Hack.lu edition 2012 A forensic analysis of Android Malware

More documents

Recommendations

Info

$\H1B%-12345X@PJL JOB “HackingPrinters”$

The prize of the country that developed themost malware is for ...This ranking is built from applications identified as malware by Dr. WebCountry Nb of malware Distinct Cert. App. by certUSA 765 116 6.6China 303 50 6.1India 297 60 4.95Italy 190 19 10UK 127 14 9.1Russia 88 12 7.3France 64 7 9.1And the prize for most motivated malware developer is for ...ItalyK. Allix, Q. Jerome (SnT) Hack.lu Hack.lu 2012-24-10 29 / 33
The mystery of leaked certificateWanted : EMAILADDRESS=android@android.com, CN=Android,OU=Android, O=Android, L=Mountain View, ST=California, C=USWhy a malicious author would like to use such a certificate ?Because they can use applications signed by the same certificatewithout asking permissions. Can lead to Application level privilegeescalation !Why a non rogue developer would like to use such a certificate ?We do not know ...Application like : com.custom.lwp.sexybooty3.apk have beensigned by such a certificate and it does not seem to be a Googleapplication28 apps signed by this cert. on our snapshot of Google Play (notdetected as malicious)K. Allix, Q. Jerome (SnT) Hack.lu Hack.lu 2012-24-10 30 / 33
Page 1 and 2: Hack.lu edition 2012A forensic anal
Page 3 and 4: The Starting PointA dataset of Andr
Page 5 and 6: Crawling for apps. . . IIMarkets wa
Page 7 and 8: The Metadata Approach IAndroid Appl
Page 9 and 10: Timestamps160Total number of appsNu
Page 11 and 12: Timestamps: Fun Facts IIMalware Aut
Page 13 and 14: Distribution over hoursPercent87654
Page 15 and 16: InterludeThe Question. . .We collec
Page 17 and 18: InterludeThe Question. . .We collec
Page 19 and 20: But then. . . What are those certif
Page 21 and 22: Who cares anyway?Developers don’t
Page 23 and 24: Further experimentsQuestionIs it po
Page 25 and 26: Graph 2NoteIf there is still malwar
Page 27 and 28: ResultsResultsWe isolated 6,186 app
Page 29 and 30: QuestionWe have what we are looking
Page 31: The best android programmer ever se
Page 35 and 36: Open questionsWhy a ’normal’ de

Hack.lu edition 2012 A forensic analysis of Android Malware

Create successful ePaper yourself

Delete template?

Save as template?