Automated Identification of Installed Malicious Android Applications

Similar documents
Android Forensics: Automated Data Collection And Reporting From A Mobile Device

A Study of User Data Integrity During Acquisition of Android Devices

Categories of Digital Investigation Analysis Techniques Based On The Computer History Model

An Evaluation Platform for Forensic Memory Acquisition Software

File Classification Using Sub-Sequence Kernels

Unification of Digital Evidence from Disparate Sources

The Normalized Compression Distance as a File Fragment Classifier

Monitoring Access to Shared Memory-Mapped Files

Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information

System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence

Extracting Hidden Messages in Steganographic Images

A Correlation Method for Establishing Provenance of Timestamps in Digital Evidence

Developing a New Digital Forensics Curriculum

Breaking the Performance Wall: The Case for Distributed Digital Forensics

File Fragment Encoding Classification: An Empirical Approach

On Criteria for Evaluating Similarity Digest Schemes

A Framework for Attack Patterns Discovery in Honeynet Data

Rapid Forensic Imaging of Large Disks with Sifting Collectors

Android Bootloader and Verified Boot

CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines

Multidimensional Investigation of Source Port 0 Probing

A Functional Reference Model of Passive Network Origin Identification

Fast Indexing Strategies for Robust Image Hashes

Designing Robustness and Resilience in Digital Investigation Laboratories

Honeynets and Digital Forensics

Embedded Android? Not so fast!

Privacy-Preserving Forensics

Rooting Android. Lecture 10. Security of Mobile Devices. SMD Rooting Android, Lecture 10 1/33

Can Digital Evidence Endure the Test of Time?

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Design Tradeoffs for Developing Fragmented Video Carving Tools

BinComp: A Stratified Approach to Compiler Provenance Attribution

Quick Heal Mobile Security. Free protection for your Android phone against virus attacks, unwanted calls, and theft.

Ranking Algorithms For Digital Forensic String Search Hits

Reducing the Cost of Incident Response

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

DUAL OS INSTALLATION

SandBlast Agent FAQ Check Point Software Technologies Ltd. All rights reserved P. 1. [Internal Use] for Check Point employees

A Strategy for Testing Hardware Write Block Devices

ROM FLASHING INSTRUCTIONS FOR ONEPLUS 3 / 3T

Using Sensitive Information on Android Based Smartphone. Romke van Dijk

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Hash Based Disk Imaging Using AFF4

Fast Incident Investigation and Response with CylanceOPTICS

Install ADB on Windows

Carbon Black PCI Compliance Mapping Checklist

RSA NetWitness Suite Respond in Minutes, Not Months

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

UnCovert: Evaluating thermal covert channels on Android systems. Pascal Wild

Deliver Strong Mobile App Security and the Ultimate User Experience

A Novel Approach of Mining Write-Prints for Authorship Attribution in Forensics

Quick Heal Total Security for Android. Anti-Theft Security. Web Security. Backup. Real-Time Protection. Safe Online Banking & Shopping.

Mobile memory dumps, MSAB and MPE+ Data collection Information recovery Analysis and interpretation of results

Surviving in the wilderness integrity protection and system update. Patrick Ohly, Intel Open Source Technology Center Preliminary version

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Android Forensics. Presented By: Mohamed Khaled. Thanks to: Ibrahim Mosaad Mohamed Shawky

Windows 7, Enterprise Desktop Support Technician

Droid User Manual Pdf Samsung Galaxy S3 Mini Gt-i8190l

Changing face of endpoint security

CERT Development EFFECTIVE RESPONSE

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

Securing Today s Mobile Workforce

Android Forensics. Investigation, Analysis, Google Android. and Mobile Security for. Andrew Hoog. John McCash, Technical Editor SYNGRESS

Mobile Phone Examiner Plus 5.8 Release Notes

INTRODUCING SOPHOS INTERCEPT X

Quick Heal Mobile Device Management. Available on

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

+ THE UFED ADVANTAGE DEVICE SUPPORT APPLICATION SUPPORT

Quick Heal Mobile Security. Free protection for your Android phone against virus attacks, unwanted calls, and theft.

