Slides - ruxcon 2012

Download Report

Transcript Slides - ruxcon 2012

Websense SecurityLabs
Agenda
1
Goal & Objectives
2
Services in the Cloud
3
Tracker Web Portal
4
Next Step To Do
Websense SecurityLabs
Goal &
Objectives
• Crawl and Build Android App Repository
• Profile Android Apps
• Create databases for Apps and associating data.
• Auto classific for Android Apps
Websense SecurityLabs
Analytic
Workflow
Websense SecurityLabs
Cloud
Services
1
APK Crawler & Parser
2
Static Profile
3
Dynamic Profile
(Security Classifier)
(On-line Emulator)
Websense SecurityLabs
Apps
Crawler
Market Auto-Crawling
• Google Play (Eng.)
• SlideME (Eng.)
Crawler
• Gfan (Chinese)
Real-life
• GoAPK (Chinese)
• Mumayi (Chinese)
.apk Web Request
Stats
(GEO IP) ThreatSeeker
Websense SecurityLabs
.APK Parser
3rd party Parsing tools
• Apktool: decode resources from apk files, such as
AndroidMainifest.xml, classes.dex
• Dex2jar: reads embedded .dex file from apk files
and generates .jar file
In-house scripts
• parsing automation
• database insert
Websense SecurityLabs
APK Profile
• Security Classifier
• Dynamic Profile
– auto APK runner
– Interactive emulator
Websense SecurityLabs
Security
Classifier
Objective
•
Create a classifier for malicious android app detection
•
A static analysis approach
•
A machine learning approach
Data training
•
Mysql queries to retrieve raw data from AppTracker database
•
Analytic features conversion to binary vectors
The R code components
•
Preprocessing: convert variables into factor variables or numeric variables accordingly
•
Load R RandomForest library
Prediction
•
Import R environment
•
Load R model, read in input (test case) and write out output (classification response)
Websense SecurityLabs
R Module
•Environment for statistical data analysis, inference and visualization.
•Ports for Unix, Windows and MacOSX
•Highly extensible through user-defined functions
•Generic functions and conventions for standard operations like plot, predict etc.
• >1200 add-on packages contributed by developers from all over the world
•e.g. Multivariate Statistics, Machine Learning, Natural Language Processing,
Bioinformatics (Bioconductor), SNA, .
•Interfaces to C, C++, Fortran, Java
Websense SecurityLabs
Analytic
Results
Confidence 0.5
0.6
0.7
0.8
Websense SecurityLabs
0.9
Dynamic
Profile
How It Works?
Steps:
1. Load emulator
2. Install and run APK file
3. System output profile
4. Show on web portal
Websense SecurityLabs
Run APK
• emulator -avd avdname -no-snapshot-save
• adb install apkfile
• aapt dump badging apkfile
• adb shell am start -n packagename/mainActivity
Websense SecurityLabs
Auto Input
• adb shell input keyevent "value"
7
KEYCODE_0
16
KEYCODE_9
29
KEYCODE_A
54
KEYCODE_Z
• adb shell sendevent [device] [type] [code] [value]
example:
adb shell sendevent /dev/input/event0 3 0 40
adb shell sendevent /dev/input/event0 3 1 210
// touch screen (x=40,y=210)
Websense SecurityLabs
Monkey
“The Monkey is a command-line tool that that
you can run on any emulator instance or on a
device. It sends a pseudo-random stream of user
events into the system, which acts as a stress test
on the application software you are developing.”
adb shell monkey –p package.name -v 500
Websense SecurityLabs
Network
Monitoring
adb shell tcpdump -v 'tcp port 80 and (((ip[2:2]-((ip[0]&0xf)<<2))-((tcp[12]&0xf0)>>2))!=0'
Websense SecurityLabs
SMS & Call
adb logcat -b radio -s "AT:*"
AT Commands
PDU SMS messages
Decode '0001000a81016681859200000539590c1b03'
Suspicious number '1066185829'
Message '@9@2@'
Websense SecurityLabs
Interactive
Emulator
Browser-based for end users
Example:
50 users have tested this app,
average time 3 minutes per user
• suspicious SMS found
• no phone call made
• 1 active network access
Websense SecurityLabs
App Tracker
Front page to users
•
Web portal support
•
Top 20 profiles: Malware vs. Benign
•
Real-time crawler status
•
Real-time virus status report
•
Built-in app emulation
Back end in cloud
•
ThreatSeeker service
•
Automatic static data analysis
•
Dynamic profile support
Websense SecurityLabs
Demo
Time
• Security Classifier POC
• Web Portal Framework
Websense SecurityLabs
Mobile
Solution
ThreatSeeker Cloud real-time analytics:
• Advance Detection (AR) result > Mobile Malware
Triton classifications:
• Mobile Malware
• Unauthorized Mobile Marketplaces
Websense SecurityLabs
Next Step
• Hierarchy Viewer Automation?
• Robotium?
Websense SecurityLabs
Robotium
Limitation
• Activity
• Service
• Broadcast Receiver
• Content Provider
Websense SecurityLabs
Websense SecurityLabs