Presented at
BruCON 0x0A (2018),
Oct. 4, 2018, 5:30 p.m.
(60 minutes).
In this research, we propose a novel technique to identify malicious Android applications through the use of analyzing the HEAP of Android applications at runtime.
Android malware is a continuing problem in the Android ecosystem, even after 8 major Android releases. Android currently relies on implicit and explicit user participation to identify malicious applications, both on the Playstore and on devices. Currently multiple techniques exist to identify malware such as code signatures, hashes, permission analysis and manual static analysis. These techniques rely on the premise that who or what is performing the analysis, is required to have access to the Android application (APK). However, performing these analysis techniques on devices is resource intensive, time consuming and also dependent on access to the APK.
What if no access to the APK is required to identify if an application is malicious? Currently no capability exists to scan for malicious applications at runtime on Android devices, at best there is static analysis on the application and its permissions. Additionally there is the Android Attestation framework, which attempts to provide information on the state of the device but does not provide information on the state of running applications.
In this research, we propose a novel technique to identify malicious Android applications through the use of analyzing the HEAP of Android applications at runtime. The technique proposed does not require access to the contents of the APK nor does it require write access to the application sandbox or memory, only read access to the process HEAP. The analysis of the HEAP allows for the proposed technique to identify the instantiated objects for a particular application. The indentification and analysis of instantiated objects for Android applications can be used to effectively identify applications that are making use of, and implementing dangerous functionality such as DexClass loaders and other well known objects that exhibit malicious behaviour.
The results of this research are showcased as a PoC, which shows how the technique can be bundled into the Android ecosystem as part of the Android Attestation Framework. The inclusion of this research as a system service via the Attestation Framework can enable the Android operating system or user to identify malicious applications at runtime via any Android application.
Presenters:
-
Christopher Le Roy
Chris is a security researcher based in London. He has not had an unusual entrance to infosec coming from a Computer Science background which led him to dabble in software development for sometime. This resulted in Chris realising he is a terrible dev and prefers breaking things which led him to breaking things full-time. The breaking of things full-time has allowed Chris to share his ramblings at multiple conferences in the USA and Europe where he enjoys sampling local beers. In his spare time, Chris attempts to make sauerkraut and make sense of Dalvik opcodes.
Links:
Similar Presentations: