( 0x2, 0xbef7fa20 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgid32( 0x2722 ) = 0x0 [c1c18000 - 293 - 293 - zygote] open( /acct/uid/10018/tasks, 0x20242, 0x1b6 ) = 0xfffffffe 38

63

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SAMPLE COPPERDROID OUTPUT [c5b02000 - 35 - 35 - zygote] fork( ) = 0x125 [c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23 [c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0 [c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0 [c1c18000 - 293 - 293 - zygote] open (/acct/uid/0/tasks, 0x20242, 0x1b6) = 0x [c1c18000 - 293 - 293 - zygote] fstat64 ( 0x13 , 0xbef7f910 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0 [c1c18000 - 293 - 293 - zygote] write ( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1 [c1c18000 - 293 - 293 - zygote] close ( 0x13 ) = 0x0 [c1c18000 - 293 - 293 - zygote] prctl( 0x8, 0x1, 0x0, 0x0, 0x0 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgroups32( 0x2, 0xbef7fa20 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgid32( 0x2722 ) = 0x0 [c1c18000 - 293 - 293 - zygote] open( /acct/uid/10018/tasks, 0x20242, 0x1b6 ) = 0xfffffffe 39

64

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SAMPLE COPPERDROID OUTPUT [c5b02000 - 35 - 35 - zygote] fork( ) = 0x125 [c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23 [c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0 [c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0 [c1c18000 - 293 - 293 - zygote] open (/acct/uid/0/tasks, 0x20242, 0x1b6) = 0x [c1c18000 - 293 - 293 - zygote] fstat64 ( 0x13 , 0xbef7f910 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0 [c1c18000 - 293 - 293 - zygote] write ( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1 [c1c18000 - 293 - 293 - zygote] close ( 0x13 ) = 0x0 [c1c18000 - 293 - 293 - zygote] prctl( 0x8, 0x1, 0x0, 0x0, 0x0 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgroups32( 0x2, 0xbef7fa20 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgid32( 0x2722 ) = 0x0 [c1c18000 - 293 - 293 - zygote] open( /acct/uid/10018/tasks, 0x20242, 0x1b6 ) = 0xfffffffe Group as one action: File Access 39

65

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SAMPLE COPPERDROID OUTPUT [c5b02000 - 35 - 35 - zygote] fork( ) = 0x125 [c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23 [c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0 [c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0 [c1c18000 - 293 - 293 - zygote] open (/acct/uid/0/tasks, 0x20242, 0x1b6) = 0x [c1c18000 - 293 - 293 - zygote] fstat64 ( 0x13 , 0xbef7f910 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0 [c1c18000 - 293 - 293 - zygote] write ( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1 [c1c18000 - 293 - 293 - zygote] close ( 0x13 ) = 0x0 [c1c18000 - 293 - 293 - zygote] prctl( 0x8, 0x1, 0x0, 0x0, 0x0 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgroups32( 0x2, 0xbef7fa20 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgid32( 0x2722 ) = 0x0 [c1c18000 - 293 - 293 - zygote] open( /acct/uid/10018/tasks, 0x20242, 0x1b6 ) = 0xfffffffe Recreates file "tasks" with path /acct/uid/0/tasks and "0" written to it 39

66

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions APPS STIMULATION .. .. (Android) malware needs to be properly stimulated to trigger additional behaviors and increase coverage of dynamic analysis. CopperDroid Ad-Hoc Stimuli 1. Identifies events the target reacts to (mostly contained in the Manifest file) 2. During the analysis, injects custom events (of those identified as useful) 40

67

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions APPS STIMULATION ... CopperDroid Emulator . Android OS . Dalvik VM . Linux Kernel .. CopperDroid Analysis . System Call Tracking . Binder Analysis . Dalvik Method Tracking . RSP .. To inject events CopperDroid leverages MonkeyRunner 41

68

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions EVALUATION 1,200 malware from the Android Malware Genome Project, 395 from the Contagio repository, and 1,300+ from McAfee.. 28% additional behaviors on 60% of Genome samples 22% additional behaviors on 73% of Contagio samples 28% additional behaviors on 61% of McAfee samples # Malware Stim. Samples w/ Behavior Incr. Behavior Family Add. Behav. w/o Stim. w/ Stimuli 1 ADRD 3.9 17/21 7.24 4.5 (63%) 2 AnserverBot 3.9 186/187 31.52 8.2 (27%) 3 BaseBridge 2.9 70/122 16.44 5.2 (32%) 4 BeanBot 3.1 4/8 0.12 3.8 (3000%) 5 CruseWin 4.0 2/2 1.00 2.0 (200%) 6 GamblerSMS 4.0 1/1 1.00 3.0 (300%) 7 SMSReplicator 4.0 1/1 0.00 6.0 (⊥) 8 Zsone 5.0 12/12 16.67 3.8 (23%) 42

