On Mobile Malware Infections N. Asokan

Size: px

Start display at page:

Download "On Mobile Malware Infections N. Asokan"

Helen Poole
6 years ago
Views:

1 On Mobile Malware Infections N. Asokan (joint work with Hien Thi Thu Truong, Eemil Lagerspetz, Petteri Nurmi, Adam J. Oliner, Sasu Tarkoma, Sourav Bhattacharya)

2 Mobile malware alarm bells Google Search 40 pages 19 pages pages

3 Mobile malware alarm bells Google Trends 3

4 Research focus: analysis of malware Google Scholar 100 pages 4

5 How prevalent is mobile malware? NDSS 2013? 5

6 Outline Gather data directly from devices Accurately estimate malware infection rate Identify risk factors, cheaply 6

7 Outline Gather data directly from devices Accurately estimate malware infection rate Identify risk factors, cheaply 7

8 Data Gather data directly from devices Piggyback on a popular package Need to be lightweight and unobtrusive

9 Data Carat (devices by continents) Android devices: geography distribution, (April 2, 2014) 9

10 Data What kind of data? How to estimate infection rate? Identify a package on device; check for match with known malware How to identify an Android package? 10

11 Data Structure of an Android Package <package, versioncode> tuples (<p,v>) should be unique but not enforced 11

12 Data Structure of an Android Package Packages are (self-)signed by developers. Developer certs (dc) are statistically unique. 12

13 Identifying a (malicious) package Coarse-grained: Use <developercert> only <dc> for short upper bound for infections Fine-grained: Use <developercert, package, versioncode> <dc, p, v> for short lower bound for infections Data 13

14 Data time Carat dataset set of tuples: <dc, p, v> (<developercert,pkgname,versioncode> Device 1 Device

15 Data Carat dataset Type Mar 2013 May 2014 Count Distinct devices 99,414 Unique developer certificates <dc> 108,482 Unique <dc, p, v> tuples 512,342 15

16 Data Malware datasets Type Mobile Sandbox McAfee Malware Genome Total Unique devcerts <dc> Unique packages <dc, p, v> Unique package (.apk) files 3,879 1, ,809 16,743 3, ,094 96,500 5, ,

17 Outline Gather data directly from devices Accurately estimate malware infection rate Identify risk factors, cheaply 17

18 Estimates time Carat dataset: identifying infection malware dataset Device 1 Device 2... infected clean 18

19 Estimates Incidence of infection Mar 2013 May 2014 # Infected Devices Mobile Sandbox McAfee Union coarse-grained: dc match 37,355 (38%) 32,323 (33%) 40,334 (40%) fine-grained: <dc,p,v> match 263 (0.26%) 255 (0.26%) 477 (0.48%) Data collected from devices over one year 19

20 Estimates Coarse- vs. fine-grained Mar 2013 May 2014 Mobile Sandbox McAfee Coarse-grained: <dc> matching Fine-grained: <dc,p,v> matching Discrepancy is several orders of magnitude 20

Estimates Re-use of signing keys Mar 2013 May 2014 Mobile Sandbox McAfee Widespread (ab)use of test keys: 544 malwares, 1948 innocuous packages signed with Android Open Source Project (AOSP) test key

21 Estimates Re-use of signing keys Mar 2013 May 2014 Mobile Sandbox McAfee Widespread (ab)use of test keys: 544 malwares, 1948 innocuous packages signed with Android Open Source Project (AOSP) test key 1 Same key signing malware and non-malware: Brightest Flashlight Free v17 is malware 2, other versions are not. Use fine-grained (<dc,p,v>) matching from now on

22 Estimates Malware datasets revisited 22

23 What is malware? Number of AV tools flagging this package as malware (Total ~50 AV tools) Estimates Mar 2013 May 2014 Package name No. Infected devices Flagged by Description Source it.evilsocket.dsploit Monitoring MC com.noshufou.android.su Rooting MC Reasons for classification as malware ty.com.android.smsservice Trojan MB com.mixzing.basic Adware MC pl.thalion.mobile.battery Adware MC com.bslapps1.gbc Adware MC com.android.antidroidtheft Monitoring MB com.androidlab.gpsfix 7 9 Adware MC com.adhapps.qesaselanbiaa 7 18 Adware MC download.youtube.downloader.pro Adware MB com.android.settings.mt 5 12 Monitoring MC Treat each dataset separately MC: McAfee MB: Mobile Sandbox 23

