TREND MICRO - Securing Your Journey to the Cloud

APK File Infection on Android System
Bob Pan, Mobile Security Research Engineer
July 27, 2012

Who is Bob?
dex2jar: tools to work with Android .dex and Java .class files

Industry Trends
Malware increasing on "App Stores"

[News clipping, Computerworld] Google throws 'kill switch' on Android phones
Automatically deletes more than 50 malware-infected apps downloaded by users
By Gregg Keizer, March 7, 2011 02:24 PM ET

Computerworld - For only the second time, Google last weekend remotely deleted Android apps from users' phones. Google made the move to erase malware-infected applications that users had downloaded from the Android Market, the company's official e-store.

Last Wednesday, Google removed more than 50 infected apps published by three different developers from its marketplace, but didn't trigger automatic uninstalls until several days later.

In many cases, the malicious apps were bogus versions of legitimate programs that had been recompiled to include malware, or as a Symantec researcher said last week, "Trojanized."

According to San Francisco-based smartphone security firm Lookout, between 50,000 and 200,000 copies of the apps were downloaded by users before Google yanked them from the Android Market.

Chris DiBona from Google, November 2011:
"virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself."

"The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn't independence day, a virus that might work on one device won't magically spread to the other."
"All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets."

Industry Trends
Google's Bouncer

[Google Mobile Blog] Android and Security
Thursday, February 2, 2012, 12:03 PM
By Hiroshi Lockheimer, VP of Engineering, Android

The last year has been a phenomenal one for the Android ecosystem. Device activations grew 250% year-on-year, and the total number of app downloads from Android Market topped 11 billion. As the platform continues to grow, we're focused on bringing you the best new features and innovations - including in security.

Adding a new layer to Android security
Today we're revealing a service we've developed, code named Bouncer, which provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process.

The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here's how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google's cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.

Android malware downloads are decreasing
The service has been looking for malicious apps in Market for a while now, and between the first and second halves of 2011, we saw a 40% decrease in the number of potentially-malicious downloads from Android Market.
This drop occurred at the same time that companies who market and sell anti-malware and security software have been reporting that Android [...]

Is Google's Bouncer effective?

[Trend Micro blog] 17 Bad Mobile Apps Still Up, 700,000+ Downloads So Far
May 1, 2:53 pm (UTC-7), by Bob Pan (Mobile Security Engineer)

We've reported previously that malicious apps were discovered in the official Android app store, which is now known as Google Play. While those reported apps were removed, more malicious apps have been seen in the official marketplace and appear to be still victimizing users. This is just one of the important reasons why we feel that a technology like our Trend Micro Mobile App Reputation is crucial in users' overall mobile experience and security. In total, we have discovered 17 malicious mobile apps still freely downloadable from Google Play: 10 apps using AirPush to potentially deliver annoying and obtrusive ads to users and 6 apps that contain Plankton malware code.

Application Name        | Package Name                        | App Developer | Brief Behavior Description
------------------------|-------------------------------------|---------------|------------------------------------------------
Spy Phone PRO+          | com.spinXbackup.backup              | App Krishan   | Sends out GPS location, SMS and call log
                        | com.antonio.smiley.free             | Antonio Tonev | Connects to C&C server and waits for the command
                        | com.antonio.wardrobe.apps.lite      | Antonio Tonev | Connects to C&C server and waits for the command
                        | com.christmasgame.balloon           | Ogre Games    | Connects to C&C server and waits for the command
                        | com.macte.JigsawPuzzle.Aviation     | Macte! Labs   | Connects to C&C server and waits for the command
                        | com.macte.JigsawPuzzle.Hills        | Macte! Labs   | Connects to C&C server and waits for the command
                        | com.macte.JigsawPuzzle.Food         | Macte! Labs   | Connects to C&C server and waits for the command
NBA SQUARE PUZZLE GAME  | com.bestpuzzlesgames.nba            | Crisver       | Pushes applications and advertisements to user
NFL Puzzle Game         | com.bestpuzzlesgames.nfl            | Crisver       | Pushes applications and advertisements to user
                        | com.macte.JigsawPuzzle.Indians      | Macte! Labs   | Pushes applications and advertisements to user
                        | com.macte.JigsawPuzzle.NewYorkCity  | Macte! Labs   | Pushes applications and advertisements to user

Android Malware
http://blog.trendmicro.com/how-big-will-the-android-malware-threat-be-in-2012/

Where's the challenge?

The Inside of an APK File
• AndroidManifest.xml contains the meta information:
  - Package name & version
  - Activities
  - Services
• classes.dex contains all the code for the Dalvik Virtual Machine.
• META-INF/ contains the certificate and signature.
[Screenshot: an APK opened in an archive tool, showing META-INF/ (CERT.RSA, CERT.SF, MANIFEST.MF), res/ (drawable, layout), AndroidManifest.xml, classes.dex and resources.arsc]
APKs are signed zip files.

The Android Manifest File - Google's Binary XML File
• Format is not documented
• Tools for reading binary XML files are readily available
• Tools for writing binary XML files are limited

The Dex File - Dalvik Executable Format
• Format is well documented
• Many modification tools available:
  - asmdex
  - smali/baksmali
  - Dexmaker
• An app process is limited to a 16 to 32 MB Dalvik heap (device dependent), so the dex rewriting should run in a separate Dalvik VM

The META-INF/ Folder - Certificate & Signature
• Format is well documented
• Many creation tools available:
  - jarsigner from the JDK
  - signapk from the Android source
• Minor modifications to signapk are needed for it to run on an Android device

Infection Demonstration

Architecture of the Virus
Part A, the "Loader" of the virus:
• Extract & load Part B
• Initiate Part B
Part B, the "Payload" of the virus:
• Locate an uninfected APK file
• Inject Part A into classes.dex and AndroidManifest.xml
• Copy itself into the APK file
• Sign the APK file
• Prompt the user to install the APK file
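The dex slide says the format is well documented; the part of that documentation a rewriter cannot skip is the header's integrity fields, because "Inject Part A into classes.dex" changes the file length and content, and the stored adler32 checksum, SHA-1 signature and file_size then no longer match (Dalvik checks the checksum when it processes the file). The following is an added example, not the presentation's tooling or any of the listed tools: it parses the header per the published layout, verifies the three fields, and rewrites them in the order their coverage requires. The dex blob it builds is constructed (header plus padding), internally consistent but not a loadable class file.

```python
# Added example: dex header parsing and the checksum/signature fix-up a
# dex rewriter must perform after changing classes.dex. Not the
# presentation's code; the dex blob built below is constructed for the demo.
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70
# The 20 uint32 fields that follow magic (8), checksum (4), signature (20).
FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off",
          "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
          "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
          "field_ids_off", "method_ids_size", "method_ids_off",
          "class_defs_size", "class_defs_off", "data_size", "data_off")


def parse_header(dex: bytes) -> dict:
    if len(dex) < HEADER_SIZE or dex[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 file")
    header = dict(zip(FIELDS, struct.unpack_from("<20I", dex, 32)))
    header["checksum"] = struct.unpack_from("<I", dex, 8)[0]
    header["signature"] = dex[12:32]
    return header


def compute_checksum(dex: bytes) -> int:
    # adler32 over everything after the checksum field itself (offset 12 on).
    return zlib.adler32(dex[12:]) & 0xFFFFFFFF


def compute_signature(dex: bytes) -> bytes:
    # SHA-1 over everything after the signature field (offset 32 on).
    return hashlib.sha1(dex[32:]).digest()


def verify(dex: bytes) -> dict:
    """Which of the three integrity fields still match the file contents."""
    h = parse_header(dex)
    return {"checksum": h["checksum"] == compute_checksum(dex),
            "signature": h["signature"] == compute_signature(dex),
            "file_size": h["file_size"] == len(dex)}


def fixup(dex: bytes) -> bytes:
    """Rewrite file_size, then signature, then checksum: file_size is inside
    the signed range and the signature is inside the checksummed range, so
    each must be final before the next is computed."""
    out = bytearray(dex)
    struct.pack_into("<I", out, 32, len(out))
    out[12:32] = compute_signature(bytes(out))
    struct.pack_into("<I", out, 8, compute_checksum(bytes(out)))
    return bytes(out)


def build_constructed_dex() -> bytes:
    """Constructed header-only blob (no map list, no classes): consistent
    fields so verify() passes, but not something Dalvik would load."""
    body = b"\x00" * 16
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = DEX_MAGIC
    fields = dict.fromkeys(FIELDS, 0)
    fields.update(header_size=HEADER_SIZE, endian_tag=0x12345678,
                  map_off=HEADER_SIZE, data_size=len(body), data_off=HEADER_SIZE)
    struct.pack_into("<20I", hdr, 32, *(fields[n] for n in FIELDS))
    return fixup(bytes(hdr) + body)


if __name__ == "__main__":
    dex = build_constructed_dex()
    print(verify(dex))                   # all True
    grown = dex + b"\x00" * 8            # stands in for appended injected code
    print(verify(grown))                 # all False: nothing was fixed up
    print(verify(fixup(grown)))          # all True again
```

Appending bytes without fix-up breaks all three fields at once; a rewriter that only patches the checksum (the field Dalvik complains about) still leaves a file whose signature disagrees with its contents, which is exactly what a scanner comparing the two can flag.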
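The META-INF/ slide lists the three files that make an APK a signed zip, and the payload's last steps ("Inject Part A into classes.dex", "Sign the APK file") only make sense once it is clear how those files chain together: MANIFEST.MF records a SHA-1 per entry, CERT.SF records a SHA-1 of the whole manifest and of each manifest section, and CERT.RSA signs CERT.SF. The following is an added example, not the presentation's code and not Android's or jarsigner's implementation: it generates MANIFEST.MF and CERT.SF for a constructed set of entries, verifies the chain, and shows that patching classes.dex in place is detected while regenerating the META-INF files is not. CERT.RSA is left out because producing it needs a private key and a PKCS#7 encoder, so the check stops at the digest chain.

```python
# Added example: the JAR ("v1") digest chain in an APK's META-INF/ and why a
# modified classes.dex forces a re-sign. Not the presentation's code; the
# entries below are constructed placeholders, not real manifest or dex data.
import base64
import hashlib
import io
import zipfile

CONSTRUCTED_ENTRIES = {
    "AndroidManifest.xml": b"\x03\x00\x08\x00" + b"\x00" * 12,
    "classes.dex": b"dex\n035\x00" + b"\x00" * 104,
    "res/layout/main.xml": b"\x03\x00\x08\x00" + b"\x00" * 12,
}


def _b64sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def manifest_sections(entries):
    """One MANIFEST.MF section per entry (name + SHA-1 of its uncompressed
    bytes), kept as bytes because CERT.SF hashes each section verbatim."""
    return {name: ("Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (name, _b64sha1(data))).encode()
            for name, data in entries.items()}


def build_manifest_mf(entries) -> bytes:
    head = b"Manifest-Version: 1.0\r\nCreated-By: added-example\r\n\r\n"
    return head + b"".join(manifest_sections(entries).values())


def build_cert_sf(manifest_mf: bytes, entries) -> bytes:
    """CERT.SF pins the whole manifest and every manifest section; CERT.RSA
    (omitted here) would then sign these bytes."""
    head = (b"Signature-Version: 1.0\r\nCreated-By: added-example\r\n"
            b"SHA1-Digest-Manifest: " + _b64sha1(manifest_mf).encode() + b"\r\n\r\n")
    body = b"".join(("Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (name, _b64sha1(sec))).encode()
                    for name, sec in manifest_sections(entries).items())
    return head + body


def sign_apk(entries) -> bytes:
    """Zip the entries together with freshly generated MANIFEST.MF / CERT.SF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        mf = build_manifest_mf(entries)
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("META-INF/CERT.SF", build_cert_sf(mf, entries))
    return buf.getvalue()


def _parse_sections(text: bytes) -> dict:
    """{entry name: recorded SHA1-Digest} from a manifest-style file."""
    found = {}
    for block in text.split(b"\r\n\r\n"):
        attrs = dict(line.split(b": ", 1) for line in block.split(b"\r\n") if b": " in line)
        if b"Name" in attrs and b"SHA1-Digest" in attrs:
            found[attrs[b"Name"].decode()] = attrs[b"SHA1-Digest"].decode()
    return found


def verify_v1_digests(apk_bytes: bytes) -> list:
    """Names of entries (or META-INF files) whose recorded digest is stale."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        mf = z.read("META-INF/MANIFEST.MF")
        sf = z.read("META-INF/CERT.SF")
        recorded = _parse_sections(mf)
        for name in z.namelist():               # 1. entry bytes vs MANIFEST.MF
            if not name.startswith("META-INF/") and recorded.get(name) != _b64sha1(z.read(name)):
                bad.append(name)
        sf_head = dict(line.split(b": ", 1) for line in sf.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
                       if b": " in line)        # 2. whole manifest vs CERT.SF
        if sf_head.get(b"SHA1-Digest-Manifest", b"").decode() != _b64sha1(mf):
            bad.append("META-INF/MANIFEST.MF")
        sf_recorded = _parse_sections(sf)       # 3. each manifest section vs CERT.SF
        for block in mf.split(b"\r\n\r\n"):
            if block.startswith(b"Name: "):
                name = block.split(b"\r\n", 1)[0][6:].decode()
                if sf_recorded.get(name) != _b64sha1(block + b"\r\n\r\n"):
                    bad.append("META-INF/CERT.SF:" + name)
    return bad


def tamper(apk_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Replace one entry and leave META-INF/ untouched (a naive patcher)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    apk = sign_apk(CONSTRUCTED_ENTRIES)
    injected = CONSTRUCTED_ENTRIES["classes.dex"] + b"\x90"   # stands in for Part A
    print(verify_v1_digests(apk))                                        # []
    print(verify_v1_digests(tamper(apk, "classes.dex", injected)))       # ['classes.dex']
    print(verify_v1_digests(sign_apk({**CONSTRUCTED_ENTRIES, "classes.dex": injected})))  # []
```

The last line is the point of the "Sign the APK file" step: because the infector regenerates MANIFEST.MF, CERT.SF and CERT.RSA with its own key, the digest chain is internally consistent again and the package installs. What changes is the signing certificate, so a same-package-name upgrade over the original app is refused by the package manager, and a reputation system that keys on the developer certificate sees a different signer.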
Infection Cycle
[Diagram: APK -> Infected APK -> Part A begins -> Part B runs and infects the next APK]

Thank You!
Feel free to contact me anytime at bob_pan@trendmicro.com.cn