In April 2016 Google released its 2015 Android security report. The report mentioned an interesting finding: a malware family called Ghost Push Downloader attempted billions of installs on devices, and about 4 million devices were infected [1]. This malware was a downloader; the downloaded payload in turn downloaded and installed other Trojans. Since then the Android ecosystem has seen a growing number of multi-stage malware families, which either download or drop the malicious component only at a later stage of execution. The decoy app which drops or downloads the malicious component looks innocent to the user; the malicious activity only starts after the innocent-looking decoy app is executed.
In addition to exploiting vulnerabilities, these payloads contact compromised call-home sources and use social engineering techniques. In this research, we want to provide an insight into all the recent second-stage malware payloads that have succeeded in penetrating Google Play and in infecting users. We also want to investigate how these payloads succeed in evading advanced detection techniques, and discuss why existing OS defences are not sufficient.
[1] https://security.googleblog.com/2016/04/android-security-2015-annual-report.html
You don’t Need AV for Android?? How modern multi stage Android malware payload is succeeding to infect Android devices
1. You don’t Need AV for Android?? How modern multi-stage Android malware is succeeding to infect Android devices
Jagadeesh Chandraiah
Threat Researcher
AVAR 2016
2. Who am I
• Threat Researcher at Sophos, UK
• Interested in Windows, Mobile Malware Analysis and Research
• Spoken at DeepSec and Virus Bulletin in the past
3. Agenda
• You don’t need AV for Android
• Android Security services
• Infection timeline
• Multi-Stage Android Malware
• Why we need AV on Android platform
5. Mobile Antivirus is not needed - Google
https://nakedsecurity.sophos.com/2014/07/09/googles-android-security-chief-dont-bother-with-anti-virus-is-he-serious/
6. Security Software firms are Scammers
http://www.smh.com.au/technology/security/charlatans-and-scammers-googler-slams-security-software-firms-20111123-1ntpu.html
17. Android Fragmentation
https://developer.android.com/about/dashboards/index.html, data from a 7-day period ending on Nov 7, 2016
Android platform version distribution:
• Gingerbread (2.3.x): 1.3%
• Ice Cream Sandwich (4.0): 1.3%
• Jelly Bean (4.1-4.3): 13.7%
• KitKat (4.4): 25.2%
• Lollipop (5.x): 34.1%
• Marshmallow (6.0): 24.0%
• Nougat (7.0): 0.3%
18. Android Fragmentation
• Slow pace of adoption of new Android versions
• Many users run outdated software with lots of security vulnerabilities
• Latest security fixes are not rolled out quickly
• Google cannot force manufacturers to roll out security updates
• The business model pushes users to buy new phones rather than update
19. Android Fragmentation? Fix
• Google has started rolling out its own devices, the Pixel series
• Some features and updates are now delivered through Google Play services
• Does Google look like solving fragmentation? Probably not
• Android is still very popular…
• Developers are writing more apps…
22. Google play Infections
• ~10-12 malware occurrences in the Google Play store in 2015
• Malware seen pretty much every month in 2016
23. Google play Infections
Google Play infections in 2016, by month (install counts in parentheses):
• Jan 2016: Brain Test 2, Turk Clicker, Xiny
• Feb 2016: Porn Clickers (500k)
• Mar 2016: InstaAgent 2 (100-500k)
• May 2016: Viking Horde (50-100k)
• Jun 2016: Clicker, Valeriy, Level Dropper (5k)
• Aug 2016: Dress Code 1
• Sep 2016: Call Jam, Embassy Spyware, Dress Code 2 (100-500k)
• Nov 2016: Multiple Accounts (1-5 Mil)
Many apps with 100-500k install count; millions of devices infected in 2016.
29. Ghost Push
• Downloader which downloads other malware and aggressive adware
• Also known as ‘Rootnik’, ‘Shedun’, etc.
• An OTA company’s update infrastructure and application install service was causing several Ghost Push installations
• Several variants of Ghost Push were seen
• Highly persistent
35. Brain Test
• Employed anti-analysis techniques
• Anti-analysis such as IP checking, time bombs and dynamic loading
• Persistence methods used to avoid uninstalling
• Appeared multiple times on Google Play
37. Brain Test
• Check if hostname contains ‘google’ or ‘android’
• Check IP ranges for Google servers:
  216.58.192.0 - 216.58.223.255
  209.85.128.0 - 209.85.255.255
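As an added example (not code from the slides or from the malware): a sandbox self-check that applies the Brain Test fingerprint described above, so an analyst can tell whether an analysis environment would be flagged and quarantine the payload from it. The hostname markers and IP ranges are the ones on the slide; the sample hostnames and addresses are constructed.

```python
import ipaddress

# Fingerprint attributed to Brain Test on the slide: a hostname containing
# 'google' or 'android', or a public IP inside two Google address ranges.
# A sandbox operator runs this self-check to learn whether the environment
# would trip the check and should be given a neutral name and egress IP.
GOOGLE_RANGES = [
    ("216.58.192.0", "216.58.223.255"),
    ("209.85.128.0", "209.85.255.255"),
]
HOSTNAME_MARKERS = ("google", "android")


def ip_in_ranges(ip: str, ranges=GOOGLE_RANGES) -> bool:
    """True if ip falls inside any inclusive start-end range."""
    addr = ipaddress.IPv4Address(ip)
    return any(
        ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
        for lo, hi in ranges
    )


def hostname_flagged(hostname: str) -> bool:
    """True if the hostname carries one of the substrings the check looks for."""
    name = hostname.lower()
    return any(marker in name for marker in HOSTNAME_MARKERS)


def would_be_fingerprinted(hostname: str, public_ip: str) -> dict:
    """Report which part of the fingerprint a given environment trips."""
    return {
        "hostname": hostname_flagged(hostname),
        "ip": ip_in_ranges(public_ip),
    }


if __name__ == "__main__":
    # Constructed sample values, not real analysis hosts.
    for host, ip in [("android-sandbox-07", "216.58.200.10"),
                     ("lab-vm-12", "198.51.100.23")]:
        print(host, ip, would_be_fingerprinted(host, ip))
```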
39. Many variants with similar execution model
• Viking Horde - Botnet
• Godless - Exploit kit, Downloader
• Xiny - Hides payload in Image, Downloader, Ad network
• Rooting exploits and Rooting services used
• Watchdog modules for persistence
• Ad revenue, Click Fraud, Botnets ..
48. InstaAgent
• App found on both Google Play and the iOS store
• Was a very popular app with up to 100k install count
• Simple credential-stealing app with big impact
• Similar apps appeared multiple times
• Injects JS code into the web page to steal data
54. Dress Code
• Lots of infected apps found on Google Play
• Some of the apps were installed 100k-500k times
• About 400 infected apps were found in Google Play
• Malware appeared multiple times on Google Play
• Creates a botnet when the user executes an infected app
• Traffic is rerouted to help the attacker
http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/
58. Increased Sophistication
• Leave the payload for a later stage
• Pretend to be a clean app
• Target popular apps and games
• Use exploits, rooting tools and rooting services
59. Anti Analysis
• Detect the analysis environment
• Obfuscation
• Encrypt and hide payloads
• Dynamic/runtime code loading
• Detection evasion using smaller, simpler modules and tricks
61. So, how big is the malware risk ??
• Malware occurrences are still relatively low compared to Windows
• Risk of infection is also low
62. Need for Security Software
• Google has made many improvements, but NOT ENOUGH!!
• Variants have appeared again and again on the Play store (Dress Code, Brain Test, InstaCare/InstaAgent…)
• Popularity means more risk!!
• Many threats on Google Play were found by AV/security firms
• Global AV community, security researchers, multiple solutions
• Alert users about threats not detected by Google
• Many AV apps are free and also provide extra security features
63. Work Together
• Google can’t provide 100% security
• Like any other security software, it can’t detect all threats
• Google should join hands with the AV community
• Share samples and information for a better ecosystem