Analyzing Android Applications
A. Desnos, G. Gueguen
ESIEA - Operational Cryptology and Virology
CSC 2011
A. Desnos, G. Gueguen 1 /179
Outline
Android
Malware
Analysis
  Static Analysis
  Dynamic Analysis
  Visualization
Tools
Conclusion
Android
The platform
- Google purchased the initial developer of the software, Android Inc., in 2005
- The unveiling of the Android distribution on November 5, 2007
- October 2008: Android Market
- 295.000 applications on the Android Market, 6 billion downloads
- Percentage of apps that are free: 60%
Android
The platform
- Android runs 52% of smartphones sold (Gartner)
Android
The platform
- Third-party applications written in Java, executed on the Dalvik Virtual Machine
- Java bytecode converted to Dalvik bytecode (stack-based machine vs register-based machine)
- Applications are packaged in the APK format
- A virtual machine (Linux user-based protection) per application
- Permissions per application
Android
APK
- ZIP format
- classes.dex: Dalvik Executable Format
- resources: images, strings ...
- assets: raw resources
- native libraries
- manifest file: declares all the top-level components (specifically activities, services, broadcast receivers, and content providers) and specifies which permissions are required by the application
Android
Disassembling Dalvik bytecode
- Instructions use registers,
- Impossible to change the bytecode on the fly,
- Less than 0xff instructions,
- Instruction format:
  - nop, move*, invoke*, goto*, cmp*, *-switch, add*, sub* ...

Android
Dalvik bytecode
Android
Manifest file
- Activities, services, content providers, and broadcast receivers
- Permissions:
  - Camera functions
  - Location (GPS) functions
  - Bluetooth functions
  - Telephony functions
  - SMS/MMS functions
  - Network functions
- Before the installation of an application, all permissions are asked and detailed to the end user
Android
Protecting Your Applications
- Obfuscators like ProGuard (GPL), DashO,
- Work mainly at the Java bytecode level,
- Techniques:
  - names obfuscation,
  - optimization,
  - CFG obfuscation.
Android
Application Licensing
- Justin Case: Breaking The Library (aka The Technical Mumbo Jumbo),
- Disassemble the application with baksmali,
- Find the LicenseValidator class,
- Edit the "verify" method in the class, to return a valid license,
- Reassemble the application with smali, and re-sign it with any valid key.
Android
Problem
- A major problem in the Android market is the theft of applications:
  - download an application (free or not) from the official Android Market
  - crack/re-package/infect it by using smali/baksmali/apktool
  - push it (free or not) on the market
Android
Is it your application ? :)
- Kevin Baker (an Android developer, Neolithic Software), interviewed by The Guardian about his application Sinister Planet:
- "I have a game on the market called Sinister Planet which was released about eight months ago"
- "One of my customers emailed me three weeks ago, and informed me that another company was selling a version of my app - pirated and uploaded as their own. Of course I contacted Google right away. It took Google two days to take the app down. This publisher was also selling other versions of pirated games. [...] You'd think [Google] might have a hotline for things like that!"
Android
Is it your application ? :)
- ElectricSleep (Jon Willis)
Android
Is it your application ? :)
- HTCHEN
Malware
Android malware
- New/Repackaged application:
  - Exploit embedded (native code) to gain root access,
  - Requests more permissions,
  - Execute dynamic code (DexClassLoader) (does not break the Android permission system),
  - Install new applications,
  - Get private information,
  - Get (your) money,
  - Spyware,
  - Botnet-like.
Malware
Exploit
- Embedded in a classical Android application,
- Execute native code (binary, shared library),
- No DVM exploit yet (to our knowledge),
- Mainly from "The Android Exploid Crew", Dan Rosenberg.
Malware
Exploit
- Exploid: "udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space",
- Rageagainstthecage: "Exploits the Android Debug Bridge daemon and the RLIMIT_NPROC value",
- Zimperlich: "Its straight forward code just like the adb setuid() one. Most of the time I spent getting the Makefile right and tricking zygote to spawn the right amount of processes and calling setuid() once more when we are already running.",
- GingerBreak: "vold root exploit: mPartMinors[] (NPARTS) out of bounds write (checked for upper limit but not against negative values)",
- zergRush: "libsysutils root exploit use-after-free".
Malware
Exploit
- PowerVR SGX Privilege Escalation Exploit (Jon Larimer + Jon Oberheide):
  - CVE-2011-1352 is a kernel memory corruption vulnerability that can lead to privilege escalation. Any user with access to /dev/pvrsrvkm can use this bug to obtain root privileges on an affected device.
  - CVE-2011-1350 allows leaking a portion of kernel memory to user mode processes. This vulnerability exists because of improper bounds checking when returning data to user mode from an ioctl system call.
- Nexus S and Galaxy S, Android < 2.3.6
Malware
Exploit: Rooting the Motorola Droid 3 (Dan Rosenberg)
- "A vulnerability specific to Motorola devices in the script parsed by the init thread":
- "The contents of /data/local are group shell and group-writable: modify the contents with ADB",
- "Replacing one of the sub-directories listed here with a symbolic link, then when the device reboots it will change the ownership of the symlink target to group shell",
- "This can be used to edit property files to manipulate the behavior of ADB to achieve root":
- Reboot the device by pressing the power button, and by using adb shell:
- "ro.sys.atvc_allow_all_adb property is a Motorola-specific configuration that prevents ADB from dropping its root privilege".
Malware
Take my money
- Most common malware (Russian/Chinese markets),
- Send SMS to premium rate services,
- Use the SEND_SMS permission (it's not hidden).

Malware
Take my money: Zsone (10.000 users affected)
Malware
Take my money: FakeInstaller (boxer)
- When the user opens the application, he sees a message asking him if he agrees to the terms of the download (in order to install the real application),
- "1. To gain access to the Service http://depositmobi.com/content to make payment by sending up to 3 SMS messages.",
- Changes the prefix of the number to send SMS to by using the mobile country code.
Malware
Information leak
- Steal private information about the user:
  - Phone state (IMEI, IMSI, ...)
  - Contacts
  - History bookmarks
  - GPS location
  - Account information

Malware
Information leak: Hongtoutou
Malware
Information leak: Fakeneflic
- Fake Netflix application,
- Information stealing Trojan that targets account information,
- No specific permissions (phishing).
Malware
Spyware: Geinimi (analyzed by Lookout) (1.000.000 users affected)
- Infected real applications,
- Read and collect SMS messages,
- Send and delete selected SMS messages,
- Pull all contact information and send it to a remote server (number, name, the time they were last contacted),
- Silently download files,
- Launch a web browser with a specific URL.
Malware
Spyware: Nickispy.C (NickiBot)
- Collect the IMEI number and send it to a remote website,
- Receives commands via SMS messages:
  - phone calls monitoring,
  - SMS messages monitoring,
  - GPS location monitoring,
  - send contacts data,
  - record the sounds in the phone.

Malware
Spyware: GoneSixty
Malware
Political: Holy Fucking Bible (HFB)
- Send (SMS) private information,
- Register user to a political action committee called ColbertPAC,
- SMS the entire contact list,
- Reply back to any SMS.

Malware
Political: HFB
- May 21, 2011: send SMS to the entire contact list:
  - "Cannot talk right now, the world is about to end"
  - "Jebus is way over due for a come back"
  - "Its the Raptures,praise Jebus"
  - "Prepare to meet thy maker,make sure to hedge your bet just in case the Muslims' were right"
  - "Just saw the four horsemen of the apocalypse and man did they have the worst case of road rage"
  - "Es el fin del mundo"
- May 21, 2011: send SMS to the entire contact list,
- set your wallpaper with:

Malware
Political: HFB
- >= May 22, 2011: send SMS to the entire contact list:
  - "Looks like Jebus is a no show, maybe Judaism was on to something"
- >= May 22, 2011: send SMS to the entire contact list,
- set your wallpaper with:
Malware
Political: Dogwars
- Animal rights protesters:
  - trojan in dog-fighting games
  - registration SMS to an animal protection organization (PETA: People for the Ethical Treatment of Animals)
  - SMS to all contacts: "I take pleasure in hurting small animals, just thought you should know that"
Malware
Botnet: AnserverBot (analyzed by Yajin Zhou, Xuxian Jiang)
- Fake upgrade,
- Dynamic code loading (through the built-in Dalvik class loading capability),
- Anti-tampering to protect itself (checks the current signature),
- Encrypts various types of data (modification of base64: custom index table),
- Detects the existence of three smartphone anti-virus products,
- Bot clients: public blog website to update the code,
- Receives premium numbers from remote C&C servers and dials calls or sends out SMS messages to them, incurring fees for users.
DroidDream
Is it a dream ?
- 1st of March 2011 on the official Android market,
- malware writer(s): "Kingmall2010", "we20090202", and "Myournet",
- spread the malware in more than 50 official applications,
- it was the first time that a malware infected the official Android market.
DroidDream
Description
- Not specifically designed to infect users of the Android market (mainly due to how the exploits work),
- Around 260.000 devices have been infected [1],
- Two-stage malware: the first stage is a simple bootstrap of injected code, in order to root the telephone and to install a second (embedded) viral application.

[1] http://techcrunch.com/2011/03/05/android-malware-rootkit-google-response/
DroidDream
Analysis
- sample: Magic Hypnotik Spiral (sha1: 90f568425cfcdea3fe19b3de93601eddc6bdc0e5)
- analysis tool: Androguard (http://code.google.com/p/androguard)

DroidDream
Files
- Files in the application (it's a classical zip).

DroidDream
Permissions
- Permissions used by the application
DroidDream
Entry Points
- Entry points of the application
- Activity, Receiver, Service
- com.android.root.main
- com.android.root.Setting
- com.android.root.AlarmReceiver
DroidDream
com.android.root.Setting : onCreate
- decrypt a string which is the server destination,
- send private information to the remote server,
- try to gain root access with 2 exploits,
- install a new APK.
DroidDream
com.android.root.adbRoot : crypt
- one parameter, field u, ([B), string of bytes
- Where and what is the value of this field ?
- 94, 42, 93, 88, 3, 2, 95, 2, 13, 85, 11, 2, 19, 1, 125, 19, 0, 102, 30, 24, 19, 99, 76, 21, 102, 22, 26, 111, 39, 125, 2, 44, 80, 10, 90, 5, 119, 100, 119, 60, 4, 87, 79, 42, 52
- The crypt method decrypts a string by XORing it with the field KEYVALUE, which is the key
DroidDream
com.android.root.adbRoot : crypt
- The XOR of the input string with the key gives us a URL:
- http://184.105.245.17:8080/GMServer/GMServlet
- Server located in the USA
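The bytes of field u and the decoded URL are both on the slides, so the key that crypt XORs with can be recovered as ciphertext XOR plaintext and reused on the field. This is an added example, not code from the slides or Androguard; it assumes crypt is a plain repeating-key XOR with KEYVALUE, and the recovered key only covers the 45 positions the URL spans.

```python
# Added example, not from the slides or Androguard. Field u (the ciphertext)
# and the decoded URL are taken from the slides; the assumption is that crypt
# is a plain repeating-key XOR with KEYVALUE, so key = ciphertext XOR plaintext.

FIELD_U = bytes([94, 42, 93, 88, 3, 2, 95, 2, 13, 85, 11, 2, 19, 1, 125, 19, 0,
                 102, 30, 24, 19, 99, 76, 21, 102, 22, 26, 111, 39, 125, 2,
                 44, 80, 10, 90, 5, 119, 100, 119, 60, 4, 87, 79, 42, 52])
KNOWN_URL = b"http://184.105.245.17:8080/GMServer/GMServlet"


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Key bytes for the positions covered by the known plaintext.

    Only the first min(len) positions are recovered: a KEYVALUE longer than
    the known plaintext stays partially unknown."""
    n = min(len(ciphertext), len(known_plaintext))
    return xor_crypt(ciphertext[:n], known_plaintext[:n])


def decode_field(field: bytes, key: bytes) -> str:
    """Decode a crypt()-protected field with a (possibly partial) key.

    Refuses to wrap a partial key around, which would silently produce garbage."""
    if len(key) < len(field):
        raise ValueError("key covers only %d of %d bytes" % (len(key), len(field)))
    return xor_crypt(field, key).decode("ascii")


if __name__ == "__main__":
    key = recover_key(FIELD_U, KNOWN_URL)
    print("recovered KEYVALUE prefix:", key.decode("ascii"))
    print("decoded field u:", decode_field(FIELD_U, key))
```

The same known-plaintext step works for any other field encrypted with KEYVALUE whose first bytes are predictable (for instance a scheme prefix), which is how the remaining key positions would be filled in.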
DroidDream
com.android.root.Service$2
- A thread is started,
- The postURL method from com.android.root.Service is called.

DroidDream
com.android.root.Service
- This method is used to send private information (XML format) about the mobile phone to the previous remote server:
- IMEI: International Mobile Equipment Identification,
- IMSI: International Mobile Subscriber Identification,
- Device: The name of the industrial design,
- SDK_INT: The user-visible SDK version of the framework.
DroidDream
com.android.root.udevRoot or exploid
- Gain root access !
- The runExploid method launches the file exploid, which is in fact the exploid exploit (it needs an event to be effective, and the code can obviously not ask the user to trigger one)
- The state (disabled) of the wifi is changed with changeWifiState to raise an event !
- Source code (C and Java) on the internet: https://github.com/shakalaca/UniversalAndroot

DroidDream
com.android.root.adbRoot or rageagainstthecage
- Gain root access !
- The exploit is very limited.
- The mobile phone must have USB debugging enabled (target: unofficial market)...
- ... and it has to be connected while the application is run.
DroidDream
com.android.root.Setting : destroy
- Its responsibility is to infect the phone with the application stored in sqlite.db (it is not a SQLite database but a classical APK file),
- a new application DownloadProvidersManager.apk is installed and launched at the next boot of the phone,
- the current application exits.

DroidDream
sqlite.apk or DownloadProvidersManager.apk
- the analysis of the second application has been detailed by Lookout [2],
- its role is only to silently install new applications from a remote server.

[2] http://blog.mylookout.com/droiddream/
Android
Reverse Engineering
- Reverse engineering tools like IDA Pro (not free), Baksmali (free), Androguard (free)
- Decompilers: better than DED, jd-gui ...
Plagiarism
- It is very time consuming and inefficient
- => Automated approaches ?
Analysis
Control Flow Graph
- In each method, you have a list of basic blocks:
  - one entry point, meaning no code within it is the destination of a jump instruction anywhere in the program;
  - one exit point, meaning only the last instruction can cause the program to begin executing code in a different basic block.
- Modification of the control flow:
  - "if*", "goto*", "return*", "packed*", "sparse*"
  - exceptions
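As an added example (not code from the slides or Androguard), a basic-block splitter over a constructed Dalvik-like listing, using the control-flow mnemonics the slide lists; the instruction list, the ":L_0x.." label syntax and the omission of exception edges are assumptions of this example.

```python
# Added example, not from the slides or Androguard: split a method into basic
# blocks and record each block's successors. Leaders are the first instruction,
# every branch target and every instruction following a control-flow
# instruction. The listing is constructed; exception (try/catch) edges, which
# the slide also names as control-flow modifiers, are not modelled here.
import re

# Mnemonic prefixes that end a basic block (the slide's if*/goto*/return*/
# packed*/sparse* families, plus throw).
BRANCH_PREFIXES = ("if-", "goto", "return", "packed-switch", "sparse-switch", "throw")
NO_FALLTHROUGH = ("goto", "return", "throw")

# Constructed method body: (offset, mnemonic, operands). Branch targets are
# written as ":L_0x<offset>" labels, the way a disassembler would print them.
SAMPLE_METHOD = [
    (0x00, "const/4", "v0, 0x0"),
    (0x01, "if-eqz", "v1, :L_0x06"),
    (0x03, "const/4", "v0, 0x1"),
    (0x04, "goto", ":L_0x08"),
    (0x06, "const/4", "v0, 0x2"),
    (0x07, "nop", ""),
    (0x08, "return", "v0"),
]


def branch_targets(mnemonic, operands):
    """Offsets named by a control-flow instruction (empty for others)."""
    if not mnemonic.startswith(BRANCH_PREFIXES):
        return []
    return [int(h, 16) for h in re.findall(r":L_0x([0-9a-fA-F]+)", operands)]


def split_basic_blocks(instructions):
    """Return blocks as dicts {'start': offset, 'insns': [...], 'succ': [offsets]}."""
    index_of = {off: i for i, (off, _, _) in enumerate(instructions)}
    leaders = {0}
    for i, (_, mnemonic, operands) in enumerate(instructions):
        if mnemonic.startswith(BRANCH_PREFIXES):
            for target in branch_targets(mnemonic, operands):
                if target not in index_of:
                    raise ValueError("branch to unknown offset 0x%x" % target)
                leaders.add(index_of[target])
            if i + 1 < len(instructions):
                leaders.add(i + 1)          # instruction after a branch starts a block
    starts = sorted(leaders)
    blocks = []
    for n, s in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(instructions)
        blocks.append({"start": instructions[s][0], "insns": instructions[s:end], "succ": []})
    for n, block in enumerate(blocks):
        _, mnemonic, operands = block["insns"][-1]   # only the last insn leaves the block
        block["succ"] = branch_targets(mnemonic, operands)
        if not mnemonic.startswith(NO_FALLTHROUGH) and n + 1 < len(blocks):
            block["succ"].append(blocks[n + 1]["start"])
    return blocks


if __name__ == "__main__":
    for block in split_basic_blocks(SAMPLE_METHOD):
        print("block 0x%02x -> %s" % (block["start"], [hex(s) for s in block["succ"]]))
```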
Permissions
Where ?
- Useful to know where a specific permission is used in the application,
- You must search for specific APIs in the bytecode,
- Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David Wagner (UC Berkeley): create a permission map:
  - SEND_SMS: sendTextMessage
AndroidManifest.xml
What ?
- "Every application must have an AndroidManifest.xml file (with precisely that name) in its root directory",
- Essential information about the application:
  - activities, services, broadcast receivers,
  - permissions,
  - package name...
- XML file converted into a specific binary XML file.
Analysis
Signature
- Create a signature in order to identify a particular method in a set of methods (not exactly the same method, but also variants of this method),
- Based on a paper of Silvio Cesare: Fast Automated Unpacking and Classification of Malware,
- It's a simple grammar which uses: Control Flow Graph, Fields, Packages, Strings and Exceptions.
- Several signatures:
  - V0: no specific information about strings, packages, fields,
  - V1: V0 + the size of strings,
  - V2: V0 + filtering Android package names,
  - V3: V0 + filtering Java package names,
  - V4: V0 + filtering Android/Java packages.

Analysis
Signature Example
Analysis
Signatures Similarity
- How to know if two strings are similar ?
  - Hamming distance,
  - Levenshtein distance,
  - Jaccard distance,
  - Cosine similarity,
  - Locality sensitive hashing,
  - Normalized compression distance.
Analysis
NCD
- Designed to be an effective approximation of the noncomputable but universal Kolmogorov complexity between two strings.
- The NCD of two elements A and B is defined as d_NCD(A,B). We can compute
  - C(A) and L_A = L(C(A));
  - C(B) and L_B = L(C(B));
  - C(A|B) and L_{A|B} = L(C(A|B));
- where A|B is the concatenation of A and B, C is the compressor, and L is the length of a string.
- Then d_NCD(A,B) is defined by:

  $$d_{NCD}(A,B) = \frac{L_{A|B} - \min(L_A, L_B)}{\max(L_A, L_B)} \qquad (1)$$
Analysis
NCD
- A compressor C is normal if the following four axioms are satisfied up to an additive O(log n), where n is the maximal binary length of the elements involved in the inequalities:
  1. Idempotency: C(xx) = C(x), and C(ε) = 0, where ε is the empty string.
  2. Monotonicity: C(xy) ≥ C(x).
  3. Symmetry: C(xy) = C(yx).
  4. Distributivity: C(xy) + C(z) ≤ C(xz) + C(yz).
Analysis
NCD
- If you take three elements:
  - X ("HELLO WORLD") and the length of the compression Y = C(X) = 6,
  - X' ("HELLO WOORLD") and the length of the compression Y' = C(X') = 7,
  - X'' ("HI !!!") and the length of the compression Y'' = C(X'') = 3.
- the compression C(XX') will be similar to C(X), whereas the compression C(XX'') will not be similar to C(X).
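Equation (1) and the three elements above, as an added example that is not code from the slides or Androguard: zlib (standard library) stands in for the compressor C, so the lengths differ from the 6/7/3 on the slide, but the ordering the slide predicts holds; the normality check and its slack parameter are this example's own.

```python
# Added example, not from the slides or Androguard: NCD per equation (1) with
# zlib as compressor C and compressed byte length as L, plus a check of the
# four normality axioms "up to an additive" slack. zlib is used because it is
# in the standard library; the slides favour Snappy for speed.
import zlib


def C(data: bytes) -> int:
    """L(C(x)): length in bytes of the zlib-compressed input."""
    return len(zlib.compress(data, 9))


def ncd(a: bytes, b: bytes) -> float:
    """d_NCD(A,B) = (L_{A|B} - min(L_A, L_B)) / max(L_A, L_B)."""
    la, lb, lab = C(a), C(b), C(a + b)
    return (lab - min(la, lb)) / max(la, lb)


def normality_violations(samples, slack=0):
    """Count axiom violations beyond 'slack' bytes over all sample tuples.

    Real compressors only satisfy the axioms approximately (headers, block
    overhead), which is what the O(log n) additive term in the slide allows."""
    bad = {"idempotency": 0, "monotonicity": 0, "symmetry": 0, "distributivity": 0}
    for x in samples:
        if C(x + x) > C(x) + slack:
            bad["idempotency"] += 1
        for y in samples:
            if C(x + y) + slack < C(x):
                bad["monotonicity"] += 1
            if abs(C(x + y) - C(y + x)) > slack:
                bad["symmetry"] += 1
            for z in samples:
                if C(x + y) + C(z) > C(x + z) + C(y + z) + slack:
                    bad["distributivity"] += 1
    return bad


def rank_by_similarity(reference: bytes, candidates):
    """Candidates ordered from closest to farthest from the reference."""
    return sorted(candidates, key=lambda c: ncd(reference, c))


# The three elements of the slide, constructed here as bytes.
X, X1, X2 = b"HELLO WORLD", b"HELLO WOORLD", b"HI !!!"

if __name__ == "__main__":
    for cand in (X1, X2):
        print(cand, "L =", C(cand), "d_NCD(X, .) =", round(ncd(X, cand), 3))
    print("violations with 8 bytes of slack:", normality_violations([X, X1, X2], slack=8))
```

On inputs this short the compressor's fixed overhead dominates, which is why the distances are far from 0.0 even for X against itself; the slides' comparison of compressors by size and time is about exactly that trade-off.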
Analysis
NCD
- The compression rate is not a determining factor for the choice of the compressor if it complies with the following rules:
  1. C respects the four inequalities,
  2. C(x) is calculated within an acceptable amount of time.

Analysis
NCD: compressor ?
- Compressed data size and time (s) per compressor:

  Compressor   Compressed size   Time (s)
  LZMA         900               1.45565796
  XZ           1824              0.72005010
  ZLIB         894               0.00037599
  BZIP2        1294              0.00088286
  Snappy       1208              0.00010705
Analysis
NCD: Snappy compressor
- Snappy is a compression/decompression library (Google),
- It does not aim for maximum compression, or compatibility with any other compression library; instead, it aims for very high speeds and reasonable compression,
- Based on text by Zeev Tarantov,
- LZ77-type compressor with a fixed, byte-oriented encoding,
- Fast: Compression speeds at 250 MB/sec and beyond, with no assembler code,
- Stable: Over the last few years, Snappy has compressed and decompressed petabytes of data in Google's production environment.
Analysis
Similarity
- Identify identical methods,
- Identify exact/similar methods,
- Identify new methods,
- Identify deleted methods.

Analysis
Similarity: attributes associated with a method
- the entropy, based on the raw binary data,
- a buffer which represents the sequence of instructions, with useless information removed from it,
- a unique checksum (or hash) based on the previous buffer,
- a signature.

Analysis
Signature Example

Analysis
Similarity: remove identical methods by using hash

Analysis
Similarity: find exact/similar methods between two applications

Analysis
Similarity: Identify new methods between two applications
Analysis
Plagiarism/Rip-Off indicator
- By using the previous algorithms:
  - we can calculate an indicator (between 0.0 and 100.0) to indicate whether the application has been stolen
  - 0.0 for a perfectly identical method,
  - value of the NCD for a partially identical method,
  - value of the NCD for the general information of the application (strings, constants, etc.).
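The similarity pipeline of the previous slides (identical methods by hash, then similar/new/deleted by NCD) and the indicator built on top of it, as one added example that is not code from the slides or Androguard. The two applications, their cleaned instruction buffers, the NCD threshold and the averaging used for the indicator are assumptions of this example.

```python
# Added example, not from the slides or Androguard: method-level similarity
# on constructed data. Instruction buffers, the NCD threshold and the way the
# indicator averages per-method distances are assumptions of this example.
import hashlib
import zlib


def ncd(a: bytes, b: bytes) -> float:
    """Normalized compression distance, zlib as compressor C."""
    la, lb, l_ab = (len(zlib.compress(s, 9)) for s in (a, b, a + b))
    return (l_ab - min(la, lb)) / max(la, lb)


def digest(buf: bytes) -> str:
    """Checksum of the cleaned instruction buffer (step 1: exact matches)."""
    return hashlib.sha1(buf).hexdigest()


def compare_apps(app1, app2, threshold=0.5):
    """Classify each method of app1 against app2.

    app1, app2: dict method name -> cleaned instruction buffer (bytes).
    Returns {'identical': [(m1, m2)], 'similar': [(m1, m2, ncd)],
             'new': [m1], 'deleted': [m2]}."""
    by_hash = {}
    for name, buf in app2.items():
        by_hash.setdefault(digest(buf), []).append(name)
    identical, similar, new, matched, pending = [], [], [], set(), []
    for name, buf in app1.items():            # 1. identical methods by hash, no NCD
        names = by_hash.get(digest(buf))
        if names:
            other = names.pop(0)
            identical.append((name, other))
            matched.add(other)
        else:
            pending.append((name, buf))
    candidates = {n: b for n, b in app2.items() if n not in matched}
    for name, buf in pending:                 # 2. closest remaining method by NCD
        best = min(((ncd(buf, b2), n2) for n2, b2 in candidates.items()), default=None)
        if best is not None and best[0] <= threshold:
            similar.append((name, best[1], best[0]))
            matched.add(best[1])
            del candidates[best[1]]
        else:                                 # 3. nothing close enough: new method
            new.append(name)
    deleted = [n for n in app2 if n not in matched]   # 4. never matched: deleted
    return {"identical": identical, "similar": similar, "new": new, "deleted": deleted}


def ripoff_indicator(result, n_methods):
    """0.0 = app1 is app2, 100.0 = nothing shared: mean distance over app1's
    methods, with 0.0 for identical, the NCD for similar and 1.0 for new."""
    total = sum(d for _, _, d in result["similar"]) + len(result["new"])
    return 100.0 * total / n_methods


# Constructed original application and a repackaged copy: one method kept,
# one extended with an advertising call, one dropped and one library method added.
ORIGINAL = {
    "Game;->onCreate": b"invoke-super onCreate; invoke-virtual setContentView; "
                       b"invoke-direct initBoard; return-void",
    "Game;->draw": b"iget-object v0, board; invoke-virtual drawBoard(v0); "
                   b"iget v1, score; invoke-virtual drawScore(v1); "
                   b"iget v2, lives; invoke-virtual drawLives(v2); "
                   b"iget-object v3, timer; invoke-virtual drawTimer(v3); return-void",
    "Game;->onPause": b"invoke-super onPause; invoke-direct saveState; return-void",
}
REPACKAGED = {
    "Game;->onCreate": ORIGINAL["Game;->onCreate"],
    "Game;->draw": ORIGINAL["Game;->draw"].replace(
        b"return-void", b"invoke-static showAd(); return-void"),
    "Ads;->pushAd": b"const-string url; invoke-static openConnection; "
                    b"invoke-virtual getInputStream; return-void",
}

if __name__ == "__main__":
    result = compare_apps(REPACKAGED, ORIGINAL)
    for kind in ("identical", "similar", "new", "deleted"):
        print(kind, result[kind])
    print("rip-off indicator:", round(ripoff_indicator(result, len(REPACKAGED)), 1))
```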
Analysis
Plagiarism/Rip-Off indicator: two different applications

Analysis
Plagiarism/Rip-Off indicator: identical applications

Analysis
Plagiarism/Rip-Off indicator: quite identical applications

Analysis
Plagiarism/Rip-Off indicator: stolen application

Analysis
Plagiarism/Rip-Off indicator: The Wars
Analysis
Plagiarism/Rip-Off indicator: DailyMoney (HTCHEN)
- Timothy Armstrong (Kaspersky Lab):
  - a Pay-Per-Install library was added to the original code,
  - the library comes as part of an SDK from a company called AirPush,
  - different types of advertisements are shown to end users.
- The developer is paid every 1.000 impressions (CPM: Cost Per Mille, "It is used in marketing as a benchmark to calculate the relative cost of an advertising campaign or an ad message in a given medium").
Analysis
Evaluation of Android obfuscators
- Problem: transformation of the source code into bytecode,
- Android developers frequently use obfuscators such as ProGuard or DashO to prevent the reverse engineering of their software,
- It can be easily reversed by using a classical decompiler like jad, jd-gui or dava, with varying degrees of reliability,
- Moreover virtual machines do not allow code modification on the fly (only dynamic code loading), and it is a real problem for classical packers.

Analysis
Evaluation of Android obfuscators
- the obfuscator can use several techniques to protect a Java/Android application:
  1. change names of classes, methods, fields,
  2. modify the control flow,
  3. code optimization,
  4. dynamic code loading,
  5. change instructions with metamorphic techniques.

Analysis
Evaluation of Android obfuscators
- Blackbox evaluation with our previous similarity algorithms
- If this distance is close to 100 then the obfuscator did a poor job ...
Analysis
Malware
- We can extract new methods automatically: it is the case of a malware injected into applications of the official or unofficial Android markets,
- The malware writer injects his "evil" code into the application and propagates the new application in different markets.
- It is possible to isolate the malware quickly if we know the original application, which is an easy task because the malware writer does not generally modify it.

Analysis
Axelle Apvrille (Fortinet): Clarifying Android DroidKungFu variants
Analysis
Diffing
- Calculate the differences between two versions of an application to identify modifications:
  - security bugfix,
  - reverse engineering.
- The idea is to detect classical modifications in a method including:
  - modification of code in a basic block,
  - addition of new basic blocks.
- Bindiff, patchdiff2, ...

Analysis
Diffing
- Isomorphism problem: graph comparison
- Find identical/similar methods in order to extract modifications of instructions from basic blocks:
  - identification of identical basic blocks by using NCD,
  - extraction of added/removed instructions by using the longest common subsequence algorithm.
Analysis
Diffing: Identification of basic blocks
- It is the similarity algorithm, but at a different level of granularity

Analysis
Diffing: Find exactly/partially the same basic blocks between two methods

Analysis
Diffing: Find new basic blocks between two methods

Analysis
Diffing: Find added/removed instructions from a basic block
Analysis
Diffing: Skype Android application
- On the 15th of April 2011, AndroidPolice released a new security vulnerability in Skype (version 1.0.0.831) for Android,
- This vulnerability exposes the users' name, phone number, and chat logs to all installed applications,
- The security bug is very simple: it is an incorrect usage of permissions to open files,
- A few days after this vulnerability, Skype released a new version (1.0.0.983) which fixed this security bug.

Analysis
Diffing: Skype Android application
- exactly identical: 8038,
- partially identical: 165,
- new: 14,
- deleted: 7.

Analysis
Diffing: Skype Android application
- searching methods related to file permissions (by using the Java API or directly with the chmod program)
- most of them are related to simple constant modifications, but we can identify a method really close to another one (with the same name) which manipulates files:
  - Lcom/skype/ipc/SkypeKitRunner; run ()V with Lcom/skype/ipc/SkypeKitRunner; run ()V 0.269383959472
- This method has four modified basic blocks, but only three basic blocks merit further investigation.
- An integer value (it is the operating mode) of the method openFileOutput, public abstract FileOutputStream openFileOutput (String name, int mode), has been changed from 3 to 0
- In another basic block, the first argument of chmod has been changed from 777 to 750
- And in the last modified basic block, there is a new call to a new method which fixes all files in the context directory of the application:
  - Lcom/skype/ipc/SkypeKitRunner; fixPermissions ([Ljava/io/File;)V
- which fixes all permissions (patches permissions from the previous version) to:
  - RWX --- --- for a directory,
  - RW- --- --- for a file.
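The last step of the diffing pipeline, extracting added/removed instructions from a modified basic block with the longest common subsequence, as an added example that is not code from the slides or Androguard. The two listings are constructed after the Skype fix described above (openFileOutput mode 3 to 0, chmod 777 to 750); register numbers and the exact instruction forms are assumptions.

```python
# Added example, not from the slides or Androguard: added/removed instructions
# between two versions of a basic block via the longest common subsequence.
# The listings are constructed after the Skype fix described on the slides;
# register numbers and the exact instruction forms are assumptions.


def lcs_table(a, b):
    """table[i][j] = length of the LCS of a[:i] and b[:j]."""
    n, m = len(a), len(b)
    table = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            if a[i] == b[j]:
                table[i + 1][j + 1] = table[i][j] + 1
            else:
                table[i + 1][j + 1] = max(table[i][j + 1], table[i + 1][j])
    return table


def diff_instructions(old, new):
    """Return (removed, added) in listing order: the instructions outside the LCS."""
    table = lcs_table(old, new)
    i, j = len(old), len(new)
    removed, added = [], []
    while i > 0 or j > 0:
        if i > 0 and j > 0 and old[i - 1] == new[j - 1]:
            i, j = i - 1, j - 1                  # common instruction, keep walking
        elif j > 0 and (i == 0 or table[i][j - 1] >= table[i - 1][j]):
            added.append(new[j - 1])             # only in the new block
            j -= 1
        else:
            removed.append(old[i - 1])           # only in the old block
            i -= 1
    return removed[::-1], added[::-1]


OPEN_FILE = ("invoke-virtual {v0, v1, v2}, Landroid/content/Context;->"
             "openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;")
RUN_CHMOD = ("invoke-virtual {v7, v6}, Ljava/lang/Runtime;->"
             "exec([Ljava/lang/String;)Ljava/lang/Process;")

# Constructed block of the vulnerable version: mode 3 is world readable and
# writable and the chmod argument is 777.
BLOCK_OLD = [
    'const-string v1, "config.xml"',
    "const/4 v2, 0x3",
    OPEN_FILE,
    "move-result-object v3",
    'const-string v4, "chmod"',
    'const-string v5, "777"',
    RUN_CHMOD,
]
# Constructed block of the fixed version: mode 0 (MODE_PRIVATE) and chmod 750.
BLOCK_NEW = [
    'const-string v1, "config.xml"',
    "const/4 v2, 0x0",
    OPEN_FILE,
    "move-result-object v3",
    'const-string v4, "chmod"',
    'const-string v5, "750"',
    RUN_CHMOD,
]

if __name__ == "__main__":
    removed, added = diff_instructions(BLOCK_OLD, BLOCK_NEW)
    for ins in removed:
        print("-", ins)
    for ins in added:
        print("+", ins)
```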
Analysis
Decompilation
- Current ways to decompile are not good enough:
  - Source code unreadable
  - Doesn't compile back
  - Decompilation fails
Analysis
Decompilation
Different phases (optimizations/compilation):
- Intermediate representation
- Semantic analysis
- CFG generation
  - each node represents a basic block
- Dataflow analysis
- Control flow analysis
- Code generation
Analysis
Control flow analysis
- Number the nodes of the graph in reverse post-order:
  - number given when visited for the last time
- Goal of control flow analysis: identify structures
- Build intervals to detect loops
- Switch and conditional structures are detected by traversing the graph in reverse (from last to first node)

Analysis
Control flow analysis
- Need to find the next element of a structure
  - E.g.: the next of a conditional structure is the first common node of both branches
  - Special case with short circuit
- Write the code of the nodes by traversing them
  - nodes are flagged: type of node, of loop, head of loop, ...
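Reverse post-order numbering and two of its uses named on these slides (finding loops and the "next" of a conditional, the first node common to both branches), as an added example that is not code from the slides or the Androguard decompiler. The CFG, its block names and the treatment of back edges as loop heads are assumptions of this example.

```python
# Added example, not from the slides or the Androguard decompiler: number a
# constructed CFG in reverse post-order, find loop heads via back edges and
# the follow node of a conditional. Graph and block names are made up.


def reverse_postorder(cfg, entry):
    """Map node -> RPO number. A node is appended to the post-order when the
    DFS leaves it for the last time; reversing that list gives the RPO."""
    seen, post = set(), []

    def visit(node):
        seen.add(node)
        for succ in cfg[node]:
            if succ not in seen:
                visit(succ)
        post.append(node)

    visit(entry)
    return {node: number for number, node in enumerate(reversed(post))}


def back_edges(cfg, rpo):
    """Edges u -> v with rpo[v] <= rpo[u]: v heads a loop (reducible CFG)."""
    return [(u, v) for u in cfg for v in cfg[u] if rpo[v] <= rpo[u]]


def reachable(cfg, start):
    """All nodes reachable from start, start included."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(cfg[node])
    return seen


def follow_node(cfg, rpo, cond):
    """First node in RPO order, after the conditional, reached by both of its
    successors; None when the branches never rejoin. Restricting to nodes
    numbered after the conditional keeps a loop head from being picked when
    the conditional sits inside a loop body."""
    then_succ, else_succ = cfg[cond]
    common = {n for n in reachable(cfg, then_succ) & reachable(cfg, else_succ)
              if rpo[n] > rpo[cond]}
    return min(common, key=rpo.get) if common else None


# Constructed CFG: an if/else diamond (B1 -> B2 | B3 -> B4) followed by a loop
# whose test is B4, body B5 and exit B6.
CFG = {
    "B0": ["B1"],
    "B1": ["B2", "B3"],
    "B2": ["B4"],
    "B3": ["B4"],
    "B4": ["B5", "B6"],
    "B5": ["B4"],
    "B6": [],
}

if __name__ == "__main__":
    numbering = reverse_postorder(CFG, "B0")
    print("RPO:", numbering)
    print("loop heads:", [v for _, v in back_edges(CFG, numbering)])
    print("follow of B1:", follow_node(CFG, numbering, "B1"))
    print("follow of B4:", follow_node(CFG, numbering, "B4"))
```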
Analysis
Extending algorithms of similarity
- Detecting a piece of code in a set of applications (with variants):
  - Antivirus
  - Plagiarism
Analysis
Antivirus: Open Source database of Android malware
- NCD is very time consuming even if the compressor is very fast
- You must reduce the number of comparisons:
  - N methods
  - S signatures
  - O(N * S)
  - example: 10.000 * 1000 = 10.000.000
- Clustering: entropies on the signature (Android/Java packages, binary raw, exceptions, signatures),
- Similarity distance (NCD) on each cluster with the signature (thresholds).

Analysis
Antivirus: Open Source database of Android malware
- Signatures can be done on methods, classes,
- Choose a signature correctly (length, entropy ...),
- Boolean expression.

Analysis
Antivirus: Open Source database of Android malware
- Description (JSON format) of a signature:

Analysis
Antivirus: Open Source database of Android malware
- Signature is extracted and written in the database:

Analysis
Antivirus: Open Source database of Android malware
- Check a repository of applications:
Analysis
Android Antivirus: Clamav
- Does Clamav support Android malware ?

Analysis
Android Antivirus: Clamav vs Androguard
Analysis
Dynamic Analysis
- Patrik Lantz (Honeynet project, Google Summer of Code 2011, GPL)
- Modification of the Dalvik Virtual Machine for interception of:
  - Incoming/outgoing network data,
  - File read and write operations,
  - Loaded classes through DexClassLoader,
  - Information leaks via the network, file and SMS,
  - Cryptography operations performed using the Android API,
  - Sent SMS and phone calls.
Application
Control Flow Graph
- Export as a classical graphviz picture,
- Export the CFG to Cytoscape.
Application
Methods Call Graph
- Export the methods call graph in .gexf format:
  - Information about each node
  - Add specific nodes (permissions, activities, ...)
Diffing
- Aureliano Calvo: Showing differences between disassembled functions
Tools
- IDA Pro, support of Dalvik,
- Smali/Baksmali,
- Dex2jar,
- DED,
- Androguard,
- Droidbox,
- => Virtual Machine for Android Reverse Engineering (Honeynet).
Conclusion
Androguard
- LGPL framework/tools [3]
- Python/C(++)
- You're Welcome !

[3] http://code.google.com/p/androguard/
Conclusion
Future Works
- Improve the DroidBox project,
- Improve the plagiarism algorithm,
- Emulation of Android bytecode,
- Data tainting,
- Optimization phases of the decompiler.

Conclusion
- Thanks to "Congreso Seguridad en Cómputo" 2011, Ruben Aquino Luna and Celica Martinez Aponte
- Questions ?