THIS IS DeepERENT: Tracking App Behaviors with (Nothing Changed) Phone for Evasive Android Malware

Presented at Black Hat USA 2015, Aug. 5, 2015, 5:30 p.m. (30 minutes)

Malware on the Android platform is growing explosively every year and is a serious threat to the platform. Many tools have been released to analyze this malicious code quickly. In response to the appearance of these analysis tools, Android malware has adopted anti-analysis techniques such as packing, environment detection, cryptography, and anti-debugging. These techniques hide the malicious behavior as well as prevent analysis. Various obfuscation techniques are also applied to Android applications and malware. For this reason, analyzing an app takes a long time. It also makes it difficult, from an attacker's perspective, to find a vulnerability and crack the app through analysis. To analyze Android applications and evasive malware, we need to overcome the following challenges:

  • Fast code analysis (always a challenge)
  • Environment detection (emulator detection, device detection, and rooting detection)
  • Obfuscation
  • Dynamic code loading (from a file or in memory)
  • Anti-analysis techniques (anti-ptrace, anti-disassembly, self-modification checks, etc.)
  • Behaviors at the native level

In this talk, we will introduce a new, powerful tracking method to monitor the behaviors of evasive Android malware without OS modification. We used a different concept to analyze Android applications fast and deeply. The tool can track any method you want to monitor, such as user-defined classes and methods, third-party libraries, and Java/Android APIs. Furthermore, the tool can monitor functions at the native level, such as JNI (Java Native Interface), functions in libc, and Binder, on an unmodified phone. We will present the base techniques for the implementation and demonstrate how to analyze very complicated, evasive, and advanced Android malware.

Presenters:

  • Jun Young Choi
    Jun Young Choi works as a Security Researcher at ETRI, Korea.
  • Yeongung Park - ETRI
    Yeongung Park works as a Security Researcher at ETRI, Korea.
