Automated Remote Repair for Mobile Malware


Automated Remote Repair for
Mobile Malware
Yacin Nadji, Jonathon Giffin,
Patrick Traynor
Georgia Institute of Technology
ACSAC’ 11
Outline
• Introduction
• Related Work
• Mobile Malware
• Airmid Architecture
• Implementation
• Discussion
• Conclusion
Introduction
• 70000 new mobile malware samples per day
Introduction
• Cellular providers will not be able to rely solely
upon the rapid identification and removal of
malware by mobile market operators
Introduction
• A system for automated detection of and
response to malicious software infections on
handheld mobile devices – Airmid
• Airmid: the goddess of healing
Introduction
• We developed laboratory samples of mobile
malware
▫ Leak private data
▫ Dial premium numbers
▫ Participate in botnet activity
And…
▫ Detect the presence of an emulated environment
▫ Change their behavior, create hidden background
process, scrub logs, and restart on reboot
Introduction
• Contribution
▫ Identification of current remediation shortcomings
▫ Design and implementation of advanced prototype
malware
▫ Cooperatively neutralize malware on infected
mobile phones
Related Work
• Traynor et al. On Cellular Botnets: Measuring
the Impact of Malicious Devices on a Cellular
Network Core
• Xu et al. Stealthy Video Capturer: A New Video-based Spyware in 3G Smartphones
• TaintDroid
• PiOS
Mobile Malware
• In the wild…
▫ Privilege escalation to root (DroidDream)
▫ Bots (Drad.A)
▫ Data exfiltration (DroidKungFu, StreamyScr.A)
▫ Backdoor triggered via SMS (Bgyoulu.A)
• Jailbroken iPhone
▫ iKee.B Bot
Mobile Malware
• Deficiencies of marketplaces:
▫ Malware authors can write their apps with logic to
evade detection of analysis
▫ The Android platform allows users to install apps
from third-party marketplaces
Mobile Malware
• Enhanced prototype malware
▫ Loudmouth
▪ A Twitter client that leaks private data
▫ 2Faced
▪ A Facebook client sync app that dials premium numbers
▫ Thor
▪ A mobile bot
Mobile Malware
• Loudmouth
▫ Malicious mobile functionality
▪ Data exfiltration
▫ Evasive functionality
▪ Malware analysis environment detection
▫ Benign host app
▪ Twitter client
Mobile Malware
• 2Faced
▫ Malicious mobile functionality
▪ Premium number dialer
▫ Evasive functionality
▪ Log sanitization and a hidden native process
▫ Benign host app
▪ Facebook sync
Mobile Malware
• Thor
▫ Malicious mobile functionality
▪ Bot client
▫ Evasive functionality
▪ Persistence across reboot
▫ Benign host app
▪ Weather display
Mobile Malware
• Permissions use:
Architecture
• Threat model
▫ Install malware via a variety of usual mechanisms
▪ Drive-by downloads or automated propagation
▪ Distribution on marketplaces
▫ Attackers can subvert the correct execution of a benign app
▪ Exploiting a security defect in the app’s design
Architecture
• Assume…
▫ A protected software layer on the device lower than the level at which the malware executes
▪ Kernel (if kernel-level malware can be prevented)
▪ Hypervisor (if virtualized environments can be created on a mobile device)
▫ A communication channel between the network and each device
▫ Detectable malicious behavior in the network
Architecture
• Remote repair
Architecture
• Side-effects:
▫ Process termination
▫ On-device traffic filtering
▫ App update
▫ Device update
▫ File removal
▫ Factory reset
Architecture
• Authenticated communication
▫ [UMTS Security Wiki]
▫ [REF]
▫ [SPEC]
▫ [AKA Mechanism RFC]
Implementation
• Hardware
▫ HTC Dream with Android 1.6
Implementation
• Network component
▫ Snort
▫ Airmid server, built with the Python packet-creation library Scapy
Implementation
• Device component
▫ A modified Linux kernel 2.6.29
▫ Disable dynamically loaded kernel modules
▫ 1200 lines of C
Implementation
• Infection provenance
Implementation
• Infection provenance
Implementation
• Remediation strategies
▫ Block the malicious traffic
▫ Termination of process
▫ Removal of the apk owned by the UID
▫ Removal of all files owned by the UID
▫ UID < 10000 → system user ID
▪ Only block the malicious traffic
▫ UID ≥ 10000
▪ Terminate & remove
▫ Any native ARM processes?
▪ If yes → full scan!
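The remediation policy above, as an added Python example that is not part of the original slides or of the Airmid code: it models the device component's flow-to-process attribution with a constructed local-port table and returns the ordered remediation actions for one IDS alert. All PIDs, UIDs, package paths, ports and addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Android convention the slides rely on: UIDs below 10000 are system users, UIDs at or above 10000 belong to installed apps.
APP_UID_START = 10000

@dataclass
class Proc:
    pid: int
    uid: int
    apk: Optional[str]   # package the process belongs to; None for system daemons
    native_arm: bool     # True for a native ARM binary running outside Dalvik

@dataclass
class Alert:
    src_port: int        # constructed stand-in for a Snort alert on a flow leaving the device
    dst_ip: str
    dst_port: int

def attribute(alert: Alert, sockets: Dict[int, int], procs: Dict[int, Proc]) -> Optional[Proc]:
    """Infection provenance: map the flagged flow back to its owning process.
    `sockets` is a constructed local-port -> pid table standing in for the kernel-side bookkeeping."""
    pid = sockets.get(alert.src_port)
    return procs.get(pid) if pid is not None else None

def remediate(alert: Alert, sockets: Dict[int, int], procs: Dict[int, Proc]) -> List[str]:
    """Apply the slides' remediation policy and return the ordered actions."""
    actions = [f"filter {alert.dst_ip}:{alert.dst_port}"]   # always block the flow
    proc = attribute(alert, sockets, procs)
    if proc is None or proc.uid < APP_UID_START:
        return actions   # system UID (or unattributed): filter only, never kill or delete
    actions += [f"kill pid {proc.pid}",
                f"remove apk {proc.apk}",
                f"remove files owned by uid {proc.uid}"]
    # A native ARM process under the same UID means work is hidden outside the
    # Dalvik app (as 2Faced does), so escalate to a full scan of the device.
    if any(p.native_arm and p.uid == proc.uid for p in procs.values()):
        actions.append("full scan")
    return actions

# Constructed sample state: a system daemon, 2Faced with its hidden native helper, and a benign app.
SAMPLE_PROCS = {
    1000: Proc(1000, 1001, None, False),
    2000: Proc(2000, 10042, "/data/app/2faced.apk", False),
    2001: Proc(2001, 10042, "/data/app/2faced.apk", True),
    2002: Proc(2002, 10043, "/data/app/notes.apk", False),
}
SAMPLE_SOCKETS = {40001: 1000, 40002: 2000, 40003: 2002}
```

Call `remediate(Alert(40002, "203.0.113.7", 443), SAMPLE_SOCKETS, SAMPLE_PROCS)` to see the escalation path taken for the app with a native helper.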
Implementation
• Performance evaluation
Discussion
• Airmid control
▫ Some may not trust a cellular network provider
▫ Airmid is not a “one size fits all” solution
▫ Proxied via VPN
▫ Roaming?
▫ Relying on IDS
Discussion
• Device hardening
▫ Disable LKM
▫ Virtualization?
▪ L4Android