Monitoring Real Android Malware

Andreas Bauer and Jan-Christoph Küster

RV 2015

Hypothesis

Runtime verification is suitable for mobile security

Our Android Monitoring App

Demo

MonitorMe

(http://kuester.multics.org/MonitorMe/)

MonitorMe

Combines advantages of app- and platform-centric monitoring

MonitorMe

(Requires root and Linux kernel with kprobes)
  • Truly modular: can be loaded into a running Android system
  • Modifies neither apps nor the platform
  • No custom Android build to deploy (which would disrupt the user experience)
  • Portable and efficient
  • Any app can be intercepted (incl. Google, system or hidden apps)
  • Does not break the license agreement or the original app signature
  • Difficult to bypass

Android Event Interception

Existing Approaches

Platform-centric
What they modify: Android platform components, e.g.
  • Android API, Dalvik VM, system services, C/C++ libraries, OS kernel
Strengths
  • Cannot be bypassed
  • No limitation to what can be monitored
Weaknesses
  • Platform modifications
  • Only for experienced users (compile/deploy custom firmware)
  • Higher porting effort across Android OS versions and hardware
Example tools
  • TaintDroid [EGC10]
  • LogicDroid [GT13]
  • Apex [NKZ10]

Android Event Interception

Existing Approaches

App-centric
What they modify: only the apps themselves, e.g.
  • rewrite Java bytecode
  • redirect function pointers of libc
Strengths
  • No platform modifications
  • Easy to install on “off the shelf” devices
Weaknesses
  • Vulnerable to bypassing
  • Violate the license agreement
  • Destroy original signature
  • Google or system apps cannot be rewritten
Example tools
  • Aurasium [XSA12]
  • AppGuard [BGH13]
  • Dr. Android [JMV11]

Android's Binder

  • The IPC mechanism for building object-oriented OS services on top of Linux; apps reach system services (and each other) through it, which makes it the central point for observing app behaviour

Interfaces Observed in the Wild (> 100)

Nexus 5, Android Version 5.0.1

Interface  # of events

IMountService  1164
android.accessibilityservice.IAccessibilityServiceConnection  223
android.accounts.IAccountManager  727
android.app.IActivityContainer  118
android.app.IActivityManager  88940
android.app.IAlarmManager  1974
android.app.IApplicationThread  60211
android.app.INotificationManager  429
android.app.ISearchManager  8
android.app.IUiModeManager  117
android.app.admin.IDevicePolicyManager  14
android.app.backup.IBackupManager  8
android.bluetooth.IBluetooth  42
android.bluetooth.IBluetoothA2dp  1
android.bluetooth.IBluetoothHeadset  1
android.bluetooth.IBluetoothManager  17
android.content.IBulkCursor  8632
android.content.IClipboard  2
android.content.IContentProvider  12941
android.content.IContentService  10483
android.content.ISyncContext  19
android.content.pm.IPackageManager  15996
android.database.IContentObserver  87
android.drm.IDrm  42
android.gui.DisplayEventConnection  38724
android.gui.IProducerListener  156
android.gui.SensorEventConnection  1151
android.gui.SensorServer  399
android.hardware.ICamera  50
android.hardware.ICameraService  48
android.hardware.display.IDisplayManager  11369
android.hardware.input.IInputManager  248
android.location.ILocationManager  507
android.media.IAudioFlinger  478
android.media.IAudioPolicyService  34837
android.media.IAudioService  68
android.media.IAudioTrack  456
android.media.IMediaCodecList  1463
android.media.IMediaMetadataRetriever  2092
android.media.IMediaPlayer  850
android.media.IMediaPlayerService  417
android.media.IMediaRouterService  35
android.media.session.ISession  273
android.media.session.ISessionManager  36
android.net.IConnectivityManager  14195
android.net.INetworkStatsService  91
android.net.wifi.IWifiManager  1042
android.nfc.INfcAdapter  7
android.os.IMessenger  113
android.os.IPowerManager  2620
android.os.IServiceManager  43057
android.os.IUserManager  344
android.os.IVibratorService  50
android.ui.IGraphicBufferAlloc  57
android.ui.ISurfaceComposer  165
android.utils.IMemory  115
android.utils.IMemoryHeap  5
android.view.IAssetAtlas  198
android.view.IWindowManager  17710
android.view.IWindowSession  2930
android.view.accessibility.IAccessibilityInteractionConnectionCallback  1
android.view.accessibility.IAccessibilityManager  20611
android.webkit.IWebViewUpdateService  71
com.android.internal.app.IAppOpsService  744
com.android.internal.appwidget.IAppWidgetService  365
com.android.internal.os.IResultReceiver  3
com.android.internal.telecom.ITelecomService  34722
com.android.internal.telephony.IPhoneSubInfo  225
com.android.internal.telephony.ISms  1
com.android.internal.telephony.ISub  2861
com.android.internal.telephony.ITelephony  480
com.android.internal.telephony.ITelephonyRegistry  22
com.android.internal.textservice.ISpellCheckerSession  15
com.android.internal.textservice.ISpellCheckerSessionListener  11
com.android.internal.textservice.ITextServicesManager  264
com.android.internal.view.IInputContext  2121
com.android.internal.view.IInputContextCallback  262
com.android.internal.view.IInputMethodManager  1419
com.android.internal.view.IInputMethodSession  686
com.android.internal.view.IInputSessionCallback  86
com.android.vending.billing.IInAppBillingService  64
com.facebook.fbservice.observer.IBlueServiceObserver  2
com.facebook.fbservice.service.IBlueService  2
com.facebook.fbservice.service.ICompletionHandler  2
com.google.android.auth.IAuthManagerService  35
com.google.android.finsky.services.IMarketCatalogService  1
com.google.android.gms.ads.identifier.internal.IAdvertisingIdService  650
com.google.android.gms.ads.internal.gservice.IGservicesValueService  10
com.google.android.gms.ads.internal.request.IAdRequestService  23
com.google.android.gms.analytics.internal.IAnalyticsService  129
com.google.android.gms.appdatasearch.internal.IAppDataSearch  153
com.google.android.gms.clearcut.internal.IClearcutLoggerService  196
com.google.android.gms.common.internal.IGmsServiceBroker  373
com.google.android.gms.fitness.internal.IGoogleFitnessService  14
com.google.android.gms.http.IGoogleHttpService  466
com.google.android.gms.location.internal.IGoogleLocationManagerService  863
com.google.android.gms.location.reporting.internal.IReportingService  25
com.google.android.gms.maps.auth.IApiTokenService  2
com.google.android.gms.mdm.internal.INetworkQualityService  16
com.google.android.gms.people.internal.IPeopleService  17
com.google.android.music.net.IDownloadabilityChangeListener  1
com.google.android.music.net.INetworkChangeListener  5
com.google.android.music.net.INetworkMonitor  4
com.google.android.music.net.IStreamabilityChangeListener  1
com.google.android.music.playback.IMusicPlaybackService  87
com.google.android.music.preferences.IPreferenceChangeListener  3
com.google.android.music.preferences.IPreferenceService  5
com.google.android.music.store.IStoreService  798
com.google.android.now.INowAuthService  2
syscall  1959

MonitorMe

Architecture

1. Intercepting System Calls in the Kernel

Why?

  • Cannot be bypassed by apps
  • Unlikely to change in the future

How?

  • We use the Linux kernel’s internal debugging facility (kprobes)
  • Probes dynamically inserted at almost arbitrary kernel addresses
  • Handler routines specified in kernel module

Which ones?

  • sys_open(const char __user *filename, ...): opens files for reading/writing
  • sys_connect(int sockfd, const struct sockaddr *addr, ...): establishes network connections
  • do_execve(char *filename, char __user * __user *argv, ...): the single path through which binaries and shell commands are executed
  • ioctl(): used to talk to kernel drivers (e.g., the Binder driver, whose transactions carry all Binder IPC)

2. Unmarshalling

Algorithm

1) Unmarshall interface name (ISms)

  • Create Parcel object from *buffer
  • Read it from the Parcel object via readString()

2) Unmarshall method name (sendText)

  • Use reflection on the interface's generated Stub class to find the TRANSACTION_* constant whose value equals the transaction code

3) Unmarshall method arguments (“12345”, null, “Hello!”, ...)

  • Access order and types of method arguments via reflection
  • Apply Parcel’s read methods according to the type and order
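The three unmarshalling steps, carried out over a constructed Binder transaction buffer. This is an added example in Python, not MonitorMe's Java code: the Parcel wire format (int32 strict-mode header, String16 interface descriptor, AIDL argument encoding with a presence flag for nullable Parcelables) is Android's, while the transaction code 5 for sendText, the Stub code table and the 5-argument sendText signature are assumptions standing in for what the app obtains by reflection over the generated Stub.

```python
# Added example (not MonitorMe/DroidTracer code): decoding a Binder transaction
# buffer the way the three unmarshalling steps describe. Assumptions are marked.
import struct

ISMS = "com.android.internal.telephony.ISms"

# Step 2 needs the Stub's TRANSACTION_* constants; real values are version
# specific, so this table is a constructed stand-in for what reflection over
# the generated Stub class would return.
STUB_CODES = {ISMS: {5: "sendText"}}

# Step 3 needs parameter order and types; the 5-argument form is the one the
# slides show: sendText(dest, scAddr, text, sentIntent, deliveryIntent).
SIGNATURES = {ISMS: {"sendText": ("String", "String", "String", "Parcelable?", "Parcelable?")}}


def _pad4(n):
    """Parcel aligns every variable-length payload to 4 bytes."""
    return (n + 3) & ~3


def write_int32(v):
    return struct.pack("<i", v)


def write_string16(s):
    """Parcel.writeString: int32 char count (-1 for null), UTF-16LE chars,
    a 2-byte NUL terminator, then zero padding up to a 4-byte boundary."""
    if s is None:
        return write_int32(-1)
    data = s.encode("utf-16-le") + b"\x00\x00"
    return write_int32(len(s)) + data + b"\x00" * (_pad4(len(data)) - len(data))


class ParcelReader:
    """Sequential reader over the transaction's data buffer."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def read_int32(self):
        (v,) = struct.unpack_from("<i", self.buf, self.pos)
        self.pos += 4
        return v

    def read_string16(self):
        n = self.read_int32()
        if n < 0:                                   # -1 encodes a null String
            return None
        raw = self.buf[self.pos:self.pos + 2 * n]
        self.pos += _pad4(2 * (n + 1))              # chars + NUL, 4-byte aligned
        return raw.decode("utf-16-le")

    def read_interface_token(self):
        self.read_int32()                           # strict-mode policy header, not interpreted here
        return self.read_string16()                 # interface descriptor


def decode_transaction(buf, code, stub_codes=STUB_CODES, signatures=SIGNATURES):
    """Return (interface, method, args, complete). complete is False when an
    argument type is not handled and decoding stopped early, i.e. the
    'partially unmarshalled' case of the portability figures."""
    r = ParcelReader(buf)
    iface = r.read_interface_token()                        # 1) interface name
    method = stub_codes.get(iface, {}).get(code)            # 2) method name via code
    if method is None:
        return iface, None, [], False
    args = []
    for ty in signatures[iface][method]:                    # 3) arguments in order
        if ty == "String":
            args.append(r.read_string16())
        elif ty == "int":
            args.append(r.read_int32())
        elif ty == "Parcelable?" and r.read_int32() == 0:   # AIDL null flag
            args.append(None)
        else:                                               # payload type not handled
            return iface, method, args, False
    return iface, method, args, True


# Constructed sample: ISms.sendText("12345", null, "Hello!", null, null) as an
# app marshals it before the ioctl(BINDER_WRITE_READ) that the kprobe catches.
SAMPLE = (write_int32(0) + write_string16(ISMS)
          + write_string16("12345") + write_string16(None) + write_string16("Hello!")
          + write_int32(0) + write_int32(0))

if __name__ == "__main__":
    print(decode_transaction(SAMPLE, 5))
```

A non-null PendingIntent would be followed by a flattened binder object, which this decoder does not read; it then returns what it has so far with complete=False, which is exactly how an event ends up in the "unmarshalled (partially)" row rather than the "totally" row.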

2. Unmarshalling

Stub and Proxy

3. Kernel/User Space Communication

Problem: Android provides no built-in channel between a kernel module and an app

  • Solution: We use netlink (efficient and bidirectional)
  • Communication endpoints live in the kernel module and in MonitorMe (no platform modification)
  • The app side is a custom netlink endpoint built with the Netlink Protocol Library (libnl), inside droidtracer.so

Kernel module $\rightarrow$ DroidTracer Service (Java)

  • Forward intercepted low-level events (no polling)

DroidTracer Service (Java) $\rightarrow$ Kernel module

  • Switch event interception on/off for apps
  • Blacklist uninteresting services

Specifying Malware Behaviour

Our Specification Language

LTLFO

  • Modelling observed behaviour as a trace of event sets
    • $\{\text{sys\_connect@syscall}(\text{"ispgateway.de"})\}\ \{\text{deviceId@ITelephony}()\}\ \{\text{sendText@ISms}(\text{"12345"}, null, \text{"Hello!"}, null, null)\}$
  • Specifying unwanted behaviour
    • $G\,\forall(dest, \_, txt, \_, \_): \text{sendText@ISms}.\ inContactBook(dest)$
  • Monitor semantics

Specified Malware Behaviour

Four categories of malware behaviour, derived from the Android Malware Genome Project [ZJ2011]:
  • Information Stealing
  • Privilege Escalation
  • Launching Malicious Payloads
  • Financial Charges

Specifying Malware Behaviour

3. Category: Launching Malicious Payloads

  • Malicious services often start after ...
    • system boot (via a receiver registered for the BOOT_COMPLETED broadcast)
    • an SMS is received (via a receiver registered for the SMS_RECEIVED broadcast)
  • SMS_RECEIVED also gives access to the incoming SMS ($\rightarrow$ check for information stealing)
  • We prefix events of the Android system (UID 1000) with "system#"; <pkg> stands for the monitored app's package name
$\psi_{16} = \exists(intent, txt, \_): \text{system\#scheduleReceiver@IApplicationThread}.\ regex(intent, \text{".*BOOT\_COMPLETED.*"}) \land regex(txt, \text{".*<pkg>.*"})$
$\psi_{17} = \exists(intent, txt, \_): \text{system\#scheduleReceiver@IApplicationThread}.\ regex(intent, \text{".*SMS\_RECEIVED.*"}) \land regex(txt, \text{".*<pkg>.*"})$

Specifying Malware Behaviour

1. Category: Information Stealing

  • Sensitive information is requested (source) and sent out of the app's sandbox (sink)

Refinement   Formula                                                                                                  Pattern
             $G\,\neg\psi_i$                                                                                          Absence globally
1st          $G(\psi_i \rightarrow \neg F\,\psi')$                                                                   Absence after
2nd          $G(\psi_i \land \neg\psi' \rightarrow (\neg\psi'\ W\ (\text{N/A@ISurfaceComposer} \land \neg\psi')))$   Existence between

with the sinks
$\psi' = (\exists(\_): \text{sys\_connect@syscall}.\ true) \lor (\exists(\_): \text{sendText@ISms}.\ true) \lor (\exists(x, intent, \_): \text{startActivity@IActivityManager}.\ regex(intent, \text{"action.SEND"}))$

Specifying Malware Behaviour

1. Category: Information Stealing

Helper formulae
$\psi_1 = \text{getDeviceId@IPhoneSubInfo}$
$\psi_2 = \text{getSubscriberId@IPhoneSubInfo}$
$\psi_3 = \text{getIccSerialNumber@IPhoneSubInfo}$
$\psi_4 = \text{getLine1Number@IPhoneSubInfo}$
$\psi_5 = \text{getDeviceSvn@IPhoneSubInfo}$
$\psi_6 = \exists(uri, \_): \text{QUERY@IContentProvider}.\ regex(uri, \text{".*calls.*"})$
$\psi_7 = \exists(uri, \_): \text{QUERY@IContentProvider}.\ regex(uri, \text{".*contacts.*"})$
$\psi_8 = \exists(uri, \_): \text{QUERY@IContentProvider}.\ regex(uri, \text{".*phones.*"})$
$\psi_9 = \exists(uri, \_): \text{QUERY@IContentProvider}.\ regex(uri, \text{".*bookmarks.*"})$
$\psi_{10} = \exists(uri, \_): \text{QUERY@IContentProvider}.\ regex(uri, \text{".*preferapn.*"})$
$\psi_{11} = \exists(uri, \_): \text{QUERY@IContentProvider}.\ regex(uri, \text{".*sms.*"})$
$\psi_{12} = (\exists(\_): \text{getInstalledPackages@IPackageManager}.\ true) \lor (\exists(\_): \text{getInstalledApplications@IPackageManager}.\ true)$
$\psi_{13} = \exists(args): \text{do\_execv@syscall}.\ regex(args, \text{".*logcat.*"})$
$\psi_{14} = (\exists(\_): \text{notifyCellLocation@ITelephonyRegistry}.\ true) \lor (\exists x: \text{getLastKnownLocation@ILocationManager}.\ regex(x, \text{".*gps.*"}))$

Specifying Malware Behaviour

2. Category: Privilege Escalation

  • 36.7% of the samples in the Android Malware Genome Project exploit a vulnerability
    (e.g., in the Linux kernel) to gain root access
  • We monitor what happens once an app has root access
$G\,\forall(args): \text{do\_execv@syscall}.\ regex(args, \text{".*su|pm (un)?install|am start.*"})$

Possible attacks

  • Secretly start/install/remove other apps via activity or package manager (am/pm)
  • Replace real banking apps with fake one for phishing attacks

Specifying Malware Behaviour

4. Category: Financial Charges

  • Google labels the permissions to place calls or send SMS as “services that cost you money”
  • $\geq$ Android 4.2: the user is notified if an app attempts to send an SMS to a premium short code
  • $<$ Android 4.4: malware could suppress incoming SMS messages by aborting the ordered SMS_RECEIVED broadcast, hiding
    • confirmations received from premium services
    • mobile banking TANs
$G\,\forall(dest, \_, txt, \_, \_): \text{sendText@ISms}.\ inContactBook(dest)$

$G(\psi_{SMS\_RECEIVED} \rightarrow \neg F\,\exists(w, x, y, z, abort): \text{finishReceiver@IActivityManager}.\ regex(abort, \text{"true"}))$
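The specification language and the four behaviour categories, checked over a constructed event trace. This is an added example in Python, not the paper's LTLFO monitor: it evaluates the slide formulas under a simple finite-trace reading (⊥ once a formula is violated, ? otherwise), uses search semantics for regex(), realises inContactBook as a set lookup, and treats a do_execv matching the root-shell regex as the event to report, since the slide writes that property without a negation. Package name, UIDs, contact book and all events are constructed.

```python
# Added example (not the paper's monitor): finite-trace checker for the
# malware-behaviour formulas. Events are (uid, iface, method, args) as the
# slides write them; the trace, UIDs, package and contact book are constructed.
import re
from dataclasses import dataclass

SYSTEM_UID = 1000        # events of this UID carry the "system#" prefix on the slides
APP_UID = 10072          # arbitrary UID for the monitored app (assumed)


@dataclass(frozen=True)
class Event:
    uid: int
    iface: str           # short interface name as on the slides, or "syscall"
    method: str
    args: tuple = ()


def ev(iface, method, *args, uid=APP_UID):
    return Event(uid, iface, method, args)


def call(method, iface, pred=lambda args: True, uid=None):
    """method@iface with an optional constraint on the arguments and UID."""
    return lambda e: (e.method == method and e.iface == iface
                      and (uid is None or e.uid == uid) and pred(e.args))


def rx(pattern, idx):
    """regex(arg_idx, pattern) with search semantics (assumed, see note)."""
    return lambda a: (len(a) > idx and isinstance(a[idx], str)
                      and re.search(pattern, a[idx]) is not None)


psi_1 = call("getDeviceId", "IPhoneSubInfo")
psi_7 = call("QUERY", "IContentProvider", rx(r".*contacts.*", 0))
psi_prime = lambda e: (call("sys_connect", "syscall")(e) or call("sendText", "ISms")(e)   # the sinks
                       or call("startActivity", "IActivityManager", rx(r"action.SEND", 1))(e))


class AbsenceGlobally:               # G ¬ψ
    def __init__(self, psi):
        self.psi, self.verdict = psi, "?"

    def step(self, e):
        if self.psi(e):
            self.verdict = "⊥"
        return self.verdict


class AbsenceAfter:                  # G (ψ_i → ¬F ψ')
    def __init__(self, trigger, forbidden):
        self.trigger, self.forbidden, self.armed, self.verdict = trigger, forbidden, False, "?"

    def step(self, e):
        self.armed = self.armed or self.trigger(e)      # F includes the current position
        if self.armed and self.forbidden(e):
            self.verdict = "⊥"
        return self.verdict


class ForAll:                        # G ∀ args : method@iface. constraint(args)
    def __init__(self, event, constraint):
        self.event, self.constraint, self.verdict = event, constraint, "?"

    def step(self, e):
        if self.event(e) and not self.constraint(e.args):
            self.verdict = "⊥"
        return self.verdict


def build_specs(pkg, contacts):
    """Instantiate the slide formulas for one monitored package."""
    psi_17 = call("scheduleReceiver", "IApplicationThread", uid=SYSTEM_UID,
                  pred=lambda a: rx(r".*SMS_RECEIVED.*", 0)(a) and rx(".*" + re.escape(pkg) + ".*", 1)(a))
    return {
        "info stealing: device id then sink": AbsenceAfter(psi_1, psi_prime),
        "info stealing: contacts then sink": AbsenceAfter(psi_7, psi_prime),
        "privilege escalation: su/pm/am executed": AbsenceGlobally(
            call("do_execv", "syscall", rx(r".*su|pm (un)?install|am start.*", 0))),
        "financial: SMS to number not in contact book": ForAll(call("sendText", "ISms"), lambda a: a[0] in contacts),
        "financial: incoming SMS aborted": AbsenceAfter(psi_17, call("finishReceiver", "IActivityManager", rx(r"true", 4))),
    }


def run(trace, specs):
    verdicts = {name: m.verdict for name, m in specs.items()}
    for e in trace:
        for name, m in specs.items():
            verdicts[name] = m.step(e)
    return verdicts


PKG, CONTACTS = "com.example.monitored", {"+49301234567"}    # constructed
MALICIOUS = [                                                   # constructed trace
    ev("IPhoneSubInfo", "getDeviceId"),
    ev("IContentProvider", "QUERY", "content://com.android.contacts/data/phones"),
    ev("syscall", "sys_connect", "ispgateway.de"),
    ev("syscall", "do_execv", "pm install /sdcard/update.apk"),
    ev("ISms", "sendText", "12345", None, "Hello!", None, None),
    ev("IApplicationThread", "scheduleReceiver", "android.provider.Telephony.SMS_RECEIVED", PKG, None, uid=SYSTEM_UID),
    ev("IActivityManager", "finishReceiver", None, "-1", None, None, "true"),
]
BENIGN = [ev("ISms", "sendText", "+49301234567", None, "see you at 8", None, None),
          ev("syscall", "sys_connect", "example.org")]

if __name__ == "__main__":
    for name, v in run(MALICIOUS, build_specs(PKG, CONTACTS)).items():
        print(v, name)
```

Note that the regex alternatives are taken over verbatim; under search semantics the first one, `.*su`, fires on any argument string containing "su", and under match-whole-string semantics (Java's String.matches) the middle one, `pm (un)?install`, would only fire on the bare command. Which reading the monitor uses decides both false positives and misses, so pin it down before deploying a specification.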

Identifying Malware Behaviour

Suspicious behaviour detected for 46 (93.9%) out of 49 families

Families  Information stealing  Privilege Escalation  Launching Malicious Payload  Financial charges
ADRD ✔✔✔
AnserverBot ✔✔✔✔✔✔✔ !
Asroot !
BaseBridge ✔✔ ! ! !
BeanBot ! !
Bgserv ✔✔✔✔ !
CoinPirate ✔✔ ! !
CruseWin ! !
DogWars !
DroidCoupon ✔✔✔✔✔✔ !
DroidDeluxe !
DroidDream ✔✔ !
DroidDreamLight
DroidKungFu1 !
DroidKungFu2
DroidKungFu3 ✔✔✔ !
DroidKungFu4 ✔✔✔✔
DroidKungFuSapp !
DroidKungFuUpdate✔✔✔✔
Endofday !
FakeNetflix
FakePlayer
GamblerSMS (H)
Geinimi ✔✔✔✔ ! !
GGTracker ✔✔✔ ! !
GingerMaster ✔✔✔✔✔ !
GoldDream !
Gone60 ✔✔✔✔✔
GPSSMSSpy (H) !
HippoSMS ✔✔ !
Jifake
jSMSHider ✔✔✔ ! !
KMin ! !
LoveTrap ! !
NickyBot ✔✔✔ !
NickySpy (H) '
Pjapps ! !
Plankton
RogueLemon ✔✔✔ ! !
RogueSPPush ✔✔✔ ! !
SMSReplicator (H)
SndApps ✔✔
Spitmo (H) !
Tapsnake (H)
Walkinwat ✔✔✔
YZHC ✔✔✔✔ ! !
zHash ✔✔✔✔✔✔✔ !
Zitmo
Zsone (H) !

Identifying Malware Behaviour

False Positives

  • monitored 61 benign apps on a Nexus 5, Android 5.0.1, in the following categories
    • social (Facebook, Twitter, LinkedIn, etc.)
    • communication (WhatsApp, Facebook Messenger, etc.)
    • transportation (Uber, etc.)
    • travel & local (Yelp, TripAdvisor, etc.)
    • games (Cut the Rope, Road crossing, etc.)
  • We discovered suspicious behaviour for 17 (28%) of the apps
    • 11 apps requested the device or subscriber id (not recommended by Google's developer guidelines)
    • among those a soccer news app and a yoga app
    • also the taxi app Uber, criticised for collecting personal data without the user's permission

Performance

Nexus 7 (1st Gen.), quad-core CPU, 1GB RAM

Interface             Method                    Android (ms)   Kprobes (ms)   Overhead   DroidTracer (ms)   Overhead
IPhoneSubInfo         getDeviceId               5309 ± 15      5517 ± 18      3.92%      5811 ± 11          9.46%
IPhoneSubInfo         getIccSerialNumber        5346 ± 16      5524 ± 16                 5817 ± 7           8.81%
LocationManager       getLastKnownLocation      3516 ± 13      3562 ± 13                 4126 ± 5           17.35%
ISms                  sendText                  9166 ± 13      9396 ± 13      2.51%      10216 ± 10         11.46%
IPackageManager       getInstalledApplications  15730 ± 204    15514 ± 202               15422 ± 172
IConnectivityManager  getAllNetworkInfo         5769 ± 53      5841 ± 60                 5671 ± 7
syscall               sys_open                  15360 ± 72     15531 ± 67                15455 ± 38
  • Execution of Android method calls (100 runs, each up to 10,000 times)
  • Margin of error for 95% confidence interval
  • MonitorMe: highest overhead 38.6%, for the system event sendText@ISms
  • Aurasium: ~35% for getDeviceId() and getLastLocation()
  • AppGuard: 0.8% - 21.4%

Portability

Device                              Nexus S    Nexus 7    Nexus 5
Android version                     2.3.6      4.3        5.0.1
Events, total                       102,545    107,977    449,429
Interfaces, unique                  58         89         108
Methods, unique                     804        378        474
  unmarshalled                      368        236        326
  success rate                      45.77%     62.43%     68.78%
Events with arguments, total        54,596     70,746     264,058
  unmarshalled (totally)            43,318     67,866     227,708
  success rate                      79.34%     95.93%     86.23%
  unmarshalled (partially)          47,923     69,474     255,263
  success rate                      87.78%     98.20%     96.67%

THE END