24 Estimates What is malware? Curiously, AV vendors do take labeling by other vendors into account! Sometimes leads to false positives propagating... and staying undetected! 24

25 Estimates Propagation of False Positives Google Security Tool, signed by test key Google Security Tool, signed by legitimate Google key

26 Estimates Deployment of AV tools Mar 2013 May

27 Estimates AV tools vs. infection Mar 2013 May devices have some AV tool installed (25.3%) None are infected according to any of our malware datasets 28

28 Estimates Information revealed by set of apps Package names can be revealing: language of device user Can also reveal user traits: Indicative of user behaviour? 29

29 Estimates Summary: infection rate estimates infection rate estimate (%) 4,5 4 3,5 3 2,5 2 1,5 1 0, % % 0.12% 0.26% 0.26% Mar 2013 May % Our measurement 30

30 Outline Gather data directly from devices Accurately estimate malware infection rate Identify risk factors, cheaply Separately for each malware dataset See if we can detect susceptibility for infection! 31

31 Risk Factors The Company You Keep time Can the list of apps used on device detect susceptibility for infection?? Device 1 Device 2... infected clean 34

32 Risk Factors Classifying based on set of apps Identifying new malware requires extensive analysis of candidates Baseline: random sampling Low infection rates imply that baseline is costly Using set of apps to detect susceptibility for infection is cheap Lightweight instrumentation: at virtually no cost Application: Help anti-malware vendors in the search for new malware 37

33 Risk Factors Classifying based on set of apps Mar 2013 May 2014 Datasets Precision Baseline Improvement Detecting infection (new malware) McAfee 1.2% 0.26% 4.5X Mobile Sandbox 0.9% 0.25% 3.5X Detecting infection (undetected malware) McAfee 0.16% 0.05% 3.5X Mobile Sandbox 0.12% 0.05% 2.6X 38

34 Detecting infection: the Real-life case Original malware set used for training; Training set labeled using Original malware set only New set used for testing See how well we can detect infection by New malware set Risk Factors Mar 2013 May 2014 Datasets Precision Baseline Improvement McAfee 0.7% 0.19% 3.5X Mobile Sandbox 0.3% 0.08% 4X Multinomial Naïve Bayes 39

35 Risk Factors Taking timestamps into account Carat records have timestamps Mar 2013 Oct 2013 At least 155 devices changed state from clean to infected during data collection period can we predict likelihood of eventual infection? 40

36 Risk Factors Identify vulnerable devices before they are infected? Application: Help enterprise IT admin identify users for training 41

Summary 5 4 3 2 1 0 0.0009% 0.12% 0.26% 0.28% 2.6% 4.

can aid in search for new malware set of apps indicative of user

37 Summary % 0.12% 0.26% 0.28% 2.6% 4.3% Measure Android malware infection rates directly No common agreement of what is malware False positives and re-classifications are common Identify inexpensive risk factors can aid in search for new malware set of apps indicative of user behaviour/traits Datasets available for research use on request 43

38 Risk Factors Detecting infection (new) malware: Old (80%) New (20%) devices: label Clean (80%) Clean Clean (20%) inf (old) inf (new) Training set Test set 44

39 Risk Factors Detecting infection (unknown) malware: Known (80%) unknown (20%) devices: 80% 20% label i(k) i(u) flip i(k) i(u) i(k) i(u) Training set Test set 45

Advanced Threat Defense Certification Testing Report. Trend Micro Incorporated Trend Micro Deep Discovery Inspector

Advanced Threat Defense Certification Testing Report Trend Micro Deep Discovery Inspector ICSA Labs Advanced Threat Defense July 12, 2016 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg,