Wednesday, September 9, 2015

Mobile malware steroid: Android evasion techniques – We Live Security (blog)

The mobile security landscape suggests steady progress in the complex mobile malicious code, including those aimed at compromising especially families devices Android stand . And we discussed some time ago about the high incidence of the Trojans in the world of malware for this platform, presenting possible scenarios of evolution.

Let us now, plus obfuscation, what techniques are most used by cyber criminals to protect their creations in their eagerness to complicate the analysis to security professionals, in order to prepare for quick identification.

anti-emulation

As expected, Android emulators have some unique attributes that distinguish them from real devices. In particular, some attributes belonging to the class Build OS denote the string “ SDK ‘, which allow cybercriminals know they are acting in an emulated environment and thus evade execution of the real malicious activity

.  public boolean checkEmulation ()         return (Build.PRODUCT.contains ("SDK") || Build.MODEL.contains ("SDK"));  }  

The properties of the operating system can also be analyzed in order to identify emulation. Through the android.os.SystemProperties class properties that can be accessed by reflection, if a cybercriminal finds the ro.hardware saves the string " goldfish " that ro.product.device " generic ', or ro.kernel.qemu is set to 1 , then you know that is in an emulated environment

  public boolean checkEmulation () {         Context context = getApplicationContext ();         if ("goldfish" .equals (getProperty (context, "ro.hardware")) // where getProperty method is responsible for reflection                 || "Generic" .equals (getProperty (context, "ro.product.device"))                || "1" .equals (getProperty (context, "ro.kernel.qemu"))         ) {                return true;         }         return false;  }  

As you can imagine, the functions that make communication with the telephone operator also mutate to work on the emulator. Methods getSimOperatorName () and getNetworkOperatorName () of the class TelephonyManager return the string " Android "if the application runs on an emulator

  public boolean checkEmulation () {         TelephonyManager mng = (TelephonyManager) getApplicationContext () getSystemService ("phone.");         if (mng.getSimOperatorName (). equals ("Android") || mng.getNetworkOperatorName (). equals  ("Android")) {                return true;         }         return false;  }  

Of course, there are many other ways to detect emulation. For example, if the file / proc / cpuinfo contains the text " Goldfish " if there are files like /init.goldfish.rc or / sys / qemu_trace , or the devil qemu ( qemud ) running between system processes, execution of the application is detected could be altered to evade detection.

Antidebugging

Just as with executable compiled for other platforms, the easiest way to assess if the application being debugged is using the class android.os . .debug system and invoke the method isDebuggerConnected ()

  public boolean checkDebugging () {         if (Debug.isDebuggerConnected ()) {                 return true;         }         return false;  }  

Two other methods provided in this class that can help detect debugging are waitForDebugger () and waitingForDebugger () , because this way you can handle one thread to alert immediately after the debugger was attached.

Of course there are obfuscated packages provide these and other features in combination creators of malware , so that one need not worry about using these features. Packages as described can be observed in samples as Android / Secmider.B .

It is also possible to detect debuggers through the method Debug.threadCpuTimeNanos () . The procedure is to invoke such a method and store the result; then perform some CPU intensive operation; invoking the method again and calculate the difference: if the range is greater than expected in a run in native mode, this suggests the presence of a debugger. However, this method can cause errors to a high processing load on the system.

AntiAV

Among the techniques of malicious code protection implemented by cybercriminals, it is common effort by skip protection provided by security solutions installed on the devices.

The easiest way to notice the presence of these tools in the detection system is the appropriate package by denomination. So, we have signs like Android / Jagonca.C and Android / Jagonca.D , which after winning administrator permissions on the system run through a list of active processes and try destroy that correspond to those packages known safe houses.

  img_av  

Ultimately, if ever these techniques do not provide results always subtract the possibility to leave the odd message from the dark side.

 img_1

AntiLVL

To check the licensing of developed applications, Android provides a mechanism known as License Verification Library ( LVL ). This allows application developers a license check to determine access to their use. Such protection can be violated by cybercriminals to alter adding genuine issues illicit content and then redistribute them through unofficial markets.

This is the case of the above firm, Android / Secmider.B . In this package we are added, obfuscated, designed to overwrite the license of a particular application through the use of reflection for hooks responsible methods of obtaining data as the device ID or signature.

img_2

avoid this type of attack it is advisable to create custom policies and work to create robust protection schemes.

How do these techniques affect us?

It is a fact that malicious code samples have increasing mechanisms for analysis evasion Android. It is important to understand that, in the not too distant future, the understanding of these and other techniques will be key to the detection of malware and study its behavior.

analisis_de_malware

Image Credits: © Jenn and Tony Bot / Flickr

Author Denise Giusto Bilić, We Live Security

LikeTweet

No comments:

Post a Comment