Wild mobile malware detection

Smartphones are increasingly penetrating our lives, for many people they have become an indispensable everyday companion. These gadgets give us a connection with other people and entertain us. We trust them with more and more confidential and personal information, and therefore it is not surprising that attackers are paying more and more attention to the mobile segment. Since 2004, when Kaspersky Lab discovered the first network mobile worm Cabir, more and more new malware samples appear annually. Accordingly, the development of malware detection methods “in the wild”, that is, in mobile app stores, is becoming increasingly relevant.

What is malware?

Malicious software (malware) is called an application designed to commit all kinds of illegal actions. This includes viruses, botnets, worms, trojans, etc. Today, malware is very widely used for profit in all kinds of ways, from theft of bank accounts to direct extortion. And in this shadow business a lot of money is spinning, which attracts more and more new participants.

Malware detection technologies in "large" operating systems are already quite diverse and highly effective. However, the mobile segment in the information security industry is still in its infancy.

In addition to malware, two other categories of threats for mobile devices should be mentioned - spyware (spyware) and conditional malware (grayware). Spyware applications secretly from the user collect information about his movements, SMS correspondence, call history, etc. In the strict sense, if spyware does not send the information collected somewhere, then it cannot be called illegal. But the fact of installing such an application without the user's knowledge cannot be called ethical.

Conditionally malicious software is much more harmless than “classic”, but at the same time quite annoying. For example, a program belonging to such a class can change system fonts or their color, or produce all kinds of ridiculous and mocking messages. In general, by analogy with human society, conditionally malicious software is a petty bully, a dirty trick. We can say that grayware is on the verge of legality: authors usually do not hide their intentions and describe the functionality of their software, but users usually click the “Agree” button without reading the terms of the license agreement.

Many security professionals prefer to classify malware based on behavioral patterns and the motivation of their authors. The following are the most important views:

• Offering users all kinds of news and entertainment. Typically, such software is designed to entertain the author himself and demonstrate his skills, mainly through meaningless destructive actions on the victim’s device. Example: Android.Walkinwat
• Trading user information. Such applications secretly collect data about the user's location, installed applications, download history and the contents of the contact list. There is a steady demand for this information from advertisers and marketers. Example: DroidDreamLight
• Stealing financial information. Most often these are accounts for bank accounts. Text messages are intercepted, all pressed buttons are recorded, phishing attacks are applied. Example: Ikee.B
• Manipulating the delivery of various content. Such software is intended for making personal calls and sending SMS with offers of technical support, exchange reports, intimate services, etc. Example: FakePlayer
• Sending SMS spam. The victim’s number starts sending spam, which usually contains advertisements and phishing links. Example: Geinimi
• Manipulating search results. Various sites are artificially raised in search results. Example: Hong Tou Tou

Methods for detecting malware

Each of the existing methods for determining mobile malware has its own advantages and disadvantages.

Static code analysis
This is a quick and inexpensive way. It consists in searching for malicious characteristics or suspicious pieces of code without launching the application. The techniques described below are widely used for preliminary analysis, when you need to first check a suspicious application for the most obvious malicious functionality.



The first two branches are typical for determining malware in Symbian OS and iOS, so we will omit its description. We are interested in the third branch of the scheme, which describes the algorithm of actions for Android. Using a decompilerapplication source code is generated. Then it is subjected to static analysis with tools from the Fortify SCA software package . The disadvantages of this technique include the fact that in general it is only suitable for analyzing applications with a relatively small number of access rights and API calls.

Dynamic code analysis
Unlike static code analysis , dynamic analysis involves application execution in an isolated environment. For example, inside a virtual machine or emulator so that you can track the behavior of the application. Most often, dynamic analysis is used when tracing system calls or taint tracking.

For dynamic system-wide taint analysis, you can use the TaintDroid tool. The illustration below shows how an application is first sent to a virtual machine, where it is evaluated at four levels: variables, methods, messages, and files. During taint tracking, any data requests from the geolocation module, microphone, camera, etc. This method implies that all native libraries are called only from the virtual machine, and not directly. Finally, dynamic analysis identifies potential data leaks before information is transferred from the system to the network interface.



Testing of many popular Android applications from third-party developers showed that a significant number of them send information about the location of users to advertising firms. Some even send telephone identifiers to remote servers. However, TaintDroid can produce both false negative and false positive analysis results. Moreover, this toolkit allows you to analyze only one type of vulnerability - data streams.

The second part of the illustration presents a two-stage analysis system for Android applications using the sandbox (AASandbox). In it, binary files are first disassembled, and in the resulting codeSearch for specific patterns. Then, during the dynamic analysis, the application is executed in the Android emulator, and all system calls are recorded in the log. If it is not possible to take real input data generated by users, then you can use the Android Monkey tool (ADB Monkey).

