Websense SecurityLabs

Agenda
1. Goal & Objectives
2. Services in the Cloud
3. Tracker Web Portal
4. Next Step / To Do

Goal & Objectives
• Crawl and build an Android app repository
• Profile Android apps
• Create databases for apps and their associated data
• Auto-classification of Android apps

Analytic Workflow
(workflow diagram; no text recovered)

Cloud Services
1. APK Crawler & Parser
2. Static Profile (Security Classifier)
3. Dynamic Profile (On-line Emulator)

Apps Crawler
Market auto-crawling:
• Google Play (Eng.)
• SlideME (Eng.)
• Gfan (Chinese)
• GoAPK (Chinese)
• Mumayi (Chinese)
(diagram labels: Crawler, real-life web request stats (GEO IP), .apk, ThreatSeeker)

.APK Parser
3rd-party parsing tools:
• Apktool: decodes resources from APK files, such as AndroidManifest.xml and classes.dex
• Dex2jar: reads the embedded .dex file from an APK and generates a .jar file
In-house scripts:
• Parsing automation
• Database insert

APK Profile
• Security Classifier
• Dynamic Profile
  – Auto APK runner
  – Interactive emulator

Security Classifier
Objective:
• Create a classifier for malicious Android app detection
• A static analysis approach
• A machine learning approach
Data training:
• MySQL queries retrieve the raw data from the AppTracker database
• Analytic features are converted to binary vectors
The R code components:
• Preprocessing: convert variables into factor variables or numeric variables as appropriate
• Load the R randomForest library
Prediction:
• Import the R environment
• Load the R model, read in the input (test case) and write out the output (classification response)

R Module
• Environment for statistical data analysis, inference and visualization
• Ports for Unix, Windows and Mac OS X
• Highly extensible through user-defined functions
• Generic functions and conventions for standard operations like plot, predict, etc.
• >1200 add-on packages contributed by developers from all over the world, e.g. multivariate statistics, machine learning, natural language processing, bioinformatics (Bioconductor), SNA, ...
• Interfaces to C, C++, Fortran, Java

Analytic Results
(chart: classifier confidence at thresholds 0.5, 0.6, 0.7, 0.8, 0.9)

Dynamic Profile: How It Works
Steps:
1. Load the emulator
2. Install and run the APK file
3. Collect the system output into a profile
4. Show it on the web portal

Run APK
• emulator -avd avdname -no-snapshot-save
• adb install apkfile
• aapt dump badging apkfile
• adb shell am start -n packagename/mainActivity

Auto Input
• adb shell input keyevent "value"
  key codes: 7 = KEYCODE_0 ... 16 = KEYCODE_9, 29 = KEYCODE_A ... 54 = KEYCODE_Z
• adb shell sendevent [device] [type] [code] [value]
  example:
  adb shell sendevent /dev/input/event0 3 0 40
  adb shell sendevent /dev/input/event0 3 1 210    // touch screen (x=40, y=210)

Monkey
"The Monkey is a command-line tool that you can run on any emulator instance or on a device. It sends a pseudo-random stream of user events into the system, which acts as a stress test on the application software you are developing."
adb shell monkey -p package.name -v 500

Network Monitoring
adb shell tcpdump -v 'tcp port 80 and (((ip[2:2]-((ip[0]&0xf)<<2))-((tcp[12]&0xf0)>>2))!=0)'
(the filter keeps only TCP segments on port 80 that carry payload: IP total length minus IP header length minus TCP header length is non-zero)

SMS & Call
adb logcat -b radio -s "AT:*"
• AT commands
• PDU SMS messages
Decode '0001000a81016681859200000539590c1b03':
• Suspicious number '1066185829'
• Message '@9@2@'

Interactive Emulator
Browser-based, for end users
Example: 50 users have tested this app, average time 3 minutes per user
• Suspicious SMS found
• No phone call made
• 1 active network access

App Tracker
Front page for users:
• Web portal support
• Top 20 profiles: malware vs. benign
• Real-time crawler status
• Real-time virus status report
• Built-in app emulation
Back end in the cloud:
• ThreatSeeker service
• Automatic static data analysis
• Dynamic profile support

Demo Time
• Security Classifier POC
• Web Portal Framework

Mobile Solution
ThreatSeeker Cloud real-time analytics:
• Advance Detection (AR) result > Mobile Malware
Triton classifications:
• Mobile Malware
• Unauthorized Mobile Marketplaces

Next Step
• Hierarchy Viewer automation?
• Robotium?

Robotium Limitation
• Activity
• Service
• Broadcast Receiver
• Content Provider
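The .APK Parser and Security Classifier slides describe the static profile: Apktool decodes AndroidManifest.xml, in-house scripts parse it, and the analytic features are turned into binary vectors for the random-forest model. The following is an added example of that conversion step, not the deck's own scripts; the feature vocabulary, the sample manifest and the derived "high-priority SMS receiver" feature are all constructed for illustration.

```python
"""Static profile: decoded AndroidManifest.xml -> binary feature vector.

Added example (not Websense code). The vocabulary below is a constructed
subset of the permissions and intent actions that the SMS & Call and
Network Monitoring slides care about.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PRIORITY_ATTR = "{%s}priority" % ANDROID_NS
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed feature vocabulary; column order is fixed so every app maps
# onto the same vector layout the classifier was trained on.
FEATURES = [
    "perm:android.permission.SEND_SMS",
    "perm:android.permission.RECEIVE_SMS",
    "perm:android.permission.CALL_PHONE",
    "perm:android.permission.INTERNET",
    "perm:android.permission.READ_PHONE_STATE",
    "action:" + SMS_RECEIVED,
    "action:android.intent.action.BOOT_COMPLETED",
    "derived:high_priority_sms_receiver",
]

# Constructed manifest in the decoded form apktool writes out.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def extract_features(manifest_xml):
    """Return the set of feature names present in a decoded manifest."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    found = set()
    for perm in root.iter("uses-permission"):
        found.add("perm:" + perm.get(NAME_ATTR, ""))
    for action in root.iter("action"):
        found.add("action:" + action.get(NAME_ATTR, ""))
    # Derived feature: a receiver that registers for SMS_RECEIVED with an
    # explicit priority is ordered ahead of the default messaging app, a
    # pattern worth flagging for SMS-abusing apps.
    for receiver in root.iter("receiver"):
        for filt in receiver.iter("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in filt.iter("action")}
            if SMS_RECEIVED in actions and filt.get(PRIORITY_ATTR):
                found.add("derived:high_priority_sms_receiver")
    return found


def to_binary_vector(found, vocabulary=FEATURES):
    """Map a feature set onto the fixed vocabulary as a 0/1 vector."""
    return [1 if feature in found else 0 for feature in vocabulary]


if __name__ == "__main__":
    vector = to_binary_vector(extract_features(SAMPLE_MANIFEST))
    for name, bit in zip(FEATURES, vector):
        print("%d  %s" % (bit, name))
```

Each row of the training set is one such vector plus the label from the AppTracker database; the same function produces the vector for a new APK at prediction time, so the columns line up with the model.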
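The Run APK, Monkey, Network Monitoring and SMS & Call slides list the commands of the auto APK runner but leave out the glue between them: the package name and launchable activity that `adb shell am start -n` needs come from parsing `aapt dump badging`. The following is an added example of that glue, not the deck's runner; the badging sample is constructed, and the AVD name and event count are placeholders.

```python
"""Dynamic profile runner glue: aapt badging -> adb command sequence.

Added example (not Websense code). parse_badging() and the command
builders are pure functions so they can be checked without a device;
run_profile() at the bottom actually executes them via subprocess.
"""
import re
import subprocess

# Constructed `aapt dump badging` output for a hypothetical sample APK.
BADGING_SAMPLE = """package: name='com.example.sample' versionCode='1' versionName='1.0'
sdkVersion:'8'
uses-permission:'android.permission.SEND_SMS'
uses-permission:'android.permission.INTERNET'
application-label:'Sample'
launchable-activity: name='com.example.sample.MainActivity'  label='Sample' icon=''
"""

# Filter from the Network Monitoring slide: port-80 TCP segments with payload.
TCPDUMP_FILTER = "tcp port 80 and (((ip[2:2]-((ip[0]&0xf)<<2))-((tcp[12]&0xf0)>>2))!=0)"


def parse_badging(text):
    """Pull package name and launchable activity out of aapt badging output."""
    pkg = re.search(r"^package: name='([^']+)'", text, re.M)
    act = re.search(r"^launchable-activity: name='([^']+)'", text, re.M)
    if not pkg or not act:
        raise ValueError("badging output lacks package or launchable-activity")
    return pkg.group(1), act.group(1)


def launch_component(package, activity):
    """Build the package/activity argument for `am start -n`."""
    if activity.startswith("."):          # relative class name in the manifest
        activity = package + activity
    return "%s/%s" % (package, activity)


def profile_commands(apk_path, package, activity, avd="avdname", events=500):
    """The foreground steps from the Run APK and Monkey slides, as argv lists."""
    return [
        ["emulator", "-avd", avd, "-no-snapshot-save"],
        ["adb", "wait-for-device"],
        ["adb", "install", apk_path],
        ["adb", "shell", "am", "start", "-n", launch_component(package, activity)],
        ["adb", "shell", "monkey", "-p", package, "-v", str(events)],
    ]


def monitor_commands():
    """Background captures from the Network Monitoring and SMS & Call slides.
    The tcpdump line is passed as one shell string so the filter reaches
    tcpdump on the emulator intact."""
    return [
        ["adb", "shell", "tcpdump -v '%s'" % TCPDUMP_FILTER],
        ["adb", "logcat", "-b", "radio", "-s", "AT:*"],
    ]


def run_profile(apk_path, avd="avdname"):
    """Execute the sequence for real (requires emulator, adb and aapt on PATH)."""
    badging = subprocess.check_output(["aapt", "dump", "badging", apk_path]).decode()
    package, activity = parse_badging(badging)
    emulator, wait, install, start, monkey = profile_commands(apk_path, package, activity, avd)
    subprocess.Popen(emulator)            # emulator keeps running in the background
    subprocess.check_call(wait)
    subprocess.check_call(install)
    monitors = [subprocess.Popen(cmd, stdout=open("%s.%d.log" % (apk_path, i), "wb"))
                for i, cmd in enumerate(monitor_commands())]
    subprocess.check_call(start)
    subprocess.check_call(monkey)
    for proc in monitors:
        proc.terminate()


if __name__ == "__main__":
    import sys
    run_profile(sys.argv[1] if len(sys.argv) > 1 else "sample.apk")
```

Keeping the command builders separate from `run_profile()` is what lets the runner be tested on a build box with no emulator, and it keeps the device-side quoting of the tcpdump filter in one place.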
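The SMS & Call slide watches the radio log for AT commands and decodes the PDU of an outgoing SMS-SUBMIT to recover the destination number. The following is an added example of that decoding, not the deck's tool: it scans constructed `logcat -b radio` lines for an `AT+CMGS` followed by a hex PDU, then parses the SMS-SUBMIT layout (SMSC length, first octet, message reference, destination address, PID, DCS, optional validity period, user data) and unpacks the GSM 03.38 7-bit alphabet. The number it recovers matches the slide's '1066185829'; the text field is whatever standard septet unpacking yields for those five septets. The log line format is constructed and UDH-bearing messages are not handled.

```python
"""SMS-SUBMIT PDU decoder driven from radio logcat lines.

Added example (not Websense code). The radio log sample is constructed;
the PDU is the one shown on the SMS & Call slide.
"""
import re

# GSM 03.38 default alphabet, 128 entries indexed by septet value.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)

# Constructed radio log excerpt (the exact reference-ril tag spacing may differ).
RADIO_LOG_SAMPLE = """D/AT      (   31): AT> AT+CMGS=17
D/AT      (   31): AT< >
D/AT      (   31): AT> 0001000a81016681859200000539590c1b03
D/AT      (   31): AT< +CMGS: 1
"""


def _swap_nibbles(hexdigits):
    """Semi-octet address digits are stored low nibble first."""
    return "".join(hexdigits[i + 1] + hexdigits[i] for i in range(0, len(hexdigits), 2))


def unpack_septets(data, count):
    """Unpack `count` 7-bit values packed LSB-first into `data`."""
    out, acc, bits = [], 0, 0
    for byte in data:
        acc |= byte << bits
        bits += 8
        while bits >= 7 and len(out) < count:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    return out


def decode_submit_pdu(pdu_hex):
    """Decode an SMS-SUBMIT PDU into destination number and message text."""
    raw = bytes.fromhex(pdu_hex)
    pos = 0
    smsc_len = raw[pos]
    pos += 1 + smsc_len                      # skip SMSC address if one is present
    first = raw[pos]
    pos += 1
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    pos += 1                                 # TP-MR
    da_digits = raw[pos]
    toa = raw[pos + 1]
    pos += 2
    da_bytes = (da_digits + 1) // 2
    number = _swap_nibbles(raw[pos:pos + da_bytes].hex())[:da_digits]  # drops 'f' pad
    pos += da_bytes
    if toa & 0x70 == 0x10:                   # international number
        number = "+" + number
    pos += 1                                 # TP-PID
    dcs = raw[pos]
    pos += 1
    vpf = (first >> 3) & 0x03                # validity period format
    pos += {0: 0, 1: 7, 2: 1, 3: 7}[vpf]
    udl = raw[pos]
    pos += 1
    user_data = raw[pos:]
    if dcs & 0x0C == 0x00:                   # GSM 7-bit default alphabet
        text = "".join(GSM7_BASIC[s] for s in unpack_septets(user_data, udl))
    elif dcs & 0x0C == 0x08:                 # UCS-2
        text = user_data[:udl].decode("utf-16-be")
    else:                                    # 8-bit data: leave as hex
        text = user_data[:udl].hex()
    return {"number": number, "text": text, "udhi": bool(first & 0x40)}


def find_sms_submits(logcat_text):
    """Decode every AT+CMGS PDU the emulator's RIL wrote to the radio log."""
    hits, expect_pdu = [], False
    for line in logcat_text.splitlines():
        match = re.search(r"AT> (.*)$", line)
        if not match:
            continue
        payload = match.group(1).strip()
        if payload.upper().startswith("AT+CMGS="):
            expect_pdu = True
        elif expect_pdu and re.fullmatch(r"[0-9A-Fa-f]+", payload):
            hits.append(decode_submit_pdu(payload))
            expect_pdu = False
    return hits


if __name__ == "__main__":
    for sms in find_sms_submits(RADIO_LOG_SAMPLE):
        print("SMS to %s: %r" % (sms["number"], sms["text"]))
```

In the profile, every decoded destination is recorded with the app; a short-code destination that the app never showed the user is exactly the "suspicious SMS found" signal the Interactive Emulator slide reports.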