18 Mobile Malware


CS 155 Spring 2016
Mobile Malware
John Mitchell
Outline
• Mobile malware
• Identifying malware
– Detect at app store rather than on platform
• Classification study of mobile web apps
– Entire Google Play market as of 2014
– 85% of approx 1 million apps use web interface
• Target fragmentation in Android
– Out-of-date Apps may disable more recent
security platform patches
Malware Trends
Based on FairPlay vulnerability
• Requires malware on user PC, installation of malicious app in App Store
• Continues to work after app removed from store
• Silently installs app on phone
Android malware 2015
Current Android Malware: Description
AccuTrack: This application turns an Android smartphone into a GPS tracker.
Ackposts: This Trojan steals contact information from the compromised device and uploads it to a remote server.
Acnetdoor: This Trojan opens a backdoor on the infected device and sends the IP address to a remote server.
Adsms: This is a Trojan which is allowed to send SMS messages. The distribution channel ... is through an SMS message containing the download link.
Airpush/StopSMS: Airpush is a very aggressive Ad-Network.
BankBot: This malware tries to steal users’ confidential information and money from bank and mobile accounts associated with infected devices.
http://forensics.spreitzenbarth.de/android-malware/
Trends 2014-15
Android free antivirus apps …
1. Comodo Security & Antivirus
2. CM Security Antivirus AppLock
3. 360 Security - Antivirus Boost
4. Sophos Free Antivirus and Security
5. Malwarebytes Anti-Malware
6. Bitdefender Antivirus Free
http://www.androidcentral.com/top-free-antivirus-apps-android
• “Even security companies know the risk is low — that's why apps
are packaged with other selling points.” - AndroidCentral
• Kevin Haley, Symantec's Director of Symantec Security Response:
– "Symantec sees an important role to play in helping to protect
data and mobile devices from being exposed to risk," …
– "While Symantec sees its purpose in the mobile landscape as
providing security against malware, fraud and scams; we also
protect devices against loss and theft — loss of the device itself,
as well as the information on it. In addition, Symantec helps
businesses protect and manage their data being stored or
transmitted through the mobile devices of their employees."
http://www.androidcentral.com/antivirus-android-do-you-need-it
Android malware example
Install malicious “conference app”
Malware behavior triggered by C&C server (Chuli)
Outline
• Mobile malware
• Identifying malware
– Detect at app store rather than on platform
• Classification study of mobile web apps
– Entire Google Play market as of 2014
– 85% of approx 1 million apps use web interface
• Target fragmentation in Android
– Out-of-date Apps may disable more recent
security platform patches
STAMP Admission System
Static Analysis: more behaviors, fewer details
Dynamic Analysis: fewer behaviors, more details
(Figure: a spectrum from Static to Dynamic, with STAMP positioned between the two)
STAMP team: Alex Aiken, John Mitchell, Saswat Anand, Jason Franklin, Osbert Bastani, Lazaro Clapp, Patrick Mutchler, Manolis Papadakis
Abstract program execution
• States: mapping of variable names to values
• Transitions: relation on pairs of states
• Traces: sequence of states or state, transition pairs
Analysis
Step 1: Convert bytecode to intermediate format (called Quads)
Step 2: Compute call graph using Class Hierarchy Analysis
Step 3: Build an edge-labeled graph G by processing Quads of each class
Step 4: Add new edges to G as per a set of rules until no rules apply
Data Flow Analysis
(Figure: source getLoc() returns Location, which reaches the sinks sendSMS() (SMS) and sendInet() (Internet), giving the flows Location -> SMS and Location -> Internet)
• Source-to-sink flows
o Sources: Location, Calendar, Contacts, Device ID etc.
o Sinks: Internet, SMS, Disk, etc.
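The abstract-execution and rule-based analysis described on the last few slides can be shown on a toy scale. The following is an added example, not STAMP's code: it defines a hypothetical Quad-like instruction format with its own op names ("source:", "sink:", "copy", "concat"), keeps an abstract state mapping each variable to the set of source labels that may have reached it, and applies the propagation rules until a fixpoint, reporting every source-to-sink flow it finds. The program it analyses is constructed for the demonstration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;

/**
 * Toy source-to-sink flow analysis over a Quad-like intermediate format.
 * Added example, not STAMP's code: the abstract state maps each variable to the
 * set of source labels that may have reached it, each rule application is a
 * transition, and rules are applied until none changes the state (fixpoint).
 */
public class FlowAnalysisDemo {

    /** One hypothetical Quad: dst = op(args). The op names are this example's own. */
    static final class Quad {
        final String op;          // "source:<Label>", "sink:<Label>", "copy" or "concat"
        final String dst;         // variable written ("" for sinks, which write nothing)
        final List<String> args;  // variables read
        Quad(String op, String dst, String... args) {
            this.op = op;
            this.dst = dst;
            this.args = Arrays.asList(args);
        }
    }

    /** Returns every "Source -> Sink" pair reachable in the abstract execution. */
    static SortedSet<String> findFlows(List<Quad> quads) {
        Map<String, Set<String>> state = new HashMap<>();   // variable -> source labels
        SortedSet<String> flows = new TreeSet<>();
        boolean changed = true;
        while (changed) {          // Step 4 on the slides: keep applying rules until none applies
            changed = false;
            for (Quad q : quads) {
                Set<String> incoming = new HashSet<>();
                for (String a : q.args) {
                    incoming.addAll(state.getOrDefault(a, Collections.<String>emptySet()));
                }
                if (q.op.startsWith("source:")) {
                    incoming.add(q.op.substring("source:".length()));   // value is sensitive
                }
                if (q.op.startsWith("sink:")) {
                    String sink = q.op.substring("sink:".length());
                    for (String src : incoming) {
                        changed |= flows.add(src + " -> " + sink);       // report a flow
                    }
                    continue;
                }
                // copy/concat: the destination inherits every label of its operands
                Set<String> labels = state.computeIfAbsent(q.dst, k -> new HashSet<>());
                changed |= labels.addAll(incoming);
            }
        }
        return flows;
    }

    public static void main(String[] args) {
        // Constructed program (not from any real app). The copy into "buf" reads "tmp"
        // before "tmp" is defined in program order, as a loop-carried value would, so a
        // single pass would miss the Contacts flow; the fixpoint loop finds it.
        List<Quad> program = Arrays.asList(
            new Quad("source:Location", "loc"),
            new Quad("source:Contacts", "c"),
            new Quad("copy", "greeting", "constStr"),
            new Quad("concat", "msg", "greeting", "loc"),
            new Quad("copy", "buf", "tmp"),
            new Quad("copy", "tmp", "c"),
            new Quad("sink:SMS", "", "msg"),
            new Quad("sink:Internet", "", "buf"),
            new Quad("sink:Disk", "", "greeting"));
        for (String flow : findFlows(program)) {
            System.out.println(flow);
        }
    }
}
```

Running it (`java FlowAnalysisDemo.java` on Java 11 or later) reports the Location -> SMS and Contacts -> Internet flows and nothing for the constant string written to disk. The analysis is flow-insensitive and ignores control flow and context, which is why the real system needs the call graph and context sensitivity the later slides describe; the point here is only the shape of the rules and the fixpoint iteration.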
Data Flow Analysis in Action
• Malware/Greyware Analysis
o Data flow summaries enable enterprise-specific policies
• API Misuse and Data Theft Detection
o (Figure: source FB API yields FB_Data, which reaches the sink Internet via Send)
• Automatic Generation of App Privacy Policies
o Avoid liability, protect consumer privacy
o (Figure: generated Privacy Policy reading "This app collects your: Contacts, Phone Number, Address")
• Vulnerability Discovery
o (Figure: source Web yields Untrusted_Data, which reaches the sink SQL via SQL Stmt)
Challenges
• Android is 3.4M+ lines of complex code
o Uses reflection, callbacks, native code
• Scalability: Whole system analysis impractical
• Soundness: Avoid missing flows
• Precision: Minimize false positives
STAMP Approach
(Figure: analyzing App + Android + OS + HW as a whole is marked "Too expensive!"; STAMP instead analyzes the App against Models of Android)
• Model Android/Java
o Sources and sinks
o Data structures
o Callbacks
o 500+ models
• Whole-program analysis
o Context sensitive
Building Models
• 30k+ methods in Java/Android API
o 5 mins x 30k = 2500 hours
• Follow the permissions
o 20 permissions for sensitive sources
§ ACCESS_FINE_LOCATION (8 methods with source annotations)
§ READ_PHONE_STATE (9 methods)
o 4 permissions for sensitive sinks
§ INTERNET, SEND_SMS, etc.
Identifying Sensitive Data
android.telephony.TelephonyManager: String getDeviceId()
• Returns device IMEI in String
• Requires permission GET_PHONE_STATE
@STAMP(
    SRC = "$GET_PHONE_STATE.deviceid",
    SINK = "@return"
)
Data We Track (Sources)
30+ types of sensitive data, including:
• Account data
• Audio
• Calendar
• Call log
• Camera
• Contacts
• Device Id
• Location
• Photos (Geotags)
• SD card data
• SMS
Data Destinations (Sinks)
10+ types of exit points, including:
• Internet (socket)
• SMS
• Email
• System Logs
• Webview/Browser
• File System
• Broadcast Message
Currently Detectable Flow Types
396 Flow Types
Unique Flow Types = Sources x Sinks
Example Analysis
Contact Sync for Facebook (unofficial)
Description:
This application allows you to synchronize your Facebook contacts on Android.
IMPORTANT:
* "Facebook does not allow [sic] to export phone numbers or emails. Only names, pictures and statuses are synced."
* "Facebook users have the option to block one or all apps. If they opt for that, they will be EXCLUDED from your friends list."
Privacy Policy: (page not found)
Chuli source-to-sink flows (figure)
Contact Sync Permissions
Category                   Permission              Description
Your Accounts              AUTHENTICATE_ACCOUNTS   Act as an account authenticator
                           MANAGE_ACCOUNTS         Manage accounts list
                           USE_CREDENTIALS         Use authentication credentials
Network Communication      INTERNET                Full Internet access
                           ACCESS_NETWORK_STATE    View network state
Your Personal Information  READ_CONTACTS           Read contact data
                           WRITE_CONTACTS          Write contact data
System Tools               WRITE_SETTINGS          Modify global system settings
                           WRITE_SYNC_SETTINGS     Write sync settings (e.g. Contact sync)
                           READ_SYNC_SETTINGS      Read whether sync is enabled
                           READ_SYNC_STATS         Read history of syncs
Your Accounts              GET_ACCOUNTS            Discover known accounts
Extra/Custom               WRITE_SECURE_SETTINGS   Modify secure system settings

Possible Flows from Permissions
Sources: READ_CONTACTS, READ_SYNC_SETTINGS, READ_SYNC_STATS, GET_ACCOUNTS, INTERNET
Sinks: INTERNET, WRITE_SETTINGS, WRITE_CONTACTS, WRITE_SECURE_SETTINGS, WRITE_SETTINGS
Expected Flows
Sources: READ_CONTACTS, READ_SYNC_SETTINGS, READ_SYNC_STATS, GET_ACCOUNTS, INTERNET
Sinks: INTERNET, WRITE_SETTINGS, WRITE_CONTACTS, WRITE_SECURE_SETTINGS, WRITE_SETTINGS
Observed Flows
(Figure: source FB API yields FB_Data, which reaches the sink Contacts via Write, i.e. FB_Data -> Contact_Book; source Read Contacts yields Contacts, which reaches the sink Internet via Send, i.e. Contacts -> Internet)
Outline
• Mobile malware
• Identifying malware
– Detect at app store rather than on platform
• Classification study of mobile web apps
– Entire Google Play market as of 2014
– 85% of approx 1 million apps use web interface
• Target fragmentation in Android
– Out-of-date Apps may disable more recent
security platform patches
A Large-Scale Study of
Mobile Web App Security
Patrick Mutchler, Adam Doupe,
John Mitchell, Chris Kruegel, Giovanni Vigna
Mobile Apps
Mobile Web Apps
• Mobile web app: embeds a fully functional web browser as a UI element
JavaScript Bridge
// Java: expose a Java object to page script under the name "f"
Object foo = new Object();
webView.addJavascriptInterface(foo, "f");
// JavaScript: page script calls the Java object's method
f.bar();
Why?

• Full-featured mobile web apps

• Expose phone functionality to JavaScript


Security Concerns
• Who can access the bridge?
– Everyone
Isolated in Browser
No origin distinction in WebView
(Figure: JavaScript from any origin loaded into the WebView can call f.bar() on the Java object)
Static Analysis

• How many mobile web apps?

• How many use JavaScript Bridge?

• How many vulnerable?


Experimental Results

• 737,828 free apps from Google Play (Oct ’13)

• 563,109 apps embed a browser

• 219,404 use the JavaScript Bridge

• 107,974 have at least one security violation


Most significant vulnerabilities
1. Loading untrusted web content
2. Leaking URLs to foreign apps
3. Exposing state changing navigation to foreign apps
“You should restrict the web-pages that can load inside your WebView with a whitelist.”
- Facebook
“…only loading content from trusted sources into WebView will help protect users.”
- Adrian Ludwig, Google


1. Navigate to untrusted content
// In app code
myWebView.loadUrl("foo.com");
<!-- In HTML -->
<a href="foo.com">click!</a>
<!-- More HTML -->
<iframe src="foo.com"/>
// In JavaScript
window.location = "foo.com";

public boolean shouldOverrideUrlLoading(WebView view, String url) {
    // False -> Load URL in WebView
    // True -> Prevent the URL load
}

public boolean shouldOverrideUrlLoading(WebView view, String url) {
    String host;
    try {
        host = new URL(url).getHost();
    } catch (MalformedURLException e) {
        return true;                 // unparseable URL: prevent the load
    }
    if ("stanford.edu".equals(host))
        return false;                // trusted host: let the WebView load it
    Log.w("WebView", "Overrode URL: " + url);
    return true;
}
Reach Untrusted Content?
• 40,084 apps with full URLs and use JavaScript Bridge
• 13,683 apps (34%) can reach untrusted content
Use HTTPS?
• 152,706 apps with partially computed URLs
• 87,968 apps (57%) with HTTP URLs
Handling SSL Errors
onReceivedSslError
1. handler.proceed()
2. handler.cancel()
3. view.loadUrl(...)
Mishandling SSL Errors
• 117,974 apps implement onReceivedSslError
• 29,652 apps (25%) must ignore errors
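The two WebViewClient callbacks discussed on the preceding slides, the URL allow-list in shouldOverrideUrlLoading and the SSL error handler, belong in one client. The following is an added example, not code from the study or from Android: the host lists, the log tag and the class name are assumptions. The decision function is plain Java (java.net.URI rather than android.net.Uri) so it can be unit-tested without a device; it requires https, rejects strings without a scheme or host such as "foo.com", and anchors the parent-domain match on a dot so that look-alike hosts are not accepted.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * WebViewClient that loads only allow-listed HTTPS hosts and never proceeds past an SSL error.
 * Added example, not code from the study or from Android; host lists and TAG are assumptions.
 */
public class AllowListWebViewClient extends WebViewClient {
    private static final String TAG = "AllowListWebView";
    // Constructed allow-list: exact hosts, and parent domains whose subdomains are also allowed.
    private static final Set<String> EXACT_HOSTS =
            new HashSet<>(Arrays.asList("stanford.edu"));
    private static final Set<String> PARENT_DOMAINS =
            new HashSet<>(Arrays.asList("stanford.edu"));

    /** Pure decision on the URL string (plain Java, so it is unit-testable off-device). */
    static boolean isAllowed(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                       // unparseable: block
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false;                       // "foo.com" has neither scheme nor host: block
        }
        if (!scheme.equalsIgnoreCase("https")) {
            return false;                       // plain HTTP is never allowed
        }
        host = host.toLowerCase(Locale.ROOT);
        if (EXACT_HOSTS.contains(host)) {
            return true;
        }
        for (String parent : PARENT_DOMAINS) {
            if (host.endsWith("." + parent)) {  // dot-anchored: "evilstanford.edu" does not match
                return true;
            }
        }
        return false;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (isAllowed(url)) {
            return false;                       // false: let the WebView load it
        }
        Log.w(TAG, "Blocked navigation to " + url);
        return true;                            // true: the WebView does not load it
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Option 2 from the slide, handler.cancel(): a certificate error means the content
        // cannot be trusted, so this client never calls handler.proceed().
        Log.w(TAG, "SSL error " + error.getPrimaryError() + " for " + error.getUrl());
        handler.cancel();
    }
}
```

Install it with webView.setWebViewClient(new AllowListWebViewClient()). Two caveats: shouldOverrideUrlLoading is not consulted for loadUrl() calls the app makes itself, so guard those with isAllowed() too, and subresource fetches (scripts, images, frames) are seen by shouldInterceptRequest rather than this callback, so an allow-list that must cover them needs a check there as well.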
Primary results
Vulnerability   % Relevant   % Vulnerable
Unsafe Nav      15           34
HTTP            40           56
Unsafe HTTPS    27           29
Popularity (figure)
Outdated Apps (figure)
Libraries
29% unsafe nav, 51% HTTP, 53% unsafe HTTPS
Additional security issues
Based on 998,286 free web apps from June 2014
Takeaways
• Apps must not load untrusted content into WebViews
• Able to identify violating apps using static analysis
• Vulnerabilities are present in the entire app ecosystem
Outline
• Mobile malware
• Identifying malware
– Detect at app store rather than on platform
• Classification study of mobile web apps
– Entire Google Play market as of 2014
– 85% of approx 1 million apps use web interface
• Target fragmentation in Android
– Out-of-date Apps may disable more recent
security platform patches
Target Fragmentation in
Android Apps
Patrick Mutchler Yeganeh Safaei
John Mitchell Adam Doupe
Takeaways
Android apps can run using outdated OS behavior
- The large majority of Android apps do this
- Including popular and well maintained apps
Outdated security code invisibly permeates the app ecosystem
- “Patched” security vulnerabilities still exist in the wild
- “Risky by default” behavior is widespread
Roadmap

What is target fragmentation?

Target fragmentation statistics

Security consequences
Roadmap

What is target fragmentation?

Target fragmentation statistics

Security consequences
“If the device is running Android 6.0 or higher… [the app] must request each dangerous permission that it needs while the app is running.”
- Android Developer Reference
“If the device is running Android 6.0 or higher and your app's target SDK is 6.0 or higher [the app] must request each dangerous permission that it needs while the app is running.”
- Android Developer Reference
“If the [operating system version of the device] is higher than the version declared by your app’s targetSdkVersion, the system may enable compatibility behaviors to ensure that your app continues to work the way you expect.”
- Android Developer Reference


Roadmap

What is target fragmentation?

Target fragmentation statistics

Security consequences
Dataset

1,232,696 Android Apps

Popularity, Category, Update, and Developer metadata

Collected between May 2012 and Dec 2015

Broken into five datasets by collection date


Outdatedness
(Figure: timeline of Android 5.0 Released, Android 5.1 Released, Android 6.0 Released, App Collected)
Negligent Outdatedness
(Figure: timeline of Android 5.0 Released, Android 5.1 Released, App Updated, Android 6.0 Released, App Collected)
Roadmap

What is target fragmentation?

Target fragmentation statistics

Security consequences
Fragment Injection
(Figure: a Malicious Intent delivered to a PreferenceActivity in the Vulnerable App carries Extra.SHOW_FRAGMENT naming the "Attacked Fragment" and Extra.SHOW_FRAG_ARG carrying Other Data as the Extras for that Attacked Fragment)
securityintelligence.com/new-vulnerability-android-framework-fragment-injection/
Fragment Injection
Fixed in Android 4.4
Developers implement isValidFragment to authorize fragments
// Put this in your app (in your PreferenceActivity subclass)
@Override
protected boolean isValidFragment(String fName) {
    // Only the app's own fragment class may be shown; the check is consulted on Android 4.4+
    return MyFrag.class.getName().equals(fName);
}
Fragment Injection

Vulnerable if:
- Targets 4.3 or lower (31%)
- Some class inherits from PreferenceActivity (4.8%)
- That class is exported (1.1%)
- That class does not override isValidFragment (0.55%)

4.2% of apps vulnerable if no fix was ever implemented


Mixed Content in WebView
Major web browsers block Mixed Content
In Android 5.0, WebViews block Mixed Content by default
Can override default with setMixedContentMode()
SOP for file:// URLs in WebView
Since Android 4.1, separate file:// URLs are treated as unique origins
Can override with setAllowFileAccessFromFileURLs()
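Both defaults above are selected by targetSdkVersion, which is exactly what target fragmentation undermines: an app that still targets an old SDK keeps the permissive compatibility behavior on a new device. The following is an added example, not the study's or Android's own code, showing the secure values pinned explicitly so they no longer depend on the target level; the class name and the needsJavaScript parameter are assumptions.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

/**
 * Pins the secure WebView settings explicitly instead of relying on the defaults
 * that targetSdkVersion selects. Added example, not the study's or Android's own code.
 */
public final class WebViewHardening {
    private WebViewHardening() {}

    /** needsJavaScript: whether the content really requires script (the caller's decision). */
    public static void apply(WebView webView, boolean needsJavaScript) {
        WebSettings settings = webView.getSettings();

        // Mixed content: Android 5.0 blocks it by default only for apps targeting API 21+;
        // an app with an older targetSdkVersion gets the permissive compatibility behavior.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        }

        // file:// same-origin policy: separate file:// URLs are distinct origins from
        // Android 4.1, again only when targetSdkVersion is 16+. Set both flags explicitly.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }

        // Unless the app renders local files, do not let the WebView load file:// or
        // content:// URLs at all.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);

        // Script (and with it any JavaScript bridge) only where the content needs it.
        settings.setJavaScriptEnabled(needsJavaScript);
    }
}
```

Call WebViewHardening.apply(webView, false) right after the WebView is created and before the first loadUrl(); the version checks keep it safe to call on older devices, where the newer setters do not exist.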


Recap
Android apps can run using outdated OS behavior
- The large majority of Android apps do this
- Including popular and well maintained apps
Outdated security code invisibly permeates the app ecosystem
- “Patched” security vulnerabilities still exist in the wild
- “Risky by default” behavior is widespread
Summary
• Mobile malware
• Identifying malware
– Detect at app store rather than on platform
• Classification study of mobile web apps
– Entire Google Play market as of 2014
– 85% of approx 1 million apps use web interface
• Target fragmentation in Android
– Out-of-date Apps may disable more recent
security platform patches
