
Automated Remote Repair for Mobile Malware

Yacin Nadji, Jonathon Giffin, Patrick Traynor (Georgia Institute of Technology), ACSAC '11.


Presentation Transcript


  1. Automated Remote Repair for Mobile Malware Yacin Nadji, Jonathon Giffin, Patrick Traynor Georgia Institute of Technology ACSAC '11

  2. Outline • Introduction • Related Work • Mobile Malware • Airmid Architecture • Implementation • Discussion • Conclusion

  3. Introduction

  4. Introduction • 70000 new mobile malware samples per day

  5. Introduction • Cellular providers will not be able to rely solely upon the rapid identification and removal of malware by mobile market operators

  6. Introduction • A system for automated detection of and response to malicious software infections on handheld mobile devices – Airmid • Airmid: the goddess of healing

  7. Introduction • We developed laboratory samples of mobile malware • Leak private data • Dial premium numbers • Participate in botnet activity And… • Detect the presence of an emulated environment • Change their behavior, create a hidden background process, scrub logs, and restart on reboot

  8. Introduction • Contribution • Identification of current remediation shortcomings • Design and implementation of advanced prototype malware • Cooperatively neutralize malware on infected mobile phones

  9. Related Work

  10. Related Work • Traynor et al. On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core • Xu et al. Stealthy Video Capturer: A New Video-based Spyware in 3G Smartphones • TaintDroid • PiOS

  11. Mobile Malware

  12. Mobile Malware • In the wild… • Privilege escalation to root (DroidDream) • Bots (Drad.A) • Data exfiltration (DroidKungFu, StreamyScr.A) • Backdoor triggered via SMS (Bgyoulu.A) • Jailbroken iPhone • iKee.B bot

  13. Mobile Malware • Deficiencies of marketplaces: • Malware authors can write their apps with logic that evades detection during marketplace analysis • The Android platform allows users to install apps from third-party marketplaces

  14. Mobile Malware • Enhanced prototype malware • Loudmouth • a Twitter client that leaks private data • 2Faced • A Facebook client sync app that dials premium numbers • Thor • A mobile bot

  15. Mobile Malware • Loudmouth • Malicious mobile functionality • Data exfiltration • Evasive functionality • Malware analysis environment detection • Benign host app • Twitter client

  16. Mobile Malware • 2Faced • Malicious mobile functionality • Premium number dialer • Evasive functionality • Log sanitization and a hidden native process • Benign host app • Facebook sync

  17. Mobile Malware • Thor • Malicious mobile functionality • Bot client • Evasive functionality • Persistence across reboot • Benign host app • Weather display

  18. Mobile Malware • Permissions use:

  19. Architecture

  20. Architecture • Threat model • Install malware via a variety of usual mechanisms • Drive-by downloads or automated propagation • Distribution on marketplaces • Attackers can subvert the correct execution of a benign app • Exploiting a security defect in the app’s design

  21. Architecture • Assume… • A protected software layer on the device lower than the level at which the malware executes • Kernel (if kernel-level malware can be prevented) • Hypervisor (if virtualized environments can be created on a mobile device) • A communication channel between the network and each device • Detectable malicious behavior in the network

  22. Architecture • Remote repair

  23. Architecture • Side-effects: • Process termination • On-device traffic filtering • App update • Device update • File removal • Factory reset

  24. Architecture • Authenticated communication • [UMTS Security Wiki] • [REF] • [SPEC] • [AKA Mechanism RFC]

  25. Implementation

  26. Implementation • Hardware • HTC Dream with Android 1.6

  27. Implementation • Network component • Snort • Airmid server built with the Python packet-crafting library Scapy

  28. Implementation • Device component • A modified Linux kernel 2.6.29 • Dynamically loadable kernel modules disabled • 1200 lines of C

  29. Implementation • Infection provenance

  30. Implementation • Infection provenance

  31. Implementation • Remediation strategies • Block the malicious traffic • Termination of processes • Removal of the apk owned by the UID • Removal of all files owned by the UID • UID < 10000 → system user ID • Only block the malicious traffic • UID ≥ 10000 → Terminate & remove • Any native ARM processes? • If yes → full scan!
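Slides 29 to 31 describe the two device-side steps: attribute an IDS-flagged flow to the owning Android UID (infection provenance), then choose the remediation by UID range. The block below is an added example, not the paper's code; it stands in for Airmid's kernel-side mapping with a lookup over a constructed `/proc/net/tcp`-style snapshot, and the function names and sample rows are assumptions.

```python
# Added example (not Airmid's code): attribute a flagged flow to its Android UID
# and apply the remediation policy from slide 31.
import socket
import struct
from typing import List, Optional, Tuple

# Constructed snapshot in Linux /proc/net/tcp format (little-endian hex addr:port,
# uid in column 8). Airmid's real device component was a kernel modification;
# parsing this table is a stand-in for that mapping, assumed here for illustration.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 0 0 0 0 0 0 0
   1: 0200000A:C2F4 0D3A2D48:0050 01 00000000:00000000 00:00000000 00000000 10052        0 5678 1 0 0 0 0 0 0 0 0
   2: 0200000A:D1A0 5E1F0A02:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 9012 1 0 0 0 0 0 0 0 0
"""

ANDROID_FIRST_APP_UID = 10000  # UIDs below this are Android system users


def _parse_endpoint(hexaddr: str) -> Tuple[str, int]:
    """Decode 'AABBCCDD:PPPP' (little-endian IPv4, hex port) to ('a.b.c.d', port)."""
    addr_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def flow_owner(table: str, local_ip: str, local_port: int) -> Optional[int]:
    """Return the UID owning the socket bound to (local_ip, local_port), else None."""
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = _parse_endpoint(fields[1])    # local_address column
        if ip == local_ip and port == local_port:
            return int(fields[7])                # uid column
    return None


def remediation(uid: int, native_arm_processes: bool) -> List[str]:
    """Actions from slide 31, in the order the device would apply them."""
    if uid < ANDROID_FIRST_APP_UID:
        return ["block_traffic"]                 # system UID: never delete system files
    actions = ["block_traffic", "terminate_processes", "remove_apk", "remove_uid_files"]
    if native_arm_processes:
        actions.append("full_scan")              # a hidden native helper may persist
    return actions


def triage(table: str, local_ip: str, local_port: int, native_arm: bool):
    """Provenance plus policy: (uid, actions); uid None means the flow is unattributed."""
    uid = flow_owner(table, local_ip, local_port)
    return uid, ([] if uid is None else remediation(uid, native_arm))
```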

  32. Implementation • Performance evaluation

  33. Discussion

  34. Discussion • Airmid control • Some may not trust a cellular network provider • Airmid is not a “one size fits all” solution • Proxied via VPN • Roaming? • Relying on an IDS

  35. Discussion • Device hardening • Disable LKMs (loadable kernel modules) • Virtualization? • L4Android

  36. Conclusion