69

OBSERVED BEHAVIORS

70

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BEHAVIORAL MINDMAP ..Behavior. Exec external application .. Shell . Generic . Privilege escalation . Install APK . Access Personal Info. . . SMS . Contacts . Phone Info. . Location . Network Access . . HTTP . DNS . Other .SMS Send . . Make Call . . Alter FS . 44

71

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions Behavior Class No Stimulation Stimulation FS Access 889/1365 (65.13%) 912/1365 (66.81%) Access Personal Info. 558/1365 (40.88%) 903/1365 (66.15%) Network Access 457/1365 (33.48%) 461/1365 (33.77%) Exec. External Appf. 171/1365 (12.52%) 171/1365 (12.52%) Send SMS 38/1365 (2.78%) 42/1365 (3.08%) Make/Alter Call 1/1365 (0.07%) 55/1365 (4.03%) Table: Overall behavior breakdown of McAfee samples. 45

72

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions Behavior Class Subclass No Stim Stim Network Access Generic 483 489 HTTP 309 318 DNS 416 416 FS Access Write 889 912 Access Personal Info. SMS 32 266 Phone 510 559 Accounts 51 672 Location 143 147 Exec. External App. Generic 132 132 Priv. Esc. 103 103 Shell 73 73 Inst. APK 8 8 Send SMS --- 38 42 Make/Alter Call --- 1 55 Table: Detailed behavior breakdown of McAfee samples. 46

73

DEMO http://copperdroid.isg.rhul.ac.uk

74

CONCLUSIONS

75

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions CONCLUSIONS CopperDroid Goal Automatically reconstructs the behaviors of Android malware Unified system call-centric analysis that avoid 2-level VMIs → All the behaviors are eventually achieved via system interactions Automatic unmarshalling of Android objects → Online/offline Oracle analysis Dynamically stimulates Apps to disclose additional behaviors Extensive evaluation on 2,900+ Android malware (28% additional behaviors on 60% of Genome samples) (22% additional behaviors on 73% of Contagio samples) (28% additional behaviors on 61% of McAfee samples) 49

76

Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions CONCLUSIONS CopperDroid Goal Automatically reconstructs the behaviors of Android malware Unified system call-centric analysis that avoid 2-level VMIs → All the behaviors are eventually achieved via system interactions Automatic unmarshalling of Android objects → Online/offline Oracle analysis Dynamically stimulates Apps to disclose additional behaviors Extensive evaluation on 2,900+ Android malware (28% additional behaviors on 60% of Genome samples) (22% additional behaviors on 73% of Contagio samples) (28% additional behaviors on 61% of McAfee samples) .. 1. Available at http://copperdroid.isg.rhul.ac.uk 2. Ongoing project, basic step of the EPSRC-funded MobSec 2.1 Behavioral attribution 2.2 Information leak detection (no taint-tracking!) 2.3 Benign / Malicious Android malware detection 2.4 Automatic clustering and classification 2.5 UI-driven/aided symbolic execution 2.6 … 49

More Related Content

CopperDroid - On the Reconstruction of Android Apps Behaviors

  • 1. COPPERDROID On the Reconstruction of Android Apps Behaviors March 21, 2014 FACE Kick-Off Meeting Lorenzo Cavallaro Information Security Group Royal Holloway University of London
  • 2. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions WHO AM I? Post-doc researcher, VU Amsterdam, working with: (Jan 2010—Dec 2011) → Prof. Andy Tanenbaum (OS dependability) → Prof. Herbert Bos (memory errors, malware analysis, and taint analysis) Post-doc researcher, UC at Santa Barbara, working with: (Apr 2008—Jan 2010) → Prof. Giovanni Vigna and Prof. Christopher Kruegel (malware analysis and detection) Visiting PhD student, Stony Brook University, working with: (Sep 2006—Feb 2008) → Prof. R. Sekar (memory errors protections, taint analysis, malware analysis) 2
  • 3. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions WHO AM I? Post-doc researcher, VU Amsterdam, working with: (Jan 2010—Dec 2011) → Prof. Andy Tanenbaum (OS dependability) → Prof. Herbert Bos (memory errors, malware analysis, and taint analysis) Post-doc researcher, UC at Santa Barbara, working with: (Apr 2008—Jan 2010) → Prof. Giovanni Vigna and Prof. Christopher Kruegel (malware analysis and detection) Visiting PhD student, Stony Brook University, working with: (Sep 2006—Feb 2008) → Prof. R. Sekar (memory errors protections, taint analysis, malware analysis) .. Jan 2012 Lecturer (∼Assistant Professor) in the ISG Jan 2014 Senior Lecturer (∼Associate Professor) in the ISG Information Security Group, Royal Holloway University of London <lorenzo.cavallaro@rhul.ac.uk> — http://www.isg.rhul.ac.uk/sullivan 2
  • 8. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ROYAL HOLLOWAY UNIVERSITY OF LONDON Founded in 1879 by Thomas Holloway → Entrepreneur and Philanthropist → Holloway's pills and ointments Located in Egham, Surrey, close to LHR and London 7
  • 9. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ROYAL HOLLOWAY UNIVERSITY OF LONDON (CONT.) Royal status in 1886 by Queen Victoria Three faculties, 18 academic departments, 9,000+ undergraduate and postgraduate students from over 100 different countries Academic Centre of Excellence in Cyber Security Research Centre for Doctoral Training in Cyber Security 8
  • 11. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH Goal To enhance the Information Security Group's research activities at Royal Holloway, establishing a Systems Security Lab (S2Lab) 10
  • 12. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH > PROJECTS Goal To enhance the Information Security Group's research activities at Royal Holloway, establishing a Systems Security Lab (S2Lab) 1. CySeCa: Cyber Security Cartography (co-I) → Oct 2012—Apr 2016 2. Botnet: Mining the Network Behaviors of Bots (PI) → Jun 2013—2016 3. MobSec: Mobile and Malware in the Mobile Age (PI) → Jun 2014—2018 Soon available at http://s2lab.isg.rhul.ac.uk (WIP) 10
  • 13. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH > PROJECT > MOBSEC Jun 2014—2018: £747,777 EPSRC-funded project (EP/L022710/1) Goals MobSec aims at exploring mobile-related threats, developing comprehensive mitigation techniques 1. Mobile application analyses to understand the threat, e.g.: → Comprehensive reconstruction of Android apps behaviors → Identification of malware-triggered actions → Stimulation of complex UI interactions 2. Evasion-resistant information leakage solutions 11
  • 14. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH > PROJECT > MOBSEC Jun 2014—2018: £747,777 EPSRC-funded project (EP/L022710/1) Goals MobSec aims at exploring mobile-related threats, developing comprehensive mitigation techniques 3. Detection of malicious mobile applications and automatic enforcement of fine-grained security policies 4. Hardware-supported virtualization to provide efficient in-device protection against mobile threats 11
  • 15. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH > PROJECT > MOBSEC > PEOPLE Dr Lorenzo Cavallaro → Principal Investigator → Information Security Group at Royal Holloway University of London Dr Johannes Kinder → Co-Investigator → Department of Computer Science at Royal Holloway University of London Dr Igor Muttik → Project Partner → Senior Principal Architect at Intel Security (McAfee Labs UK) 12
  • 16. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESEARCH > PROJECT > MOBSEC > PEOPLE Dr Lorenzo Cavallaro → Principal Investigator → Information Security Group at Royal Holloway University of London Dr Johannes Kinder → Co-Investigator → Department of Computer Science at Royal Holloway University of London Dr Igor Muttik → Project Partner → Senior Principal Architect at Intel Security (McAfee Labs UK) .. In addition… Kimberly Tam, PhD student in the ISG at Royal Holloway Salahuddin J. Khan, PhD student in the ISG at Royal Holloway Collaboration with: → Università degli Studi di Milano, Italy → Politecnico di Milano, Italy I am hiring: 2 PostDoc Research Assistants! 12
  • 19. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions MCAFEE Q2 2013 15
  • 20. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions MCAFEE Q2 2013 .. 1. Banking malware 2. (Fake) adult entertainment and dating apps 3. Weaponized legitimate apps that steal user data 4. Fake app installers that actually install spyware Can current techniques deal with this (new) threat? 15
  • 21. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions THE (NOT SO SHORT) INTRODUCTION TO ANDROID Modified Linux kernel Android apps written (mostly) in Java and run in a Java-like (Dalvik) VM as userspace processes Native code may be executed through JNI or native (NDK) Apps logically divided in components → Activity, e.g., GUI components → Services, similar to UNIX daemons → Broadcast Receivers, to act upon the receipt of specific events, e.g., phone call, SMS → Content Providers, storage-agnostic ACL-controlled abstractions to access data 16
  • 22. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ANDROID SECURITY MODEL No application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user 17
  • 23. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ANDROID SECURITY MODEL No application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user Sandboxing Every App has its own UID/GID to enforce system-wide DAC Permissions To be granted a permission, App must explicitly request it (e.g., send an SMS, place a call) 17
  • 24. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ANDROID SECURITY MODEL No application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user Sandboxing Every App has its own UID/GID to enforce system-wide DAC Permissions To be granted a permission, App must explicitly request it (e.g., send an SMS, place a call) All types of applications—Java, native, and hybrid—are sandboxed in the same way and have the same degree of security from each other 17
  • 25. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions INTENTS An abstract representation of an operation to be performed Intent Meaning per Recipient Activity: an action that must be performed (e.g., to send an e-mail, an App will broadcast the corresponding intent; the email activity will therefore be executed) Service: similar to activity Receiver: a container for received data. 18
  • 26. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions MANIFEST FILE <?xml version="1.0" encoding="utf-8"?> <manifest xmlns:android="http://schemas.android.com/[...]" package="test.AndroidSMS" android:versionCode="1" android:versionName="1.0"> <uses-permission android:name="[...].RECEIVE_SMS" /> <uses-permission android:name="[...].SEND_SMS" /> <uses-permission android:name="[...].INTERNET" /> <application android:label="@string/app_name" > <receiver android:name=".SMSReceiver"> <intent-filter> <action android:name="test.AndroidSMS.SMS_RECEIVED" /> </intent-filter> </receiver> </application> 19
  • 27. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions MANIFEST FILE <?xml version="1.0" encoding="utf-8"?> <manifest xmlns:android="http://schemas.android.com/[...]" package="test.AndroidSMS" android:versionCode="1" android:versionName="1.0"> <uses-permission android:name="[...].RECEIVE_SMS" /> <uses-permission android:name="[...].SEND_SMS" /> <uses-permission android:name="[...].INTERNET" /> <application android:label="@string/app_name" > <receiver android:name=".SMSReceiver"> <intent-filter> <action android:name="test.AndroidSMS.SMS_RECEIVED" /> </intent-filter> </receiver> </application> .. 19
  • 28. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions MANIFEST FILE <?xml version="1.0" encoding="utf-8"?> <manifest xmlns:android="http://schemas.android.com/[...]" package="test.AndroidSMS" android:versionCode="1" android:versionName="1.0"> <uses-permission android:name="[...].RECEIVE_SMS" /> <uses-permission android:name="[...].SEND_SMS" /> <uses-permission android:name="[...].INTERNET" /> <application android:label="@string/app_name" > <receiver android:name=".SMSReceiver"> <intent-filter> <action android:name="test.AndroidSMS.SMS_RECEIVED" /> </intent-filter> </receiver> </application> .. 19
  • 29. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions THE BINDER PROTOCOL IPC/RPC The Binder protocol enables fast inter-process communication between Apps or between Apps and the system. It also allows Apps to invoke other components' functions (e.g., to place a call or to send a SMS) AIDL The Android Interface Definition Language is used to define which methods of a service can be invoked remotely, among with their parameters. AIDL specifications for Android's core services are available online 20
  • 30. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions THE BINDER PROTOCOL Binder Driver The Binder protocl core is implemented as a device driver. User- space processes (Apps) can interact with the driver through the /dev/binder virtual device ioctl ioctls are used to by Apps to interact with Binder. Each ioctl takes as argument a command and a data buffer BINDER_WRITE_READ Allows data to be sent/received among Apps 21
  • 31. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions (ANDROID) MALWARE ANALYSIS .. Static . Instrum. . VMM .. ADAM .. DroidRanger .. RiskRanker .. DroidMOSS . Static . Instrum. . VMM .. DroidScope .. VetDroid .. Bouncer .. ParanoidAndroid .. ActEVE .. Aurasium .. TaintDroid .. Andrubis .. DroidBox 22
  • 32. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions (ANDROID) MALWARE ANALYSIS: STATIC .. Static . Instrum. . VMM .. ADAM .. DroidRanger .. RiskRanker .. DroidMOSS . Pros • Many information in the Manifest • Java is relatively easy to decompile • Potentially ``sees'' the whole behavior . Cons • Obfuscation & Optimization • Reflection • Dynamic code, Native code 22
  • 33. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions (ANDROID) MALWARE ANALYSIS: DYNAMIC .. Static . Instrum. . VMM .. DroidScope .. VetDroid .. Bouncer .. ParanoidAndroid .. ActEVE .. Aurasium .. TaintDroid .. Andrubis .. DroidBox . Pros • Resilient to obfuscation • Potentially transparent (VMM) • Less comples than static . Cons • Code coverage • VMI can be cumbersome (VMM) • Instrumentation can be detected 22
  • 34. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SYSTEM-CALL CENTRIC ANALYSIS OF ANDROID MALWARE? Traditional Roots A well-established technique to characterize process behaviours Can it be applied to Android? Android architecture is different than traditional devices Are all the interesting behaviours achieved through system calls? → Dalvic VM (Android-specific behaviours, e.g., SMS, phone calls) → OS interactions (e.g., creating a file, network communication) 23
  • 35. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions COPPERDROID Analysis Goal Automatically reconstructs the behaviors of Android (malicious) apps Unified system call-centric analysis → Obs: behaviors are eventually achieved via system interactions Avoids 2-level (complex) VMIs Avoids invasive modification of the Android system (in fact, none) Android version-independent Dynamically stimulates Apps to disclose additional behaviors Extensive evaluation on 2,900+ Android malware 24
  • 36. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions COPPERDROID Analysis Goal Automatically reconstructs the behaviors of Android (malicious) apps Unified system call-centric analysis → Obs: behaviors are eventually achieved via system interactions Avoids 2-level (complex) VMIs Avoids invasive modification of the Android system (in fact, none) Android version-independent Dynamically stimulates Apps to disclose additional behaviors Extensive evaluation on 2,900+ Android malware .. Check it out at http://copperdroid.isg.rhul.ac.uk 24
  • 37. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions ARCHITECTURE ... CopperDroid Emulator . Android OS . Dalvik . Android/Linux Kernel .. CopperDroid Framework . System Call Tracking . Binder Analysis . RSP 25
  • 38. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SYSTEM CALLS ON LINUX ARM Invoking Syscalls Like on Intel, on ARM architecture invoking a system call induces a user-to-kernel transiction. (current CPL is stored in the cpsr register) System calls on Linux ARM On ARM invoked through the swi instruction (SoftWare Interrupt) r7 contains the number of the invoked system call r0-r5 contain parameters lr contains the return address 26
  • 39. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions TRACKING SYSTEM CALLS System Call Analysis Intercept when a system call is invoked We need to intercept return to user-space too! There is no SYSEXIT/SYSRET to intercept Not every system call actually returns to lr (e.g., exit, execve) CopperDroid's Approach instruments QEMU's emulation of the swi instruction instruments QEMU to intercept every cpsr_write (Kernel → User) 27
  • 40. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions TRACKING SYSTEM CALLS System Call Analysis Intercept when a system call is invoked We need to intercept return to user-space too! There is no SYSEXIT/SYSRET to intercept Not every system call actually returns to lr (e.g., exit, execve) CopperDroid's Approach instruments QEMU's emulation of the swi instruction instruments QEMU to intercept every cpsr_write (Kernel → User) [c5b02000 - 35 - 35 - zygote] fork( ) = 0x125 [c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23 [c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0 [c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0 [c1c18000 - 293 - 293 - zygote] open(/acct/uid/0/tasks, ... [c1c18000 - 293 - 293 - zygote] fstat64( 0x13, 0xbef7f910 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0 [c1c18000 - 293 - 293 - zygote] write( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1 27
