Hunting Android Malware: A novel runtime technique for identifying malicious applications

Presented at TROOPERS18 (2018), March 14, 2018, 1:30 p.m. (Unknown duration)

In this research, we propose a novel technique to identify malicious Android applications through the use of analyzing the HEAP of Android applications at runtime.

Android malware is a continuing problem in the Android ecosystem, even after 8 major Android releases. Android currently relies on implicit and explicit user participation to identify malicious applications, both on the Play Store and on devices. Multiple techniques currently exist to identify malware, such as code signatures, hashes, permission analysis and manual static analysis. These techniques share a premise: whoever or whatever performs the analysis must have access to the Android application package (APK). However, performing these analysis techniques on devices is resource intensive, time consuming and, again, dependent on access to the APK.

What if no access to the APK were required to identify whether an application is malicious? Currently no capability exists to scan for malicious applications at runtime on Android devices; at best there is static analysis of the application and its permissions. Additionally, there is the Android Attestation framework, which attempts to provide information on the state of the device but does not provide information on the state of running applications.

In this research, we propose a novel technique to identify malicious Android applications by analyzing the HEAP of Android applications at runtime. The proposed technique requires neither access to the contents of the APK nor write access to the application sandbox or memory, only read access to the process HEAP. Analyzing the HEAP allows the proposed technique to identify the instantiated objects of a particular application. The identification and analysis of instantiated objects in Android applications can be used to effectively identify applications that are making use of, and implementing, dangerous functionality such as DexClassLoader objects and other well-known objects that exhibit malicious behaviour.
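
As an added illustration of the object-inventory idea (this is not the talk's PoC), the following Python reads an HPROF heap dump, which is the format Android writes for `am dumpheap`, counts live instances per class, and flags classes on an assumed watchlist such as `dalvik.system.DexClassLoader`. It assumes a standard HPROF 1.0.3 layout and, for brevity, only handles INSTANCE DUMP sub-records inside heap-dump segments; a real dump also carries class, array and root sub-records that a full parser must skip, and this example raises on them. The sample dump is constructed inline.

```python
import struct
from collections import Counter

WATCHLIST = {"dalvik.system.DexClassLoader", "dalvik.system.InMemoryDexClassLoader"}

def scan_hprof(data: bytes) -> Counter:
    """Count live instances per class name in an HPROF dump (read-only)."""
    end = data.index(b"\0") + 1                       # NUL-terminated version string
    id_size, = struct.unpack_from(">I", data, end)
    fmt_id = ">Q" if id_size == 8 else ">I"
    pos = end + 12                                    # skip id size + 8-byte timestamp
    strings, class_names, counts = {}, {}, Counter()
    while pos < len(data):
        tag, _, length = struct.unpack_from(">BII", data, pos)
        body, pos = data[pos + 9:pos + 9 + length], pos + 9 + length
        if tag == 0x01:                               # STRING: id, utf-8 text
            sid, = struct.unpack_from(fmt_id, body, 0)
            strings[sid] = body[id_size:].decode("utf-8", "replace")
        elif tag == 0x02:                             # LOAD CLASS: serial, class id, stack, name id
            cls_id, = struct.unpack_from(fmt_id, body, 4)
            name_id, = struct.unpack_from(fmt_id, body, 8 + id_size)
            class_names[cls_id] = strings.get(name_id, "?").replace("/", ".")
        elif tag in (0x0C, 0x1C):                     # HEAP DUMP / HEAP DUMP SEGMENT
            off = 0
            while off < len(body):
                if body[off] != 0x21:                 # only INSTANCE DUMP is handled here
                    raise ValueError(f"unhandled sub-record 0x{body[off]:02x}")
                cls_id, = struct.unpack_from(fmt_id, body, off + 5 + id_size)
                nbytes, = struct.unpack_from(">I", body, off + 5 + 2 * id_size)
                counts[class_names.get(cls_id, "?")] += 1
                off += 9 + 2 * id_size + nbytes       # sub-tag + ids + u4s + field bytes
    return counts

def flag_dangerous(counts: Counter) -> dict:
    return {name: n for name, n in counts.items() if name in WATCHLIST}

def _record(tag: int, body: bytes) -> bytes:
    return struct.pack(">BII", tag, 0, len(body)) + body

def build_sample() -> bytes:
    """Constructed dump (4-byte IDs): two String instances, one DexClassLoader."""
    out = b"JAVA PROFILE 1.0.3\0" + struct.pack(">III", 4, 0, 0)
    for sid, name in ((1, b"java.lang.String"), (2, b"dalvik.system.DexClassLoader")):
        out += _record(0x01, struct.pack(">I", sid) + name)
    for cls_id, sid in ((10, 1), (20, 2)):
        out += _record(0x02, struct.pack(">IIII", cls_id, cls_id, 0, sid))
    seg = b""
    for obj_id, cls_id, fields in ((100, 10, b"\0" * 8), (101, 10, b"\0" * 8), (102, 20, b"\xab" * 16)):
        seg += struct.pack(">BIIII", 0x21, obj_id, 0, cls_id, len(fields)) + fields
    return out + _record(0x1C, seg)
```

Running `flag_dangerous(scan_hprof(build_sample()))` on the constructed dump reports one live `DexClassLoader` instance while the ordinary `String` instances pass unremarked.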

The results of this research are showcased as a PoC, which shows how the technique can be bundled into the Android ecosystem as part of the Android Attestation Framework. Including this research as a system service via the Attestation Framework can enable the Android operating system or the user to identify malicious applications at runtime from any Android application.


Presenters:

  • Chris Le Roy
    Chris Le Roy is a hacker and security researcher based in London. A regular BlackHat trainer, he has both a building perspective (CompSci and many a year working as a software engineer) and a tearing-apart perspective on all things Internet and cyber. The fruits of both sides have been enjoyed at multiple BlackHat Arsenal sessions in Las Vegas, Europe and BSides Cape Town. He recently co-developed and presented one of the first SecDevOps courses at the prestigious BlackHat USA.
