Stefano Zanero, Politecnico di Milano
Collaboration work with:
- Technical University of Vienna (TUV)
- Foundation for Research & Technology Hellas (FORTH)
Wolf, Wolf!
So much malware.
So little malware.
Low infection rates?
• The Core of the Matter (NDSS13) 0.0009%
• The Company You Keep (WWW14) 0.28%
Google: Android Security From The Ground Up (VirusBulletin 2013)
AV vendors paint a different picture…
Fortinet 2014 Threat Landscape Report
TrendMicro TrendLabs 1Q 2014 Security Roundup
McAfee Labs Threats Report June 2014
Motivation
• How are malicious apps distributed?
- Official Google Play Store
- Torrents, One-Click Hosters
- Websites, Blogs, …
- Alternative App Markets
• How wide-spread are malicious apps, how often are they downloaded?
• Do alternative markets employ security measures?
• Collect metadata for malware analysis
- Andrubis, AndroTotal
Metadata
• Malware for traditional devices (desktop)
- No metadata
- Best case: we know the website that tried to perform a drive-by download infection
• Malware for mobile devices
- Internal metadata
• App name, developer pseudonym
• Package name
• Resources (e.g., assets, images)
- External metadata
• App name (as on the market)
• Description, comments, rating
• Popularity
Market Metadata: Google Play
Outline
• Market Characterization
• Android Market Radar (AndRadar)
• Evaluation and Case Study
• Future Work and Conclusion
MST Workshop 2015
Market Characterization
• Alternative markets are popular because of …
- Country gaps (e.g. no paid apps in Google Play China)
- Promotion
- Specific needs and specialization
• Sometimes, too specific: check removedapps.com …
• Preliminary study on 8 alternative marketplaces
- Crawled them entirely between July and Nov 2013
- Downloaded 318,515 apps
(1) Distribution of Unwanted Apps
Do markets distribute known, unwanted apps?
• Yes, they do!
• 5-8% malicious apps in whole dataset (10+ AV detections, excluding adware)
• Some markets specialize in adware/“madware”
(2) Publication of malicious apps
Do markets allow the publication of malicious apps?
• Yes, they do!
• Ranking based on number of published apps
• Well visible and known to market operators
• Top authors publish both benign and malicious apps
[Chart: top 5 authors per market (andapponline, camangi, opera, pandaapp, slideme); y-axis: number of apps published (0-150), split into Malware and Goodware]
(3) Distinctive metadata
Do malicious apps have distinctive metadata?
• Yes, they do!
• Malicious apps are downloaded more often
- Inflation of ranking with app rank boosting services
• Malicious apps slightly larger than goodware
- Additional malicious code in repackaged apps
(4) Market Overlap
How are markets related to each other?
• Markets share up to 47% MD5s, 75% package names
[Figure: pairwise overlap between andapponline, opera, getjar, blackmart, pandaapp, slideme, fdroid and camangi; left matrix: intersection by MD5, right matrix: intersection by package name; cells range from 12% to 75%]
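The two overlap matrices above are the same computation run with two different app identifiers. The following is an added example, not code from the deck or from AndRadar: it reduces each market crawl to (package name, MD5) pairs (the three market snapshots and their shortened hashes are constructed), computes the directional overlap |src ∩ dst| / |src| by either identifier, and lists the apps that explain the gap between the two numbers, i.e. the same package name shipped as a different binary, which is what a repackaged app looks like across markets.

```python
"""Pairwise market overlap by MD5 and by package name.

Added example, not code from the original deck or from AndRadar. It assumes
each market crawl has been reduced to a list of (package_name, md5) pairs;
the three market snapshots below are constructed sample data with shortened
placeholder hashes, not real digests.
"""
from typing import Dict, List, Tuple

Crawl = List[Tuple[str, str]]  # (package name, MD5 of the APK)

MARKETS: Dict[str, Crawl] = {
    "marketA": [("com.example.flashlight", "a1"), ("com.example.notes", "b2"),
                ("com.example.game", "c3"), ("org.example.reader", "d4")],
    "marketB": [("com.example.flashlight", "a1"), ("com.example.notes", "b2x"),
                ("com.example.game", "c3"), ("net.example.weather", "e5")],
    "marketC": [("com.example.flashlight", "a1")],
}

PACKAGE, MD5 = 0, 1  # index into the (package, md5) tuple


def overlap(src: Crawl, dst: Crawl, key: int) -> float:
    """Directional overlap |src ∩ dst| / |src|, comparing apps by `key`
    (PACKAGE or MD5). Directional because a small market can be fully
    contained in a large one without the reverse being true."""
    s = {app[key] for app in src}
    d = {app[key] for app in dst}
    return len(s & d) / len(s) if s else 0.0


def overlap_matrix(markets: Dict[str, Crawl], key: int) -> Dict[Tuple[str, str], float]:
    """Overlap for every ordered pair of distinct markets."""
    names = sorted(markets)
    return {(a, b): overlap(markets[a], markets[b], key)
            for a in names for b in names if a != b}


def same_name_different_binary(src: Crawl, dst: Crawl) -> List[str]:
    """Package names present in both markets whose APKs differ by MD5.
    The gap between package-name overlap and MD5 overlap comes from these
    apps: same branding, different binary, which is what a repackaged
    (trojanised) app looks like when it travels between markets."""
    src_by_pkg = {pkg: md5 for pkg, md5 in src}
    dst_by_pkg = {pkg: md5 for pkg, md5 in dst}
    return sorted(pkg for pkg in src_by_pkg.keys() & dst_by_pkg.keys()
                  if src_by_pkg[pkg] != dst_by_pkg[pkg])


if __name__ == "__main__":
    for key, label in ((MD5, "MD5"), (PACKAGE, "package name")):
        for (a, b), frac in sorted(overlap_matrix(MARKETS, key).items()):
            print(f"{a} -> {b}: {frac:.0%} intersection by {label}")
    print("same name, different binary (A vs B):",
          same_name_different_binary(MARKETS["marketA"], MARKETS["marketB"]))
```

On the constructed data marketA shares 75% of its package names with marketB but only 50% of its MD5s; the single app accounting for the difference is com.example.notes, which is exactly the kind of listing worth pulling for analysis.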
Outline
• Market Characterization
• Android Market Radar (AndRadar)
• Evaluation and Case Study
• Future Work and Conclusion
AndRadar Design Goals
• Discover apps in markets in real-time
• Track distribution of apps across markets
• Increasing space and time requirements
- Metadata is dynamic: regular crawling of apps
- Crawling of complete markets becomes infeasible
• Plethora of alternative markets
- ~196 in October 2011 (Vidas et al. CODASPY13)
- ~500 in Juniper Threats Report March 2012/2013
- ~89 in our market study in June 2013
AndRadar Architecture
[Architecture diagram: components Seed, Search, Metadata Scraper, Downloader and Tracker; inputs/outputs: Market Specifications, App Metadata]
App Discovery
• Lightweight identifier to select target apps
• Package name uniquely identifies app on device
• Package name identifies app in markets
• Part of an app’s “Branding”
App Discovery: AppChina
App Discovery: Appszoom
APP MATCHING WORKFLOW
Speed for a full market scan
Collected Metadata
• Continuous monitoring of discovered apps
• Harvest meta information from market listing
- Upload date
- Description
- Screenshots
- Number of downloads
- User ratings
- Reviews
- Other apps by the same author
- Delete date
Outline
• Market Characterization
• Android Market Radar (AndRadar)
• Evaluation and Case Study
• Future Work and Conclusion
Overall performance
• Track tens of thousands of apps per market/day
• Tracked 20,000 malicious apps
• perfect match + deleted = market-deleted malware
• weak match + non-deleted = benign app used as host (same package name)
Application Lifecycles
Normal Lifecycle (90.75%):
Market deletes app after it is detected by AVs
Application Lifecycles
Malware Hopping (7.89%):
App republished after detection
“Failover” strategy
Application Lifecycles
Market Self-Defense (1.56%):
Market deletes app before it is detected by AVs
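The app-discovery slides (package name as the lightweight identifier, perfect vs. weak match) and the three lifecycle slides above describe one decision procedure. The following is an added example, not code from the deck or from AndRadar: it matches a seed of known-malicious samples against market listings by package name, then by MD5, applies the deck's two combination rules, and places each perfect match on the lifecycle timeline relative to the first AV detection. Seed records, listings, hashes and dates are all constructed; the "malware still online" and "weak match, deleted" labels are added for the two combinations the deck does not name.

```python
"""Seed-driven app matching and lifecycle classification.

Added example, not code from the original deck or from AndRadar. It assumes
a seed of known-malicious samples (package name, MD5, first AV detection date)
and per-market listing snapshots carrying the package name, the MD5 of the
downloadable APK and the dates the listing was deleted or republished, if
ever. All records below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Seed:
    package: str
    md5: str
    av_detected: date  # first day an AV engine flagged this sample


@dataclass(frozen=True)
class Listing:
    market: str
    package: str
    md5: str
    deleted: Optional[date] = None      # when the market removed the listing
    republished: Optional[date] = None  # when the same APK reappeared there


def match_kind(seed: Seed, listing: Listing) -> Optional[str]:
    """'perfect' when package name and binary agree, 'weak' when only the
    package name agrees (a different binary under the same branding), None
    when the lightweight identifier, the package name, does not match."""
    if seed.package != listing.package:
        return None
    return "perfect" if seed.md5 == listing.md5 else "weak"


def classify(seed: Seed, listing: Listing) -> str:
    """Combine match kind with listing state as in the deck:
    perfect + deleted = market-deleted malware;
    weak + non-deleted = benign app used as host (same package name).
    The two remaining combinations get labels for analyst review."""
    kind = match_kind(seed, listing)
    if kind is None:
        return "no match"
    deleted = listing.deleted is not None
    if kind == "perfect":
        return "market-deleted malware" if deleted else "malware still online"
    return "weak match, deleted" if deleted else "benign app used as host"


def lifecycle(seed: Seed, listing: Listing) -> Optional[str]:
    """Lifecycle of a perfect match, relative to the AV detection date:
    malware hopping      - republished after detection ("failover")
    market self-defense  - deleted before AV detection
    normal               - deleted after AV detection
    still online         - never deleted"""
    if match_kind(seed, listing) != "perfect":
        return None
    if listing.republished is not None and listing.republished >= seed.av_detected:
        return "malware hopping"
    if listing.deleted is None:
        return "still online"
    if listing.deleted < seed.av_detected:
        return "market self-defense"
    return "normal"


def lifecycle_report(seeds: Iterable[Seed], listings: Iterable[Listing]) -> Counter:
    """Count lifecycle categories over every (seed, listing) perfect match."""
    counts: Counter = Counter()
    seeds = list(seeds)
    for listing in listings:
        for seed in seeds:
            category = lifecycle(seed, listing)
            if category is not None:
                counts[category] += 1
    return counts


# Constructed sample data. "a1" stands in for the MD5 of a known-malicious
# repackaged flashlight app; "orig" for the hash of the clean original.
SEEDS = [Seed("com.example.flashlight", "a1", date(2013, 9, 10))]
LISTINGS = [
    Listing("marketA", "com.example.flashlight", "a1", deleted=date(2013, 9, 15)),
    Listing("marketB", "com.example.flashlight", "a1", deleted=date(2013, 9, 5)),
    Listing("marketC", "com.example.flashlight", "a1", deleted=date(2013, 9, 12),
            republished=date(2013, 9, 20)),
    Listing("marketD", "com.example.flashlight", "orig"),  # clean original, never deleted
    Listing("marketA", "com.example.notes", "zz"),         # unrelated app
]

if __name__ == "__main__":
    for listing in LISTINGS:
        print(listing.market, listing.package, classify(SEEDS[0], listing),
              lifecycle(SEEDS[0], listing))
    print(dict(lifecycle_report(SEEDS, LISTINGS)))
```

The republish check runs before the deletion check on purpose: a hopping app is typically deleted and then republished, and without that ordering it would be counted as a normal lifecycle and the failover pattern would go unnoticed.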
Community Reaction Time
[Chart: Google Play vs. other markets]
Market Reaction Time
Outline
• Market Characterization
• Android Market Radar (AndRadar)
• Evaluation and Case Study
• Future Work and Conclusion
Future Current Work
• Automated notification system for markets
• Extend app discovery in markets based on
- Application name
- Image characteristics (icon, screenshots)
- Description of functionality
• Versioning of malicious apps
• Identify fraud in markets (“App rank boosting”)
- Inflated download numbers
- Fake ratings and reviews
Want to play? The system is online at:
- http://admire.necst.it
ADMIRE
Intelligence platform
Rank marketplaces
Distinguish between malicious and benign developers
Evaluate goodness of applications
Data collection
Seed collected: 87,115
Marketplaces crawled: 11
Apps collected: 191,851
Developers found: 25,512
[Pipeline diagram: Malicious sources, Seed, Crawler, DB; steps: Search, Collect APK and metadata]
Conclusions
• In-depth measurement on 8 alternative markets
• AndRadar to discover malicious apps in real-time
• Tracking of app distribution across markets
• Collect metadata about apps
- Branding
- Updates
- Download numbers
- Ratings & reviews
• Expose publishing patterns of malware authors
- “Failover” strategies to migrate between markets
THANKS!
Questions?
stefano.zanero@polimi.it - @raistolo
http://zanero.org

Slide Intervento Zanero Giornata del Perito 2015
