Malware in Mobile Platform from Panoramic Industrial View

Antiy Labs
Contents
 introduction   • a piece of “news” + a mobile phone
 phenomenon     • new threat
 solution       • Is everything under control?
 analysis       • the history of confrontation
 conclusion     • conclusion
INTRODUCTION:
A PIECE OF “NEWS”+ A MOBILE PHONE
Talking From A Piece of “News”
Analysis
Talking from a Grey Mobile Phone

Malicious behaviour observed on the grey phone:
 • Extra Expenses – customize extra services, download other software
 • Network Flows – website hits
 • Privacy – steal messages, contacts list
Analysis on Malware – Information
 Name               com.google.android.providers.enhancedgooglesearch
 Chinese Name
 Original Name      a.apk
 URL Source
 Collection Source
 System Platform    Android
 Format             apk
 MD5 Value          BFBB58D0F8B487869393A0244AE71AFC
 CRC32 Value        C1C12A99
 SHA1 Value         59EE114166CDBCDDB88B38299934021080053D86
 Bytes

Malware Information
 Name               Trojan/Android.droiddg.a[rmt,sys]
 CNCERT Name        a.remote.droiddg.a
 Chinese Name
 Other Names        None
 Original/Tied      Firmware embedding
 Threat type        remote system
A Truly Funny Story
[Figure: a grey Android mobile is pointed at a fake “sexy” E-market, while a genuine mobile is pointed at the real E-market]
Diverted Industrial Chain
INTERPRETATIONS OF NEW THREATS
Crossing the System Platform (Zitmo)
[Figure] On Windows, Zeus steals the account/password; on the mobile side (Android, RIM OS, Symbian, WinCE), Zitmo steals the random identifying code. Both are delivered to the attacker, who uses them against the Net Bank.
Steal Message and Contacts List (SW.Spyware)

 Propagation Means
    –   Disguise as a Tax Amount Calculating Software Package
 Procedure
    –   Installation
    –   Mimic the QQ Login Form to Lure Users
    –   Get the QQ Account and Password and Send Them to a Specific Mobile Phone

 Object System
    –   Android
 Harm
    –   Steal Message Contents
    –   The SW.Spyware.B Variant Can Even Monitor the Communication Record of the User

 Damage Range
    –   First Version of Android Virus
 Propagation Time
    –   July, 2010
Spycall (Nickispy)
• Spycall and send back
• Disguise as Google+ for the first time
Form Control System (Adrd)
• Trojan/Android.Adrd.a[exp]
  – Issue the control command that triggers the malware behaviour
  – Provide the data-accessing address (URL) needed by the malware behaviour
  – Provide the parameter data needed by the malware behaviour
  – Provide an updating service for the malware files
The combined use of a vulnerability and social engineering

  1. Replace normal applications by means of a Google application download bug
  2. Consumers download bootleg applications which are actually malware, with 200 thousand victims
  3. Google clears out the malware by remote-upgrade interplay and provides security software
  4. The malware attacker disguises as the Google security software
SOLUTION:
IS EVERYTHING UNDER CONTROL
Traditional view
 • Host format: SIS, APK, PE, ………
 • Malware → Mobile malware
 • Spreading media / System entrance / Various media
 • Target systems: Android, SymbOS, Windows Mobile
Major Spreading Approaches
 • User installation: official market/network, third-party market, message/multimedia message
 • Internet download: GPRS/3G, Wi-Fi, PC shared network
 • PC penetration: flash memory share, USB communication
 • Inserting ROM: user flash, vendor pre-setting up
Analysis approaches (screenshot slides):
 • Dalvik Disassembling: IDA Pro
 • Static Analysis: ARM Disassembling
 • Static Analysis: Java Decompilation
 • Dynamic Analysis: SDK Simulator
 • Dynamic Analysis: Behavior Monitor
 • Network Analysis
 • Automatic Analysis
 • Disassembling Dalvik Code
 • Disassembling ARM Code
 • Decompilation as Java
 • System Simulation
 • Network Data Analysis
 • Dynamic Behavior Monitor
 • Automatic Comprehensive Analysis
 • Visualized Comprehensive Analysis
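The slides above only show screenshots, and the "Analysis on Malware" table earlier gives the sample's MD5, CRC32 and SHA1. The following script is an added example (not code from the deck or from Antiy Labs) of the first static-triage step an analyst performs before disassembling: hash an APK with the same three digests the table uses, compare them against a known-sample list (seeded here with the table's values), and sanity-check the APK container (ZIP entries, presence of AndroidManifest.xml and classes.dex, and the DEX file magic). The sample APK it triages is constructed in memory as a test fixture and is not a real application.

```python
import hashlib
import io
import zipfile
import zlib

# Identification values copied from the slide's "Analysis on Malware" table.
KNOWN_SAMPLES = [
    {
        "name": "com.google.android.providers.enhancedgooglesearch",
        "md5": "BFBB58D0F8B487869393A0244AE71AFC",
        "crc32": "C1C12A99",
        "sha1": "59EE114166CDBCDDB88B38299934021080053D86",
    },
]


def hash_bytes(data: bytes) -> dict:
    """Compute the three digests the slide table lists, in upper-case hex like the slide."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
    }


def match_known_sample(digests: dict, known=KNOWN_SAMPLES):
    """Return the known sample's name if MD5 and SHA1 both match, else None."""
    for rec in known:
        if rec["md5"] == digests["md5"] and rec["sha1"] == digests["sha1"]:
            return rec["name"]
    return None


def triage_apk(data: bytes) -> dict:
    """Static container checks on an APK (a ZIP): entries, manifest/dex presence, DEX magic."""
    info = hash_bytes(data)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        info.update(is_zip=False, entries=[], has_manifest=False, dex_magic_ok=False,
                    known_sample=match_known_sample(info))
        return info
    entries = zf.namelist()
    dex_ok = False
    if "classes.dex" in entries:
        # A DEX file begins with "dex\n", a three-digit version, then a NUL byte.
        head = zf.read("classes.dex")[:8]
        dex_ok = head.startswith(b"dex\n") and head[4:7].isdigit() and head[7:8] == b"\x00"
    info.update(
        is_zip=True,
        entries=entries,
        has_manifest="AndroidManifest.xml" in entries,
        dex_magic_ok=dex_ok,
        known_sample=match_known_sample(info),
    )
    return info


def build_sample_apk(dex_version: bytes = b"035") -> bytes:
    """Construct a minimal APK-shaped ZIP in memory (constructed fixture, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder, not binary XML>")
        zf.writestr("classes.dex", b"dex\n" + dex_version + b"\x00" + b"\x00" * 64)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    for key, value in report.items():
        print(f"{key:>13}: {value}")
```

Matching on MD5 alone is weak (MD5 collisions are practical), so the match requires both MD5 and SHA1; the CRC32 is kept only because the slide's table records it. A sample that fails the ZIP or DEX-magic checks is still worth hashing, since a corrupted or deliberately malformed container is itself a triage finding.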
ANALYSIS:
THE HISTORY OF CONFRONTATION
Those Forgotten Grey Faces?
 CIH (1998)   Melissa (1999)   Sasser (2004)
Those Forgotten Red Alerts?
A Cross-Platform Contrast
 2001   2010
Winux (2001)
Cross Platform – Mobile + PC Bimorphism

[Figure] Modules of the mobile + PC sample:
 • SymbianUpdateSrv.exe – starts and updates new modules
 • symbianDL.exe – download module
 • dlinstall.dat (sisx), install.dat20 (sisx) – installation payloads
 • 912812352001_3rd.sisx → 0xe61caca0.dat (jar) → class files – function-disguising module
 • symbianSrv.exe – service-monitoring module
 • symbianStarter.exe – clearing module
 • symbianChkServer.exe – heartbeat telecontrol module
The Confrontation History Since 1988
 Normalized Confrontation → Systematical Confrontation → Industrial Confrontation
Notable Event and Typical Method of Normalized Confrontation
 Notable events: Bouncing Ball Virus, Encrypted Virus, Metamorphic Virus, Script Virus, Macro Virus
 Typical methods: Pattern Matching Penetrated, Difficulty Promoted, Direct Attack Mechanism, Disrupting the Wording Chain, Interfering Mechanism, Normalized Confrontation
Normalized Confrontation
[Figure] Engine pipeline: Object obtaining → framework → current diverter → matching box (backed by the virus database and the preprocessor) → assessor → disposer → Solution
Systematical confrontation (2000~2005)
Systematical confrontation (notable events)

The emergence of P2P zombie networks (botnets)
The application of PKI systems in zombie networks
Attack on VirusTotal by distributed DDoS
Shift from client to cloud port
Industrial Confrontation (2005—Now)
 underground industrial system  vs.  information industrial system
An Integral Whole Seen from Underground Economy Chain
[Figure] Underground industrial chain:
 • invade enterprise server → steal secrets → sale
 • invade network game server / player → steal virtual currency, steal accounts → steal bank accounts → launder money → obtain money
 • invade websites massively → steal network exchange accounts
 • compile malware → spreading (forum spread, tying spread, charge spread) → steal virtual property → incorporate into zombie network → send spam e-mail, denial-of-service attack
 • compile mobile malware → mobile malware code → SP expense deducting
Industrial Chain: Complex and Interminable
[Figure] Layers of the mobile industrial chain:
 • baseband chip (Qualcomm, TI) → solution (TechFaith, DaTang, ……) → spare parts (ARM, memory, battery) → OS (Symbian, WM, Mac OS, Android, Palm, ……) → manufacturing → sale approach (genuine product, grey product, custom and tie)
 • content supplier, software supplier, service supplier, security vendors, application software → sale service (personal, enterprise; app store; private service, official after-sale)
Summary
Malware has developed beyond the traditional single concept of program code. It has penetrated into the whole system of society, politics, economy and life. It is impossible to resist malware effectively by relying only on anti-virus vendors. The battle against malware requires the management and resistance of the whole social system.
Anti-virus men of all countries, unite!
Thank you!
seak@antiy.com

 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 

Último (20)

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 

Malware in Mobile Platform from Panoramic Industrial View

  • 1. Malware in Mobile Platform from Panoramic Industrial View Antiy Labs
  • 2. Contents introduction •a piece of “news” + a mobile phone phenomenon •new threat solution •Is everything under control? analysis •the history of confrontation conclusion •conclusion
  • 3. INTRODUCTION: A PIECE OF “NEWS”+ A MOBILE PHONE
  • 4. Talking From A Piece of “News”
  • 6. Taking from a Grey Mobile Phone. Malicious behaviour: Extra Expenses (customized extra services); Network Flows (downloading other software, website hits); Privacy (stealing messages and the contacts list)
  • 7. Information Analysis on Malware
    Name: com.google.android.providers.enhancedgooglesearch
    Chinese Name:
    Original Name: a.apk
    URL Source:
    Collection Source:
    System Platform: Android
    Format: apk
    MD5 Value: BFBB58D0F8B487869393A0244AE71AFC
    CRC32 Value: C1C12A99
    SHA1 Value: 59EE114166CDBCDDB88B38299934021080053D86
    Bytes:
    Malware Information
    Name: Trojan/Android.droiddg.a[rmt,sys]
    CNCERT Name: a.remote.droiddg.a
    Chinese Name:
    Other Names: None
    Original/Tied: Firmware embedding
    Threat type: remote system
  • 8. A Truly Funny Story: a sexy E-market, a grey Android mobile, a genuine mobile, the real E-market
  • 11. Crossing the System Platform (Zitmo). Windows: Zeus; mobile platforms (Android, RIM OS, Symbian, WinCE): Zitmo. Diagram items: account/password, random identifying code, attacker, Net Bank
  • 12. Steal Message and Contacts List (SW.Spyware)
    Propagation Means: disguised as a tax amount calculating software package
    Procedure: installation; modelled as a QQ login form to lure users; gets the QQ account and password and sends them to a specific mobile phone
    Object system: Android
    Harm: steals message contents; the SW.Spyware.B variant can even monitor the user's communication record
    Damage Range: first version of Android virus
    Propagation Time: July 2010
  • 13. Spycall (Nickispy) • Spycall and send back • Disguised as Google+ in the first time
  • 14. Form Control System (Adrd) • Trojan/Android.Adrd.a[exp]: issues the control command and the malware trigger command; provides the data-accessing address (URL) needed by the malware behaviour; provides the parameter data needed by the malware behaviour; provides an updating service for malware files
  • 15. The interdisciplinary use of leak and social engineering 1. Replace a normal application by means of the Google application download bug 2. Consumers download bootleg applications which are actually malware, with 200 thousand victims 3. Google clears out the malware by remote upgrade interplay and provides security software 4. The malware attacker disguises as Google security software
  • 17. Traditional view Host SIS format APK PE ……… Malware Mobile malware Android Spreading System SymbOS media entrance Various Windows media Mobile
  • 18. Major Spreading Approaches • Official • GPRS/3G market/network • Wi-Fi • Third-party market • PC shared network • Message/multimedia Internet User message installation download PC Inserting penetration ROM • Flash memory share • User Flash • USB communication • Vendor pre-setting up
  • 20. Static Analysis: ARM Disassembling
  • 21. Static Analysis: Java Decompilation
  • 22. Dynamic Analysis: SDK Simulator
  • 23. Dynamic Analysis: Behavior Monitor
  • 24. Network Analysis
  • 25. Automatic Analysis
  • 30. System Simulation
  • 35. ANALYSIS: THE HISTORY OF CONFRONTATION
  • 36. Those Forgotten Grey Faces? CIH (1998), Melissa (1999), Sasser (2004)
  • 37. Those Forgotten Red Alert ?
  • 40. Cross Platform-Mobile + PC Bimorphism SymbianUpdateSrv.exe 912812352001_3rd.sisx start and update new module 0xe61caca0.dat (jar) symbianDL.exe dlinstall.dat (sisx) Function disguising class files download module module install.dat20 (sisx) symbianStarter.exe symbianSrv.exe clearing module service-monitoring symbianChkServer.exe module heartbeat telecontrol module
  • 41. The Confrontation History Since 1988 Industrial Confrontation Systematical Confrontation Normalized Confrontation
  • 42. Notable Event and Typical Method of Normalized Confrontation • Bouncing Ball Virus • Pattern Matching Penetrated • Difficulty Promoted • Encrypted Virus • Direct Attack Mechanism • Metamorphic Virus • Disrupting the Wording Chain • Script Virus • Interfering Mechanism • Macro Virus • Normalized Confrontation
  • 43. Normalized Confrontation: virus database, current framework: diverter, object obtaining, preprocessor, matching box, assessor, disposer; Solution
  • 45. Systematical confrontation (notable events): the emergence of the P2P zombie network; the application of the PKI system in the zombie network; attack on VirusTotal by distributed DDoS; shift from client to cloud port
  • 46. Industrial Confrontation (2005—Now): underground industrial system vs. information industrial system
  • 47. An Integral Whole Seen from Underground Economy Chain invade enterprise sale server steal secret invade server network games underground obtain money steal virtual industrial steal account launder currency player steal bank money account invade website massively steal network send rubbish e- exchange mail account compile malware steal virtual reject service spreading property attack incorporate forum spread charge spread Compile Zombie mobile tying spread network malware mobile SP expense malware code deducting
  • 48. Industrial Chain: Complex and Interminable app store Software personal content supplier supplier enterprise security application vendors sale service software service private official supplier service after-sale baseband spare- manufactu sale solution OS chip parts ring approach Qualcomm TechFaith ARM Symbian、WM、 genuine product TI DaTang Memory Macos、android、 grey product …… Battery palm…… custom and tie
  • 49. Summary Malware has developed and broken through the traditional single concept of program code. It has penetrated into the whole system of society, politics, economy and life. It is impossible to resist malware effectively relying only on anti-virus vendors. The battle against malware requires the management and resistance of the whole social system. Anti-virus men of all countries, unite! Thank you! seak@antiy.com