In April 2016 Google released 2015 Android security report. The report mentioned an interesting finding, a malware called Ghost Push Downloader attempted billions of installs on the devices and about 4 million devices were infected [1]. This malware was a Downloader, the downloaded payload in turn downloaded and installed other Trojans. Since then Android Ecosystem has seen growing number of multistage stage malware, which either download or drop malicious component only at the later stage of the malware execution. The Decoy app which drops or downloads the malicious component looks innocent to the user, the malicious activity only starts after the innocent looking decoy app is executed. In addition to exploiting vulnerabilities, these payloads contact compromised call home sources and use social Engineering techniques. In this research, We want to provide an insight into all the recent second stage malware payload that are successful in penetrating Google play and also in infecting users. We also want to investigate how these payloads are successful in evading advance detection techniques and discuss why existing OS defences are not sufficient. [1]. https://security.googleblog.com/2016/04/android-security-2015-annual-report.html

1. You don’t Need AV for Android??
How modern multi stage Android
malware is succeeding to infect
Android devices
Jagadeesh Chandraiah
Threat Researcher
AVAR 2016

2. Who am I
2
• Threat Researcher at Sophos, UK
• Interested in Windows, Mobile Malware Analysis and Research
• Spoken at Deepsec, Virus Bulletin in the past
AVAR 2016

3. Agenda
3
• You don’t need AV for Android
• Android Security services
• Infection timeline
• Multi-Stage Android Malware
• Why we need AV on Android platform
AVAR 2016

4. You Don’t Need Android AV !!

5. Mobile Antivirus is not needed - Google
5
https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/

6. Security Software firms are Scammers
6
http://www.smh.com.au/technology/security/charlatans-and-scammers-googler-slams-security-software-firms-20111123-1ntpu.html

7. Android Security Services

8. Security Services
8AVAR 2016
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf

9. Security Services
9AVAR 2016

10. Scoring Engine
10AVAR 2016
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf
• Apps are classified on the scale of Safe to Harmful
• Harmful apps are sent for Human review

11. Security Services
11AVAR 2016
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf

12. Potentially Harmful Applications (PHA)

13. PHA
13AVAR 2016

14. 14AVAR 2016
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf
PHA

15. 15AVAR 2016

16. Android Fragmentation

17. Android Fragmentation
17
https://developer.android.com/about/dashboards/index.html , Data from 7 day period ending on Nov 7, 2016
AVAR 2016
GingerBread
Ice Cream
Sandwich
JellyBean
KitKat
Lollipop
Marshmallow
Nougat
Gingerbread(2.3.x) 1.3%
Lollipop(5.x) 34.1%
KitKat(4.4) 25.2%
Jelly Bean (4.1-4.3) 13.7%
Marshmallow(6.0) 24.0%
Ice Cream Sandwich(4.0) 1.3%
Nougat(7.0) 0.3%

18. Android Fragmentation
18AVAR 2016
• Slow pace of adaptation of new Android versions
• Many users with outdated software with lots of security Vulnerabilities.
• Latest security fixes are not rolled out quickly
• Cannot force manufacturers to roll out security updates.
• Business model forces users to buy new phones than update.

19. Android Fragmentation? Fix
19AVAR 2016
• Google has started rolling out its own devices , PIXEL series.
• Updated some features and updates through Google play services
• Does Google look like solving Fragmentation ? Probably not
• Android is still very popular…
• Developers are writing more apps ….

20. Android Malware Infections

21. Android Malware Infections
21AVAR 2016

22. Google play Infections
22AVAR 2016
~10-12 malware occurrences in
Google play store in 2015
Malware seen pretty much
every month in 2016

23. Google play Infections
23AVAR 2016
- Brain Test2
- Turk
Clicker
- Xiny
Jan 2016
Feb
2016
Porn
Clickers
(500k)
InstaAgent2
(100-500k)
Mar 2016
May 2016
-Viking
Horde
(50-100k)
- Clicker
-Valeriy
-Level
Dropper
(5k)
Jun
2016
Aug
2016
Dress
Code1
-Call Jam
-Embassy
Spyware
-
Dresscode2
(100-500k)
Sep 2016
Nov 2016
Multiple
Accounts
(1-5Mil)
Many Apps with
100-500k Install
Count
Millions of
devices infected
2016

24. Noteworthy Malware

25. Ghost Push

26. Ghost Push
26AVAR 2016
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf

27. Ghost Push
27AVAR 2016
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf

28. Ghost Push
28AVAR 2016
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf
3.5 Billion Installation Attempts
New variants spotted in Sep/Oct 2016

