The missing link in the chain? Android network analysis. Rowland Yu Senior Threat Researcher II

Transcription

1 The missing link in the chain? Android network analysis Rowland Yu Senior Threat Researcher II

2 Facts

3 Facts Monthly Sample Doubled from 2015 to Monthly Android Malware Statistics: from September Million

4 Facts Google Play PHA: 1 out of every 10,000 downloads Cumulative number of apps downloaded from the Google Play as of May 2016 (in billions) 6.5 million PHA downloads Source : Android Developers Blog & Statista

5 Facts Possible PHAs Removed by Google Play Details of the collected apps Apps Free Paid Installs Developers Google Play ,502,180 1,278, , B 338,670 Google Play ,144, , , B 541,105 Details of the removed apps Apps Free Paid Installs Developers Removed Apps (Step1) 795, , , B 186,595 Removed Apps (Step2) 791, , , B 184,852 Source : Why are Android Apps Removed From Google Play? A Large-scale Empirical Study ~37% removed 5

6 Facts Malware on Google Play Reported by Researchers Family Apps Downloads BankBot Android.DownLoader.558.origin BANKBOT SonicSpy ANDROIDOS_BANKBOT ExpensiveWall DU Antivirus Android.Sockbot JSMINER AND CPUMINER Fake cryptocurrency trading app BankBot Bankbot

7 Facts Malware on Google Play Reported by Researchers Timeline malicious apps on Google Play since July new families ~280 million downloads 7

8 Evolution

9 Top 10 Android Threats: 2016 Andr/SMSSpy 4% Andr/Generic 4% Andr/Fakeplay 4% Andr/Axent 6% Andr/Dload 4% Andr/Fakeins 4% Andr/PornClk 30% Andr/SMSSend 11% Andr/Droidrt 14% Andr/CNSMS 19% 9

10 Top 10 Android Threats: September/ August/2018 Andr/ObfusAndr/SMSSend 3% 2% Andr/Axent 3% Andr/Slocker 2% Andr/FakeIns 2% Andr/Dloadr 1% Andr/Zniu 1% Andr/PornClk 21% Andr/Rootnik 41% Andr/Dropr 24% 10

11 Top 10 Android Threats Evolution Andr/SMSSpy 4% Andr/PornClk 30% Andr/SMSSend 2% Andr/PornClk 21% Andr/Rootnik 41% Andr/SMSSend 11% Andr/Droidrt 14% Andr/CNSMS 19% Andr/Dropr 24% 2016 Sep/2017 Aug/

12 Google Play Malware Categories Rogueware, 2 PremiumSMS, 1 Spyware, 10 Rootkit, 1 FakeApp, 2 Dropper, 1 Downloader, 6 Coinminer, 3 AdClicker, 6 Botnet, 2 ClickFraud, 3 Bankbot, 13 Category Timestamp Num of Apps Installs AdClicker AdClicker ,000,000-7,000,000 AdClicker ,500,000 AdClicker ,000 AdClicker ,500,000 AdClicker ,000 Bankbot N/A Bankbot ,000-5,000 Bankbot N/A Bankbot ,000-5,000 Bankbot N/A Bankbot ,000-5,000 Bankbot ,585,000-7,565,000 Bankbot Bankbot N/A Bankbot Bankbot Bankbot Botnet N/A Botnet ,000-5,000 ClickFraud ,904,511-21,101,567 ClickFraud ,200,000-17,400,000 ClickFraud ,000+ Coinminer ,000-50,000 Coinminer , ,000 Coinminer ,000 Downloader ,000,000 Downloader , ,000 Downloader N/A Downloader ,000 Downloader ,200,000 Downloader ,000+ Dropper ,500-12,000 FakeApp ,000-50,000 FakeApp N/A PremiumSMS ,000-5,000 Rogueware ,000, ,000,000 Rogueware ,000+ Rootkit N/A Spyware N/A Spyware ,000,000-50,000,000 Spyware Spyware , ,000 Spyware ,000,000-50,000,000 + Spyware , ,000 + Spyware N/A Spyware Spyware

13 Packers Packer in malware: Yearly distribution vs Packer distribution. Source : Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation 13

14 Obfuscators 25% obfuscated on Google Play Source : A Large Scale Investigation of Obfuscation Use in Google Play (2018) 14