  • 41. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BRIDGING THE SEMANTIC GAP When dealing with out-of-the-box analyses it is essential to retrieve information about the analyzed system CopperDroid VMI CopperDroid inspects the Android kernel to retrieve the follow- ing: Process names PIDs & TIDs Process resources … 28
  • 42. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BRIDGING THE SEMANTIC GAP Observation: when executing kernel code, the base of the stack points to the current executing thread. . 29
  • 43. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BRIDGING THE SEMANTIC GAP Observation: when executing kernel code, the base of the stack points to the current executing thread. .. arch/arm/include/asm/thread_info.h . #define THREAD_SIZE 8192 static inline struct thread_info *current_thread_info(void) { register unsigned long sp asm ("sp"); return (struct thread_info *)(sp & ~(THREAD_SIZE − 1)); } 29
  • 44. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BRIDGING THE SEMANTIC GAP Observation: when executing kernel code, the base of the stack points to the current executing thread. .. struct thread_info . struct thread_info { unsigned long flags; int preempt_count; mm_segment_t addr_limit; struct task_struct *task; /* main task structure */ ... } 29
  • 45. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BRIDGING THE SEMANTIC GAP Observation: when executing kernel code, the base of the stack points to the current executing thread. .. struct task_struct . struct task_struct { volatile long state; void *stack; ... pid_t pid; pid_t tgid; ... char comm[TASK_COMM_LEN]; ... } 29
  • 46. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER The Binder protocol is the core of Android IPC/RPC Intents are carried through binder Interactions with the system go through binder Binder driver enforces (some) permission policies For example, applications cannot send SMSs on their own, but must invoke (RPC) the proper system service to do that. . 30
  • 47. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . SmsManager sms = SmsManager.getDefault(); sms.sendTextMessage("7855551234", null, "Hi There", null, null); 30
  • 48. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . public void sendTextMessage(...) { ... ISms iccISms = ISms.Stub.asInterface(ServiceManager.getService("isms")); if (iccISms != null) iccISms.sendText(destinationAddress, scAddress, text, sentIntent, deliveryIntent); ... 30
  • 49. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . com.android.internal.telephony.ISms . public void sendText(...) { android.os.Parcel _data = android.os.Parcel.obtain(); try { _data.writeInterfaceToken(DESCRIPTOR); _data.writeString(destAddr); ... mRemote.transact(Stub.TRANSACTION_sendText, _data, _reply, 0); } 30
  • 50. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . com.android.internal.telephony.ISms . Kernel (drivers/staging/android/binder.c) . ioctl 30
  • 51. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . com.android.internal.telephony.ISms . Kernel (drivers/staging/android/binder.c) . ioctl . CopperDroid 30
  • 52. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . com.android.internal.telephony.ISms . Kernel (drivers/staging/android/binder.c) . ioctl .ioctl(4, 0xc0186201, ... x4bx00x00x00x49x00x20x00x74x00x61x00 x6bx00x65x00x20x00x70x00x6cx00x65x00 x61x00x73x00x75x00x72x00x65x00x20x00 x69x00x6ex00x20x00x68x00x75x00x72x00 x74x00x69x00x6ex00x67x00x20x00x73x00 ...) 30
  • 53. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER .. Application . android.telephony.SmsManager . com.android.internal.telephony.ISms . Kernel (drivers/staging/android/binder.c) . ioctl .ioctl(/dev/binder, BINDER_WRITE_READ, ... InterfaceToken = com.android.internal.telephony.ISms, method: sendText, destAddr = 7855551234, scAddr = , text = Hi There ...) 30
  • 54. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER CopperDroid deeply inspects the Binder protocol intercepting a subset of the ioctls issued by userspace Apps. .. write_size . write_consumed .write_buffer . read_size . … . BC_* . Params . BC_TR . Params . BC_* . Params .. ioctl(binder_fd, BINDER_WRITE_READ, &binder_write_read); . 31
  • 55. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER CopperDroid analyzes BC_TRANSACTIONs and BC_REPLYs BC_* Params BC_TR Params BC_* Params target code uid … data_size buffer InterfaceToken Param 1 Param 2 … struct binder_transaction_data 32
  • 56. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BINDER CopperDroid analyzes BC_TRANSACTIONs and BC_REPLYs ... BC_* . Params . BC_TR . Params . BC_* . Params .. target . code . uid . … . data_size . buffer . InterfaceToken . Param 1 . Param 2 . … .. struct binder_transaction_data . ISms.sendText(78555.., ``Hi there'') 32
  • 58. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions AUTOMATIC ANDROID OBJECTS UNMARSHALLING Primitive types (e.g., String) are easy to unmarshall → Limited number of manually-written procedures A manual-driven approach for complex Android objects is cumbersome → 300+ Android objects (increasing from version to version) → Manual-driven approach is error-prone and not scientifically exciting We ask to an unmarshalling Oracle! 34
  • 59. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions THE UNMARSHALLING ORACLE ... CopperDroid Emulator .. Android Emulator . Oracle.. CopperDroid's Analyses . Binder Analysis . Interface Token Identifier . Unmarshalled Paramemters . System Call Analysis . Resource Reconstruction . RSP .. TCP . 35
  • 61. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions RESOURCE RECONSTRUCTOR Useful to abstract a stream of low-level events into high-level behaviors We build a data dependence graph (DPD) → Nodes are system calls → Edges represent data dependency We then identify def-use chains to cluster related system calls together 37
  • 62. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SAMPLE COPPERDROID OUTPUT [c5b02000 - 35 - 35 - zygote] fork( ) = 0x125 [c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23 [c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0 [c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0 [c1c18000 - 293 - 293 - zygote] open(/acct/uid/0/tasks, ...) = 0x13 [c1c18000 - 293 - 293 - zygote] fstat64( 0x13, 0xbef7f910 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0 [c1c18000 - 293 - 293 - zygote] write( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1 [c1c18000 - 293 - 293 - zygote] close( 0x13 ) = 0x0 [c1c18000 - 293 - 293 - zygote] prctl( 0x8, 0x1, 0x0, 0x0, 0x0 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgroups32( 0x2, 0xbef7fa20 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgid32( 0x2722 ) = 0x0 [c1c18000 - 293 - 293 - zygote] open( /acct/uid/10018/tasks, 0x20242, 0x1b6 ) = 0xfffffffe 38
  • 63. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SAMPLE COPPERDROID OUTPUT [c5b02000 - 35 - 35 - zygote] fork( ) = 0x125 [c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23 [c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0 [c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0 [c1c18000 - 293 - 293 - zygote] open (/acct/uid/0/tasks, 0x20242, 0x1b6) = 0x [c1c18000 - 293 - 293 - zygote] fstat64 ( 0x13 , 0xbef7f910 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0 [c1c18000 - 293 - 293 - zygote] write ( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1 [c1c18000 - 293 - 293 - zygote] close ( 0x13 ) = 0x0 [c1c18000 - 293 - 293 - zygote] prctl( 0x8, 0x1, 0x0, 0x0, 0x0 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgroups32( 0x2, 0xbef7fa20 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgid32( 0x2722 ) = 0x0 [c1c18000 - 293 - 293 - zygote] open( /acct/uid/10018/tasks, 0x20242, 0x1b6 ) = 0xfffffffe 39
  • 64. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SAMPLE COPPERDROID OUTPUT [c5b02000 - 35 - 35 - zygote] fork( ) = 0x125 [c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23 [c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0 [c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0 [c1c18000 - 293 - 293 - zygote] open (/acct/uid/0/tasks, 0x20242, 0x1b6) = 0x [c1c18000 - 293 - 293 - zygote] fstat64 ( 0x13 , 0xbef7f910 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0 [c1c18000 - 293 - 293 - zygote] write ( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1 [c1c18000 - 293 - 293 - zygote] close ( 0x13 ) = 0x0 [c1c18000 - 293 - 293 - zygote] prctl( 0x8, 0x1, 0x0, 0x0, 0x0 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgroups32( 0x2, 0xbef7fa20 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgid32( 0x2722 ) = 0x0 [c1c18000 - 293 - 293 - zygote] open( /acct/uid/10018/tasks, 0x20242, 0x1b6 ) = 0xfffffffe Group as one action: File Access 39
  • 65. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions SAMPLE COPPERDROID OUTPUT [c5b02000 - 35 - 35 - zygote] fork( ) = 0x125 [c5b02000 - 35 - 35 - zygote] getpgid( 0x41 ) = 0x23 [c5b02000 - 35 - 35 - zygote] setpgid( 0x125, 0x23 ) = 0x0 [c1c18000 - 293 - 293 - zygote] getuid32( ) = 0x0 [c1c18000 - 293 - 293 - zygote] open (/acct/uid/0/tasks, 0x20242, 0x1b6) = 0x [c1c18000 - 293 - 293 - zygote] fstat64 ( 0x13 , 0xbef7f910 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x3 ) = 0x0 [c1c18000 - 293 - 293 - zygote] mprotect( 0x40008000, 0x1000, 0x1 ) = 0x0 [c1c18000 - 293 - 293 - zygote] write ( 0x13 - /acct/uid/0/tasks, 0xa24c0 "'0'", 0x1 ) = 0x1 [c1c18000 - 293 - 293 - zygote] close ( 0x13 ) = 0x0 [c1c18000 - 293 - 293 - zygote] prctl( 0x8, 0x1, 0x0, 0x0, 0x0 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgroups32( 0x2, 0xbef7fa20 ) = 0x0 [c1c18000 - 293 - 293 - zygote] setgid32( 0x2722 ) = 0x0 [c1c18000 - 293 - 293 - zygote] open( /acct/uid/10018/tasks, 0x20242, 0x1b6 ) = 0xfffffffe Recreates file "tasks" with path /acct/uid/0/tasks and "0" written to it 39
  • 66. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions APPS STIMULATION .. .. (Android) malware needs to be properly stimulated to trigger additional behaviors and increase coverage of dynamic analysis. CopperDroid Ad-Hoc Stimuli 1. Identifies events the target reacts to (mostly contained in the Manifest file) 2. During the analysis, injects custom events (of those identified as useful) 40
  • 67. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions APPS STIMULATION ... CopperDroid Emulator . Android OS . Dalvik VM . Linux Kernel .. CopperDroid Analysis . System Call Tracking . Binder Analysis . Dalvik Method Tracking . RSP .. To inject events CopperDroid leverages MonkeyRunner 41
  • 68. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions EVALUATION 1,200 malware from the Android Malware Genome Project, 395 from the Contagio repository, and 1,300+ from McAfee.. 28% additional behaviors on 60% of Genome samples 22% additional behaviors on 73% of Contagio samples 28% additional behaviors on 61% of McAfee samples # Malware Stim. Samples w/ Behavior Incr. Behavior Family Add. Behav. w/o Stim. w/ Stimuli 1 ADRD 3.9 17/21 7.24 4.5 (63%) 2 AnserverBot 3.9 186/187 31.52 8.2 (27%) 3 BaseBridge 2.9 70/122 16.44 5.2 (32%) 4 BeanBot 3.1 4/8 0.12 3.8 (3000%) 5 CruseWin 4.0 2/2 1.00 2.0 (200%) 6 GamblerSMS 4.0 1/1 1.00 3.0 (300%) 7 SMSReplicator 4.0 1/1 0.00 6.0 (⊥) 8 Zsone 5.0 12/12 16.67 3.8 (23%) 42
  • 70. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions BEHAVIORAL MINDMAP ..Behavior. Exec external application .. Shell . Generic . Privilege escalation . Install APK . Access Personal Info. . . SMS . Contacts . Phone Info. . Location . Network Access . . HTTP . DNS . Other .SMS Send . . Make Call . . Alter FS . 44
  • 71. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions Behavior Class No Stimulation Stimulation FS Access 889/1365 (65.13%) 912/1365 (66.81%) Access Personal Info. 558/1365 (40.88%) 903/1365 (66.15%) Network Access 457/1365 (33.48%) 461/1365 (33.77%) Exec. External Appf. 171/1365 (12.52%) 171/1365 (12.52%) Send SMS 38/1365 (2.78%) 42/1365 (3.08%) Make/Alter Call 1/1365 (0.07%) 55/1365 (4.03%) Table: Overall behavior breakdown of McAfee samples. 45
  • 72. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions Behavior Class Subclass No Stim Stim Network Access Generic 483 489 HTTP 309 318 DNS 416 416 FS Access Write 889 912 Access Personal Info. SMS 32 266 Phone 510 559 Accounts 51 672 Location 143 147 Exec. External App. Generic 132 132 Priv. Esc. 103 103 Shell 73 73 Inst. APK 8 8 Send SMS --- 38 42 Make/Alter Call --- 1 55 Table: Detailed behavior breakdown of McAfee samples. 46
  • 75. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions CONCLUSIONS CopperDroid Goal Automatically reconstructs the behaviors of Android malware Unified system call-centric analysis that avoid 2-level VMIs → All the behaviors are eventually achieved via system interactions Automatic unmarshalling of Android objects → Online/offline Oracle analysis Dynamically stimulates Apps to disclose additional behaviors Extensive evaluation on 2,900+ Android malware (28% additional behaviors on 60% of Genome samples) (22% additional behaviors on 73% of Contagio samples) (28% additional behaviors on 61% of McAfee samples) 49
  • 76. Royal Holloway University of London . . . S2 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . CopperDroid Observed Behaviors Demo Conclusions CONCLUSIONS CopperDroid Goal Automatically reconstructs the behaviors of Android malware Unified system call-centric analysis that avoid 2-level VMIs → All the behaviors are eventually achieved via system interactions Automatic unmarshalling of Android objects → Online/offline Oracle analysis Dynamically stimulates Apps to disclose additional behaviors Extensive evaluation on 2,900+ Android malware (28% additional behaviors on 60% of Genome samples) (22% additional behaviors on 73% of Contagio samples) (28% additional behaviors on 61% of McAfee samples) .. 1. Available at http://copperdroid.isg.rhul.ac.uk 2. Ongoing project, basic step of the EPSRC-funded MobSec 2.1 Behavioral attribution 2.2 Information leak detection (no taint-tracking!) 2.3 Benign / Malicious Android malware detection 2.4 Automatic clustering and classification 2.5 UI-driven/aided symbolic execution 2.6 … 49