Habo SecBox: run and monitor malware on real Android device (sponsor presentation)

Presented at VB2017, Oct. 5, 2017, 4:30 p.m. (30 minutes)

Malware attacks have become a serious threat because of the privacy leakage and loss of digital assets they cause. Current mobile security software usually detects malware by collecting its static characteristics and querying a remote cloud database. Under this anti-virus architecture, malware authors can easily bypass security software, and keep their processes from being killed, through code encryption, social engineering and so on. As a result, security vendors and users are always in a passive position.

This paper proposes an innovative solution: an isolated execution environment for suspicious samples on a real *Android* device. The environment executes malware independently, monitors its behaviour dynamically, and supplies fake privacy data. Once a dangerous behaviour is triggered, it is blocked or 'virtually executed', and the user receives a friendly alert. Instead of analysing malware in emulators on a computer, the solution executes it on a real *Android* device, where a variety of test scenarios exist and the user can participate in monitoring the malware and obtain more detail through white-box observation. This is a notable advantage when digging into hidden malware, such as malicious programs that pretend to be harmless apps, or that perform malicious behaviours only at specific times or under certain circumstances. Generally, the solution focuses on dynamic behaviour analysis, which is least affected by code encryption and virus variation.

Based on the solution described above, *Tencent Anti-virus Laboratory* has developed a tool named *Habo SecBox*. By simulating the core services of the *Android* framework, *Habo SecBox* isolates the data and code execution of malware from other apps and from the *Android* system, so that the malware can only run in a limited-access sandbox. The tool then monitors the malware's behaviour in real time by hooking some pivotal APIs of the *Android* system. Finally, a set of appropriate defence strategies is developed for different levels of risky behaviour with the help of our policy library. Following a series of optimizations and adaptations, *Habo SecBox* is compatible with *Android* 2.x - 7.0 without root privilege. Over 60 different kinds of malware on the *Android* platform were collected, and 90% of malicious behaviours can be detected and blocked.
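The abstract describes a three-stage flow: a hooked API call is matched against a policy library, assigned a risk level, and then allowed, answered with fake privacy data, 'virtually executed' or blocked, with an alert to the user. The following Python model is an added illustration of that decision flow and is not Habo SecBox code. The Android API names it hooks are real (TelephonyManager.getDeviceId, ContentResolver.query, SmsManager.sendTextMessage, DevicePolicyManager.lockNow, HttpURLConnection.connect), but the policy library, the risk assignments, the `SecBoxMonitor` class and the sample call trace are constructed for this example.

```python
"""Toy model of the hook -> policy library -> decision flow sketched in the abstract.
All policies, events and values below are constructed for this example."""
import fnmatch
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Callable, List, Optional


class Risk(Enum):
    LOW = 1      # logged only
    MEDIUM = 2   # privacy read: decoy data is returned and the user is alerted
    HIGH = 3     # dangerous side effect: must never reach the real system


class Action(Enum):
    ALLOW = "allow"      # pass through to the real API
    FAKE = "fake"        # answer with decoy privacy data
    VIRTUAL = "virtual"  # report success to the app, perform nothing
    BLOCK = "block"      # refuse the call; the app sees a failure


@dataclass
class Policy:
    api_pattern: str                                # fnmatch pattern on the API name
    risk: Risk
    action: Action
    fake_value: Any = None
    arg_filter: dict = field(default_factory=dict)  # patterns call arguments must match
    label: str = ""


@dataclass
class Event:
    api: str
    args: dict = field(default_factory=dict)


@dataclass
class Decision:
    api: str
    risk: Risk
    action: Action
    result: Any
    alert: Optional[str] = None


# Constructed policy library; the first matching entry wins, so specific
# entries are listed before broad ones.
POLICY_LIBRARY = [
    Policy("android.telephony.TelephonyManager.getDeviceId", Risk.MEDIUM,
           Action.FAKE, fake_value="000000000000000", label="IMEI read"),
    Policy("android.content.ContentResolver.query", Risk.MEDIUM, Action.FAKE,
           fake_value=[], arg_filter={"uri": "content://com.android.contacts/*"},
           label="contacts read"),
    Policy("android.telephony.SmsManager.send*", Risk.HIGH, Action.VIRTUAL,
           label="outgoing SMS"),
    Policy("android.app.admin.DevicePolicyManager.lockNow", Risk.HIGH,
           Action.BLOCK, label="device lock"),
    Policy("java.net.*", Risk.LOW, Action.ALLOW, label="network access"),
]


class BlockedCall(Exception):
    """Raised into the sandboxed app when a policy blocks the call."""


class SecBoxMonitor:
    def __init__(self, policies: List[Policy]):
        self.policies = policies
        self.log: List[Decision] = []

    def lookup(self, event: Event) -> Optional[Policy]:
        for p in self.policies:
            if fnmatch.fnmatchcase(event.api, p.api_pattern) and all(
                    fnmatch.fnmatchcase(str(event.args.get(k, "")), v)
                    for k, v in p.arg_filter.items()):
                return p
        return None

    def on_call(self, event: Event, real_call: Callable[[], Any]) -> Any:
        """Hook entry point: decide, record, and return what the app should see."""
        p = self.lookup(event)
        if p is None or p.action is Action.ALLOW:
            d = Decision(event.api, p.risk if p else Risk.LOW, Action.ALLOW, real_call())
        else:
            # None of these branches invokes real_call: the hook substitutes the result.
            result = {Action.FAKE: p.fake_value, Action.VIRTUAL: True, Action.BLOCK: None}[p.action]
            d = Decision(event.api, p.risk, p.action, result, alert=f"{p.label}: {p.action.value}")
        self.log.append(d)
        if d.action is Action.BLOCK:
            raise BlockedCall(d.alert)
        return d.result


def run_sample():
    """Replay a constructed call trace of a suspicious app through the monitor."""
    sent = []  # what the real SmsManager would have dispatched
    mon = SecBoxMonitor(POLICY_LIBRARY)
    imei = mon.on_call(Event("android.telephony.TelephonyManager.getDeviceId"),
                       lambda: "356938035643809")          # constructed real IMEI
    contacts = mon.on_call(Event("android.content.ContentResolver.query",
                                 {"uri": "content://com.android.contacts/contacts"}),
                           lambda: ["Alice", "Bob"])
    mon.on_call(Event("java.net.HttpURLConnection.connect", {"host": "example.invalid"}),
                lambda: 200)
    ok = mon.on_call(Event("android.telephony.SmsManager.sendTextMessage",
                           {"dest": "1234", "text": imei}),
                     lambda: sent.append(("1234", imei)))
    try:
        mon.on_call(Event("android.app.admin.DevicePolicyManager.lockNow"), lambda: "locked")
    except BlockedCall:
        pass
    return mon, sent, imei, contacts, ok


if __name__ == "__main__":
    monitor, sent, *_ = run_sample()
    for d in monitor.log:
        print(f"{d.risk.name:<6} {d.action.value:<8} {d.api}")
    print("real SMS sent:", sent)
```

Running `run_sample()` shows the three outcomes the abstract distinguishes: the app receives a decoy IMEI and an empty contact list, its SMS call returns success while the `sent` list stays empty, and the device-lock call fails with `BlockedCall`; every medium- and high-risk event carries an alert string for the user, while the low-risk network call is only logged. The `arg_filter` on `ContentResolver.query` is what lets one hooked API be treated differently depending on which content URI it touches.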

Presenters:

  • Wang Bin - Tencent
    Wang Bin is a security engineer in Tencent's anti-virus laboratory, and currently focuses on Android internal security (especially the Android framework and kernel) and Android malware analysis. Habo SecBox is one of his recent projects, an innovative Android anti-virus framework that can run and monitor malware on a real Android device.
  • Song Lanqi - Tencent
    Song Lanqi is a senior security engineer at Tencent. He joined Tencent in 2010, and has focused on the field of Windows and Android security during the past seven years. Song is the major designer of the Habo Android Analysis Environment, a behaviour analysis honeypot for suspected samples. He is interested in honeypot system building and malicious behaviour mining.