User Guide. Version 2.1

<Partner Name> RSA NETWITNESS Intel Feeds Implementation Guide. Kaspersky Threat Feed Service. <Partner Product>

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Windows Client, Enterprise Desktop Support Technician

Defend Against the Unknown

Cyber Resiliency & Agility Call to Action

Kaspersky Security for Windows Server

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

GUIDE. MetaDefender Kiosk Deployment Guide

CS 356 Operating System Security. Fall 2013

PALANTIR CYBERMESH INTRODUCTION

THE KERNEL. Our in-house professional team is highly skilled in delivering cutting-edge solutions to our clients.

Advanced Threat Hunting:

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Developing on DragonBoard

Memory Analysis. CSF: Forensics Cyber-Security. Part II. Basic Techniques and Tools for Digital Forensics. Fall 2018 Nuno Santos

PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Lamine Aouad, Tahar Kechadi, Justin Trentesaux and Nhien-An Le-Khac

Securing Software Updates for IoT Devices with TUF and Uptane. Ricardo Salveti Principal Engineer

Enabler Manual Device-Based Anonymization

MULTIVARIATE ANALYSIS OF STEALTH QUANTITATES (MASQ)

MEETING ISO STANDARDS

DS2 Products Auto-Update Tool BSP

Verizon Samsung Galaxy S3 Firmware Update Kies Probleme

Heavy Vehicle Cyber Security Bulletin

McAfee MVISION Mobile epo Extension Product Guide

Protection Levels, Holistic Approach. ISA-99 WG 3 TG 3 Protection Levels

Quick Heal Mobile Security. Anti-Theft Security. Real-Time Protection. Safe Online Banking & Shopping.

100% Signatureless Anti-ransomware

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. Ralf Kaltenbach, Regional Director RSA Germany

Transcription:

DIGITAL FORENSIC RESEARCH CONFERENCE Automated Identification of Installed Malicious Android Applications By Mark Guido, Justin Grover, Jared Ondricek, Dave Wilburn, Drew Hunt and Thanh Nguyen Presented At The Digital Forensic Research Conference DFRWS 213 USA Monterey, CA (Aug 4 th - 7 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 21, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. http:/dfrws.org

Detecting Maliciousness Using Periodic Mobile Forensics Authors: Mark Guido, Jared Ondricek, Justin Grover, David Wilburn, Thanh Nguyen, Drew Hunt

Problem Use case Enterprise deployments Be proactive! Can we apply media forensics techniques to detect activities that are indicative of malicious behavior? Measure changes to block devices Organizations no longer own their phone infrastructure Centrally manage and audit phone usage We want to make use of a richer set of user data on a phone as compared to a laptop Page 2

Client, Server, Database, Analysis Framework, Forensic Tools Tractor Beam Page 3

Process Live Phone Forensics Reassemble forensic images TractorBeam Svc Run forensic tools Init Periodic Over the Air (OTA) transmission to server Store changed data Extract audit information All forensic techniques are performed offline on image snapshots Page 4

boot.img Reconstructing Images offset offset T + 1 T + 2 offset 7 7 7 recovery.img 7 7 7 system.img 512 512 512 /data 248 248 248 Page 5

Forensic Tools Modern phones run Fourth Extended Filesystem (ext4) Can apply forensic tools on reconstructed images The Sleuth Kit 4..b1 with experimental ext4 support Identify when.apks are installed Identify deleted files Reconstruct.apk file Fiwalk.6.15 Identify all file system Modified, Accessed, Created, Entry Modified (MACE) times Generate DFXML to feed analysis tools Page 6

Mobile Malware Certain phone partitions change continuously, others only when user initiates. System Partitions User Data bootloader recovery.img boot.img system.img /cache /data /mnt/sdcard /mnt/sdcard-ext Enterprise use case: We should only rarely see changes to blue system partitions Tractor Beam is already set up to easily identify when these changes occur Page 7

7 Detectors and Loggers Detector 1. Alerts on changes to boot.img Detector 2. Alerts on changes to recovery.img Detector 3. Alerts on changes to bootloader Detector 4. Alerts on changes to system.img Useful for establishing persistence, surviving a reboot Logger 5. Compares image, logs all timestamp MACE time changes since previous snapshot Logger 6. Identifies and logs all deleted files since previous snapshot Detector 7. Identifies newly installed.apks and parses AndroidManifest.xml for BOOT_COMPLETED registration Page 8

Experimentation Needed real mobile malware Android Malware Genome Project MITRE obtained dataset of 12 samples No source code Functionality of samples were not fully characterized Ran experiments in MITRE s Network Attack Investigations Laboratory (NAIL) No wireless, Faraday bag No SIM card in phone Used real phone Nexus S running Android 2.3.1 Page 9

Experimentation Round 1 2 malware apps Goal: Test effectiveness of detectors Round 2 1 apps 9 legitimate 1 malware Goal: Test the BOOT_COMPLETED detector Round 3 Custom malware app Goal: Test effectiveness against sophisticated malware Page 1

Round 3 Frozen Bubble Demo malware Have source code Targeted at Nexus S Gingerbreak exploit Contains malware-like capabilities Modifies boot.img for persistence Modifies system.img - root Phone emulates USB keyboard Page 11

Round 3 Screen is locked during gameplay dd over boot.img with new malicious version Reboots phone to start With new kernel Weaponized Gingerbreak Remount system.img Write SuperUser.apk To /system/app Sample Logged Detected Installed Exploit Dropped BOOT_COMPLETED system.img Change boot.img Change Detection Result 1 x x x x Success Application dropped no files and installed to /mnt/secure/asec. Page 12

Summary Project focused on mobile malware on the enterprise: Paper concluded that there are alternative methods that showed promise for identifying and classifying mobile malware on running phone We also developed: a method of extracting only changed blocks of data and reassembling an image from them Normalized storage and fast reassembly An analysis framework for running forensic detectors 7 detectors were developed This provides us a platform for future work New detectors are just Python scripts Page 13

Insider threat identifying events and patterns of events that are indicative of malicious behavior by the phone owners Masquerading users identifying when phones may be being used by someone other than the phone owner based upon observed behavior CERIAS collaboration 3 Samsung Galaxy SIII s Application of techniques for generalized forensics acquisition Forensics laboratory use case Page 14

Questions? Page 15

Backup Slides Page 16

Approach Observed Malicious Behavior deviation from profile. T Full Image Event Malicious App install T+x 1 2 3 4 5 6 7 Take initial full forensic image Periodically send only changed data Over The Air (OTA) to server Reconstruct images at collection times Run series of detectors that incorporate various best practice media forensic techniques Eventize the results Page 17

Masquerading Experimentation Arbitrator Swap phones between users Swap phones between users Phone1 Phone2 Phone3 Phone4 Phone5 Period1 Period2 Period3 A successful result would be to identify each user/phone combination based solely on behavioral usage information. Swap phones between users Period4 Page 18

BOOT_COMPLETED Applications can register to receive BOOT_COMPLETED event Triggered when the phone finishes its boot process Can use event notification to restart service 83% of samples in Android Malware Genome Project set registered for this event Must register to receive this event in the AndroidManifest.xml file.apk files typically installed in /data/app Page 19

Choosing Malware Narrowed sample set by filtering on mount o remount,rw /system This was what we thought was indicative of the sample establishing persistence Wrong!! Samples were then chosen randomly Page 2

Round 1 Test Tractor Beam Detectors Sample Logged Detected Installed Files Dropped BOOT_COMPLETED system.img Change Detection Result 1 x x x Success 2 x x x Success 3 x x x Success 4 x x Success 5 x x Fail 6 x x x Success 7 x x x Success 8 x x x Success 9 x x x Success 1 x x Success 11 x x x Success 12 x x x Success 13 x x x Success 14 x x x Success 15 x x x Success 16 x x Success 17 x x x Success 18 x x x Success 19 x x x Success 2 x x x Success Page 21

Round 2 BOOT_COMPLETED Detector Detected Malware Non-Malware Actual Malware 1 Non- Malware 29 61 Accuracy 71% Error 29% Precision 25.6% Recall 1% 3.apks were not observed installing installed to /mnt/secure/asec Page 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback