
Using Apklab.io Mobile Threat Intel Platform to Fight Banking Threats

BSides Athens · 2018 · 14:44 · 191 views · Published 2018-08
About this talk
Nikolaos Chrysaidos presents Apklab.io, a mobile threat intelligence platform that combines static and dynamic analysis to detect and track banking trojans. The talk demonstrates how the platform's automated labeling, family tracking, and machine learning classifiers enabled rapid detection of BankBot malware samples repeatedly uploaded to the Google Play Store in 2017–2018, and discusses the architecture and key components needed for effective mobile threat intelligence.
Original YouTube description

Security BSides Athens 2018 (Sat, 23/Jun/2018)
Using Apklab.io Mobile Threat Intel platform to fight banking threats - Nikolaos Chrysaidos

Abstract: In order to do his job well, an analyst requires detailed data analyses, breakdowns and correlations of applications with similar samples and behaviors, all at once. Apklab.io's main goal is to provide structured intelligence for mobile threats, including collecting static and dynamic features, an indexable and queryable database of features, detection information, family tracking, custom and automatic labeling, and preventing the threat from spreading further. Threat features are collected for our machine learning model by two main boxes: the dynamic and the static analysis box. The presentation will highlight some of the advantages of using a unified platform to hunt for new threats and explore how apklab.io has revolutionized the way we track them (and in some cases also the actors behind them) in near real-time. In addition, it will be shown how we use the platform to investigate prevalent campaigns in the wild. All of this will be demonstrated on the recent case of BankBot malware, which repeatedly and successfully made its way onto the Google Play Store. In October and November of 2017, for instance, the malicious actors behind BankBot were constantly uploading droppers to Google Play that were mainly downloading banking Trojans. Using apklab.io and the family tracking feature, we were able to identify and detect every sample that was being uploaded to Google Play within minutes of it appearing. Currently, we're working on making the platform available, at least to some extent, to the general public and if all goes well, we'd like to conclude the presentation by announcing the availability of this platform to any interested parties.

Bio: Nikolaos is head of mobile threat intelligence and security at Avast, leading mobile security projects, mobile threat intelligence, and threat prevention. He loves mobile forensics, malware analysis, reverse engineering and promoting innovation in the security field.
Transcript [en]

Thanks everyone. I want to thank the organizers for having me here and my team for the amazing job that we did together the past two years with our integration with AVG and for the implementation of our threat intelligence platform that we succeeded in making. So what do we talk about today? We talk about what threat intelligence is in general and what the architecture of the mobile threat intelligence that we made together is, how we collect information, what the key components of apklab.io are, how we do family tracking, labeling and notifications, and how all of those can help the analysts to chase malware, mobile malware. And then we talk about a case, BankBot. It's a malware that was found last year in the Google Play Store, and how we discovered it through apklab.

So, what is threat intelligence? The concept is an elusive concept. It's something difficult to achieve in the beginning because of the lot of data that you need to process in order to achieve this, like this lady. You need a large variety of data sources that need to be also diverse, global. So the samples are from China, samples are from India, etc., from many stores. A network of sensors, so our clients, because our clients are the target of the mobile actors. And machine learning, and putting all of those in front of the analyst. We can create context and reliably track the threat evolution and react quickly in discovering them.

So what are the key components of a solid threat intelligence platform? It is a strong dataset of the diverse suspicious samples that we are collecting from our clients, the clients that have the mobile antivirus installed, and we are collecting the suspicious samples from them. Reliable and fast automated classifiers: classifier models that we are training every two months with all of our new samples. Expert supervision from the beginning, so our experts, our analysts, that need to train or create new features for the models. Up-to-date training using all of the latest malware, and a coherent dynamic and static analysis flow.

So what's the architecture? First of all, we need to have all of the sources. So we have sources from our partners, we have sources from our mobile AV clients that are collecting the suspicious samples, and third-party feeds, VirusTotal and third-party stores globally. This is the diversity that is very much needed. Then we need to take all of the samples and check if they are suspicious, because we don't want to overload our systems and re-input the same samples. And depending on whether we will start analysis or not, we'll insert them into apklab.io and we'll start analysis. By this, we'll do dynamic analysis using our sandbox, it's called Shadron, and static analysis. With this we collect all of the extracted features and the handmade ones that we made, custom-made by our experts, and we will use our machine learning classifiers to see if the sample is malicious or not. Then we'll apply the family, we'll apply the intelligence, what we call labels: labeling of family, category, and various other characteristics. And then we will decide, the system itself will decide, if we will detect the sample itself. The last step is to collect all of this data, the threat intelligence, as the APK intelligence, so all of the data from the sample itself, and all of the data from the URLs. So we are collecting every kind of URL that we can, and we store it inside our databases in order to provide good threat intelligence. All of those features are indexable and searchable, so you can search by a specific feature, like if it hides the icon from the device. We collect also the detected samples feed and all of the labels.

We want also a bit to make bad actors' lives a bit more miserable by this. Yes, I'm talking to you.

How to build a threat intelligence platform? So we need a dynamic analysis engine that will do automatic behavior analysis of suspicious samples. Static analysis tools that are handmade by experts, and they will break down the sample feature-wise, so the actual analyst will understand immediately what it looks like. Yeah, from inside the system. Then we need good scripting, family tracking and labels. This is how it looks. You can have all the samples inside with the labels. I don't know if you can see a little bit, but we have different kinds of labels like banker, or the family itself, that's BankBot, or other kinds of banking malware for mobile. And you can search everything from inside the platform.

Each sample provides all of the main features that the analysts need to see in the beginning to have a very clear overview of what this is exactly. So we have classifiers, and also classifier models for specific regions like China, because the samples are totally different. And certificate and other stuff. Moreover, the static features we are trying also by here. Most of the samples are packed or protected through various packers and protectors. So we are dumping them from memory, most of them are fully compatible with this, and we are extracting all of the features from the main APK and from the payload, and we are integrating each one into the sample in order to use it for better detection from our systems.

And the dynamic analysis consists of the network traffic, live hooking of various... Thank you. We are hooking the crypto APIs in order to get the decrypted strings live and show them to the user in order to understand what is being decrypted, etc. And most of the entry points are run inside, like activities, receivers, etc., and services. We collect also the screenshots. So everything here is my most important thing. The analyst, as it says, needs to have, as an overview, the most important features, and then can dive deep into each table and see what it does. So this is what we do. And the use case. Why should you be concerned about banking threats, mobile banking threats?

So we did a survey back in February for MWC, an online survey with 40,000 people from 12 countries. And globally, a generic issue, a generic problem is that most of the people, like half of the people, identify the official app interface as fraud. So social engineering still works, and social engineering will still work in the future. People are more concerned about having money stolen from their checking accounts than about losing their wallet. This is because of the new era of mobile and integrating into this. Statistics about banking threats, mobile banking threats. From last April '17 to now, March '18, we see a steady rise with a total of 1.3 million unique detections, and the three regions that have the highest rates are Europe, Russia and Australia, for a reason. I would like to say more about it. And what is a banking threat? A banking threat is mainly extracting sensitive financial data through SMS. Through SMS like the two-factor authentication code that can come by SMS, different varieties of credentials and credit card info. What it does is put up a fake layout over the original main interface of the bank and it tries to phish the data from the user. And of course it uses some other bank data that uses more interesting social engineering techniques in order to achieve this.

BankBot trojan. The BankBot trojan was found last year, one of the varieties. In the Google Play Store there were two campaigns, in October and November 2017. 15 samples in the Google Play Store, so the bad actors are continuously uploading their applications. They were targeting 160 financial applications. The payload was being downloaded from this site, or was being dropped from this site.

Tracking the BankBot main payload. So the analysts using the system itself, the mobile threat intelligence platform, apklab.io, could very easily see new samples coming in from the automatic labeling, like banker, dropper (dropper means this specific group is dropping something), and the family itself, including various scores from our machine learning classifiers. This is the static analysis of the payload, so the analysts can see very fast what the payload is doing. So the payload of this banking set was checking if it is running inside an emulator, checking specific fingerprints. And it was also putting the ringer mode to mute in order for the user not to hear that a new message comes, in order to exfiltrate any data that comes. And hiding the application icon from the launcher in order to hide it from the user. And the last one, adding it as a device admin in order to be more persistent and for the user to have more difficulty in removing it. And it also wanted to be the main SMS application in order to have first priority in getting the messages.

In the platform you can search using IPs, all of the static features like the emulator check for known fingerprints. Another one is banking strings. So a lot of malware, a lot of banking threats, they were including inside a lot of package names from a lot of banks. So checking only by this as a feature, and if those strings are more than 10 or more than 15, you can consider this as suspicious. And URL intelligence collects every kind of URL that you can find inside, from the web traffic, from the static analysis, and we use it in order to track the sample itself and to track also the domains that are being registered to this IP and how many samples are being connected there. One interesting thing is that you can see on some IPs that some bad actors try to push out different kinds of families like BankBot, Red Alert and MazarBot. So they are trying to see what works better for them in order to have financial gains.

Conclusion. What do you want to have for a good threat intelligence base? You need to have diverse data sources. So you need samples from all over the world, especially from Asia, because it's a very difficult region, because also of the language, and because of the difficulty to find analysts and cooperate with them. Automation and easy-to-use tools for the analysts in order to go immediately and find the malware signals. Also, the analysts, and I think the directors of every kind of threat intelligence platform, need to seek new opportunities in order to improve their feeds with new partnerships with other companies that maybe are doing deeper investigation of some specific things that you are not doing. So this is always a good thing to do. From new data types and sources, like the same thing, like regions, different kinds of regions, etc., and expanding the coverage region. And I would like to finish with Security Conversations, which is a very good podcast. In this one, Ryan Naraine and Juan Andrés Guerrero-Saade talk about threat intelligence, that threat intelligence is not a combination of IOCs and YARA rules. Those are just data. Context matters to build strong intelligence about your samples and how you can move on and detect the samples. So by this, I want to conclude my presentation. And apklab.io will be open as invite-only for security researchers. I would like to keep it like this, obviously to keep out all of the malware actors that will try to sneak in for sure. And I would request of you, if you can join, to send me an email to this, chrisadis.avaz.com or edklab.avaz.com. And you can find me also on Twitter, BigDroid. Thank you.
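The talk describes automatic labels (banker, dropper) derived from static features, a count-of-bank-package-names heuristic with a threshold of more than 10 strings, and family tracking that groups samples by shared behavior. The following is an added example, not apklab.io code and not from the speaker: a small rule-based labeler over a constructed feature set. The `StaticFeatures` shape, the placeholder bank package names, the `FAMILY_PROFILES` table, the Jaccard cut-off and the three sample records are all assumptions built for the illustration; the Android permission and action strings are the real platform identifiers.

```python
from dataclasses import dataclass

# Constructed placeholder bank package names standing in for a curated
# watch list; these are not real applications.
KNOWN_BANK_PACKAGES = {f"com.examplebank{i:02d}.mobile" for i in range(1, 31)}

# Heuristic from the talk: more than 10 (or 15) bank package names inside
# one sample is suspicious. The lower bound is used here.
BANK_STRING_THRESHOLD = 10

# Hypothetical family profile: the behaviors the talk lists for the BankBot
# payload, expressed as the label set a matching sample carries.
FAMILY_PROFILES = {
    "BankBot": {"banker", "hides-icon", "device-admin",
                "sms-default-app", "mutes-ringer", "emulator-check"},
}
FAMILY_MIN_SIMILARITY = 0.8  # assumed Jaccard cut-off for family tracking


@dataclass
class StaticFeatures:
    """Assumed shape of what a static-analysis step extracts from the
    manifest and the DEX string/method tables."""
    package: str
    permissions: set
    intent_actions: set
    api_calls: set
    strings: set


def bank_package_hits(f):
    """Bank package names the sample references, excluding its own."""
    return sorted(s for s in f.strings
                  if s in KNOWN_BANK_PACKAGES and s != f.package)


def derive_labels(f):
    """Automatic labels in the spirit of the talk's 'banker' / 'dropper'."""
    labels = set()
    sms_access = {"android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS"} & f.permissions
    # Overlay bankers enumerate their targets; a benign bank app references
    # only its own package, so the count alone separates the two cases.
    if len(bank_package_hits(f)) > BANK_STRING_THRESHOLD and sms_access:
        labels.add("banker")
    if "PackageManager.setComponentEnabledSetting" in f.api_calls:
        labels.add("hides-icon")        # disables its own launcher activity
    if ("android.permission.BIND_DEVICE_ADMIN" in f.permissions
            or "android.app.action.DEVICE_ADMIN_ENABLED" in f.intent_actions):
        labels.add("device-admin")      # harder for the user to remove
    if "android.provider.Telephony.SMS_DELIVER" in f.intent_actions:
        labels.add("sms-default-app")   # first priority on incoming SMS
    if "AudioManager.setRingerMode" in f.api_calls:
        labels.add("mutes-ringer")      # silences the OTP notification
    if "Build.FINGERPRINT" in f.api_calls:
        labels.add("emulator-check")    # sandbox evasion
    if ("android.permission.REQUEST_INSTALL_PACKAGES" in f.permissions
            or "android.intent.action.INSTALL_PACKAGE" in f.intent_actions):
        labels.add("dropper")           # installs a second-stage payload
    return labels


def track_family(labels):
    """Jaccard similarity of the label set against each family profile."""
    best, best_sim = None, 0.0
    for name, profile in FAMILY_PROFILES.items():
        union = labels | profile
        sim = len(labels & profile) / len(union) if union else 0.0
        if sim > best_sim:
            best, best_sim = name, sim
    return (best, best_sim) if best_sim >= FAMILY_MIN_SIMILARITY else (None, best_sim)


def analyze(f):
    """Labels, family and a three-level verdict for one sample."""
    labels = derive_labels(f)
    family, sim = track_family(labels)
    verdict = ("detect" if "banker" in labels or family
               else "suspicious" if labels else "clean")
    return {"package": f.package, "labels": sorted(labels),
            "bank_hits": len(bank_package_hits(f)),
            "family": family, "similarity": round(sim, 2), "verdict": verdict}


# Constructed samples; none of these values come from real malware.
PAYLOAD = StaticFeatures(
    package="com.example.fakeflashplayer",
    permissions={"android.permission.INTERNET", "android.permission.RECEIVE_SMS",
                 "android.permission.READ_SMS", "android.permission.SEND_SMS",
                 "android.permission.BIND_DEVICE_ADMIN"},
    intent_actions={"android.provider.Telephony.SMS_DELIVER",
                    "android.app.action.DEVICE_ADMIN_ENABLED"},
    api_calls={"PackageManager.setComponentEnabledSetting",
               "AudioManager.setRingerMode", "Build.FINGERPRINT"},
    strings={"com.example.fakeflashplayer"}
            | {f"com.examplebank{i:02d}.mobile" for i in range(1, 15)})
DROPPER = StaticFeatures(
    package="com.example.fakeflashplayer.installer",
    permissions={"android.permission.INTERNET",
                 "android.permission.REQUEST_INSTALL_PACKAGES"},
    intent_actions={"android.intent.action.INSTALL_PACKAGE"},
    api_calls={"Build.FINGERPRINT"},
    strings={"http://payload.invalid/update.apk"})  # constructed placeholder URL
BENIGN_BANK_APP = StaticFeatures(
    package="com.examplebank03.mobile",
    permissions={"android.permission.INTERNET", "android.permission.RECEIVE_SMS"},
    intent_actions=set(), api_calls=set(),
    strings={"com.examplebank03.mobile", "com.examplebank03.mobile.LoginActivity"})

if __name__ == "__main__":
    for sample in (PAYLOAD, DROPPER, BENIGN_BANK_APP):
        print(analyze(sample))
```

Running it prints one record per sample: the payload collects all six profile labels and is tracked as BankBot, the dropper gets only `dropper` and `emulator-check` and stays below the family cut-off, and the bank's own app, which references only its own package, comes out clean. Real feature extraction would replace the hand-written `StaticFeatures` records, and the talk's point that labels are inputs to context rather than detections in themselves is why the verdict here is a separate step from labeling.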