SESSION ID: MBS-R02
How to Analyze an Android Bot
Nokia Threat Intelligence Lab @KevMcNamee
Agenda
Introduction
Tools
The Lab
Demo
Why Analyze Android Malware
We monitor mobile traffic for malware infections
Malware, C&C, exploits, DDoS, hacking
Need accurate detection
Forensic Analysis
Mobile network security analytics (diagram): malware detection sensor in the network; alert aggregation & analysis
Developing Malware Detection Rules (pipeline diagram)
Inputs: malware samples, traffic policy, zero-day behavioral rules
Virus vault: 120K+ analyzed, 30M+ active samples; malware traffic library
Rules development, rules repository, rules library
Rule activation, deployment-specific rule sets
Quality testing, field testing in live networks, feedback from field tests
Android Malware Analysis
So, we built our own Android malware analysis lab
You will learn
What tools are required
How to set up the network environment
How they are used
Analysis allows you to:
Know what the malware does
Understand its threat level
Detect and remediate the infection
Android App
Contained in APK file (zip format)
Main components include:
Manifest
Dalvik byte code (classes.dex file)
Resources
Basic Analysis Process
Explore what’s in APK file
Decompile DEX and review source
Run app on phone or AVD & capture network activity
Tools – Android Studio
If you are going to analyze apps you have to know a bit about how they are made…
Also provides many of the tools needed for analysis…
ADB (debugging)
AVD (Android Virtual Device: emulated phones)
Tools – Apktool
Tool for reverse engineering Android packages (apk files)
Extract components
Manifest, Resources, Libraries, Assets, Byte-code (Smali)
Can edit and modify components
Rebuild modified app
Tools – ADB
Android Debug Bridge
Comes with Android Studio
Shell access
Access to file system
Scripted remote control
Application install/uninstall
Tools – dex2jar
Converts Dalvik byte code to Java byte code
First step in de-compiling an Android app.
Tools – Java Decompiler
Converts Java byte code to source code.
Doesn't always work; if one decompiler fails on a sample, try another
Options include:
JD-GUI
Luyten (Procyon front end)
Tools – WireShark
Capture network traffic
Analyze network traffic
Help develop detection rules
Lab network (diagram): control server; packet capture
Using a Real Mobile Network
Some malware may only function on a real mobile network.
You can build your own mobile network:
Linux with OpenBSC, OsmoSGSN and OpenGGSN
Automation
We have automated the analysis process using:
Web based user interface
Real phones and AVDs
Malware database
Apktool / dex2jar / JD-GUI
ADB scripting
Monkey script
Wireshark
Interface to VirusTotal
Provides a detection name for the sample
Information from Manifest
Run Sample in AVD
Analyze Network Traffic
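What the automated pipeline does for each sample (install, trigger, let it run while the capture is taken, uninstall), written out as an added example in Python; this is not the lab's own automation. It assumes `adb` on PATH and an emulator started beforehand with `emulator -avd <name> -tcpdump run.pcap`, which writes everything the guest sends to run.pcap for Wireshark. The package name and the receiver component come from the decoded manifest; the ones in the usage block at the bottom are placeholders. `run` and `sleep` are injectable so the command sequence can be checked without a device.

```python
"""Drive one sample through an AVD over adb while the emulator records a pcap."""
import subprocess
import time

BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"


def adb(args, run=subprocess.run):
    """Run one adb command and return its stdout; callers inspect the text."""
    proc = run(["adb", *args], capture_output=True, text=True, check=False)
    return proc.stdout


def wait_for_boot(run=subprocess.run, sleep=time.sleep, timeout=180):
    """Poll sys.boot_completed (empty until the guest is up, then "1")."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if adb(["shell", "getprop", "sys.boot_completed"], run).strip() == "1":
            return True
        sleep(2)
    return False


def run_sample(apk, package, receiver=None, monkey_events=0, duration=600,
               run=subprocess.run, sleep=time.sleep):
    """Install, trigger, let the bot talk for `duration` seconds, remove it.

    A bot with no icon or activity (NotCompatible is one) only starts on
    BOOT_COMPLETED. Either reboot the guest, or, when the manifest names the
    receiver, broadcast to it directly; --include-stopped-packages is needed
    because a freshly installed package sits in the stopped state and is
    excluded from broadcasts until something runs it (Android 3.1 and later).
    `monkey_events` > 0 drives the UI of a sample that has one.
    Returns the adb argument vectors that were executed, in order.
    """
    log = []

    def record(cmd, **kw):
        log.append(cmd)
        return run(cmd, **kw)

    adb(["wait-for-device"], record)
    if not wait_for_boot(record, sleep):
        raise RuntimeError("emulator did not finish booting")
    adb(["install", "-r", apk], record)
    listed = adb(["shell", "pm", "list", "packages", package], record)
    if f"package:{package}" not in listed.split():
        raise RuntimeError(f"{package} is not installed; check adb install output")
    if receiver:
        adb(["shell", "am", "broadcast", "--include-stopped-packages",
             "-a", BOOT_COMPLETED, "-n", receiver], record)
    else:
        adb(["reboot"], record)
        adb(["wait-for-device"], record)
        if not wait_for_boot(record, sleep):
            raise RuntimeError("emulator did not come back after reboot")
    if monkey_events:
        adb(["shell", "monkey", "-p", package, "-v", str(monkey_events)], record)
    sleep(duration)                      # C&C connection and heartbeats land in run.pcap
    adb(["uninstall", package], record)  # uninstalling is enough to remove this bot
    return log


if __name__ == "__main__":
    # Placeholder names; take the real ones from the decoded AndroidManifest.xml.
    for cmd in run_sample("update.apk", "com.example.bot",
                          receiver="com.example.bot/.BootReceiver", duration=300):
        print(" ".join(cmd))
```

Open run.pcap in Wireshark afterwards and follow the TCP stream to the configured server; the same script runs against a real phone if the packet capture is taken on the control server instead of by the emulator.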
Manual Demo – NotCompatible Proxy Bot
Disassemble APK
Directory structure created by apktool
Disassembled Dex in Smali format
View Manifest
Permissions
Unzip APK file
Convert to JAR
View the Java source
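The three static steps just listed (unzip the APK, convert to JAR, read the source), and the same steps under Basic Analysis Process earlier, both start with a look at what the zip actually holds. The script below is an added example in Python, not the lab's code, and nothing on this page describes the real contents of update.apk. It uses only the standard library so it runs offline: the APK it inspects is constructed in demo_apk() as a stand-in, and every file name inside it is made up.

```python
"""Static triage of an APK: what is in the zip, before decompiling anything."""
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"          # every classes.dex starts with "dex\n" + version
SIGNER_EXT = (".RSA", ".DSA", ".EC")


def triage(apk_bytes):
    """Inventory an APK's components without executing it.

    Returns a dict with hashes (for VirusTotal lookups and the malware
    database), the pieces the next steps need (manifest, dex, native
    libraries, assets, signing block) and cheap red flags that decide where
    to spend decompile time. Raises ValueError if the input is not a zip.
    """
    if not zipfile.is_zipfile(io.BytesIO(apk_bytes)):
        raise ValueError("not a zip archive, so not an APK")
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = zf.namelist()
    root_dex = sorted(n for n in names if n.endswith(".dex") and "/" not in n)
    report = {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "has_manifest": "AndroidManifest.xml" in names,
        "dex_files": root_dex,
        "dex_sha256": {n: hashlib.sha256(zf.read(n)).hexdigest() for n in root_dex},
        "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
        "assets": sorted(n for n in names if n.startswith("assets/")),
        "signature_files": sorted(n for n in names
                                  if n.startswith("META-INF/") and n.endswith(SIGNER_EXT)),
        "suspicious": [],
    }
    flags = report["suspicious"]
    for n in root_dex:
        if not zf.read(n).startswith(DEX_MAGIC):
            flags.append(f"{n}: bad dex magic (corrupt or disguised)")
    stray_dex = [n for n in names if n.endswith(".dex") and "/" in n]
    if stray_dex:
        flags.append(f"dex outside the root, likely loaded at runtime: {stray_dex}")
    if not report["has_manifest"]:
        flags.append("no AndroidManifest.xml")
    if not report["signature_files"]:
        flags.append("no signing block in META-INF/")
    blobs = [n for n in report["assets"] if n.endswith((".apk", ".jar", ".zip", ".bin", ".dat"))]
    if blobs:
        flags.append(f"opaque blobs in assets/, check for encrypted config or payload: {blobs}")
    return report


def demo_apk(dex=DEX_MAGIC + b"035\0" + b"\0" * 64):
    """Constructed stand-in for a sample; the names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary AXML placeholder>")
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/config.bin", b"\x00" * 32)
        zf.writestr("lib/armeabi/libhelper.so", b"\x7fELF" + b"\0" * 16)
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else demo_apk()
    print(json.dumps(triage(data), indent=2))
```

Run it as `python triage.py update.apk`. The next steps are the tools from the Tools slides: `apktool d update.apk -o update_src` for the manifest, resources and Smali, `d2j-dex2jar.sh update.apk` to produce update-dex2jar.jar, then open that jar in JD-GUI or Luyten. The hashes go to VirusTotal and the malware database.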
Config file is encrypted using AES
C&C Decoder
It can be modified and the APK can be rebuilt using apktool. If you don't like Java, you can look at the Smali code instead.
C&C Decoder
Ping/ Request
C&C packet capture
NotCompatible – Overview
Web Proxy Bot ported from Windows to Android environment.
Allows remote miscreants to anonymously browse the web through the victim’s phone.
Consumes lots of bandwidth: for example, 165MB in two hours over 300K TCP sessions
NotCompatible – Infection
Phishing spam is used to lure the victim to an infected web site.
Web site tells you the browser is “not compatible” and provides an update.
The user downloads and installs update.apk
Malware has no icon or user interface. It is automatically started on BOOT.
You can get rid of the infection by uninstalling the application.
NotCompatible – Operation
Opens an encrypted configuration file containing the address and port number of the server.
The bot connects to the server via TCP.
A sophisticated command and control protocol is then used to multiplex web proxy services over that connection.
This provides an anonymous web browsing service to the bot operator's clients.
NotCompatible – Command & Control
Simple command/response packet format contains both commands and data.
The channel number multiplexes many connections at once.
The ping and pong are used as a heartbeat when there is no proxy work to be done.
Once a proxy request is issued the “raw data” commands are used to transfer the data in either direction.
Packet format:
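The packet-format figure is not on this page, so the frame layout below is a hypothetical one, assumed for this added Python example and not NotCompatible's real byte layout. It keeps the properties the slide does describe: one command byte carrying both commands and data, a channel number for multiplexing, ping/pong as heartbeat, and raw-data commands moving bytes in either direction. The capture it decodes is constructed inline. This is example code, not the lab's C&C decoder.

```python
"""Decode a multiplexed proxy C&C stream and pull out facts a detection rule can use."""
import struct
from collections import Counter

# Hypothetical frame layout, assumed for this example (not NotCompatible's real format):
#   cmd (1 byte) | channel (2 bytes, big-endian) | length (2 bytes) | payload
HEADER = struct.Struct(">BHH")
PING, PONG, OPEN, RAW_UP, RAW_DOWN, CLOSE = 0x01, 0x02, 0x10, 0x11, 0x12, 0x13
NAMES = {PING: "ping", PONG: "pong", OPEN: "open",
         RAW_UP: "raw_up", RAW_DOWN: "raw_down", CLOSE: "close"}
HEARTBEAT = ("ping", "pong")


def frame(cmd, channel=0, payload=b""):
    """Encode one frame (used here only to build the constructed capture)."""
    return HEADER.pack(cmd, channel, len(payload)) + payload


def parse_frames(buf):
    """Split a TCP stream into (name, channel, payload) frames.

    TCP delivers bytes, not messages, so a capture boundary can cut a frame
    in half: the unconsumed tail is returned so the caller can prepend it to
    the next segment. An unknown command aborts, since it means the stream
    is not this protocol (or the layout guess is wrong).
    """
    frames, off = [], 0
    while off + HEADER.size <= len(buf):
        cmd, chan, length = HEADER.unpack_from(buf, off)
        end = off + HEADER.size + length
        if end > len(buf):
            break
        if cmd not in NAMES:
            raise ValueError(f"unknown command 0x{cmd:02x} at offset {off}")
        frames.append((NAMES[cmd], chan, buf[off + HEADER.size:end]))
        off = end
    return frames, buf[off:]


def summarize(frames):
    """Per-stream facts to key a rule on: an idle bot only exchanges ping/pong,
    a bot doing proxy work opens channels and moves raw data both ways."""
    cmds = Counter(name for name, _, _ in frames)
    channels = {chan for name, chan, _ in frames if name not in HEARTBEAT}
    return {
        "frames": len(frames),
        "heartbeats": cmds["ping"] + cmds["pong"],
        "channels": len(channels),
        "bytes_up": sum(len(p) for n, _, p in frames if n == "raw_up"),
        "bytes_down": sum(len(p) for n, _, p in frames if n == "raw_down"),
        "proxying": bool(channels),
    }


def constructed_capture():
    """Made-up session: heartbeat, then two proxied HTTP fetches on two channels."""
    return b"".join([
        frame(PING), frame(PONG),
        frame(OPEN, 1, b"example.com:80"),
        frame(RAW_UP, 1, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        frame(RAW_DOWN, 1, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
        frame(OPEN, 2, b"example.net:80"),
        frame(RAW_UP, 2, b"GET /a HTTP/1.1\r\nHost: example.net\r\n\r\n"),
        frame(RAW_DOWN, 2, b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
        frame(CLOSE, 1), frame(CLOSE, 2),
        frame(PING), frame(PONG),
    ])


if __name__ == "__main__":
    decoded, rest = parse_frames(constructed_capture())
    for name, chan, payload in decoded:
        print(f"{name:9s} ch={chan} {payload[:40]!r}")
    print(summarize(decoded), "unparsed tail:", len(rest))
```

Replacing the frame constants and HEADER with the layout recovered from the decompiled source turns this into a decoder for the real stream; the summary fields (heartbeat-only sessions, number of channels, bytes relayed) are what a behavioral traffic rule keys on, and the partial-frame handling matters because Wireshark exports rarely start on a frame boundary.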
NotCompatible – Uses & Impact
Anonymous Web Browsing Service
Providing Access to Restricted Foreign Content
Ad-Click Fraud
Web Site Optimization Fraud
APT Probing and Exfiltration
One user from Finland, roaming in the US, used over 165 MBytes in less than two hours of airtime.
In the lab it averages 100 MBytes per hour.
Causes huge data bills
Caused the battery to run down quickly
Who knows what sites your phone is visiting!!!
Android malware analysis enables you to:
Know what the malware does
Understand the threat level
Detect and remediate the infection
You should now know:
What tools are required
How to set up the network environment
How to use the tools
Email: Twitter: @KevMcNamee
Questions?