Hack.lu edition 2012 A forensic analysis of Android Malware

More documents

Recommendations

Info

$\H1B%-12345X@PJL JOB “HackingPrinters”$

Partial conclusionIt does not seems to scale to build a detection mechanismThis metric does not seem to generalize enough malware.We can use this to isolate a subset where we have more chances tofind ’malicious’ applicationsUsing the packaged apps by certificate metric we were able to isolate :A set where the probability to find malware is almost 2 timeshigher than a random selection in the marketThis technique can be used as a first step to find malwareBy analyzing data we can observe strange ’programming’ patterns ...K. Allix, Q. Jerome (SnT) Hack.lu Hack.lu 2012-24-10 27 / 33
The best android programmer ever seenThe first and second placeThe 29th of february, 2008 between 10am and 11amEMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android,L=Mountain View, ST=California, C=US signed 615 appssha1 : 61ED377E85D386A8DFEE6B864BD85B0BFAA5AF81Damn it seems to be leaked certificate !The same day between 8am and 9amThe same certificate signed 369 apps. Very tough morning for a developer.The 25th of May, 2012 between 3pm and 4pmCN=Emin KURA, OU=Development, O=TRISTIT, L=Istanbul, ST=Bahcesehir, C=TRsigned 229 appssha1 : 952F56BCA55EE75B64CBF0B245E9E6D334D45C42K. Allix, Q. Jerome (SnT) Hack.lu Hack.lu 2012-24-10 28 / 33
Page 1 and 2: Hack.lu edition 2012A forensic anal
Page 3 and 4: The Starting PointA dataset of Andr
Page 5 and 6: Crawling for apps. . . IIMarkets wa
Page 7 and 8: The Metadata Approach IAndroid Appl
Page 9 and 10: Timestamps160Total number of appsNu
Page 11 and 12: Timestamps: Fun Facts IIMalware Aut
Page 13 and 14: Distribution over hoursPercent87654
Page 15 and 16: InterludeThe Question. . .We collec
Page 17 and 18: InterludeThe Question. . .We collec
Page 19 and 20: But then. . . What are those certif
Page 21 and 22: Who cares anyway?Developers don’t
Page 23 and 24: Further experimentsQuestionIs it po
Page 25 and 26: Graph 2NoteIf there is still malwar
Page 27 and 28: ResultsResultsWe isolated 6,186 app
Page 29: QuestionWe have what we are looking
Page 33 and 34: The mystery of leaked certificateWa
Page 35 and 36: Open questionsWhy a ’normal’ de

Hack.lu edition 2012 A forensic analysis of Android Malware

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?