7 research outputs found

    Joint malware detection between users and devices based on digital signature validation and/or event correlation on Android devices

    For the detection of malicious software that compromises applications on smartphones running the Android operating system, the conventional controls used between 2012 and the first half of 2018 require a malware sample in order to perform detection. These security controls run the application analysis in the cloud rather than locally on the device. Most of the controls are limited to the applications offered in the Google store (Play Store) and, for neutralization to be effective, most of them require special skills that not every Android end user has. This project analyzed these techniques, compared their detection methods and recorded their shortcomings. With the information obtained, an application for the Android operating system on mobile devices called CAM (Control de Aplicaciones Móviles) was designed and implemented to ensure the integrity of applications and check whether they have been tampered with by malware, by means of digital signature validation and event correlation. CAM proposes a co-responsibility strategy between mobile application developers and the community of users of the operating system, based on active defense, so that security becomes an attribute of the system rather than an add-on. The co-responsibility strategy seeks to have developers and users publish whitelist databases of the main operational events of their applications, to be contrasted with the information those events generate, in order to detect and mitigate cyber threats such as espionage, information leakage, identity spoofing, password theft and remote control of the device via trojans (bots). It also aims to provide cybersecurity education to users, supported by the delivery of efficient alerts.
For this degree project, statistical records of the most widely used Android operating system distributions on mobile devices between 2015 and 2018 were used, and a virtual machine laboratory was set up to simulate those Android distributions. Their main characteristics and operational events, such as permissions, signatures and traffic, were examined, and the selected applications were tampered with using the Meterpreter for Android package of the Metasploit framework. To detect the indicators of compromise in the infected applications, applications such as Package Info, RL Permissions and Network Connections, among others, were used. These results made it possible to develop the CAM platform for Android with a client-server architecture. The CAM platform stores and correlates the valid operational events of legitimate applications in a whitelist and subsequently provides the user with an efficient report that allows them to identify and avoid cases where a mobile application generates a cyber threat on a smartphone.

For the detection of malicious software that compromises applications on smartphones with the Android operating system, the conventional controls used between 2012 and the first half of 2018 require a sample of malware to perform the detection. Most security controls run the application analysis in the cloud and not locally on the device. Other controls are limited to the applications offered in the Google Play Store. In addition, for the neutralization to be effective, most controls require special abilities that most Android end users do not have. In this project, an analysis of these techniques is made, their forms of detection are compared, and their shortcomings are recorded. With the information obtained from these analyses, an application for Android operating systems on mobile devices is designed and implemented: CAM (Control for Mobile Applications).
To ensure the integrity of the applications, they are checked for tampering with malware through digital signature validation and event correlation. CAM proposes a strategy of co-responsibility between mobile application developers and the operating system's user community, based on active defense, so that security becomes a system attribute instead of just a complementary service. The co-responsibility strategy aims for developers and users to publish whitelist databases of their applications' main operational events, to contrast them with the information generated by those applications' events. That way, the collected information may improve the detection and mitigation of cyber threats such as espionage, information leakage, identity theft, password stealing, and remote device control through trojans (bots). The co-responsibility strategy also aims to provide cyber security education to users, based on the delivery of efficient alerts. For the development of this degree work, statistical records of mobile devices with the most used Android operating system between 2015 and 2018 were used, and a laboratory of virtual machines was set up to simulate those distributions of Android; their main features and operational events, such as permissions, signatures, and traffic, were examined. The selected applications were tampered with using the Meterpreter for Android package of the Metasploit framework. For the detection of indicators of compromise in the infected applications, applications such as Package Info, RL Permissions and Network Connections, among others, were used. The results of these experiments made possible the development of the CAM platform for Android with a client-server architecture. The CAM platform is responsible for storing and correlating the valid operational events of legitimate applications in a whitelist.
This whitelist is used to provide efficient reports to users, so they are able to identify and avoid cases where a mobile application generates a cyber threat on a smartphone.

Master's degree in Information Security

    MaMaDroid: Detecting Android malware by building markov chains of behavioral models (extended version)

    As Android has become increasingly popular, so has malware targeting it, thus motivating the research community to propose different detection techniques. However, the constant evolution of the Android ecosystem, and of malware itself, makes it hard to design robust tools that can operate for long periods of time without the need for modifications or costly re-training. Aiming to address this issue, we set out to detect malware from a behavioral point of view, modeled as the sequence of abstracted API calls. We introduce MaMaDroid, a static-analysis based system that abstracts an app's API calls to their class, package, or family, and builds a model from their sequences, obtained from the call graph of an app, as Markov chains. This ensures that the model is more resilient to API changes and the feature set is of manageable size. We evaluate MaMaDroid using a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it effectively detects malware (with up to 0.99 F-measure) and keeps its detection capabilities for long periods of time (up to 0.87 F-measure two years after training). We also show that MaMaDroid remarkably outperforms DroidAPIMiner, a state-of-the-art detection system that relies on the frequency of (raw) API calls. Aiming to assess whether MaMaDroid's effectiveness mainly stems from the API abstraction or from the sequence modeling, we also evaluate a variant of it that uses the frequency (instead of the sequences) of abstracted API calls. We find that it is not as accurate, failing to capture maliciousness when trained on malware samples that include API calls that are equally or more frequently used by benign apps.

    Security and privacy of users' personal information on smartphones

    This research investigated the proliferation of malicious applications on smartphones, and a framework that can efficiently detect and classify such applications based on behavioural patterns was proposed. Additionally, the causes and impact of unauthorised disclosure of personal information by clean applications were examined, and countermeasures to protect smartphone users' privacy were proposed.

    Measuring and Mitigating Security and Privacy Issues on Android Applications

    Over time, the increasing popularity of the Android operating system (OS) has resulted in its user base surging past 1 billion unique devices. As a result, cybercriminals and other non-criminal actors are attracted to the OS due to the amount of user information they can access. Aiming to investigate security and privacy issues in the Android ecosystem, previous work has shown that it is possible for malevolent actors to steal users' sensitive personal information over the network, via malicious applications, or through vulnerability exploits, presenting proofs of concept or evidence of exploits. Due to the ever-changing nature of the Android ecosystem and the arms race involved in detecting and mitigating malicious applications, it is important to continuously examine the ecosystem for security and privacy issues. This thesis presents research contributions in this space, and it is divided into two parts. The first part focuses on measuring and mitigating vulnerabilities in applications due to poor implementation of security and privacy protocols. In particular, we investigate the implementation of the SSL/TLS protocol validation logic, and properties such as ephemerality, anonymity, and end-to-end encryption. We show that, despite increased awareness of vulnerabilities in SSL/TLS implementations by application developers, these vulnerabilities are still present in popular applications, allowing malicious actors to steal users' information. To help developers mitigate them, we provide useful recommendations such as enabling SSL/TLS pinning and using the same certificate validation logic in their test and development environments. The second part of this thesis focuses on the detection of malicious applications that compromise users' security and privacy, the detection performance of different program analysis approaches, and the influence of different input generators during dynamic analysis on detection performance.
We present a novel method for detecting malicious applications, which is less susceptible to the evolution of the Android ecosystem (i.e., changes in the Android framework as a result of the addition/removal of API calls in new releases) and of malware (i.e., changes in techniques to evade detection) compared to previous methods. Overall, this thesis contributes to knowledge around Android apps with respect to vulnerability discovery that leads to loss of users' security and privacy, and the design of robust Android malware detection tools. It highlights the need for continual evaluation of apps as the ecosystem changes, to detect and prevent vulnerabilities and malware that result in a compromise of users' security and privacy.

    Pertanika Journal of Science & Technology
