
Right, hi everyone, thank you for joining, thank you for having us here. My name is Demetrios, I'm from Greece, and with me is my co-presenter; I'm accompanying him in the talk. So here are a few things about me. I've been engaged in computer security since 2002. I was a member of one of the first reverse engineering groups back in Greece. I started my career as a network security engineer for about 10 years, then I moved into development for almost 5 years, and for the last six years I've focused on mobile security. Before joining Microsoft's threat intelligence team as a senior security researcher I was leading another team (I was actually his manager) which was combating malware in the Google Play Store. Besides that, I'm a father of two, a boy and a girl, and in my free time I try at least to write and play music.

All right, now it's my turn. My name is Jolong, I like to wear Robert DUIs at weddings. I've been engaged in security since 2019. Demetrios is my previous boss, then we've managed a team together. Currently I'm leading a 100-plus Android reverse engineers team at Cognizant here in Europe and a few more offshore. Also, like Demetrios, I'm a father of one, but it's a four-legged creature, and in my free time I'm a surfer and a rock
climber. All right, so let's jump right into the outline of this briefing. First of all we're going to talk about the core principle of "understanding is defending", and here we're going to see how important getting to know how the malware works is, since this can help us to defend against it. Then we're going to take a look at the modern Android malware landscape; we're going to see what's new in the Android ecosystem when it comes to malware. After that we're going to see some dynamic analysis evasion techniques: we're going to see how malware tries to identify if it's being watched, and we're going to go through the most creative ones, not necessarily the most technical ones, the most creative ones, as you're going to see. After that we're going to do about the same for static analysis evasion techniques. We're going to go through a specific showcase which is very interesting, at least for us, and we're going to wrap up with conclusions and takeaways.

Right, so I won't lie to you: writing malware is a form of art, a form of dark art, but it takes quite a lot of skill for someone to be good at this, and I'm not talking of course about clicking a couple of buttons in a malware generation utility in order to do such a thing. What I mean is writing something which is unique, something which is clever, sneaky for us to detect. Now, on the other side, as malware researchers, security researchers, we have to be one step ahead of the malware developers, so in many cases we have to think as they do, but most importantly we have to understand what they do and how they do it. So the keyword here is understanding, and when it comes to understanding, it's an ongoing process where we continuously have to dive into the malware mechanics and see how it works, how it does what it does. We have to recognize potential evasion techniques in order to improve our detection systems; we have to learn about exploitation tactics, because in many cases adversaries are using them in order to compromise system and user data; and do what we are doing here, I mean engage with the cyber security community in order to exchange info about threats and defense strategies. And Jolong is going to walk you through a picture of the modern Android malware landscape.

Yeah, so let's talk about what modern malware looks like. Currently there are two main categories. The first one is malware in the market: these are applications that you can get on the Play Store or Amazon store or other official marketplaces created by manufacturers, Samsung, Xiaomi,
etc. These Android malware tend to hide the malicious behavior in more advanced ways than the off-market ones. Now the off-market: these are applications that you can get, well, anywhere else, on a website, a link in an SMS a friend sends you (be careful with those, I have plenty of them), or even directly through ADB. In our opinion off-market malware tends to be easier to detect. Why? They don't have to survive the marketplaces' evaluation process, and if they get caught they don't really have much to lose, so why burn hiding techniques, right? They typically use packers, obfuscators, protectors to make the reverse engineering part a bit more difficult, but they don't have to rely on these that much or they'll raise red flags, and those red flags for us are honey, we smell it a mile away, so they don't want that. Basically on the operation side what they do is abuse services, accessibility services, notification listener, even root access, to spy on you or to collect financial information, data that they can use.

Now let's see what market malware looks like, the phases that it goes through from start to end. The first one is motivation, commonly profit, and that's why the most prevalent malware in the Play Store is some sort of billing fraud, SMS fraud, toll fraud, call fraud, anything that can subscribe you to a service that you don't want or don't even know of. The next one is the development phase. Now this is not a one-off, just drop the malware and go away; no, this is a continuous process. They have teams, huge teams of engineers fighting for the users' money; the stealthier ones and the most innovative ones win. Now the publishing phase, and this is a cool one. They have certain tricks amongst themselves. One of them, for example: they publish a clean version first and collect unwitting users, depending on their targets; once they've reached their goal they push a new version and infect all the collected users. So this is one of the most used tactics. Last year Google introduced a new defense mechanism against this: they need new developers to have at least 20 testers for 14 consecutive days before they can publish an app. Cool, right? So malware developers adapted: they started buying old accounts, and believe me, they have money. Let me say this again: believe me, they have money. Sorry. Okay, and finally the unpublishing phase, which culminates in the app being detected and banished. Don't worry, they'll be back again real, real soon. All right, now for the sake of
completeness, let's go through some basic malware categories. When it comes to classification, the antivirus vendors are classifying them differently, but we're going to do our best in order to get some common points. So we have of course backdoors: when it comes to mobile, a backdoor may allow an adversary to remotely connect to your device and start running unwanted code. We have downloaders: again, when it comes to mobile, these are apps whose main purpose is to download and install other kinds of malware; usually they are offered like a service which other malware developers can use in order to distribute their own malware. We have ransomware, a type of malware which takes partial or full control of the device and demands some ransom in order to release this control. Now the difference between mobile ransomware and PC ransomware is that mobile ransomware doesn't have to encrypt the device's data. So what they usually do is use some kind of privileged API, like the device administrator API, so they lock your device, or they might use some kind of overlay in order to cover the screen, so the user loses access to the device and has to pay the ransom in order to get back that access. When it comes to phishing, I guess it's pretty much trivial: they pretend to be some kind of trustworthy source while they are after your credentials, your financial data, private info and so on. And then we have Trojans, which is a type of malware which hides, pretends to be innocent, while it has some kind of malicious module.

And then finally we have the Google Play categories. They're not the same as the other ones; they have their own, and these are the most known or most prevalent. First, billing fraud: SMS fraud, call fraud, toll fraud, "get my money". Then spyware and commercial spyware; they tend to get your contacts, your SMS information, your calendar information, or spy on your actions. Then you have spam, which is, well, you all know spam: it will either spam you or your friends. And finally masquerade, which is kind of a new category. This category is something like: the application says it's something, a game, but then depending on the country you're in or who you are it will show something completely different, like a casino.

Right, so all right, now let's assume that you are some kind of malware developer. You managed, as said before, to publish your app to the Play Store, you managed to get some thousands of users, so now it's time to weaponize your app in order to start making some profit, and
here is where the actual struggle comes, due to the fact that apps usually go through ongoing dynamic and static analysis, because especially in large marketplaces these apps are going through this process repeatedly. So we're going to move now to the main part of this briefing, which is dynamic analysis. As I said before, we're going to see the most clever ones, the most creative ones, that we chose according to us of course, and once again they don't have to be very technical, so I guess, I hope, everyone will get them.

So when it comes to dynamic analysis, the main objective of the malware developers is to understand if their malware is being watched, and if it's being watched, somehow don't expose the malware behavior. So that's the main point. And the first one is one of the simplest tricks and has to do with excluding certain libraries. What I mean by that: you probably know that mobile devices come with different CPUs supporting different instruction sets, so being an Android developer who works with native code means that you have to compile your APK in a way that supports all these libraries, all these architectures. Now here's a simple trick. Due to the fact that antivirus vendors are mostly using, I mean it's common to use, x86 VMs in order to perform the tests, what they do is simply exclude the specific libraries, and if you try to run such an APK on an x86 VM, for example, you're going to get the following error, especially in older Android versions, while even in newer Android versions you're going to get crashes or you're going to get some error or something. So your whole pipeline collapses with just a simple trick: just excluding certain libraries and the whole thing just collapses.

And the next one comes, or should come, as no surprise for anyone here, which is detecting the testing devices, right? They collect some of these things here on the screen and evaluate them either locally or send them to a command and control server. So let's see what they most want to collect. The model: self-explanatory. The fingerprint, where they check if the device is signed with debug keys. Then manufacturer and brand: so let's say you're a malware developer, you want to publish in the Play Store, you assume that because it's Google they're going to test it with Pixel devices; just remove it from your target and we're good to go. (Oh, that's also me, yeah.) And then the SIM operator, so the card you get from your provider: you can use these API calls here to understand more about where the user is from, based on those particular codes, and then you can either target or avoid specific countries. Sometimes
you want to avoid, I don't know, China, or sometimes you want to target, like this example here, South Africa, and this is exactly what they're doing: they're launching a campaign on a South African SIM operator.

All right, and this one is one of my favorites, I guess, from the point of view of creativity. So what you see on this screen are devices which are connected to a cable. So how can someone use this kind of info in order to, let's say, evade dynamic analysis or something like that? The fact that these devices are connected to a cable maintains their power level; their battery level is always full, right? So if you think about it, the device that you have in your pocket can't be always full. So as I said, this is exploited by malware developers in a clever way, from the point that the Android operating system from time to time sends an intent, a broadcast actually, in order to inform the apps which are installed on the device about the battery level, whether the device is plugged in; it actually has a lot of useful info there. So what they do in this specific case is just register a broadcast receiver which listens for this kind of broadcast, this kind of intent; they get the intent, they check if the device is plugged in, they check the battery level, combine it with other types of info in order to be, let's say, more precise, and do all that before they expose, as I said before, some kind of malicious behavior.

And then another creative one: are we published? So again, malware developers know there's a process, an evaluation process, every time you publish an application to the Play Store; it's not immediately accepted. So what they do is they try to check if their own app is already published or not. So for example here, this method triggers the malicious behavior, but first they need to go through a check, and that check is sending a request with their own package name to the Play Store, saying: are we published? If not, then why display the malicious behavior, why take the risk of getting banned even before they're published? So let's just stay idle; if we are, then trigger it all.

And here we've talked about Demetrios' favorite, battery; let's talk about my favorite: mobile measurement partners, or referrals. These are legitimate ways to find out where you installed the application from. If you installed the application through the Google Play feature of "invite a friend" or clicked a particular marketing campaign ad, that's a non-organic event. If you discovered the application by yourself, clicking on your own on the Play Store, or installed it through ADB, that's an organic event. So by now you already know where I'm going with this, right? If you clicked an ad, which is a non-organic event, you're already inside their trap, so just launch the malware behavior. If it's an organic event, let's just stay idle, keep it in the shadows and don't waste the time. We have an example of this. Yeah, so the first one registers a referral listener; in this case it's an AppsFlyer conversion listener, which listens to marketing ad campaigns. Then we listen to the action, a callback with multiple pieces of information: who you are, what's your country, is it non-organic or organic. And finally the real code: if it's a non-organic event, let's go to the malicious behavior; if it's an organic event, stop, just go to
a decoy application, a decoy activity, just do your normal job and that's it. So yeah, next one.

All right, and dynamic content. When it comes to dynamic content, the first thing that comes to my mind is WebViews. Why WebViews? Because they are really powerful. You can imagine that even development frameworks like React Native or Ionic are literally based on WebViews; someone can build a whole app with just this single component. So a WebView has another powerful, let's say, feature, which is called JavaScript interface, which can allow the web content which is loaded into this component to invoke Java methods. So that's, once again, very powerful, and once again it's exploited by malware developers in a clever way. What they usually do is combine it with some kind of device fingerprint or something: gather everything, send it to a command and control server, and depending on this data the command and control server will send something else to be loaded into the specific WebView. So if, let's say, the decision is that the device is a testing device, the web content that is going to be sent is going to be something innocent, or if it is an actual device, a user device, then it's going to send something which is supposed to be malicious and perform some kind of malicious behavior.

Now the last one which we chose, although it's not some kind of dynamic analysis evasion technique, it's something more, I would say, social engineering, and is used by off-market apps. So what they try to do in this case is try to convince the users of their origin, of their legitimacy. So what you see here is just pretending that they originate from the Play Store, for example, from a trustworthy marketplace, while everything that you see on this specific screen is simple screenshots: the reviews are fake, everything is fake. So be aware of this kind of trick, because despite the fact that it seems to originate, like I said, from the Play Store, it's not.

And I could spend the rest of this briefing talking about this kind of stuff, about dynamic analysis evasion techniques and what they are doing in order to bypass our defenses. On top of what we said so far, we have root detection: of course they're going to check if the device is rooted, because usually testing devices are rooted. Debugging detection, if their app is being debugged, or some kind of hook detection, like some kind of binary instrumentation framework like Frida or something. Or even network: what they do when it comes to network is implement their own pinning or add some kind of custom encryption layer so they hide the communication between the client and the server. But the most clever ones, the ones that are also hard for us to overcome, are the ones that have to do with user interaction. So we saw them checking the device, if it has some files or if it has some photographs or something, or they might expose the malicious behavior after going through some kind of complex user interaction, right? They might ask the user to create an account or something, which is something that is hard for us to overcome, from the point that all these things that you saw before, I mean the dynamic analysis part, usually belong to some kind of pipeline, so it should be automated, simply said, so it is hard to interact with the malware in a clever way and be able to bypass all this kind of stuff.

All right, so let's now move to the second part, which is static analysis. When it comes to static analysis, malware developers have to bypass a couple of defenses, including signature-based detection: simply said, you give a file, this file is checked for known byte patterns that have been previously identified as malware. We have heuristic analysis: we give some characteristics, including some suspicious API calls or if the app is packed or if it's obfuscated somehow, and we can come up with some
kind of decision regarding whether it's malware or not. We have machine learning and artificial intelligence, where once again AI models are trained in order to identify malware based on some specific characteristics. And if everything, let's say, fails, if there's no decision made so far, then a reverse engineer, a malware analyst, can take the call and combine these two, let's say, types of analysis in order to come up with a decision.

All right, so the first one, when it comes to static analysis, is about entry points, and when we talk about entry points in malicious code I'm referring to the line where the malicious code will start to get executed. So for those who are not familiar with Android: Android apps usually have one main entry point, which is the main activity. We can identify this main entry point from an entry in the Android manifest; once again, every Android app has a manifest where it declares components, activities and all this kind of stuff, and this is very characteristic for the main activity. So it was, let's say, common practice for us to search for malicious entry points within the lifecycle of this main activity, although since then we've seen many new entry points, including services; they start malicious code from some kind of broadcast receiver or a content provider, and more and more often from the Application subclass, despite the fact that it is not that common, I would say, for developers to extend the Application subclass, due to the fact that Android uses the default base one.

Now in one case we spotted the following, when it comes once again to the Application subclass. We saw this call here, which loads a native library; that's what it does, nothing more. So it loads a native library, although if you check the specific application for native calls from the Java side, you won't be able to find any, and actually you don't need it, due to the fact that when a library is loaded this way, I mean using the specific API, it will call JNI_OnLoad. JNI_OnLoad will run everything that is within the specific method and you have your entry point.

Now the next one is very interesting, from the point that I'm going to explain. So it was discovered by researchers at McAfee, and what was happening was the following. Imagine that you are a malware researcher and you want to identify what is wrong with a specific entry, what is wrong with a specific, let's say, provider. So what you are going to do, of course, is decompile the provider and try to see what's wrong there. If you do such a thing you won't be able to find something, because everything was empty, "return null" or something, I mean everything was empty, nothing interesting there. So where's the catch? The catch in this case is this specific entry, and up to this point this entry was ignored; I mean, at least I don't know someone that would pay attention to this specific meta-data entry. So what this entry will do is trigger a Java call, I mean from the Android framework, which will do the following: it will perform a query to the specific content provider. Content providers, though, are dynamic components; they have to be created somehow, they don't stay somewhere, so they have to be created. In order to do such a thing, the operating system will trigger the Application subclass, and the Application subclass will do everything in order to create the content provider.

Now let's go through the full chain. What happened is: we have a meta-data entry which, as I said, was usually ignored, and from this meta-data entry you are able to run your native code, and this is exactly what happens here. I guess many of you have already installed some kind of Android app on your Android device; you don't have just to install an app, you have to click on it in order to run it, right? So in this specific case the only thing that you need is just to install the app and the app will auto-start by itself, right? Yeah, that's it. I mean it's not something, but it is impressive from the point that the only thing that you have to do is just install the app; no click on it, nothing, no other user interaction, that's
it. Let's now talk about reflection. We had the speaker yesterday talking about reflection; he made it seem like it was really hard, and he was 100% on point. It's still one of my favorites; it enables so many crazy ideas, legitimately, in a gray zone, or even malware. So reflection is in this package here, and it allows you to get access to the class of any object, to dynamically create instances of classes and access fields and methods, and get classes, interfaces, fields, methods at run time. So let me explain this in a way that everyone can understand, with this example here. This is how you typically get reflection; for example, this here is Class.forName. Basically you just pick a string, text, characters, any text format, you send it to this method and it will run a class, a method, an instance that's been developed by you or is in the Android system. So that allows magic to happen: you don't have to have the code pre-done before shipping the app, you can do it dynamically; you can encrypt the string to make our life, the reverse engineers', even harder. Let's go for an example for you to perfectly understand this. This code here, not using reflection, is simple, plain code: it has a string, you get the character at a certain position, you get a StringBuilder and you append it to it, right? This is a reverse engineer's dream; I would be out of a job if everything was like this. Then let's see the same exact thing with reflection, as a pain in the ass. There we go. Now we're going for a coffee; we'll let you see this and we'll come back real, real soon. So basically this is what we see, but I've been a good boy and not even encrypted the strings, and if you've noticed this isn't even Java, this is on the native side, this is C. So you can do it in Java, you can use it in C, and it's really hard to read even in plain text.

All right, so I guess this one doesn't need much of an introduction. When it comes to cryptography, I guess cryptography has been used, abused, by malware developers and malware families for a lot of years, I would say. So cryptography apparently has been abused due to the fact that you can use it in order to hide things, right? So we saw them hiding strings using some kind of custom encoding in combination with a simple XOR operation or something, in order to hide strings or even to hide payloads, or, as I said before, to protect the communication between the server and the client and so on. So malware developers are not always that clever; take a look at this specific code snippet. What the guy, I guess a guy, did in this specific case: he used AES encryption in order to encrypt the strings, encrypt API calls, everything through reflection, everything through encryption and so on, so in simple words you weren't able to find a suitable, let's say, string in order to create some kind of signature to catch this specific sample, right? Although if you search a little bit more you will find the key in there, which, as you see, is very unique, so you can simply create signatures based on this, right?

So the next one is steganography, and once again steganography, I guess, couldn't be absent from the
adversarial toolbox. Especially when it comes to Android, the Android packaging is very convenient for doing such a thing: it's simply a zip file, and you can hide whatever you want inside it; it's just signed by the developer to protect the integrity, nothing more. So here is an interesting case. We decompiled the specific file and we found this image here. Now, if you open the specific image you won't be able to see something malicious or something even scary, or something, until a specific date comes. It was something like 2019; it's an old sample, but once again it's very interesting, it's one of the hardest to, at least, analyze. So at that point this malware will load the library, which library will do whatever it takes in order to extract a payload from the image that you saw before. Now this payload is a downloader: it will just communicate with the command and control server, download a banking Trojan, which will actually hunt for your credentials.

And the next section is headaches, sorry, dynamic code loading, which is basically why Joker, the very well-known malicious code, is the most prevalent malware in the various markets. So what does dynamic code loading do? It enables you to download or extract a payload and then run it in the application's memory. We could do it like for the steganography that Demetrios showed you; you can do it for files such as text files, Java bytecode, Dalvik bytecode, native files and even JavaScript. So it allows you to pick code that's not shipped within your app and run it; that's basically it.

Now obfuscation and packing, and this is not only used for malware; it can be legitimately used to protect intellectual property and code. This serves the sole purpose of hiding code from static analysis tools, automated static analysis tools, or reverse engineers. It can scramble the class names, it can insert garbage code into the application, or, like this sample here, it can include difficult math operations to further confuse you. Remember that they want to confuse you; as long as you're confused you're looking for something else rather than the actual malware. And on the packing we have an example here: when they pack an application, if you decompile the APK you won't see much; you will see maybe, if you're lucky, empty classes, or most likely nothing at all; you'll see a file. What happens is, there you go, everything starts from the entry point, the Application class that we've talked about; once the Application class jumps in, the code will be loaded into the application's memory using dynamic code loading, and the only two ways to get the code are by either manually unpacking it, which I don't recommend to anyone, or dumping the application memory using Frida or another tool of your choice. Go ahead. And now we're going to jump to the showcase.

Yeah, all right, so now we're going to go through a showcase to see everything in action; try to follow me, at least. So this app has about three stages and it's a very interesting sample. I think I presented it once again, although I was focusing on a totally different aspect. Simply said, it's a toll fraud app which tries to, once again, charge the user without the user's consent, of course. So
the malicious flow, let's say, starts in the Application subclass that we mentioned already, and what is actually happening here is that the app will start another thread besides the main thread. What this thread will do is just perform an HTTP request to the Play Store to verify whether the app is published or not, the trick that we already talked about. If it is published then it will start the following: it will call this method J, and this method J just goes through the application's assets and tries to find the file which ends with 355, so it's this asset here. After that it will create another file, a temporary file in the cache directory, and from there it will just copy the asset file to the cache directory, nothing more. The next step is to create actually a short key out of strings which are, let's say, spread here and there; so it will create the key, and finally create another file, a temporary file which is empty, and send everything to this method J here. So it will send the application context, the encrypted file, the key that we talked about, and the empty temporary file. This method J will do the following: first of all it will calculate the SHA digest of the key that we saw before, and out of this digest it will create an AES key. It will use this AES key to decrypt the file that you saw before, and this file is actually a native library, so it will load it using the System.load method, and finally will trigger a native method, which is this one here, passing the short key. Right, so let's summarize what we have as a first stage. First stage: first of all create the key the way that we saw before, and then get the file from the assets directory in order to decrypt it and create an ELF file, a native file, which is now loaded in the application memory. So that was the first stage.

Second stage: something similar, a little bit different. Go once again through the assets of the app and try now to find another file, which ends with 3; this is the second payload. It will get this payload, it will decrypt it with the key that we saw before, and what will happen here is the second stage, which is an APK. So it will decrypt the file once again, it will create an APK, and this APK will be loaded using DexClassLoader or something. So now this APK will communicate with a command and control server in order to download another payload, and this payload will be saved in the cache directory. Yeah, and then this startSDK method uses once again dynamic code loading in order to load a specific class and call a specific method, which method will communicate once again with a command and control server in order to now load another payload. So we have already three stages: two payloads from the assets directory, another two payloads that were downloaded from a command and control server, and here's the summary.

Yeah, this is the summary. So basically you're very lucky to see this application; this is a hand-picked one. You don't normally get everything that you see here, you don't get the DCL together with the "are we published" together with the steganography; it's hard to get. So, summarizing everything that you've seen here: application entry point, where everything starts; then the execution guard, "are we published"; DCL; two payloads and three stages; steganography; cryptography; dynamic code loading; obfuscation, still the same app; native code. And this is all we can get in one app, which is normally spread among apps. So Demetrios is going to do the wrap-up now. Yeah, actually, even the newest apps that we have been reviewing recently use about the same flow, so it seems to be very successful; just pay attention.

All right, so let's wrap up everything. I can't stress enough how important it is to know what the actual danger is here when it comes to mobile apps and mobile devices. It's an ongoing struggle; we have to be one step ahead of the malware developers, always, although everyone should be on board, including researchers from other fields and, most importantly, users, who must inform themselves about these kinds of threats. So thank you very much for your attention. If you have any questions we'll be happy to answer. [Applause] Thank you so much.
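The tricks covered in the talk (dropping the x86 native libraries, the custom Application subclass and content-provider meta-data entry points, the battery and "are we published" guards, the AppsFlyer organic/non-organic check, WebView JavaScript bridges, reflection and dynamic code loading) all leave traces that a triage script can look for before an analyst spends time on a sample. The following is an added example written for this page, not the presenters' code: a Python heuristic scanner that opens an APK as a zip, checks which native ABIs it ships, parses a decoded manifest for entry points that run without a tap, and greps the dex for the descriptor strings those techniques leave in the string table. The sample APK it builds is constructed here for demonstration only. A real APK's AndroidManifest.xml is binary AXML, so the scanner assumes you pass it a manifest already decoded by a tool such as apktool (the constructed sample embeds plain XML directly); everything else is standard library.

```python
"""Heuristic APK triage for the evasion and entry-point indicators discussed in the talk.
Added example, not the presenters' code. Assumes the manifest passed in (or embedded in
the constructed sample) is plain XML, i.e. already decoded from binary AXML."""
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
EMULATOR_ABIS = {"x86", "x86_64"}

# Strings that land verbatim in the dex string table when the technique is used
# (class descriptors, method names, intent actions, SDK callback keys).
DEX_INDICATORS = {
    "reflection": [b"Ljava/lang/reflect/Method;", b"forName"],
    "dynamic_code_loading": [b"Ldalvik/system/DexClassLoader;", b"Ldalvik/system/InMemoryDexClassLoader;"],
    "battery_state_check": [b"android.intent.action.BATTERY_CHANGED", b"plugged"],
    "play_publish_check": [b"play.google.com/store/apps/details?id=", b"market://details?id="],
    "referrer_listener": [b"Lcom/appsflyer/AppsFlyerConversionListener;", b"af_status"],
    "webview_js_bridge": [b"Landroid/webkit/JavascriptInterface;", b"addJavascriptInterface"],
    "build_fingerprinting": [b"test-keys", b"generic_x86", b"ro.kernel.qemu"],
}


def scan_native_abis(names):
    """ARM-only native code crashes x86 sandboxes; report the ABI set and that gap."""
    abis = set()
    for name in names:
        parts = name.split("/")
        if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
            abis.add(parts[1])
    return {"abis": sorted(abis), "x86_excluded": bool(abis) and not (abis & EMULATOR_ABIS)}


def scan_manifest(xml_text):
    """Entry points that run before any tap: Application subclass, providers and their meta-data."""
    result = {"application_subclass": None, "providers": [], "provider_meta_data": []}
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return result
    name = app.get(ANDROID_NS + "name")
    if name and name != "android.app.Application":
        result["application_subclass"] = name
    for prov in app.findall("provider"):
        pname = prov.get(ANDROID_NS + "name")
        result["providers"].append(pname)
        for md in prov.findall("meta-data"):  # provider meta-data is the auto-start chain's trigger
            result["provider_meta_data"].append((pname, md.get(ANDROID_NS + "name")))
    return result


def scan_dex(dex_bytes):
    """Return {indicator: [matched strings]} for every technique with at least one hit."""
    hits = {}
    for tag, needles in DEX_INDICATORS.items():
        found = [n.decode() for n in needles if n in dex_bytes]
        if found:
            hits[tag] = found
    return hits


def triage(apk_bytes, decoded_manifest=None):
    """Run the three scanners over an APK given as bytes and collect a sorted flag list."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = b"".join(z.read(n) for n in names if n.startswith("classes") and n.endswith(".dex"))
        if decoded_manifest is None:  # only works when the zip carries a plain-XML manifest
            decoded_manifest = z.read("AndroidManifest.xml").decode()
    report = {"native": scan_native_abis(names), "manifest": scan_manifest(decoded_manifest),
              "dex": scan_dex(dex)}
    flags = list(report["dex"])
    if report["native"]["x86_excluded"]:
        flags.append("x86_abi_excluded")
    if report["manifest"]["application_subclass"]:
        flags.append("custom_application_class")
    if report["manifest"]["provider_meta_data"]:
        flags.append("provider_meta_data_entry")
    report["flags"] = sorted(flags)
    return report


# Constructed sample, not a real malware APK: ARM-only libs, custom Application subclass,
# an empty-looking provider with a meta-data entry, and a fake dex whose string table
# carries the reflection / DCL / battery / Play-check / AppsFlyer strings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application android:name="com.example.sample.App">
    <activity android:name=".MainActivity"/>
    <provider android:name="com.example.sample.EmptyProvider"
        android:authorities="com.example.sample.provider" android:exported="false">
      <meta-data android:name="com.example.sample.loader" android:value="libloader"/>
    </provider>
  </application>
</manifest>"""


def build_sample_apk():
    fake_dex = b"dex\n035\x00" + b"\x00".join([
        b"Ljava/lang/Class;", b"forName", b"Ldalvik/system/DexClassLoader;",
        b"android.intent.action.BATTERY_CHANGED", b"plugged", b"market://details?id=",
        b"Lcom/appsflyer/AppsFlyerConversionListener;", b"af_status"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        z.writestr("classes.dex", fake_dex)
        z.writestr("lib/arm64-v8a/libloader.so", b"\x7fELF")
        z.writestr("lib/armeabi-v7a/libloader.so", b"\x7fELF")
        z.writestr("assets/payload.355", b"\x00" * 32)  # stand-in for the encrypted stage
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_apk()), indent=2))
```

None of these hits is proof of malice on its own (legitimate apps use AppsFlyer, DexClassLoader and ARM-only builds), which is why the report keeps the raw matches per category rather than a single verdict: the point is to rank which samples deserve a manual look, and to route the ARM-only ones to a physical device or ARM emulator instead of an x86 VM.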