As part of Security Innovation's internship program, I spent a month conducting extensive research on Android malware; in particular, the automated analysis of malware for the purpose of uncovering insights that can help in identifying new strains or modified versions of existing malware.
I began by setting a series of attainable goals: researching Chinese application marketplaces, automating the identification of permissions both claimed and actually used by applications, and automating compiler fingerprinting to estimate the likelihood that an application has been modified from its original source. In addition to these quicker and more attainable goals, I set some stretch goals that revolved around the implementation and identification of more advanced static analysis techniques to reveal useful information about how malware samples actually behave. For instance, more detailed static analysis could be used to drill down into specific high-risk API calls and the arguments passed to them. One use for such analysis would be to get a glimpse into what types of information a Remote Access Trojan (RAT) might be sending to and receiving from a command and control server. Also useful is understanding how that information is being transferred, whether by HTTP, SMS, or some other medium.
Initial tests revealed that a large portion of applications were employing dangerous permissions, many of which were indicative of a Trojan exfiltrating device information or communicating with a command and control server. Use of further techniques revealed frequent attempts to escalate privileges, typically by simply requesting them from an unsuspecting user.
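To make the permission checks above concrete, here is an added example (my own illustration, not the tooling described in the post) that compares the permissions an app claims in its AndroidManifest.xml against the ones its code actually exercises. The manifest and smali fragments are constructed samples, and the permission-to-API mapping is a small illustrative subset of Android's "dangerous" permission group, not an exhaustive list; the same approach applies to a full mapping run over a decompiled APK.

```python
"""Compare claimed vs. used dangerous permissions for an Android app.

Added example: the manifest, smali fragments and the permission mapping below
are constructed for illustration, not taken from any real application.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative subset of Android "dangerous" permissions mapped to API-call
# fragments as they appear in smali/decompiled code (constructed, not exhaustive).
DANGEROUS = {
    "android.permission.READ_SMS": ["Landroid/provider/Telephony$Sms"],
    "android.permission.SEND_SMS": ["Landroid/telephony/SmsManager;->sendTextMessage"],
    "android.permission.READ_CONTACTS": ["Landroid/provider/ContactsContract"],
    "android.permission.READ_PHONE_STATE": ["Landroid/telephony/TelephonyManager;->getDeviceId"],
    "android.permission.ACCESS_FINE_LOCATION": ["Landroid/location/LocationManager;->requestLocationUpdates"],
}

# Permissions that give an app a channel to move data off the device.
EXFIL_CHANNELS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}

# Constructed sample manifest: a "flashlight" app asking for SMS and phone-state access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# Constructed smali fragment: reads the device ID and sends an SMS, never touches the SMS inbox.
SAMPLE_SMALI = """
.method private sendReport(Ljava/lang/String;)V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v1, v2, v3, v4, v5, v6}, Landroid/telephony/SmsManager;->sendTextMessage(...)V
.end method
"""


def claimed_permissions(manifest_xml):
    """Return every permission name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    key = "{%s}name" % ANDROID_NS
    return sorted(el.get(key) for el in root.iter("uses-permission") if el.get(key))


def used_permissions(code, mapping=DANGEROUS):
    """Return the mapped permissions whose API fragments appear in the code."""
    return sorted(perm for perm, frags in mapping.items()
                  if any(frag in code for frag in frags))


def audit(manifest_xml, code, mapping=DANGEROUS):
    """Summarise claimed vs. used dangerous permissions and flag a possible exfil path."""
    claimed = set(claimed_permissions(manifest_xml))
    used = set(used_permissions(code, mapping))
    dangerous_claimed = claimed & set(mapping)
    return {
        "dangerous_claimed": sorted(dangerous_claimed),
        "dangerous_used": sorted(used & claimed),
        # Claimed but never exercised: over-privileged, or code not yet reached by the scan.
        "claimed_not_used": sorted(dangerous_claimed - used),
        # Used without a claim: the call would fail at runtime, or the scan is mis-parsing.
        "used_not_claimed": sorted(used - claimed),
        # A data-reading dangerous permission plus an outbound channel is the
        # combination the post describes as indicative of information exfiltration.
        "possible_exfil": bool(dangerous_claimed - EXFIL_CHANNELS) and bool(claimed & EXFIL_CHANNELS),
    }


if __name__ == "__main__":
    for k, v in audit(SAMPLE_MANIFEST, SAMPLE_SMALI).items():
        print("%-20s %s" % (k, v))
```

The "claimed but not used" bucket is the one to watch during triage: a flashlight app that declares READ_SMS without any code path touching the SMS provider is either over-privileged or hiding that code path behind reflection or dynamic loading, both of which deserve a closer look.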
It was a major concern that most of these applications were flagged as behaving suspiciously. While these third-party app stores aren't very popular in the United States, a majority of Chinese smartphone users rely on them as an alternative to Google Play, which is banned in China. Using third-party app stores poses a significant security risk, and the only real alternative for users is to avoid them entirely. This risk pertains not only to malicious applications that make it past the app review process, but also to the lack of TLS on most of these stores, which opens an avenue for local attackers to backdoor applications as they are delivered to target users' phones. Still, users will often favor convenience, among other factors, when installing applications.
As a result, I began designing automated tests to identify malware, which is critical to a strong, trustworthy app review process. While many of these stores do implement automated checks to weed out malicious applications (as well as scraping apps directly from Google Play so that their authenticity is maintained), it's hard to determine quickly which stores have these security measures in place. Hopefully these stores will continue to take steps in the right direction. In the meantime, I encourage researchers to keep developing new test cases and malware analysis techniques, which will help increase the protections afforded to users by Google Play and the variety of third-party app stores.
Intern Author: Graham Smith