15 Modern Android malware takes full advantage of the internet to execute remote tasks. Dealing with packed or obfuscated Android apps by using existing well-known analysis tools like JEB, apktool and Radare2 still remains a very challenging task. 15

16 State of the Art

17 Existing Packet Capture Tools External database Forensics friendly App based capture SSL decryption Open source Exportable pcap/file Android version Android tcpdump - bitshark and up tpacketcapture 4.0 and up SSL Packet Capture 4.0 and up Wicap 2. Sniffer 4.0 and up Root Packet Capture - CharlesProxy SSL Traffic Debug and up 17

18 Architecture

19 Web Server & Database Researchers Application level HTTP Protocol Packet Capturer read/write HTTPS Proxy Internet Tunnel Kernel level 19

20 Application-Based VPN Service Android 4.0+ Built-in VPN solution No root privileges 20

21 Application-Based VPN Service Declare a VPN in AnroidManifest.xml <service Android:name=".MyVpnService" Android:permission="Android.permission.BIND_VPN_SERVICE"> <intent-filter> <action Android:name="Android.net.VpnService" /> </intent-filter> </service> Prepare a VPN Intent intent = VpnService.prepare(this); Supply those parameters to a VpnService.Builder and establish a VPN interface Builder builder = new Builder(); builder.addaddress(" ", 32); builder.addroute(" ", 0); builder.setsession("myvpnservice"); this.mparcelfiledescriptor = builder.establish(); 21

22 Trusted CA (Certificate Authority) Certificate As long as the appropriate Certificate Authority (CA) certificate is installed in the trust credentials, many applications can't tell the difference between a connection to the original host and the intercepting proxy. Starting from Android 4.0, users can now easily add their own 'user' certificate. 22

23 Trusted CA (Certificate Authority) Certificate /** Generates a certificate for {@code hostname} containing {@code keypair}'s * public key, signed by {@code keypair}'s private key. // use the old Bouncy Castle APIs to reduce dependencies. public X509Certificate selfsignedcertificate(keypair keypair) throws GeneralSecurityException { X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); X500Principal issuer = new X500Principal("CN=CA Certificate"); X500Principal subject = new X500Principal("CN=CA Certificate"); generator.setserialnumber(new BigInteger(BigInteger.valueOf(System.currentTimeMillis()))); generator.setissuerdn(issuer); generator.setnotbefore(new Date(notBefore)); generator.setnotafter(new Date(notAfter)); generator.setsubjectdn(subject); generator.setpublickey(keypair.getpublic()); generator.setsignaturealgorithm("sha256withrsaencryption"); return generator.generatex509certificate(keypair.getprivate(), "BC"); } /** This method will launch an intent to install the key chain */ Intent installintent = KeyChain.createInstallIntent(); installintent.putextra("cert", keystore.getcert()); installintent.putextra("name", "Capture CA Certificate"); startactivityforresult(installintent, INSTALL_KEYCHAIN_CODE); 23

24 HTTPS MiTM Proxy A simple proxy is created to act as man-in-the-middle (MiTM) HTTPS communication. The proxy allows for monitoring, modifying, and (if necessary) replaying of HTTP / HTTPS traffic that passes through it. 24

25 HTTPS MiTM Proxy App Proxy Server CONNECT HTTP/1.1 Socket/TLS Handshake Valid certificate Client Key Exchange TLS handshake Self-signed certificate Client Key Exchange GET GET index.html Closing the connection Encrypted index.html Closing the connection 25

26 Demo

27 Conclusion

28 Strong evidences show that Android threats increasingly take advantage of network traffic to execute additional payloads. Both legitimate and malicious apps are leveraging packing and obfuscating mechanisms to protect themselves against reverse engineer. Existing packet capture tools, such as Android tcpdump and SSL Packet Capture, have been released for network analysis in the last few years, but have some disadvantages in different aspects. External database Forensics friendly App based capture SSL decryption Open source Exportable pcap/file Android version New Packet Capturer

29 Limitations It is impossible for Android VPNService to capture all packets (like loopback packet data. Some apps such as Google Chrome may utilize secure techniques (i.e. Certificate Pinning) to avoid SSL proxy eavesdropping. The solution may not work very well in Emulator. From Android N onwards, it gets a little harder. 29

30 Q&A 30

31