Archive for the ‘Android’ Category

MobileSandbox @ Springer IJIS

Sunday, August 3rd, 2014

Our MobileSandbox paper from SAC2013 got an update. It has been accepted as an journal article for the upcoming edition of the International Journal of Information Security.

Here is the abstract:

Mobile-Sandbox: combining static and dynamic analysis with machine-learning techniques

Smartphones in general and Android in particular are increasingly shifting into the focus of cyber criminals. For understanding the threat to security and privacy, it is important for security researchers to analyze malicious software written for these systems. The exploding number of Android malware calls for automation in the analysis. In this paper, we present Mobile-Sandbox, a system designed to automatically analyze Android applications in novel ways: First, it combines static and dynamic analysis, i.e., results of static analysis are used to guide dynamic analysis and extend coverage of executed code. Additionally, it uses specific techniques to log calls to native (i.e., “non-Java”) APIs, and last but not least it combines these results with machine-learning techniques to cluster the analyzed samples into benign and malicious ones. We evaluated the system on more than 69,000 applications from Asian third-party mobile markets and found that about 21 % of them actually use native calls in their code.

The whole paper can be found here.

Android RAM Analysis @ IMF2014

Saturday, May 17th, 2014

Our paper Post-Mortem Memory Analysis of Cold-Booted Android Devices has been accepted at IMF’14 and was presented there last week.

Here is the abstract:

As recently shown in 2013, Android-driven smartphones and tablet PCs are vulnerable to so-called cold boot attacks. With physical access to an Android device, forensic memory dumps can be acquired with tools like FROST that exploit the remanence effect of DRAM to read out what is left in memory after a short reboot. While FROST can in some configurations be deployed to break full disk encryption, encrypted user partitions are usually wiped during a cold boot attack, such that a post-mortem analysis of main memory remains the only source of digital evidence. Therefore, we provide an in-depth analysis of Android’s memory structures for system and application level memory. To leverage FROST in the digital investigation process of Android cases, we provide open-source Volatility plugins to support an automated analysis and extraction of selected Dalvik VM memory structures.

The full paper can be read here.

Our Android Malware Summary for the Year 2013

Friday, February 21st, 2014

In 2013 our Mobile-Sandbox analyzed over 150,000 Android applications that were submitted by mostly anonymous users, Anti-Virus-Companies and by our own. Within this huge amount of data our system detected a bunch of malicious and unwanted applications belonging to 44 different and newly discovered malware families.

Most of these malicious applications had been downloaded from Third-Party markets, but we also found 4 malware families with samples that had been downloaded from the official Google-Play market. When looking at the malicious and unwanted applications and the corresponding families, one can see the following distribution of malicious behavior:

Characteristics Share in 2013 Difference to 2012
Families that steal personal information 61,4 % + 10,1 %
Families with characteristics of a Botnet 25,0 % + 1,5 %
Families that send premium rated SMS messages 18,2 % - 11,9 %
Families that install additional applications 11,4 % + 1,0 %
Families downloaded from the Google-Play Market 9,1 % - 2,2 %
Families that contain Root-Exploits 9,1 % - 9,2 %
Families that steal location related data 9,1 % + 0,4 %
Potentially unwanted applications 9,1 % + 1,3 %
Online-Banking Trojans 6,8 % + 3,3 %
Families which are able to infect a connected Windows PC 4,5 % + 4,5 %
Commercial Trojans or Spy-Kits 2,3 % + 2,3 %

More than 60% of all malware families try to steal personal information from the smartphone like IMSI, IMEI and contact entries. Even if this action doesn't harm the smartphone user directly the information can be sold on the underground market or used for targeted Spam campaigns. This kind of threat has increased by more than 10% as compared to 2012.

Last year´s second most common threat -- sending premium rated SMS messages -- has lost nearly half of its share within newly discovered malware families. We assume that it has to do with the security features of Android 4.x as well as the awareness of telephony and service providers.

The most dangerous malicious samples are those that come with their own root exploit. If this exploit works properly, the attacker can do nearly everything with the infected device without the knowledge of the smartphone user. This kind of malicious behavior was found in more than 9 % of the 44 new malware families (which is also half as common as compared to 2012).

Within 2012 a huge amount of banks switched from the common TAN procedure to the mobile TAN (mTAN) for additional security. This trend can also be seen when looking at the malware families. In 2012 we detected 4 different families (3,5 %) that try to intercept and modify this mTAN messages. In 2013 it went up to 6,8 % of newly analyzed malware families. This kind of malicious Android apps are extremely dangerous: If the computer and the smartphone of an online banking user are infected with this kind of malware, the attacker can modify each transaction without the knowledge of the infected user.

There were two newly discovered kinds of malware in 2013: Commercial trojans/spy-kits (which are -- more or less -- legally sold on the Internet) and trojans that are able to infect a connected Windows PC. Both kinds of malware were distributed very seldomly with only 2 - 5 %.

With Android.Chuli we have also seen the first publicly known targeted attack where Android smartphones were involved as main entity in the attack.

ContrOWL: A new security app based on crowed intelligence

Thursday, February 7th, 2013

ContrOWL

One of our students has built a great security app for the Android platform with support for crowed intelligence - ContrOWL.

ContrOWL is a security app that helps you find potential threads among your installed apps. It can also check freshly added apps on the fly and notify you if an app is rated as suspicious. ContrOWL also gives you information about top used permissions and broadcast intents of malware apps which should help you to evaluate them.

Please support him and test his app!

Get it on Google Play

Our Android Malware Summary for the Year 2012

Wednesday, January 2nd, 2013

In 2012 our Mobile-Sandbox analyzed over 300,000 Android applications that were submitted by mostly anonymous users, Anti-Virus-Companies and by our own. Within this huge amount of data our system detected nearly 43,000 malicious and unwanted applications belonging to 115 different malware families.

Most of these malicious applications were downloaded from Asian and Russian Third-Party markets, but we have also found 13 malware families with samples that had been downloaded from the official Google-Play market. When looking at the malicious and unwanted applications and the corresponding families, one can see the following distribution of malicious behavior:

Families that steal personal information 51,3 %
Families that send premium rated SMS messages 30,1 %
Families with characteristics of a Botnet 23,5 %
Families that contain Root-Exploits 18,3 %
Families downloaded from the Google-Play Market 11,3 %
Families that install additional applications 10,4 %
Families that steal location related data 8,7 %
Potentially unwanted applications 7,8 %
Online-Banking Trojans 3,5 %

Looking at this table and the amount of more than 43,000 malicious applications that were submitted to our analysis system, it becomes clear that there is a real threat for bona fide Android users.

More than 50% of all malware families try to steal personal information from the smartphone like IMSI, IMEI and contact entries. Even if this action doesn't harm the smartphone user directly the information can be sold on the underground market or used for targeted Spam campaigns.

The second most often threat harms the infected user directly: 30 % of all malware families send premium rated SMS messages that cost the user between $1 and $5 for each SMS message and, of course, these applications send more than one SMS message.

Nearly as dangerous as this set of applications are the malware families that come with their own root exploit. If this exploit works properly, the attacker can do nearly everything with the infected device without the knowledge of the smartphone user. This kind of malicious behavior was found in more than 18 % of all malware families.

Within 2012 a huge amount of Banks switched from the common TAN procedure to the mobile TAN (mTAN) for additional security. This trend can also be seen when looking at the malware families. In 2012 we detected 4 different families (3,5 %) that try to intercept and modify this mTAN messages. When the computer and the smartphone of an online banking user is infected with this kind of malware, the attacker can modify each transaction without the knowledge of the infected user.