Analysis of application access rights
In mobile applications, access rights play a key role: they show the user the intent of the application and the activity of the backend. In smartphones, access rights are set explicitly, so application authors must also explicitly request them. However, some people intentionally hide the rights used by the application, which leads to vulnerabilities.

Below is a diagram of the work of the tool for analyzing the access rights of Android applications, Kirin. During the installation of the application under study, it retrieves the security settings and compares them with the existing security policy. If the application fails verification, then Kirin warns the user, or even deletes the application.



Example Kirin security policy:

An application must not have PHONE_STATE,RECORD_AUDIO, and INTERNET permission labels’

This rule prevents the application from recording audio or accessing the Internet while the user is talking on the phone. This avoids wiretapping.

2011 research100 paid and 856 free Android applications showed that about 93% of free and 82% of paid ones request at least one potentially dangerous access right. Among them, the most common was a request for access to the network, even if the purpose of the application did not imply its use.

The disadvantages of Kirin include the fact that the analysis of requests for rights is not enough to detect malware, it is an auxiliary tool that must be used simultaneously with static or dynamic code analysis.

Cloud Services Analysis
Obviously, the smartphone will not be able to fully analyze suspicious applications due to the limited resources of the device itself. A simple file scan will take a lot of time and “eat” a noticeable fraction of the battery charge. One way to solve this problem is through cloud analysis.

The following illustration shows how Paranoid Android, a cloud-based anti-malware service, works. The advantage is obvious - all computational and analytical operations are carried out not on the user device, but in emulators on remote servers. Only a tracer works on the smartphone, which records all the information necessary for the analysis of the operation of the application. Then the tracer sends data to the cloud emulator. It can perform several different checks, including dynamic analysis, memory scanning, detection of suspicious system calls, and anti-virus scanning.



Paranoid Android uses a proxy to temporarily store incoming traffic, which saves the battery power of the smartphone and does not send the same data to the server. He can directly turn to the proxy and get the necessary data to emulate the analyzed application. Nevertheless, the use of RA for the analysis of "heavy" applications still significantly increases energy consumption and CPU load. And since the tracer operates in a user environment, system calls load the processor much more heavily than native code execution. By convention, the read () system call trace takes 0.7 milliseconds in the user environment, and 0.1 in the kernel.

The right half of the previous illustration shows a diagram of the operation of Crowdroid, a tool for analyzing application behavior. This is a lightweight client application that monitors system calls initiated by the observed application, pre-processes them and sends them to the cloud. And there, with the help of clustering, it determines whether the application is malicious or not. Unfortunately, Crowdroid has false positive results if there is very little data to analyze.

Battery Consumption Monitoring
A higher energy consumption compared to analogs when running an application may be an indirect evidence of harmfulness. Of course, this works if user behavior, battery status, signal strength, amount of network traffic and other parameters are well known.

Mobile Malware Protection Tips
Given the limited computing and energy resources of smartphones, we can assume that in the future the protective functionality will be mainly represented by cloud services. With the development of NFC-based payment systems, one can also expect the appearance of malware aimed specifically at stealing payment data through this channel. Surely there will be attempts to get bank card details using reverse engineering applications for payments through NFC. Such threats must be prevented in advance, for example, by using strong encryption and allowing a limited number of developers to create payment software.

But despite the development of tools to detect malware and protect their devices, it is best to avoid infection and its consequences. After all, our own negligence and lack of caution can lead to very disastrous results. Therefore, it is better to follow the tips below:

• Install a good security application that protects against attacks and alerts you when suspicious activity is detected.
• Download applications only from trusted sources.
• Before installing, it is better to read reviews and see the rating, even if you have heard a lot of good things about the author of the application.
• Always carefully read the list of requested permissions. If you have any suspicions, it is better to refuse the installation. You can also leave a comment that will alert other users.
• If you do not currently need Wi-Fi, Bluetooth, or other wireless modules, turn them off. It will be safer and the battery will last longer. Be careful when connecting to public access points: activate the firewall in advance, disable file sharing and use SSL or VPN.
• Regularly update used applications, as well as smartphone firmware.
• Use encryption to store all important data stored on your smartphone. Also do not forget to make regular backups. Make sure that critical information is not cached anywhere.
• Wherever possible, set passwords to access important files and applications.
• Do not follow suspicious or untrusted links. If you still really need it, then it’s better to type the address manually, rather than copy and paste into the browser. This will protect against shadow boot attacks.
• Regularly monitor battery consumption, sent SMS and call log. Any oddities should be regarded as a reason to check the entire system, especially recently installed applications.
• And finally, if the smartphone was lost or stolen, remotely erase all applications, contacts and confidential information. Also lock the device itself.

In general, it is highly unlikely that truly serious malware will be evaluated falsely positively. So following the above tips will certainly protect you from various troubles, be vigilant and careful in the vastness of the network. We, in turn, are preparing various solutions for the information protection of our smartphones, read about this in one of the next publications.