Tag Archives: obfuscation

Making automatic calls from Android

Screen Shot 2013-10-24 at 11.52.01 PMSo apparently Android lets your app make outbound phone calls in multiple ways (as always), the most basic ones are either via activity with android.intent.action.CALL intent, which pulls up the dialer and fires off a phone call, or via ITelephony.call() library call. Both normally require android.permission.CALL_PHONE, unless you figure out a way to dodge the permission checks, but the former is harder to detect. While you can simply grep for the ITelephony case, the other one – action called with an intent – requires some control flow tracing, which gets messy fast. Of course, both can be obfuscated, but that is a different can of worms for another day.

Bottom line – every piece of information extracted from an Android APK carries some value – intents, activities, library calls, anything – because only the careful juxtaposition of all these types of facts lets us judge one way or another about an app.

fun new Android security tools and stats #VB2013

This is a great mix of research because it’s not just academic but a good half is coming from people who make a living off of helping their customers fight off malware:

Google and Apple markets: are their applications really secure?!

This one looks like yet another combing of the stores, mostly for privacy?

By analysing over 120,000 applications from the Google market and over 160,000 from the Apple market, we discovered a lot of security issues that can be found on an everyday app. Many popular applications from these markets hide a lot of security breaches, from sending data over an unsecured connection (such as user accounts or passwords) to GPS tracking or uploading highly sensitive data like contact lists or phone numbers. This behaviour may be intended or may result from the use of a third-party advertising framework employed by the author in order to increase the revenue of the application. This paper draws attention to the security flaws of applications in both the Android and Apple markets by providing statistics and well documented examples, as well as the methods used to extract this information.

Analysis of Android in-app advertisement kits

In this paper, we focus on the security risks and inefficiencies posed by ad-kits. And more particularly those embedded into malware. To this end, we study the Android platform, and 90,000 malware samples. We identify 10 representative ad-kits. We further develop a system called Droidlysis to examine potential risks, ranging from uploading sensitive information to remote servers, to downloading and executing untrusted code. We analyse ad traffic and identify sensitive data transmitted over the air.

Our results show that most ad-kits not only collect private information, but probe for data and permissions beyond the ones listed in their documentation. We discover how users can be tracked by an ad provider across applications, and by a network sniffer across ad providers. Finally, we discuss the financial implications for developers and ad providers.

The Droid Knight: a silent guardian for the Android kernel, hunting for rogue smartphone malware applications

Some very intense claims! Wonder if it works:

real-time malware detection framework for the Android platform that performs dynamic analysis of smartphone applications and detects the malicious activities through in-execution monitoring of process control blocks (PCB) in the Android kernel. We employ a novel scheme to mine the hidden execution patterns – from time-series PCB logs of Android applications – by using information theoretic measures, frequency component analysis and statistical analysis techniques. With the help of this novel scheme, this framework sits in the Android kernel as a loadable kernel module and is able to detect real-world malware applications for Android with very few false alarms. We have validated the framework using real-world Android malware (from well-known malware repositories) and popular benign applications taken from Google’s official app store for Android (i.e. Google Play Store). By carefully designing a series of experiments, we evaluate the detection and runtime performance of our framework. Our framework is able to detect zero-day (previously unseen) malicious applications with over 98% accuracy, while keeping the false positive rate below 1%. It has a runtime processing overhead below 4% on a low-end smartphone.

‘I am not the D’r.0,1d you are looking for’: an analysis of Android malware obfuscation

legitimate obfuscation tool ProGuard from android.com currently obscures class and method names in Android apps.

Nevertheless, it is code obfuscation which would complicate the detection strategy for Android malware, especially given memory footprint limitations. Code obfuscation in malicious apps or PUAs is not only possible, it is inevitable, GooglePlay restrictions notwithstanding. The Dalvik executable (.dex) byte-code instruction set supports registers, arithmetic operators, and even nops, thus providing scope for the insertion of junk polymorphic instructions and metamorphism.

This paper analyses the methods of obfuscation currently used by Android malware authors, and presents examples of .dex byte-code and data obfuscation techniques which are likely to be abused in the future.

GinMaster : a case study in Android malware

Android – practical security from the ground up
Some more info about this one here

The Android Security Team will discuss its approach for securing the Android platform against malware. … We will also give our view into the security of the Android ecosystem, based in part on worldwide data from our Verify Apps tool.