François Gagnon, Frgagnon@cegep-ste-foy.qc.ca, Cegep-ste-foy.qc.ca

Transcription

François y.qc.ca/cybersecurite
Android Static Analysis (original title: "Analyse statique Android")
CSET 2017, Vancouver
Frédéric Massicotte, Canadian Cyber Incident Response Centre (CCIRC), Public Safety Canada

CCIRC – Canadian Cyber Incident Response Centre
CCIRC is Canada's national coordination centre responsible for reducing the cyber risks faced by Canada's key systems and services. These systems, such as banks or phone service providers, are known as critical infrastructure.
CCIRC works within Public Safety Canada in partnership with provinces, territories, municipalities, private sector organizations and international counterparts. It also coordinates the national response to any serious cyber security incident.

Plan
- Intro
- Objectives/Results
- Android Static Analysis
- Experiment
- Dataset
- Exploring Data: Statistics & numbers
- Conclusion
- Related work

Introduction

Intro - Android static analysis
Objectives:
- Revisit previous static analysis results
  - Dataset (bigger, more recent)
  - Features (more)
- Measure the difference between legitimate and malicious apps
- Find correlations between malware samples
- Find information regarding malware production practices
- Provide insights for cyber incident responders

Intro - Android static analysis
Results:
- Confirmed some previous findings, updated others.
- General observations (statistics) for malware vs. legitimate samples.
- Specific observations of weird practices in malware production.

Intro - Android static analysis
APK archive. What is inside an APK? A lot of files, including:
- .dex (Dalvik executable, the compiled code)
- Manifest
- X509 Certificate

Stats - Experiment

Experiment - Dataset
Legitimate: 10,007 APKs from Google Play. Malware: 208,221 APKs from VirusTotal. The dataset has not been pre-filtered.

Google Play (legitimate)
nbAVDetections   nbApks
0                8,301 (83%)
1 to 4           1,299 (13%)
5 to 9           189 (2%)
10 or more       218 (2%)
N/A              0 (0%)

VirusTotal (malware)
nbAVDetections   nbApks
0                144 (0.1%)
1 to 4           4,659 (2%)
5 to 9           9,830 (5%)
10 or more       191,611 (92%)
N/A              1,977 (1%)

Experiment - Dataset by year (Malware: nb, %; Legitimate: nb, %)
(Table only partially legible; the one surviving row is 2017: 2 malware samples (0.00%), 0 legitimate samples (0.00%).)

Experiment - Extracted Information
- Manifest: permissions (frequency), appPackage, appLabel, appVersionCode, minSDKVersion/targetSDKVersion, duplicate permissions
- X509 Certificate: nbCertFiles, certStartDate, certEndDate, subject, public key, signature, certificate file name
- FileList: nbFiles, duplicate files, creationDate, file hashes (e.g. DEX md5), nested APKs

Stats - Manifest

Stats - Manifest - appPackage
appPackage                                 Nb
"com.yongrun.app.sxmn"                     33,729
prefix of "com.ym.ref.package.jxyq"        7,223

Stats - Manifest - appPackage (figure)

Stats - Manifest - appVersionCode
Distinct appVersionCode values in malware: 9,757 (ratio 0.048)

appVersionCode                  Nb Malware   Nb Legit
2 147 483 647 (2^31 - 1)        3.5%         0% (1)
2 100 000 000                   4%           0% (6)
1 000 000                       8%           7%
10                              54%          47%
1                               42%          14%

Stats - Manifest - (min/target)SDKVersion
minSDKVersion: 25 samples declare 25; 1 sample declares 999.
(Figure: minSDKVersion vs. targetSDKVersion distribution.)

Stats - Manifest - duplicatePermissions
                           Nb Malware   Nb Legit
has duplicatePermissions   65%          7.6%
avg duplicatePermissions   17           0.2
CONJECTURE: Repackaging process
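The manifest features in this section (appVersionCode, min/targetSDKVersion, duplicated uses-permission entries) can be read from a decoded AndroidManifest.xml such as apktool writes (the copy inside the APK is binary XML). The code below is an added example, not the CCIRC tooling: the sample manifest is constructed, and the definition of duplicatePermissions used here (declarations beyond the first for each permission name) is this example's assumption about what the slide counts.

```python
"""Manifest features from a decoded AndroidManifest.xml.

Added example, not the talk's code. duplicatePermissions is defined here as the
number of <uses-permission> declarations beyond the first for each name; this is
an assumption about the slide's definition.
"""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
INT32_MAX = 2**31 - 1  # versionCode is a signed 32-bit int; 2 147 483 647 is its ceiling


def _a(attr):
    """Namespaced attribute name as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed sample (not from the dataset): a repackaged app whose injected
# permissions repeat ones the original app already declared.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged" android:versionCode="2147483647">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="19"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Example"/>
</manifest>
"""


def manifest_features(xml_text):
    root = ET.fromstring(xml_text)
    names = [e.get(_a("name")) for e in root.iter("uses-permission")]
    names = [n for n in names if n]          # drop malformed entries without a name
    counts = Counter(names)

    sdk = root.find("uses-sdk")

    def sdk_attr(attr):
        v = sdk.get(_a(attr)) if sdk is not None else None
        return int(v) if v and v.isdigit() else None

    version_code = int(root.get(_a("versionCode")) or 0)
    dup_total = len(names) - len(counts)      # redundant declarations

    return {
        "appPackage": root.get("package"),
        "appVersionCode": version_code,
        # Max int32 blocks any future "upgrade" with a higher versionCode.
        "versionCodeIsIntMax": version_code == INT32_MAX,
        "minSdkVersion": sdk_attr("minSdkVersion"),
        "targetSdkVersion": sdk_attr("targetSdkVersion"),
        "permissions": sorted(counts),
        "duplicatePermissions": dup_total,
        "hasDuplicatePermissions": dup_total > 0,
        "duplicated": {n: c for n, c in counts.items() if c > 1},
    }


if __name__ == "__main__":
    for k, v in manifest_features(SAMPLE_MANIFEST).items():
        print("%-24s %s" % (k, v))
```

Over a corpus, `hasDuplicatePermissions` and the average of `duplicatePermissions` give the two rows of the table above; a manifest with a double-digit duplicate count is a strong repackaging indicator on its own.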

Stats - Certificates

Stats - Certificates - signature
Distinct certificate signatures in malware: 126,024 (ratio 0.605)

Same certificate signs more than X samples (malware)
X         Nb
10,000    10
1,000     80
100       590

Same certificate => same origin. Different certificates =/> different origins.

Stats - Certificates - publicKey
9 malware samples have distinct signatures but still the same public key. Most likely the same origin (key fragment shown on the slide: e8822712927248111f8f).
CONJECTURE: Generate a new certificate for each sample, but always reuse the same key for all those certificates.

Stats - Certificates - subject
Distinct subjects in malware: 62,093 (vs. 126,024 distinct signatures).
(Figure: most popular subjects in the malware dataset; other counts on the slide, "…,159" and "8,496", are not legible in context.)

Stats - Certificates - fileName (50.086)
Popular certificate file names
File name      Nb Malware        Nb Legit
CERT.RSA       89,330 (42.9%)    8,379 (83.7%)
ZZW.RSA        36,232 (17.4%)    0 (0%)
Android.RSA    13,505 (6.5%)     10 (0%)
(The NbDistinctSignatures column of this table did not survive transcription.)

2,249 malware samples have a certificate file name following the pattern "8 digits".RSA; 1,594 of those have a creation date that exactly matches the file name (yyyymmdd).

Stats - Certificates - fileName (figure)

Stats - Certificates - (start/end)Date
It is not entirely clear to me what the impact of those dates is in Android.
- An app can be updated only if its certificate is not expired.
- To be accepted on Google Play:
  - The certificate of an app must not expire before 2033-10-22.
  - The certificate must have started its validity.
- But they could still be installed on a device.
- This info is harder to leverage.

Stats - Certificates - (start/end)Date
Two strategies:
a. Delta between end and start date (validityPeriod)
b. Delta between start date and APK packaging date

validityPeriod              Malware          Legit
min value                   1 day            18 years
nb with validity 1 year     13,568 (6.5%)    0 (0%)
avg value                   10 years         189 years

Tool defaults: OpenSSL takes -days (in days, default 30); Android Studio asks for years (default 25).

Stats - CreationDate

Stats - Dates - creationDate
Now, let's observe the delta between creationDate and certStartDate (with second-level precision) to get insight into the creation process.
Deltas tend to be grouped right on the hour.
CONJECTURE: certificate and APK are created on different machines in different timezones.
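Both date strategies from the certificate section (validityPeriod, and certStartDate to packaging delta) and the "on the hour" observation above can be computed with nothing but datetime arithmetic. The block below is an added example, not the talk's code, run over constructed records; it assumes creationDate is the APK's zip entry timestamp, which is local time with no zone information, whereas X.509 notBefore/notAfter are UTC. That mismatch is exactly what makes a cross-timezone pipeline show up as whole-hour deltas.

```python
"""Certificate-date features: validityPeriod and certStart-to-packaging delta.

Added example, not the talk's code. creationDate is assumed to be the APK's
newest zip entry timestamp (local time, no zone); X.509 validity dates are UTC.
"""
from datetime import datetime

OPENSSL_DEFAULT_DAYS = 30          # `openssl req -x509 -days` default
ANDROID_STUDIO_DEFAULT_YEARS = 25  # Android Studio keystore wizard default
DAYS_PER_YEAR = 365.25

# Constructed records, not from the CCIRC dataset.
SAMPLES = [
    # 1-year cert (openssl -days 365); APK packaged 37 s after the cert but
    # 12 h apart on the clock: two machines, two timezones.
    {"id": "mal-1", "start": datetime(2016, 3, 2, 9, 0, 0),
     "end": datetime(2017, 3, 2, 9, 0, 0), "created": datetime(2016, 3, 2, 21, 0, 37)},
    # 1-day cert from the same pipeline.
    {"id": "mal-2", "start": datetime(2016, 3, 2, 9, 0, 0),
     "end": datetime(2016, 3, 3, 9, 0, 0), "created": datetime(2016, 3, 2, 21, 0, 12)},
    # 25-year cert (Android Studio default); APK built by hand years later.
    {"id": "legit-1", "start": datetime(2014, 6, 1, 14, 22, 5),
     "end": datetime(2039, 6, 1, 14, 22, 5), "created": datetime(2016, 11, 20, 10, 5, 44)},
]


def validity_period(rec):
    """Strategy a: certEndDate - certStartDate."""
    return rec["end"] - rec["start"]


def validity_years(rec):
    return validity_period(rec).days / DAYS_PER_YEAR


def is_one_year(rec):
    # `openssl ... -days 365` yields exactly 365 days whatever the start date.
    return validity_period(rec).days == 365


def start_to_packaging(rec):
    """Strategy b: creationDate - certStartDate (negative = signed before valid)."""
    return rec["created"] - rec["start"]


def is_on_the_hour(delta, tolerance_s=120):
    """True when the delta is a whole number of hours +/- tolerance: the trace of
    a cert and an APK produced seconds apart on clocks in different timezones.
    Half-hour zones (e.g. UTC+5:30) would need a 1800 s modulus instead."""
    rem = int(delta.total_seconds()) % 3600
    return rem <= tolerance_s or 3600 - rem <= tolerance_s


def hour_offset(delta):
    """Apparent timezone gap in whole hours."""
    return round(delta.total_seconds() / 3600)


def summarize(samples):
    periods = [validity_period(r) for r in samples]
    return {
        "min_validity_days": min(p.days for p in periods),
        "avg_validity_years": sum(p.days for p in periods) / len(periods) / DAYS_PER_YEAR,
        "nb_one_year": sum(is_one_year(r) for r in samples),
        "nb_on_the_hour": sum(is_on_the_hour(start_to_packaging(r)) for r in samples),
        "hour_offsets": {r["id"]: hour_offset(start_to_packaging(r)) for r in samples
                         if is_on_the_hour(start_to_packaging(r))},
    }


if __name__ == "__main__":
    for r in SAMPLES:
        print(r["id"], validity_period(r), start_to_packaging(r),
              is_on_the_hour(start_to_packaging(r)))
    print(summarize(SAMPLES))
```

A histogram of `hour_offset` over a whole corpus is the practical version of the slide: a spike at one offset (12 h in the talk) points at one build pipeline, and the 365-day and 1-day certificates single out `openssl`-driven signing rather than the Android Studio wizard.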

Stats - FileList

Stats - FileList - misc
                                                         Malware   Legit
avg number of files inside APK                           247       606
number of samples containing a specific DEX file
  [DEX file md5: cfdba92d344b57fecabadab26296f84c]       8,250     0
number of samples containing an APK inside               13,211    97
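The FileList features above (file count, a known DEX hash, an APK nested inside the APK) and the dated certificate file-name check from the certificate section all come from the zip container, so Python's zipfile module is enough. The block below is an added example, not the talk's code: the APK is constructed in memory, and the choice of the newest zip entry timestamp as creationDate is this example's assumption.

```python
"""FileList features from an APK (a zip archive).

Added example, not the talk's code. creationDate is assumed to be the newest
zip entry timestamp; ZIP timestamps are local time with no zone information.
"""
import hashlib
import io
import re
import zipfile
from datetime import datetime

# DEX file the talk found in 8,250 malware samples and 0 legitimate ones.
KNOWN_DEX_MD5 = {"cfdba92d344b57fecabadab26296f84c"}
CERT_FILE_RE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$")
DATED_CERT_NAME_RE = re.compile(r"^META-INF/(\d{8})\.(RSA|DSA|EC)$")
ZIP_MAGIC = b"PK\x03\x04"

SAMPLE_DEX = b"dex\n035\x00" + b"\x00" * 32  # constructed, not a real dex


def build_sample_apk(stamp=(2015, 11, 24, 3, 14, 16)):
    """Constructed APK-like zip: dated cert file, nested APK under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        def add(name, data):
            zi = zipfile.ZipInfo(name, date_time=stamp)
            zi.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(zi, data)
        add("AndroidManifest.xml", b"\x03\x00\x08\x00")      # binary XML header only
        add("classes.dex", SAMPLE_DEX)
        add("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        add("META-INF/20151124.SF", b"Signature-Version: 1.0\n")
        add("META-INF/20151124.RSA", b"\x30\x82\x00\x00")     # PKCS#7 DER header only
        add("assets/update.apk", ZIP_MAGIC + b"\x00" * 16)   # embedded APK
        add("res/layout/main.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()


def dex_fingerprint(data):
    return hashlib.md5(data).hexdigest()


def filelist_features(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        infos = [i for i in z.infolist() if not i.is_dir()]
        names = [i.filename for i in infos]
        creation = max(datetime(*i.date_time) for i in infos)

        dex_md5 = {n: dex_fingerprint(z.read(n)) for n in names if n.endswith(".dex")}

        # Nested archives: by extension, and by magic for renamed payloads.
        nested = []
        for n in names:
            with z.open(n) as fh:
                head = fh.read(4)
            if n.lower().endswith(".apk") or head == ZIP_MAGIC:
                nested.append(n)

        cert_files = [n for n in names if CERT_FILE_RE.match(n)]
        dated = {}
        for n in cert_files:
            m = DATED_CERT_NAME_RE.match(n)
            if m:
                dated[n] = m.group(1) == creation.strftime("%Y%m%d")

    return {
        "nbFiles": len(names),
        "creationDate": creation,
        "dexMd5": dex_md5,
        "containsKnownDex": bool(KNOWN_DEX_MD5 & set(dex_md5.values())),
        "nestedApks": nested,
        "nbCertFiles": len(cert_files),
        "certFileNames": cert_files,
        "datedCertNameMatchesCreation": dated,
    }


if __name__ == "__main__":
    for k, v in filelist_features(build_sample_apk()).items():
        print("%-30s %s" % (k, v))
```

Checking the magic bytes as well as the extension matters because a dropper can store its second-stage APK under any name; the 8-digit file-name test only fires for signers whose tooling names the signature block after the build date, which is what the talk observed for 1,594 samples.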

Conclusion

Conclusion
- Malware creation is automated but still careless
  - Many artifacts
  - Easy correlation/identification for low-hanging fruits
- Revisiting is good as some things evolve
- Some interesting weird stuff:
  - APKs inside APKs
  - Time delta (12h) between cert creation and APK packaging
  - Duplicate permissions

Conclusion – Related Work
- Scope: 5 features vs. 25; most used 5,000 malware vs. 200,000; most used older malware.
- [8]: malware appVersion vs. benign appVersion: just for appVersion 1; appVersionName instead of appVersionCode
- [12]: malware request more permissions
- [10 & 15]: most requested permissions, malware vs. benign: malware vs. benign profiles are still different; changes in the most popular permissions

Conclusion – Related Work
- [9] used the serial number to distinguish certificates; the signature should be used instead: 5 groups of distinct certificates (signature, public key) have the same serial number
- [9] number of distinct certificates seen: 622/4,554 (0.14) vs. 126,024/208,221 (0.61)
- [3]: malware are created on a Mon-Fri schedule