29. Ghost Push
29AVAR 2016
• Downloader which downloads other malware and aggressive adware.
• Also known as ‘Rootnik’ , ‘Shedun’ etc,
• An OTA company update infrastructure and Application Install service was
causing several Ghost push installations
• Several variants of Ghost push were seen
• Highly Persistent

30. Ghost Push
30AVAR 2016

31. 31AVAR 2016
Ghost Push

32. Ghost Push
32AVAR 2016

33. Ghost Push
33AVAR 2016

34. Brain Test

35. Brain Test
35
• Employed Anti analysis
• Anti analysis like IP checking , Time Bomb and Dynamic Loading
• Persistence methods used to avoid uninstalling
• Appeared multiple times on Google play
AVAR 2016

36. Brain Test
36AVAR 2016
http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/

37. Brain Test
37AVAR 2016
Check if hostname contains ‘google ‘or ‘android’
Check IP ranges for Google servers
216.58.192.0 - 216.58.223.255
209.85.128.0 - 209.85.255.255

38. Brain Test
38AVAR 2016
Persistence
Modification
Script

39. Many variants with similar execution model
39
• Viking Horde - Botnet
• Godless - Exploit kit, Downloader
• Xiny - Hides payload in Image, Downloader, Ad network
• Rooting exploits and Rooting services used
• Watchdog modules for persistence
• Ad revenue, Click Fraud, Botnets ..
AVAR 2016

40. Feabme

41. Feabme
41
• Popular Game on Google play -Up to 1 Million install count
• Had a working game with Phishing code
AVAR 2016

42. Feabme
42AVAR 2016
• Uses open source cross platform Dotnet framework
• Dll’s inside assemblies folder had malicious code

43. Feabme
43AVAR 2016

44. Feabme
44AVAR 2016

45. Feabme
45AVAR 2016

46. Feabme
46AVAR 2016

47. InstaAgent

48. InstaAgent
48AVAR 2016
• App found on both Google play and ios store
• Was very popular app with up to 100k install count
• Simple credential stealing app with big Impact
• Similar apps appeared multiple times
• Injects JS code into web page to steal data

49. InstaAgent
49AVAR 2016

50. InstaAgent
50AVAR 2016
http://peppersoft.net/hacking-the-hacker/

51. InstaAgent
51AVAR 2016

52. Dress Code

53. Dress Code
53AVAR 2016

54. Dress Code
54
• Lots of Infected Apps found on Google Play
• Some of the apps were installed 100k-500k times
• About 400 Infected apps were found in Google play
• Malware appeared multiple times on Google play
• Creates botnet when user executes infected app.
• Traffic is rerouted to help attacker.
AVAR 2016
http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/

55. Dress Code
55AVAR 2016

56. Dress Code
56AVAR 2016

57. Sophistication and Breaking Security
Services

58. Increased Sophistication
58
• Leave the payload for later stage
• Pretend as Clean app
• Target Popular apps and Games
• Use Exploits, Rooting tools and services
AVAR 2016

59. Anti Analysis
59
• Detect analysis Environment
• Obfuscation
• Encrypt and Hide Payloads
• Dynamic/Runtime Code
• Detection Evasion using smaller simpler modules and tricks
AVAR 2016

60. Why do we need Security Software?

61. So, how big is the malware risk ??
61
• Malware occurrences is still relatively low compared to Windows.
• Risk of infection is also low
AVAR 2016

62. Need for Security Software
62
• Google have done many Improvements but NOT ENOUGH !!
• Variants have appeared again and again on play store ( Dress Code,
Brain Test, Insta care/Agent…)
• Popularity means more Risk !!
• Many threats on Google play found by AV/security firms
• Global AV community, security Researchers , Multiple Solutions
• Alert users about undetected Threats by Google
• Many AV apps are free and also provide extra security features
AVAR 2016

63. Work Together
63
• Google can’t provide 100% security
• Can’t Detect all Threats like any other Security software
• Google should Join hands with AV community
• Share samples and information for better Eco System
AVAR 2016
AntivirusGoogle

64. References/Further Read
64
• https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/
• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf
• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf
• https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf http://blog.checkpoint.com/2016/05/09/viking-
horde-a-new-type-of-android-malware-on-google-play/
• http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/
• http://news.drweb.com/show/?i=9803&lng=en&c=5
• http://blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/
• http://peppersoft.net/hacking-the-hacker/
• http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/
• http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/
AVAR 2016

65. @jag_chandra