Android Malware: they divide, we conquer

Size: px

Start display at page:

Download "Android Malware: they divide, we conquer"

Dennis Burns
6 years ago
Views:

1 Android Malware: they divide, we conquer Igor Muttik *, Irina Mariuca Asavoae ** J. Blasco ***, T.M. Chen ***, H.K. Kalutarage *****, H.N. Nguyen ****, M. Roggenbach **, S.A. Shaikh **** * - Intel Security; ** - Swansea University, UK; *** - CIty University, UK; **** - Coventry University, UK, ***** - Belfast University, UK

2 Agenda 2 What is apps collusion? Inter-app communications Overt Covert Deploying collusions Scale of the problem Detecting collusions with software model checking Demo Conclusions

3 App collusion History of the project Android security model Permission-based AndroidManifest.xml declarations Android 6.0 allows dynamic permissions Permissions system is badly polluted with ad libraries Nearly all apps want Internet permission

Definition Soundcomber information theft collusion example 1 st app: RECORD_AUDIO 2 nd app: INTERNET Permission re-delegation attack App opens access to a restricted

4 Definition Soundcomber information theft collusion example 1 st app: RECORD_AUDIO 2 nd app: INTERNET Permission re-delegation attack App opens access to a restricted resource Relies on a careless developer (a bug creating a vulnerability) But what if this is deliberate? Then it is a collusion! Cooperation vs collusion tricky to determine

5 Act of cooperation between two or more apps to share their access to protected resources so they can execute a harmful action which they could not perform separately with their own privileges.

Inter-app communication Open (overt) channels Intents Content Providers (store data in a table like DB) External storage (SD card) Shared Preferences Hidden

6 Inter-app communication Open (overt) channels Intents Content Providers (store data in a table like DB) External storage (SD card) Shared Preferences Hidden (covert) channels Audio settings, settings broadcast Wake lock, file lock Enumeration of processes and sockets Free space in RAM and in storage CPU utilization Etc.

Deploying collusions Malware authors User has to permit installations of each app Awkward and unreliable Unlikely Advertisement libraries and

7 Deploying collusions Malware authors User has to permit installations of each app Awkward and unreliable Unlikely Advertisement libraries and general-purpose SDKs Present in many apps They can auto-discover collusion partners Very likely Pre-installation by manufacturers, shops or previous owners

8 Scale of the problem P er m is si o n s Permissions No collusion May collude

Dealing with exponential search space The set of all mobile apps is large and grows lager daily Payload distributed between colluding apps Precise collusion detection - undecidable Backup

9 Dealing with exponential search space The set of all mobile apps is large and grows lager daily Payload distributed between colluding apps Precise collusion detection - undecidable Backup solutions? Permission-based filters to eliminate non colluding sets of apps Statistic analysis App communication patterns Does this suffice? Followed by indepth inspection of the potentially colluding apps

10 Collusion Detection

11 Workflow of indepth collusion detection apktool baksmali

12 Workflow of indepth collusion detection K parser

13 Workflow of indepth collusion detection K compiler

14 Workflow of indepth collusion detection K run with Maude backend

15 Model checking for data dependency public int exp(int a, int b) { int d = 0; int i = a; while (0 < i){ d = d + b; i--; } } return d;

16 Model checking for data dependency public int exp(int a, int b) { int d = 0; int i = a; a b while (0 < i){ d = d + b; i--; } } return d;

17 Model checking for data dependency public int exp(int a, int b) { int d = 0; int i = a; while (0 < i){ d = d + b; i--; } a b (i,a) b d } return d;

18 Model checking for data dependency public int exp(int a, int b) { int d = 0; int i = a; a b } while (0 < i){ d = d + b; i--; } return d; (i,a) b d no loop (i,a) b d

19 Model checking for data dependency public int exp(int a, int b) { int d = 0; int i = a; a b } while (0 < i){ d = d + b; i--; } return d; (i,a) b d loop once no loop (i,a)(d,b) (i,a) b d

20 Model checking for data dependency public D exp(a a, B b) { D d = new D(0); A i = a; a b } while (i!= null){ d.plus(d, b); i = i.inc(); } return d; (i,a) b d loop once no loop (i,a)(d,b) (i,a) b d

21 Classified invokes App Sandbox App Sandbox Access Protected Resource Receive Send Publish Info

22 App communication App Sandbox App Sandbox Access Protected Resource Receive Send Publish Info Stage reached also by the logic programming based filter

23 Data flow abstraction Access Protected Resource Receive Abstract objects to the name of their type/class Send Publish Info Abstract API calls to parameter dependence relations

24 Data flow abstraction mod Strings Access Protected Resource Receive Abstract objects but keep any String as is Send Publish Info Abstract API calls but execute APK calls

25 Tracing the gossip in sandboxes Access Protected SECRET Resource Receive App spawns some SECRET constant Send Publish Info Tracing the SECRET becomes constant propagation

26 Tracing the gossip in sandboxes Access Protected SECRET Resource Receive The SECRET reaches some conversation Send Publish Info

27 Tracing the gossip in sandboxes Access Protected SECRET Resource Receive The SECRET reaches some conversation Send Publish Info The SECRET gets passed to a trusted friend, e.g., another app on the device

28 Tracing the gossip in sandboxes Access Protected SECRET Resource Receive The SECRET gets passed to a trusted friend Send Publish Info who receives the SECRET

29 Tracing the gossip in sandboxes Access Protected SECRET Resource Receive The SECRET gets passed to a trusted friend Send Publish Info who receives the SECRET and processes it

30 Tracing the gossip in sandboxes Access Protected SECRET Resource Receive The SECRET gets passed to a trusted friend, Send Publish Info who receives the SECRET and processes it and discloses it!

31 Collusion pattern Access Protected SECRET Resource Receive Info Theft Send Publish Info

32 Non colluding case (I) Access Protected SECRET Resource Send Receive Publish Info The SECRET doesn t get passed to the trusted friend even though they communicate

33 Non colluding case (II) Access Protected SECRET Resource Receive The trusted friend doesn t disclose the SECRET Send Publish Info

34 Non colluding case (III) Access Protected SECRET Resource Receive No communication, e.g., due to non matching Intents Send Publish Info

35 Demo

Alternatives to model checking Checking apps to witness collusion is not reliable Distributed systems make difficult having total input coverage Runtime analysis (as add-on to Android OS) is not

37 Alternatives to model checking Checking apps to witness collusion is not reliable Distributed systems make difficult having total input coverage Runtime analysis (as add-on to Android OS) is not exhaustive Suitable for device deployment Static analysis is efficient but not transparent Gives Yes/No answers w.r.t. collusion In case of collusion gives no insight about reasons Model checking an abstraction suitable for collusion.

38 Conclusions Android OS has a design problem App collusions are real and discovered in the wild Tools to detect collusions are required Model checking is a useful method of proving colluding behaviours The project work continues -

39 The project work continues -

Security Philosophy. Humans have difficulty understanding risk

Security Philosophy. Humans have difficulty understanding risk Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy