Automatically Dissecting Android Malware
Valérie Viet Triem Tong & Jean-François Lalande, from CIDRE research team
The Android galaxy is plagued with a host of fake apps solely devised to rob smartphone users of their ID, their data or their money. Studying this type of infection vector, a group of French scientists is coming up with a string of innovative test and visualization tools meant to help security analysts investigate suspicious software, explore its inner structure, force sleeping code out of dormancy and produce an intuitive graph representation of what the malware is really up to.
Well over three million mobile applications now populate Google Play and other Android download outlets throughout the world. The cornucopia runs the gamut from tic-tac-toe games to stock market watchers, not to mention selfie editors and fitness trackers. But it didn't take long for scammers of every ilk to join the party and ship a flurry of inventive malware masquerading as innocuous, legitimate apps. Wrong pick...
Once installed, some start sending premium SMS messages, thus fraudulently charging the user's account. Others methodically encrypt all the user's files before demanding a ransom in exchange for the deciphering key. Gone are last summer's pictures.
This cyber-nuisance proves all the more annoying because sifting the wheat from the chaff is both tricky and time-consuming. “It takes three weeks to manually dissect one single malware, so obviously the process must be automated,” says Valérie Viet Triem Tong. For the last three years, the scientist has led a malware analysis project called Kharon.
Everyone wishing to automate malware analysis is faced with several daunting challenges, the first one being code obfuscation. “Malware developers go to great lengths to hide their malicious payload hither and thither within the bytecode.” This arcane set of instructions might even be lying low in an encrypted form or fragmented into bits and pieces that will be downloaded at a later date. Classical static code analysis can hardly sniff out such sophisticated camouflage. “That's why we are interested in dynamic analysis. Instead of merely scrutinizing the code, we execute the application in order to observe its behavior. We think it's the best way to catch the malware and understand how it works. There happens to be a number of actions that usual software wouldn't normally perform and which are tell-tale signs of malevolent intent.”
Dual Dynamic Analysis
However, to get a full grasp of what is going on, security analysts first need an efficient visualization tool. And that's where the flow monitor Blare comes into play. “Have a look,” says scientist Jean-François Lalande while plugging one of his two dozen smartphones into his laptop. “What we have on the left part of the computer screen is a graph representation of the information flows induced by the execution of an Android Package. See this red arrow? It signals that a file is being accessed at this very moment. Now, look at what happens next. The application writes a tor.rc file. Now it reads it and proceeds to connect to a bunch of IPs. Lo and behold, the software accesses this image_0001.jpg file in the smartphone and adds a new extension to it: .jpg.enc.” Enc? “Yes. Like ‘encrypted’. What used to be a photo in jpg format is now completely inaccessible except if you shell out some money, courtesy of a ransomware called SimpleLocker. And as you can see right here, the malware now goes back to the Tor network in order to anonymously notify its master of the successful attack.”
Icing on the cake, this visualization of dynamic analysis is actually dual. “Not only can a security analyst watch the system flow graph and thus get an instant understanding of the situation, but we can also simultaneously display the portion of code that is involved in the execution, which is what now appears on the right part of the computer screen.”
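As an added illustration (not code from the Kharon project or from Blare), the following detector runs over a constructed sequence of information-flow events shaped like the SimpleLocker trace described above: a file is read, a copy with an extra extension is written, and the process then connects out. The event format, field names, file paths and IP addresses are assumptions made for this example, not Blare's actual output.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class FlowEvent:
    pid: int      # process performing the action (assumed field)
    op: str       # "read", "write" or "connect" (assumed vocabulary)
    target: str   # file path, or "ip:port" for connect

@dataclass
class Finding:
    pid: int
    original: str   # file that was read
    encrypted: str  # same name with the ransomware suffix appended
    notified: bool  # did the process connect out after the rewrite?

# Constructed trace mimicking the behaviour narrated in the article.
SAMPLE_TRACE = [
    FlowEvent(1234, "write", "/data/data/app/tor.rc"),
    FlowEvent(1234, "read", "/data/data/app/tor.rc"),
    FlowEvent(1234, "connect", "10.0.0.1:9001"),
    FlowEvent(1234, "read", "/sdcard/DCIM/image_0001.jpg"),
    FlowEvent(1234, "write", "/sdcard/DCIM/image_0001.jpg.enc"),
    FlowEvent(1234, "connect", "10.0.0.2:9001"),
]

def find_ransomware_pattern(trace: List[FlowEvent], suffix: str = ".enc") -> List[Finding]:
    """Flag a process that reads X, writes X<suffix>, then opens a network connection.
    Order matters: a connect before any rewrite (e.g. the Tor bootstrap) is not
    counted as a ransom notification."""
    reads: Dict[int, Set[str]] = {}
    findings: List[Finding] = []
    for ev in trace:
        if ev.op == "read":
            reads.setdefault(ev.pid, set()).add(ev.target)
        elif ev.op == "write" and ev.target.endswith(suffix):
            original = ev.target[: -len(suffix)]
            if original in reads.get(ev.pid, set()):
                findings.append(Finding(ev.pid, original, ev.target, False))
        elif ev.op == "connect":
            for f in findings:
                if f.pid == ev.pid:
                    f.notified = True
    return findings

if __name__ == "__main__":
    for f in find_ransomware_pattern(SAMPLE_TRACE):
        print(f"pid {f.pid}: {f.original} -> {f.encrypted}, notified={f.notified}")
```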
Triggered by GroddDroid
Having said that, to be of any avail, such dynamic analysis must first of all overcome yet another problem. “In order to avoid detection by automated platforms, malware does not start execution right away,” Viet Triem Tong explains. “It remains dormant until one very particular condition is met. It might well activate itself... say when the battery starts reloading, or when the player reaches a certain level in the game, or on Friday 13th or what not. Thus, dynamic analysis is not going to spot any suspicious behavior for the simple reason that there is none to be observed until this very moment. So we must also find a way to automatically trigger this malware. And that's the purpose of GroddDroid. This tool will simulate the graphic user interface and test one by one the different buttons, the different links, so on and so forth. The goal is not to exhaustively explore all the possible states of the application but rather to focus on the paths a real user is more likely to go through.” GroddDroid also forces the execution of branching conditions if need be. It is complemented by GPFinder. Using static analysis, “this framework generates a big graph which is actually a map of all possible execution paths within the application.”
The Kharon platform and the results of malware analysis are hosted in the LHS, a high security laboratory funded by Inria, CentraleSupélec, the French defense procurement agency (DGA) and the Brittany Region. “We believe this work will be of great use to security analysts. Despite our software still being a research prototype, we have endeavored to bring it to near-production level, paying a lot of attention to code quality, so on and so forth.”
Although it is not yet an off-the-shelf product, the novel toolkit is already gaining traction within the industry. “We are currently contemplating a first technology transfer to a cyber security company and we are talking with several others. Having said that, this research is still ongoing. We have a number of ideas for further improving our solution.”
Valérie Viet Triem Tong and Jean-François Lalande are associate professors at CentraleSupélec. They are also members of the CIDRE research project-team, joint with Inria, CNRS, CentraleSupélec and University of Rennes 1.
Based in Rennes, Brittany, in the heart of the French cyber security cluster, the Kharon project involves CentraleSupélec, Inria and Insa Centre Val de Loire through CIDRE and Celtique, two prominent research teams in the field.
Kharon is funded by CominLabs, an IT laboratory sponsored by the French Government.