THIS IS DeepERENT: Tracking App Behaviors with (Nothing Changed) Phone for Evasive Android Malware

Presented at Black Hat USA 2015, Aug. 5, 2015, 5:30 p.m. (30 minutes).

Malwares on Android platform are increasing every year by explosive growth over the years and it is a serious threat on Android platform. Many tools have been released in order to quickly analyze these malicious code. Depending on the appearance of analysis tools, Android Malwares have been applied to the anti-analysis techniques, such as packing, environment detection, cryptography, and anti-debugging. These technique can hide the malicious behaviors, as well as prevent the analysis. Various obfuscation techniques is also applied to Android applications and malwares. For this reason, we take a long time to analyze the app. In addition, it makes difficult to find a vulnerability and to carck through analysis of the app in attacker's perspective. To analyze the Android application and evasive malware, we need to overcome following challenges: Fast code analysis (It's always challenge) Environment detection (Emulator detection, Device detection and Rooting detection) Obfuscation Dynamic code loading(in file/on memory) Anti-analysis techniques (anti-ptrace, anti-disassembly, self-modification check, etc) Behaviors in native level In this talk, we will introduce new powerful tool tracking method to monitor behaviors of evasive Android malware without OS modification. We used a different concept to analyze the Android application fast and deeply. The tools can track all methods you want to monitor, such as User-defined classes/methods, 3rd-Party libraries, and Java/Android APIs. Furthermore, the tool can monitor functions in native level like JNI(Java Natvie Interface), Functions in libc and Binder on nothing-changed phone. We are going to present base techniques for implementation and demonstrate on how to analyze very complicated evasive and advanced Android malware.

Presenters:

  • Yeongung Park - ETRI
    Yeongung Park works as a Security Researcher at ETRI, Korea.
  • Jun Young Choi
    Jun Young Choi works as a Security Researcher at ETRI, Korea.

Links:

Similar Presentations: