Android Malware


mansourweb
March 4th, 2014, 12:23
Dear Friends,

Since the rise of Android malware is in progress, let's start a new discussion about it.

Android malware such as FakeInstaller and GoldDream tend to communicate by sending and receiving SMS. DroidKungFu tries to get sensitive information from the device by calling, for example, the getSubscriberId API. GingerMaster wants to use a root exploit.

So in general, for analyzing an Android malware, there is a list of features that can be applied, and they are divided into 2 parts:

1) Analyse the AndroidManifest.XML:
Extract hardware components which are used in an app, requested permissions, app components such as activities, services, content providers & broadcast receivers, and filtered intents.

2) Disassemble the dex code:
Extract API calls and find the restricted API calls, suspicious API calls and network addresses which are used in network API calls.

These features can show rich information about Android malware.

Can you add some other useful features that are discriminative between malware and benign apps?

Thanks for continuing the discussion.
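As an added example (not code from the original post), the script below extracts the manifest features listed in part 1 from a decoded AndroidManifest.xml, such as the output of apktool, and derives one SMS-capability feature from them. The manifest string is constructed for the demo, and the feature names and function names are the example's own.

```python
# Added example (not from the original post): pull the manifest-level features
# out of a decoded AndroidManifest.xml so they can feed a triage feature vector.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-feature android:name="android.hardware.telephony"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

def extract_manifest_features(manifest_xml: str) -> dict:
    """Hardware components, requested permissions, app components, filtered intents."""
    root = ET.fromstring(manifest_xml)
    name = ANDROID_NS + "name"          # attribute key after namespace expansion
    feats = {"hardware": set(), "permissions": set(),
             "components": {tag: set() for tag in COMPONENT_TAGS},
             "intents": set()}          # (component tag, action) pairs
    for el in root.iter("uses-feature"):
        feats["hardware"].add(el.get(name))
    for el in root.iter("uses-permission"):
        feats["permissions"].add(el.get(name))
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            feats["components"][tag].add(comp.get(name))
            for action in comp.iter("action"):   # <action> only occurs in <intent-filter>
                feats["intents"].add((tag, action.get(name)))
    return feats

def sms_indicators(feats: dict) -> list:
    """Derived feature: the SMS send/receive capability the post ties to FakeInstaller/GoldDream."""
    found = [p for p in ("SEND_SMS", "RECEIVE_SMS")
             if "android.permission." + p in feats["permissions"]]
    if ("receiver", "android.provider.Telephony.SMS_RECEIVED") in feats["intents"]:
        found.append("SMS_RECEIVED receiver")
    return found
```

On a real sample, a receiver filtering SMS_RECEIVED together with SEND_SMS is only one feature; it should be combined with the dex-level API features from part 2 rather than used as a verdict on its own.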

Shub-nigurrath
March 9th, 2014, 15:45
There are these alternatives:

instrumentation of the system, for example through this method:
http://conference.hitb.org/hitbsecconf2013kul/materials/D1T1%20-%20Collin%20Mulliner%20-%20Android%20DDI%20-%20Dynamic%20Dalvik%20Instrumentation%20of%20Android%20Applications.pdf

and pattern matching, for example see this paper:
http://www.st.cs.uni-saarland.de/chabada/CHABADA.pdf

mansourweb
March 10th, 2014, 03:54
Quote:
[Originally Posted by Shub-nigurrath;96210]There are these alternatives:

instrumentation of the system, for example through this method:
http://conference.hitb.org/hitbsecconf2013kul/materials/D1T1%20-%20Collin%20Mulliner%20-%20Android%20DDI%20-%20Dynamic%20Dalvik%20Instrumentation%20of%20Android%20Applications.pdf

and pattern matching, for example see this paper:
http://www.st.cs.uni-saarland.de/chabada/CHABADA.pdf



Thank you for the links.

They are very helpful.

Shub-nigurrath
March 13th, 2014, 07:17
There are a lot of other alternatives you can use besides those two I mentioned above.

You can also use one of the several online APK analyzers, open source or hosted by some AV company. For example these:
- http://www.apk-analyzer.net/
- Andrubis, http://anubis.iseclab.org/
- MobiWORM, http://blog.mobworm.de/
- mobile sandbox, http://mobilesandbox.org/

or use one of the static analysis frameworks like SAAF (http://code.google.com/p/saaf/) or dexter (http://dexter.dexlabs.org/),

or even “MoCFI - A Framework to Mitigate Control-Flow Attacks on Smartphones” by Davi et al., NDSS 2012. Find it on your own.

Look also at the papers here:
- http://www.malgenomeproject.org/
- http://www.csc.ncsu.edu/faculty/jiang/pubs/index.html

BR,
Shub

mansourweb
March 14th, 2014, 04:05
Quote:
[Originally Posted by Shub-nigurrath;96226]There are a lot of other alternatives you can use besides those two I mentioned above.

You can also use one of the several online APK analyzers, open source or hosted by some AV company. For example these:
- http://www.apk-analyzer.net/
- Andrubis, http://anubis.iseclab.org/
- MobiWORM, http://blog.mobworm.de/
- mobile sandbox, http://mobilesandbox.org/

or use one of the static analysis frameworks like SAAF (http://code.google.com/p/saaf/) or dexter (http://dexter.dexlabs.org/),

or even “MoCFI - A Framework to Mitigate Control-Flow Attacks on Smartphones” by Davi et al., NDSS 2012. Find it on your own.

Look also at the papers here:
- http://www.malgenomeproject.org/
- http://www.csc.ncsu.edu/faculty/jiang/pubs/index.html

BR,
Shub



The links are very good.
Thank you so much Shub.