BG - Discovering Dark Matter Towards Better Android Malware Heuristics - Jimmy Shah, David Shaw & Matt Dewitt

BSides Las Vegas | 49:44 | 43 views | Published 2017-01
About this talk
BG - Discovering Dark Matter Towards Better Android Malware Heuristics - Jimmy Shah, David Shaw & Matt Dewitt Breaking Ground BSidesLV 2013 - Tuscany Hotel - July 31, 2013
Transcript [en]

[Music] All right, hey everyone, hello. Welcome to Discovering Dark Matter for Better Android Malware Characteristics. We're going to go over a couple of things today. We're going to try to teach you how to perform basic Android malware analysis. I'm going to focus on APK analysis, runtime analysis of Android apps, and then static code analysis, and how those things in conjunction can basically take you from not knowing a whole lot about Android analysis to being able to do some more serious stuff. Matt's going to talk about a deeper understanding of the Dalvik virtual machine as well as Dex code; it's pretty interesting. And then Jimmy is

going to talk about how our tool can help, but since he's not here we're going to go ahead and do the best we can with this tool. So, you know, we'll just dive right in and do our best. So my name is David Shaw. I'm the senior director of engineering at Redspin, a small computer security company in Santa Barbara. Traditionally I've specialized in application and network security assessments. I was a technical editor of the Nmap 6: Network Exploration and Security Auditing Cookbook, which is a pretty good primer for, you know, the Nmap Scripting Engine, and I'm on Twitter at dshaw. Now, you might notice that my background as well as sort of my

specialties aren't around Android malware analysis, and that's actually pretty important for this talk, so that we can actually take someone who doesn't have a whole lot of experience doing that and teach them some stuff. So I'm not a professional malware researcher, I'm not a reverse engineer, I'm definitely not an Android expert. I actually have an iPhone; I don't even have a physical Android device, it's pretty embarrassing. And I'm not a Java developer. So, you know, let's start at the beginning. We're just going to define the problem of mobile malware, because it's actually a little bit different than conventional malware in a couple of different ways. So there's a big block

of text, and don't worry about that. We're going to define malicious software as any software that, either through the abuse of granted permissions or via traditional exploitation, conducts activity that may be considered malicious or mishandled. Or, maybe said more programmatically: permissions abuse, or exploitation, or security misconfiguration yields something that we would say is malicious in some way. Now, the reason that this is different than conventional malware is that if we have, say, an app that reads through your address book, uploads all your contacts to some arbitrary server, and then periodically blasts out text messages to all of your contacts saying "hey, we've got some photos for you to view,

look at my new bikini pictures," you know, would we consider that malware if it's propagating itself? Now, conventionally we would. This is pretty much exactly what the Melissa virus did back in the day, except via email rather than text messages. So we'd say, okay, it's propagating itself, it's malware. But we don't say that if it's a social network that has 10 million users. And yes, we know that this is an iPhone app, but it's the most recent example of, okay, well, we've given this app permissions, we think it's something that we want, and it's actually using those permissions and it's, you know, texting the entire phone book at 6 a.m. or doing

something that we would say is bad. And the way that it can do this is that it's abusing permissions that you've actually given it. You're saying, yeah, you can read my contacts; yeah, you can send out texts for me; yeah, you can do all this, for maybe somewhat legitimate purposes at the time, but it turns out that it's actually abusing those permissions. So we have a screenshot of an app that has all of these permissions. It can access your personal information, it can send text messages, which is actually labeled as "services that cost you money," it can access your fine GPS location, it can delete things on your

USB storage; it can basically do everything. Now, traditionally we need to actually exploit a device or an operating system to get these permissions, but as we found out with, say, SSL problems, users will generally just click yes unless they see something that's really a big red flag. So since everything's sort of a social network these days, they said, oh yeah, I'll give it internet access; oh yeah, I'll let it search through my contacts; I'll let it do all these different things that really it probably shouldn't do. So now that we know that there are different permissions that can be abused, we need to basically find a needle in a haystack. We have, you know, about a

million apps, more than that now, currently on the Google Play Store, which is a lot, you know, and we know that many of those apps legitimately need the permissions that they request. So where do we start? How can we begin this first phase of analysis? We generally start with a really big list of APKs, and in order to start with APK analysis we need to understand a little bit about how an APK is structured. Basically it's a zip file. It contains a bunch of information about the app itself, and it can easily be extracted and read, which is of course pretty helpful. In particular we're going to talk about

AndroidManifest.xml, which is basically an XML file that tells the Android OS what the app's called, what permissions it's going to request, what it's going to do, and more specifically the manifest permission lines, which are saying "I'm going to ask for these permissions." Now, for this talk we're going to be looking at permissions that relate to data read and write access on the phone, data at rest, and network access over the network, which is just data in transit. So this is a big block of text, and I'd like to point out at this point that at the end of the talk, or at the end of my part of the talk, there is a

URL for all of the one-liners and shell scripting and this big block of text that you can download, so you don't need to do anything weird with it. But if you look at this, you know, reading the phone logs, internet access, write to the social stream, write and send SMS, persistent activity, install packages; you know, there's a lot of really potentially bad permissions here that you want to make sure that you're looking at. But this is a lot, and it's sort of out of scope for the whole talk. We narrowed it down to six, and we're going to call this perm.txt. We'll actually be using that a

little bit later. So we're looking at read contacts, call phone, install packages, write and send SMS, and unrestricted internet access. So we have this large data set that I was talking about, and now we have perm.txt for what we're looking to find, and we need to parse the data out of AndroidManifest.xml. Well, fortunately it's pretty easy to do that using a combination of open source tools as well as a little bit of shell scripting. apktool is a freely available Java tool; you can run it pretty much anywhere. We've done analysis on Linux, Windows, and Mac, so, you know, you can get it anywhere. It's really easy to use because

we're pretty much only using one function there, the decompile function, to take an APK and break it down into its components. So basically we're just using it as unzip on steroids. So knowing that, we can actually go ahead and go through our directory, and again these lines are on the net afterwards. So for each element in our APK directory, we run java -jar apktool.jar with the decompile command for that element, and that yields a bunch of directories of decompiled APKs. From there we can actually say, for each element in perm.txt that we went over earlier, see if they're present in each of those folders'

AndroidManifest.xml files. So from there you can actually get a list of, okay, we went from, let's say, 1,000 apps, which is about what we used for our original sample size, and now we know which ones are using these permissions that we're actually going to focus on. And obviously, if you're looking for particular things, you want to change the contents of perm.txt. The reasoning behind this is that you can't abuse permissions that aren't granted, and you can't grant permissions if they don't ask for them at a certain point. So we've gone from this large list of potentially abusive apps to a shorter list of apps tuned back more closely, which is really helpful when you're

trying to do sort of broad-spectrum malware analysis and to see what apps are doing things that they shouldn't be. As a side note, this works not just for malware but, like I said in the first slide, misconfigured software, where maybe they think it's okay to take your contact list and shoot it out somewhere in plaintext, but if you do that on an open wireless network, or you don't know what's actually happening, or it does it in the background, then you actually are at risk. So now that we have the short list we can actually move into part two, which is runtime analysis. We're actually running the apps and seeing what it's

doing at the time. So the Android SDK comes with an emulator, which is great. You don't need to have a hardware device. It's basically designed so that when you're writing apps you can test them. It's really easy to set up: android create avd with the name "test", target android-17. And at first, for our first layer of sort of inspecting this, a man in the middle is unnecessary, because Android actually lets us capture all the traffic. So our sort of methodology here is going to be to run the emulator, install the APK, capture the packets, and then perform analysis on that. So you can see here, you run it with just the

-tcpdump flag, pretty straightforward, and it actually dumps out a pcap. You can then use adb to install, in this case we did Instagram 106, and then you want to use the app normally for greater than five minutes. The five-minute threshold rule is, you want to make sure that if someone's writing a malicious app, an intentionally malicious app, they're going to wait more than five minutes to do anything really bad if it's on the Google Play Store, because Google Bouncer actually analyzes these apps for five minutes to see if anything is going on there. So it's actually pretty interesting that, you know, we know that now and they know that now, so it's, you

know, diminishing returns on the effectiveness of Google Bouncer at that point. And from there you have the pcap created, and once the pcap is created you can actually use a more standard set of tools, like for example tcpdump. So here you can see that we're running tcpdump and reading from the file that we just created, and we're saying that the source is the Android device and the destination is not the Android device. So in other words, okay, what host is it connecting to? And using awk, and then sort and uniq, to say we want a list of unique combinations of remote hosts and remote protocols in the time that we

analyzed this. So we came out with a couple of EC2 servers, a couple of Google servers, a random NTP server, I don't know why that was there, and a CloudFront load balancer. So at this point this is pretty benign, but with some malware you'll see, oh wow, why is it connecting to, you know, 18 hosts in China? Why is it connecting to arbitrary hosts every minute? What's happening? Is it doing something weird? Now, at this stage we didn't see that, but this is the first layer of "oh, something might be really wrong." If you use a little bit of regex here, and yeah, I know that's not super

human, basically what I'm trying to do here is get a protocol count. So I'm saying, for each of the requests made during this probably about 10-minute period that I was testing, what protocols are being used to connect to a remote host? And we came out with this: okay, we have 13 HTTP requests, 532 HTTPS requests, and then that random NTP request. Okay, so if you're going to do standard traffic analysis you'll probably notice the problem here, because you have this packet capture, but what can you really do with it when, in this example, 97.43% of the requests are SSL encrypted? Because crypto is great, I'm a big proponent of crypto, but for the same

reason that I can't read your, you know, SSH tunnel right here at BSides, I also can't see if these requests are sending sensitive data or if they're just, you know, updating or checking for news or whatever. So in order to do that we need to do some SSL interception, and Android doesn't play along in the same way that it does with the tcpdump flag. It basically becomes irrelevant once you notice that the traffic is all encrypted, and notice that probably 99% of the malicious traffic is going to be encrypted. We think that malware authors do the easiest thing first, and if the easiest thing is going

to be plaintext, sometimes we'll get a hit there, but overall not so good for that. And installing a CA is infeasible for quick analysis, because again we're trying to do this iterative process, but we will get to that a little bit later. What we can do is basically use DNS redirection in combination with an intercepting proxy to sort of fool the Android device into thinking that it has a valid SSL server when it doesn't. So there's a tool to do this. It's open source, it's called Android Proxy, again cross-platform, its only requirement is the Twisted library, and it basically uses DNS trickery to allow SSL interception. So, taking from the Google

project page, you can see that the emulator is basically making a DNS request for google.com. Android Proxy is sending back an arbitrary IP address that it's keeping track of, saying, oh yeah, google.com is, you know, 1.1.1.3. Then when the emulator sends the CONNECT request, it's actually rewriting that connection to our intercepting proxy, which both in the screenshot and in our analysis was Burp Suite. So doing that, we can basically run the emulator again, all these commands will be online, point the http-proxy flag to Android Proxy, as well as specify to use the localhost DNS server. Obviously you need to turn off any other DNS server you may have

running, and then Burp Suite or another intercepting proxy listening on localhost 8080. So from here you can see that I'm at encrypted.google.com searching for ponies. They're small horses, they're cute, and, you know, it's great. Okay, that worked. You can see Android Proxy in the background actually rewriting those DNS requests and then forwarding the CONNECT request to the intercepting proxy, which yields basically, in the end, you can see, oh well, there's Burp reading my encrypted connection, or allegedly encrypted connection. Here's the problem, though, because that sounds great: it often pops up a warning like this, and it says, hey, something's wrong, do you want to continue? Because I don't

think the certificate is what you think it is. Here's the good news: when you see this error, things are great. It means that you can hit continue, you can just keep going, and it's fine; it'll actually let you do that. Here's the problem. When we were talking about our suspicious permissions earlier, we noted, you know, running a background process. But what if a process is running in the background and it actually doesn't give you the choice of doing this? You know, maybe you do your analysis and you click continue a couple of times, you don't notice anything strange, but you're pretty sure that the app is doing something suspicious. How

are you going to figure that out, or even if you can detect that it's running a background process? Well, from there it gets a little bit more tricky, and you actually need to install your own SSL certificate. So again, Google sort of helps us out, in maybe a backhanded way, by having the mksdcard command. We can basically create an image file for an SD card, mount it with the -sdcard command, and then adb push the cert onto the phone, then install it manually, and that persists post-reboot, so you only need to do it once. And then that works a lot better,

and you can just run the http-proxy directly to whatever your intercepting proxy is. Again, we use Burp, so localhost 8080. So here you can see that we have the PortSwigger CA installed, but it's a little bit alarming that Android does make the differentiation that it is a user-installed cert now. So far we haven't seen malware or malicious programs that are declining user-installed certs, but we're thinking that's probably going to happen down the road. For now it's fine; once it's not, then it's going to have to go back to actually figuring out a way to push that into a system-installed

cert, even though it really isn't. Okay, so now we've seen basic runtime analysis, and we're saying, all right, again we're focusing on the network. So what's it connecting to? Is it doing anything suspicious? The traffic that is sent, that may be SSL encrypted, is that, you know, is it your contact list, is it your pictures, is it your passwords, is it the contents of your USB storage device, what is it? And we can actually see that, but it doesn't always happen that during the time that you happen to be running the analysis, you're seeing anything suspicious. So from there we're going to go into

some brief static code analysis, and keep in mind that this was never, you know, my specialty. So we're going to look at basically dex files, Dalvik executables that run on the Dalvik virtual machine. Matt's going to talk about that in more significant detail in a couple of minutes, but the important thing about a dex file is that it's easily convertible to the Java jar format, which allows us to use our more standard tool suite when we're actually performing that analysis. So we can use a free, open source tool called dex2jar to basically say, okay, we're going to run that against this spyware. It basically just

spits out a jar file, super easy to use. Then we use JD-GUI to open the jar, save all the sources, which saves as a zip file, and unzip that. Now from here we can actually search for remote hosts that may be hardcoded, even if dynamic analysis failed to detect them. So this can be useful if certain actions trigger a predesignated network connection, or maybe it only checks for C&C, you know, at midnight on the first of every month or something like that, because unless you happen to get lucky and you're using the runtime analysis at that particular time, you wouldn't have seen that in

the dynamic analysis. So using this grep statement, it's a recursive grep, case-insensitive, to look for any four numbers that are separated by dots, basically an IP address, or HTTP with an optional S, colon, in any of the source files. So in this particular piece of malware we saw, okay, well, copy9.com is hardcoded a bunch of times, and that's about it. No hardcoded IPs, just this one URL, which seems a little bit weird. Maybe it's going to pop up in order; we didn't really know. And this, as I mentioned, can feasibly locate hardcoded back doors, command and controls, but we're trying

to make it a little bit more automated, since right now, using JD-GUI, as the name implies, is a graphical tool, and it's really irritating when you're running everything via shell scripts and in an automated fashion and then you have to JD-GUI it. So it's not just hardcoded IP addresses; you can actually look for anything that's really sensitive that's going on, for example URIs of different things on the phone. So we looked for the content URI, and we found, okay, well, this app that we'd already seen had requested the permission to go through your texts is actually parsing through the content of the SMS inbox, which is

basically saying it's reading your text messages. So we're saying, okay, now we know that not only did they request the permission, they're actually going to use it, and this is actually an important differentiation, because a lot of the false positives that we've seen are apps that really just request permissions thinking, well, you know, maybe one day down the line we'll need this; maybe we'll want to make it a social network next year and we'll just request it now so people get used to that, which is, you know, really irritating when you're trying to find malicious apps. This also works for, you know, a lot of important

keywords like the SMS URI, the phone keyword, the socket keyword, etc. Basically you're going to go through the Java Android docs and see how that works. So where we actually ended up finding sort of the key element here was on the SmsManager tool. So we saw that not only is it a suspicious method name, which is "send data of SMS to website," we actually saw it is basically going through the SMS inbox, taking that, posting it to a website, to the weblogs "log SMS post" .aspx page, and basically every time you receive or send a text message, it's actually posting that somewhere. Now this

particular piece of malware is one of those commercial malwares for sale. It's, hey, you know, is your spouse cheating on you? Download this and see everyone they're texting. So it's commercial. Now, here we knew that it was going to do things that were malicious, and we just had to figure out exactly how it was doing that, but it's a perfect example of our methodology of APK analysis: looking at permissions, to runtime analysis, then finally to the static analysis. You really say, okay, where do we start, let's narrow down, is it doing anything immediately bad, and then finally to the static code analysis. And as I promised, all of the texts and one-

liners and all that are online at d.net Android. So with that I'll go ahead and turn it over to Matt, who will talk about Dex analysis. Hey guys, so I'm Matt DeWitt. I'm here to talk to you today about Dex analysis. Basically what I do for McAfee is mobile malware analysis, reverse engineering, malware detection; basically anything having to do with analyzing Android applications, I pretty much do that. I also have a specialization in x86 and ARM systems now. So, moving forward, I'm just going to jump straight into it and start talking about the dex file format. Basically what we have here, it's pretty much the same as the Java

file format. We're going to be looking at headers, string IDs, method IDs, anything that has to do with string data; that's all in the dex file. So using this data we can figure out what the dex file is actually doing. In this talk I'm mostly going to be focusing on methods, method IDs, because that will actually tell us what objects are being used within Java. So, reading Dalvik: as I said, we're going to talk about methods. Here's the package, the package name, the object name, and then the method name. As you'll see here, there are three I's. What do those mean? Well, those mean

attributes. So, you know, for each method name there's going to be a certain number of attributes associated with it, and then there will of course be some type of value at the end. Our value here is Z, which is boolean; we'll talk about that next. And then we have some fields, which are basically the same thing, but it's more pointing to the Java fields. So, reading Dalvik, these are all the different types: we have voids, booleans, chars, integers, floats, so on and so forth. I think you get the picture. So the very first thing that we're going to discuss is Hello World. This is probably the

first dex file, I think, that anyone will ever look at, hopefully, so that you have some type of idea of what's going on. Okay, so basically it creates the object of Hello World. The string "hello world" is going to be the string that's going to be displayed. It invokes the static method, which is makeText; you can't actually see those last letters over there. But then it moves that result object into the register v0, and then invokes the virtual method, which is show, okay, and then returns void. I didn't actually include any of the other invoking code within the Android dex, but basically what

happens is it invokes the Toast, which actually shows "hello world" as soon as this is run. Now, Dalvik malware. Okay, so I'm just going to jump straight into talking about malware, now that we have some kind of clue of what the dex file looks like when you're actually analyzing it. The main differences, well, actually there are no differences. Malware for x86 and malware on Dalvik are both the same types of things, okay. They're mostly out to make money, okay. These are, you know, ransomware, all different types of stuff that also goes on the Android platform. So who wants to steal

data, steal data and then send it via HTTP POST or JSON, okay. So data stealers come in all different types of packages. Sometimes they're C&C, sometimes they're not; sometimes it's just, like, back and forth communication with the server. Premium service abusers are pretty much the same thing, except this one is just going to be calling a number and then just basically charging you, you know, 250 or whatever, and then that bill is actually given to you by whichever provider. So mostly these two types of malware are usually connected. You know, if

it's stealing your data, it might as well also call numbers, make some more money. Permissions: so in this particular piece of malware that I analyzed, which I'm about to talk about in a second, it had access to send SMSes, receive SMSes, write to external storage, which is your SD card, install packages, delete packages off the phone. I mean, you're pretty much dealing with something that has full capability over your phone. You have root, of course. So, and I know in the recent version of Android they said you can't mount, they said it doesn't give you root privileges automatically. Well, that's kind of another

thing I can talk about later. You can actually just remount it. Anyway, but you can call phones, do whatever. Contact stealing: so basically what this code does, if you can see it, follow along. At the top it does a moveToNext, so we know it's going to be looping this code. It's going to get strings, which are actually the contact names, and then it's going to use the StringBuilder to create "phone:" and then the number for that, and then it's going to, you know, move that result object to a string, and then it's going to print it out to another

place called phonebook, which we're about to talk about in a second. This is actually where it sends the contacts. So now that we've created the phone book with all the contacts in it, the phone numbers, the names, now it's going to use the phone book. It's going to get the default parameters, which were actually set by the C&C server. Now, in this particular piece of malware, the malware is dead, meaning that when I got to the malware, all the domains that were actually giving you the settings didn't exist anymore. So, unfortunately, it was shut down, but as we can see here, though, just

doing static analysis on this one piece of the malware, because it was obviously a two-stage, what they were going to do was send more configuration data, possibly install more packages to the phone to do other malicious activities. So as soon as we have the settings in there, it's going to send those contacts via the POST method, as we can see here, and then it's going to, you know, move the objects into the packets, and then it's going to get the response code from the server and say boom,

disconnect, done. Okay, this is actually where the creation of those SMSes happens, where it actually gives the C&C server some important information about the phone. It gives it the IMEI, it gives it the IMSI, the SID, and the version. It uses the StringBuilder to, you know, push this into a text message, and then it sends it out. It appends all those things to the text message and then sends out your strings. So another piece of this malware: it had the ability to make calls from your phone. This is everywhere; you can seriously pull this from anywhere on the

net, and everybody pretty much uses the same method to make a call. So the funniest part about a lot of this malware is that it could simply be a copy-paste malware. It really doesn't take a lot of skill to build this kind of stuff and then have people install it, because people don't know what they're installing; you're not looking at the permissions. So basically what this does is it does an Android intent ACTION_CALL, and then it initializes the call using a number, which it actually parses here, and then it initializes the call. Unfortunately, I wasn't able to get that number,

because that was actually never sent; those domains were dead by the time I got to it, unfortunately. But yeah, that's pretty much what I need to talk about in regards to Dex analysis, doing some static code analysis. There's a lot of malware to look at out there, and, you know, I can probably list like 10 or 20 different malware repositories off the top of my head. So going on to talk about heuristics, here's Jimmy. So we covered data analysis, network analysis, tearing apart various malware statically, dynamically, seeing what it does, and now we're going to talk about what happens. We're going to move back to

So with our, with Matt, the same kind of stuff: analyzing, taking apart, and finding automations is much the same. Mobile malware analysis: I don't do Java any more than these guys do. And let's see, back to the actual problem. So we're looking at a million apps, right? We don't know if any of them are good; not necessarily all of them are good. So how would we find out? We can do it by hand, and a million apps is a heck of a, what do you call it, a time sink, also a giant, really giant haystack. So we can do it manually, it'll take us forever, or we can automate it and actually save some time.

So what are we looking at? We're looking at heuristics, some ways of deciding how do I know that this particular APK I'm looking at is something I should worry about. I mean, say some of those social apps, if you look at all their permissions, they get everything and pull everything off your phone and send it off to who knows where. They want all your pictures, they want all your emails, they want your SMS; bad things. So one idea is, okay, if it asks for a lot of permissions it's probably bad. But David covered how that's a bad thing, that at some point certain apps are overly seeking of permissions.

They want all permissions; they want to be able to do whatever they want in your phone. They may want future, what features is it that we're calling them? I don't want to call them features, but, you know, they want the information, they want the ads, they want it now instead of waiting till they actually do the work and build it out. So is it true that bad apps use a whole particular set of information? Yes. So do the good apps. So it's not necessarily the best heuristic to use to find out. We took a look at a bunch of apps and it's like, okay, there's nothing really incredibly unique about a

particular bad app versus a good app, and it's very easy to false positive on a good app, or in the case of, say, a social application that just asks for all permissions. We'd probably tag on that and tick off a whole bunch of users, or tick off the company. We don't want to do that; people like their social networks. But yeah, what we do look at is this: what can we do with permissions in general if we're looking at bad-acting malware? I put together a tool called dumpXML. It will dump pretty much everything from the Android

manifest XML file that David was talking about earlier. So it's a file, all XML, and you could walk through the whole thing, or you can just parse it and say I want all the intents, to say okay, what can I fire off to this APK and make it do something, or, if I want all the permissions, in this case permissions, you feed it to our scan for permissions and it will give you a listing of what you have. In this case we're looking at a particular phone book inspector/stealer or whatever, but basically a data-stealing app like we were talking about: it steals the information and sends it back to the [inaudible]. What kind of

permissions is it using? It's using internet access, it's using your GPS: fine location. There's coarse location, which is just whatever Wi-Fi, whatever location, whatever feels good enough to figure out where you are, and fine is GPS. So it's using GPS, using the internet to send stuff back, and, you know, starting first by getting all your contacts, sending that back out and sending your location. Kind of suspicious, but it could also be used by something else. We would then, basically, this just gives an idea of how to look at this particular app, and of course since these aren't incredibly unique it isn't the best way to do it, but it usually gives you an idea of what to do with

them. Sorry. Okay, another idea is, let's look at the developer certificates. Every APK on Android is signed by the developer. This isn't like one location like in your browser where you've got an SSL certificate; it's not like one particular server signs everything and says this is good, this is the proper app. These are basically just self-signed certificates: you can do it yourself, sign your app and push it out there and it's good to go. The only thing this actually does is verify that whatever updates you push to the user's phone came from you as a developer, that they are yours;

that's what it does. So what that really means is we can't necessarily say that a particular app is good or bad from the certificate. We can say, if we found a bad app from a developer, we can blacklist his or her developer certificate and say okay, that's bad, why don't we block all the apps from that developer, because they're probably just as bad. I mean, they could be innocent. That's one technique attackers use: they'll put out an innocent app, get a whole bunch of followers and users, and all of a sudden the next version or the update or the next app release, because they have such a good reputation, will be the one

that does the bad thing: it's stealing your contacts, writing things over, whatever. So the one catch is, where we come to when we're looking at a heuristic is, okay, these are all the good things; what are the things that cause the false positives? With certificates, they're good if the malware author is using the same certificate, writing like a hundred different pieces of malware that then do different things. Likely they're not; they're going to do one, and we're probably going to catch them and detect them, and then boom, people will detect it and will see, okay, we're going to block this developer's account, and

they're no longer making any more apps under that certificate. So it's good if they're doing a big blast of all these apps out there. If they're doing one or two apps and just going for a hit and run, it's not as useful, so we would FP on that. But it is okay; by itself it's not really unique enough. The game is you have something that indicates something; it's really something you use as an additional indicator of whether this app is bad. So let's actually look at another idea besides certificates. How about, actually, let me show you an example first of what that looks like, in case they have done a hundred variants, say like the typical malware family, FakeInstaller variants,

which is, sorry, a fake installer which pretends to be an installer for various legitimate applications, but it really doesn't install them; it pretends to. [inaudible] FakeInstaller, we run about 25... sorry, is that... sorry, people are stretching and whatnot, I mean, people coming through like long flights, you know, so you stretch. So FakeInstaller picks up, basically, we have a list in the tool itself of a whole bunch of, the current listing is about 250-odd, certificates from bad apps, the actual number that we've identified. So we know that if it has that certificate and it was by the same

person, it's probably a variant of that or from that same author, very likely. Does it catch everything? No. Once again, it can become useless because of [inaudible], but we move on to that. Another idea: multiple indicators, more than one of these heuristics. I mean, okay, say if you were looking for a crook. Okay, so we know that it's a dude, so it's okay, he's male, and we know he's got long hair, boom. Okay, we can identify this person with a bunch of indicators. If you just say okay, he's a man, we have like an entire

list of people; useless, we're not going to find anybody. But the more indicators we have, the more unique. Like okay, he has an eye patch because he had one eye missing; that's more helpful, we can find that a lot easier. The concept is we add more and more unique indicators, or ones that can be relatively unique, or a mix of slightly less unique indicators together; the combination can be less unique. And I forget exactly, the percentages aren't exact, because once again the heuristics aren't totally exact, so you can't say okay, this is the percentage for a detection for that one. It's the fail rate for that particular heuristic, and we just multiply them and get a good

answer; it's more [inaudible] in that. Okay, so once again, if we mix a couple of things, like the certificate matching, like permissions, put them all together, we come up with something like this. You run the heuristics against another particular sample, well actually the same sample, FakeInstaller again. What do we have? We have both the permissions and we have the variant; it's very likely a variant because it has the same certificate. This is really, really, really likely going to be something bad, and if we run it against, say, a thousand apps we know nothing about and this comes up for like three of them, we're going to take a look at those quickly and say okay, mark those all

[inaudible]. Is it likely? It's not, yeah, because we've seen one or two apps that are from authors where they've got different ones: they have a downloader, they have a data stealer, so two different types of apps, and they had the same certificate. So this would be one of those cases where you can detect it. The nice thing is it tells you something's bad; you also have the permissions to tell you what should I be looking for, what should I be worried about. And then you have, so once again, you get the sex of the offender, you have any scars and marks and whatever it's got on,

and you have a better idea who did the crime or who's likely to offend. Well, not offend, but I mean, you get the idea; the analogy breaks down. Moving forward with that, the actual tool itself is dumpXML. It should be on, I think, [inaudible]; I might have to release it, it might still be private. The tool is pretty straightforward: it'll either dump out a printable version of the AndroidManifest.xml, since if you just unzip an APK by itself you end up with a binary XML version of AndroidManifest.xml; if you use tools like apk

tool, apktool will convert it from the binary form to text and you can read and look at everything there. So what we have there is, you can also dump out the string table from there; you can pull out any string, which is nice. Or you can use the latter two options, permissions and intents, so you can figure out what the permissions and intents for a particular APK would do. And the other, [inaudible], give me like two minutes, probably, that's what I'm looking at... okay, maybe not, I'll [inaudible] something else. And then the heuristic thing is the last one, the multiple heuristics; we'll be adding more of that as we go along, but I think

that's it. [inaudible] Sorry, question? Did you [inaudible]

The question is, is dumpXML doing the parsing itself, or is it relying on a tool like apktool to convert the binary AndroidManifest.xml to text? It does it internally, so you just run this one tool against it and you've got it. I needed one of these, and I didn't want to run apktool just for one of them, so I did that. Actually, I think, do we have any questions now for all, any of

[Music]

us? Most definitely. There are a lot of APKs currently that are encrypted. Back when we made this talk, ridiculously enough, this was only about a month ago, and now there are actually commercial crypters for APKs which actually will [inaudible] like that. So you actually have to figure out yourself how to decrypt those APKs. I think there are like three widely used commercial crypters, and there are also a lot of crypters that people build on their own time, and, you know, an encryptor for that matter, just, you know, just moves byte values by one, just

makes it really difficult to read it, you know. And sometimes we'll have some sort of polymorphism, which just mutates the APK: the same malware, it just mutates it, just changes a couple of values every time new malware is created. [inaudible] Talking a lot about

that, you can definitely use smali. But at the same time, sometimes the malware will break smali. Okay, so if you're actually dealing with a complex piece of malware that breaks smali, you can't, it doesn't run. So once smali tries to actually interpret the code, the code actually breaks. Like any other type of program, there are certain vulnerabilities that can be used, even in great commercial decompilers and things like that; there are things that will break

this, you know, even like IDA Pro or what have you; there are certain types of code that will break disassembly on those. Yeah, but on that note, smali is great, honestly, for most of the malware that you're going to be looking at, in case you want to do this. Smali is great for sure; I've used it a lot.

Sorry? Oh, yeah. [Laughter] That's, you get really upset, it's a problem. Here's the good news and then here's the bad news. The good news is, okay, the bad news is there's not really a whole lot you can do if it's implemented correctly, to the best of my knowledge. The good news is that, when we looked at, for sort of researching this talk and trying to find good examples, we probably looked at at least 100 known malware samples, and I don't think we found actual SSL pinning on any of them. We did find something like a check that would push out basically that same error that I was showing when we were

going over the Android proxy, but fortunately the ones that we saw were on the front end and we could literally just press continue and everything was fine. But a very well implemented one, that's something I'd probably have to pass back to Matt to talk about, like runtime injection, because you'd have to do some crazy stuff to make that work correctly that I don't have experience with. Do you have an answer? Because that'd be awesome. [inaudible] Please do.

Right, yeah, that's what I was going to turn over to Matt. Basically that was the same idea: if you can hook it that way, then that's basically what you'd have to

do. Did you hear that? Anyway, any other questions? Yeah, [inaudible].

Are you talking about the tool that Jimmy [Music]

[Music]

Sort of. We've kind of seen apps [inaudible] to do bad things. The closest thing we've seen so far are downloaders, so we'll have one piece that downloads and then afterwards does more things, or we'll have a backdoor that sits down and downloads those things after that, but not necessarily things that get pulled together like, okay, this one does one thing and this does another thing and they put them together and use [inaudible] and do something much worse. Not quite yet in that manner, but currently we're seeing downloaders and additional functionality coming in, but not the fancy type where they all come together and store your machine, or store your phone. Yeah, there is lots. Yeah, I'm sorry, I had trouble hearing at first.

Like three [inaudible]; it's still early, anyway, that's what I'm blaming. But yeah, that's actually what we call staged, where it'll grab the first part, which will actually just download, and when you're actually looking through the Dalvik code it can be really hard to point it out, like where is this thing, where it's actually going to download. But we can always tell when the piece of code says install packages. When it says install packages and you're looking at the code and it looks like it's mostly ads, or the program doesn't work, it just does a bunch of junk, but it also has this

ability to install packages, you might want to look at the Dalvik code a little bit deeper to figure out if it's actually downloading an APK from a third party and then it's able to install an APK. So, any more questions? Anybody? One more. Where did you get a million APKs? Where do you get a million APKs? Ask Google really nicely? No. I guess, the Google Play

Store. Okay, so you can scrape the Google Play Store, you can find other websites that may be hosting those, and we found that if we're looking for known malware, obviously malware repositories, [inaudible], stuff like that, have a lot of Android malware that we can actually look through. Further than that, since a lot of these apps are actually distributed through third-party app stores, finding sort of illicit app stores in like China and Russia and stuff like that, where they're basically just, hey, use our app store and then you don't have to pay 99 cents for this app, has a significantly higher infection rate, as

you might imagine. I mean, they're going in and cracking it anyway; they're like, well, I'll just harvest some data too. So we did use various sources. I wish it were easier for researchers to say, hey Google, could I get this, I promise I won't [inaudible], but I don't think they would have necessarily let us do that. And seriously, it's just as easy to take Python and write a 50-line script to actually just crawl APK websites. Yep, yeah, we had a... and there are seriously

hundreds of them out there. Yeah, we did it with wget, just downloading everything from an app store, just had it wait like one second [inaudible]. Anything else, guys? Okay, I couldn't tell. [Applause]
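Editor's addition after the transcript, not part of the talk and not Jimmy's dumpXML tool: a small Python script that does the three things Jimmy describes for a single APK, namely pulling the permissions and intent actions out of AndroidManifest.xml, checking the signing certificate against a blacklist of certificates seen on bad apps, and combining several heuristics by multiplying their individual false-positive rates. It assumes the manifest has already been decoded from binary XML to text (as apktool does), represents the signing certificate by a SHA-256 fingerprint of its DER bytes, and uses a constructed manifest, a constructed certificate blob, a constructed blacklist and made-up per-heuristic rates; none of those values come from the talk.

```python
"""Heuristic scan of one decoded APK manifest plus its signing certificate.

Added example, not the talk's dumpXML tool. Assumptions (not from the talk):
the manifest is text (apktool output), the certificate is identified by a
SHA-256 fingerprint of its DER bytes, and the sample data below is constructed.
"""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest shaped like the data stealer discussed in the
# talk: internet, fine and coarse location, contacts, SMS, plus a boot receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.phonebookinspector">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootListener">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed stand-in for a developer's signing certificate (DER bytes).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-fake-cert-bytes"


def cert_fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a signing certificate's DER bytes."""
    return hashlib.sha256(der).hexdigest()


# Constructed blacklist: fingerprints of certificates already seen on bad apps.
KNOWN_BAD_CERTS = {cert_fingerprint(SAMPLE_CERT_DER)}


def dump_manifest(xml_text: str) -> dict:
    """Return the package name, declared permissions and intent actions."""
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    actions = [a.get(ANDROID_NS + "name")
               for f in root.iter("intent-filter") for a in f.iter("action")]
    return {"package": root.get("package"), "permissions": perms, "intents": actions}


# Permissions that together look like "steal contacts and location, send them out".
SUSPICIOUS_COMBO = {
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Each heuristic: (name, matcher, constructed false-positive rate). The rates
# are illustrative guesses, not measured values.
HEURISTICS = [
    ("data-stealer-permissions",
     lambda info, fp: SUSPICIOUS_COMBO <= set(info["permissions"]), 0.30),
    ("boot-persistence-intent",
     lambda info, fp: "android.intent.action.BOOT_COMPLETED" in info["intents"], 0.50),
    ("blacklisted-cert",
     lambda info, fp: fp in KNOWN_BAD_CERTS, 0.05),
]


def score(xml_text: str, cert_der: bytes):
    """Run every heuristic; return (names that hit, combined false-positive rate).

    The combined rate is the product of the rates of the heuristics that hit,
    which is the multiplication Jimmy describes; no hits leaves it at 1.0.
    """
    info = dump_manifest(xml_text)
    fp = cert_fingerprint(cert_der)
    hits = [name for name, match, _ in HEURISTICS if match(info, fp)]
    combined = 1.0
    for name, _, rate in HEURISTICS:
        if name in hits:
            combined *= rate
    return hits, combined


if __name__ == "__main__":
    hit_names, fp_rate = score(SAMPLE_MANIFEST, SAMPLE_CERT_DER)
    print("hits:", hit_names)
    print("combined false-positive rate: %.4f" % fp_rate)
```

A real scanner would run `dump_manifest` on apktool output (or on a binary-XML decoder, as dumpXML does internally) and feed fingerprints extracted from the APK's signature block; the permission heuristic on its own is weak for exactly the reason the talk gives (social apps ask for the same set), which is why the combined rate, not any single hit, drives triage.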
