
    Malware Sandbox Evasion Techniques in Mobile Devices

    The mobile platform is where the action is, and very few professionals dispute this view. The rapidly increasing number of smartphones and other devices powered by the Android operating system worldwide has been matched by a surge in the number of mobile apps, including harmful ones. This form of malware is very new, but it is changing rapidly and brings hazards that have not been seen before. As part of Check Point's ongoing efforts against the rising tide of mobile threats, we, the Malware Research Team, want to learn as much as we can about the constantly shifting Android malware landscape. This requires understanding the internal operation of as many malicious apps as possible. Manual malware analysis has always been a difficult operation, taking days or even weeks per sample, which makes it impracticable even for a small sample pool. Our response, following the successful application of this strategy to mobile malware, is to automate as much of the analysis process as is practically possible. Idan Revivo and Ofer Caspi from Check Point's Malware Research Team were tasked with developing a system that takes an application and produces a report describing exactly what it does when run, specifically pointing out anything "fishy". This enables an initial analysis with no human intervention, which is exactly what they have done. The popular CuckooDroid sandbox and a few other open-source projects form the basis of this automated, cross-platform emulation and analysis framework, which allows static and dynamic APK inspection in addition to evading some VM-detection techniques, encryption key extraction, SSL inspection, API call tracing, basic behavioral signatures, and more. The framework is easy to modify and extend, and it draws heavily on the expertise of the existing Cuckoo community.

    Survey on detecting and preventing web application broken access control attacks

    Web applications are an essential component of today's wide range of digital services, including financial and governmental services as well as social networking and communications. Broken access control vulnerabilities pose a huge risk to that ecosystem because they allow an attacker to circumvent the allocated permissions and rights and perform actions they are not authorized to perform. This paper gives a broad survey of current research on approaches used to detect the exploitation of access control vulnerabilities and attacks against web application components. It categorizes these approaches based on their key techniques, compares the different detection methods, and evaluates their strengths and weaknesses. We also identified and elaborated on some promising research gaps in the current literature. Finally, the paper summarizes the general detection approaches and suggests potential research directions for the future.

    Improving Android security through malware detection and automatic policy generation

    Advisors: Paulo Lício de Geus, André Ricardo Abed Grégio. Doctoral thesis, Universidade Estadual de Campinas, Instituto de Computação.
    Abstract: Mobile devices have been constantly evolving, receiving new functionalities and becoming increasingly ubiquitous. Thus, they have become lucrative targets for miscreants. Since Android is the leading platform for mobile devices, it has become the most popular choice for malware developers. Moreover, the number of malicious apps targeting this platform found by security companies has increased rapidly in the last few years. This thesis approaches the security problem of such devices in two ways: (i) by analyzing and identifying malicious apps, and (ii) by developing a sandboxing policy that can restrict the attack surface available to native code. A system was developed to dynamically analyze apps, monitoring API calls and system calls. From these behavior traces, attributes were extracted and used by a machine learning algorithm to classify apps as malicious or benign. One of the main problems of dynamic analysis systems is that they differ in many ways from real devices, and malware can leverage these characteristics to identify whether it is being analyzed, thus preventing the malicious actions from being observed. To identify Android malware that evades analysis, a technique was developed to compare the behavior of an app on a real device and on an emulator. Actions that were executed only on the bare-metal system were identified, recognizing whether the divergence was caused by different code paths being explored or by some unrelated error. Finally, a large-scale analysis of apps that use native code was performed, in order to identify how native code is used by benign apps and to generate a sandboxing policy that restricts malware that uses such code.
    Doctorate in Computer Science (Doutor em Ciência da Computação). Grants: 23038.007604/2014-69, 12269/13-1, CAPE

    Isolated Mobile Malware Observation

    The idea behind Bring Your Own Device (BYOD) is that personal mobile devices can be used in the workplace to enhance convenience and flexibility. This development encourages organizations to give personal mobile devices access to business information and systems for business operations. However, BYOD exposes a firm to various security risks, such as data contamination and the exposure of user interests to criminal activities. Mobile devices were not designed to handle intensive data security, and advanced security features are frequently turned off. Using personal mobile devices can also expose a system to various forms of security threats, such as malware. This research aims to analyze mobile network traffic from suspicious mobile applications and to investigate the data accessible to malicious applications on mobile devices. The research is further intended to observe the behavior of malware on mobile devices. A network with wireless communication over a centralized access control point was built. The access control point serves as the centralized location for monitoring, capturing, and analyzing the data transmitted by all the devices connected to it. The research demonstrates a procedure for capturing data for analysis from a collection point that does not require access to each application and allows the study of potential infections from outside the mobile device.

    GUIDE FOR THE COLLECTION OF INTRUSION DATA FOR MALWARE ANALYSIS AND DETECTION IN THE BUILD AND DEPLOYMENT PHASE

    During the COVID-19 pandemic, when most businesses were not equipped for remote work and cloud computing, we saw a significant surge in ransomware attacks. This study aims to utilize machine learning and artificial intelligence to prevent known and unknown malware threats from being exploited by threat actors when developers build and deploy applications to the cloud. This study demonstrated an experimental quantitative research design using Aqua. The experiment's sample is a Docker image. Aqua checked the Docker image for malware, sensitive data, Critical/High vulnerabilities, misconfiguration, and OSS licenses. The data collection approach is experimental. Our analysis of the experiment demonstrated how unapproved images were prevented from running anywhere in our environment based on known vulnerabilities, embedded secrets, OSS licensing, dynamic threat analysis, and secure image configuration. In addition to the experiment, the forensic data collected in the build and deployment phase are exploitable vulnerability, Critical/High Vulnerability Score, Misconfiguration, Sensitive Data, and Root User (Super User). Since Aqua generates a detailed audit record for every event during risk assessment and runtime, we viewed two events on the Audit page for our experiment. One of the events caused an alert due to two failed controls (Vulnerability Score, Super User), and the other was a successful event, meaning that the image is secure to deploy in the production environment. The primary finding of our study is the forensic data associated with the two events on the Audit page in Aqua. In addition, Aqua validated our security controls and runtime policies based on the forensic data of both events on the Audit page. Finally, the study's conclusions will reduce the likelihood that organizations fall victim to ransomware by mitigating and preventing the total damage caused by a malware attack.

    Malware analysis on Android

    Bachelor's thesis (Trabajo de Fin de Grado) in Computer Engineering, Facultad de Informática UCM, Departamento de Arquitectura de Computadores y Automática, academic year 2020/2021.
    In the XXI century, the world has witnessed the creation, development, and proliferation of mobile devices up to the massive usage apparent today. The portability, immediacy, and ease of use that these devices offer have encouraged the great majority of the population to keep one within arm's reach. Thus, these devices have become a coveted target for malicious developers. This is why the security of mobile devices has become a vital topic that must be addressed, since a suitable solution has yet to be found. From this necessity arises the present work, in which we elaborate the beginning of a response that serves as a starting point for further development toward the desired objective. With Android being the most representative operating system among mobile devices, we study malware analysis on Android and develop a static and dynamic antivirus based on signatures, permissions, and logs, since these will prove useful when trying to detect malicious applications.

    Towards transparent and secure IoT: Device intents declaration, and user privacy self awareness and control

    In recent years, we have seen a growing wave of integration of new IoT (Internet of Things) technologies into society. The massive integration of these technologies has led to the emergence of several critical issues, which have in turn created new challenges for which no obvious answers have yet been found. One of the main challenges concerns the security and privacy of the information processed by the IoT devices present in our daily lives. At present, the manufacturers of the IoT devices connected to our networks give no guarantees regarding the collection and transmission of personal information, nor any expected behavior. Thus, in this work, we developed and tested a solution that aims to increase the privacy and security of information in networks of IoT devices, from the perspective of controlling the communication of smart devices on the network. It includes one tool capable of analyzing packets sent by IoT devices and another capable of defining and applying network traffic control rules to those packets. These tools were indispensable for investigating the two central aspects of this dissertation: how the communication intents declared by the manufacturers of IoT devices can be used to help consumers control communication and detect violations of those intents, and how to give users/consumers control over IoT communication, so that they can define what they do and do not want their devices to communicate.