Android Malware: Aktuelle Gefahren und Einblicke in eines der bekanntesten Analysesysteme

Hakin9

Da sich Mobiltelefone immer größerer Beliebtheit erfreuen, rücken sie auch immer weiter in den Fokus von Kriminellen. Waren vor ein bis zwei Jahren nur einige hundert bösartige Applikationen für mobile Endgeräte in der freien Wildbahn bekannt, sind es heute schon weit über 200.000 und es kommen täglich neue Schädlinge hinzu. Der Funktionsumfang dieser Schädlinge reicht vom Versenden von einfachen premium SMS, über Banking-Trojaner bis hin zu ausgereiften Exploits, die das infizierte Telefon zu einem fernsteuerbaren Bot verwandeln. In diesem Artikel wird ein Überblick darüber gegeben wie die aktuelle Bedrohungslage für Android Telefone aussieht. Darüber hinaus wird eines der bekanntesten Analysesysteme für schadhafte Android Applikationen vorgestellt

Den ganzen Artikel gibt es hier.

Our Android Malware Summary for the Year 2012

In 2012 our Mobile-Sandbox analyzed over 300,000 Android applications that were submitted by mostly anonymous users, Anti-Virus-Companies and by our own. Within this huge amount of data our system detected nearly 43,000 malicious and unwanted applications belonging to 115 different malware families.

Most of these malicious applications were downloaded from Asian and Russian Third-Party markets, but we have also found 13 malware families with samples that had been downloaded from the official Google-Play market. When looking at the malicious and unwanted applications and the corresponding families, one can see the following distribution of malicious behavior:

Families that steal personal information 51,3 %
Families that send premium rated SMS messages 30,1 %
Families with characteristics of a Botnet 23,5 %
Families that contain Root-Exploits 18,3 %
Families downloaded from the Google-Play Market 11,3 %
Families that install additional applications 10,4 %
Families that steal location related data 8,7 %
Potentially unwanted applications 7,8 %
Online-Banking Trojans 3,5 %

Looking at this table and the amount of more than 43,000 malicious applications that were submitted to our analysis system, it becomes clear that there is a real threat for bona fide Android users.

More than 50% of all malware families try to steal personal information from the smartphone like IMSI, IMEI and contact entries. Even if this action doesn’t harm the smartphone user directly the information can be sold on the underground market or used for targeted Spam campaigns.

The second most often threat harms the infected user directly: 30 % of all malware families send premium rated SMS messages that cost the user between $1 and $5 for each SMS message and, of course, these applications send more than one SMS message.

Nearly as dangerous as this set of applications are the malware families that come with their own root exploit. If this exploit works properly, the attacker can do nearly everything with the infected device without the knowledge of the smartphone user. This kind of malicious behavior was found in more than 18 % of all malware families.

Within 2012 a huge amount of Banks switched from the common TAN procedure to the mobile TAN (mTAN) for additional security. This trend can also be seen when looking at the malware families. In 2012 we detected 4 different families (3,5 %) that try to intercept and modify this mTAN messages. When the computer and the smartphone of an online banking user is infected with this kind of malware, the attacker can modify each transaction without the knowledge of the infected user.

Mobile-Sandbox @ SAC2013

Our paper Mobile-Sandbox: Having a Deeper Look into Android Applications got accepted at SAC’13 and will be presented there at 18-22 March 2013.

Here is the abstract:

Smartphones in general and Android in particular are increasingly shifting into the focus of cybercriminals. For understanding the threat to security and privacy it is important for security researchers to analyze malicious software written for these systems. The exploding number of Android malware calls for automation in the analysis. In this paper, we present Mobile-Sandbox, a system designed to automatically analyze Android applications in two novel ways:

  • it combines static and dynamic analysis, i.e., results of static analysis are used to guide dynamic analysis and extend coverage of executed code, and
  • it uses specific techniques to log calls to native (i.e., “non-Java”) APIs.

For this paper we evaluated the system with more than 36,000 applications from Asian third-party mobile markets and found that 24% of them actually use native calls in their code.

New Mobile-Sandbox-System

Over the last few weeks we did a lot of research and development in the filed of mobile malware analysis. As a result, the new and improved Mobile-Sandbox is now online. Over the next few weeks, we are trying to implement some more features, so stay tuned!

–> Mobile-Sandbox.com