Dominik Christian Maier

Switzerland
1417 followers, 500+ connections

Experience

  • Google

    Zurich, Switzerland

  • -

    Berlin area, Germany

  • -

    Berlin

  • -

    Nuremberg area, Germany

  • -

  • -

  • -

    Santa Barbara

  • -

    San Francisco (remote)

  • -

    Furtwangen (remote)

  • -

  • -

  • -

Education

  • Technische Universität Berlin

    -

    Thesis topic: Automated Security Testing of Unexplored Targets Through Feedback-Guided Fuzzing

  • -

    Activities and Societies: FAU Security Team (FAUST)

    Computer Science with focus on programming and security. Additionally hearing Spanish and philosophy

  • -

    Research on Secure Smartphone Authentication at NECSTLab

  • -

    Activities and Societies: FAU Security Team, FSI Wirtschaftsinformatik

    Business informatics focused on security research and innovation

Licenses and Certifications

Publications

  • A Game of Droid and Mouse: The Threat of Split-Personality Malware on Android.

    Computers & Security (COSE)

    In the work at hand, we first demonstrate that Android malware can bypass current automated analysis systems, including AV solutions, mobile sandboxes, and the Google Bouncer. A tool called Sand-Finger allowed us to fingerprint Android-based analysis systems. By analyzing the fingerprints of ten unique analysis environments from different vendors, we were able to find characteristics in which all tested environments differ from actual hardware. Depending on the availability of an analysis system, malware can either behave benignly or load malicious code dynamically at runtime. We also have investigated the widespread of dynamic code loading among benign and malicious apps, and found that malicious apps make use of this technique more often. About one third out of 14,885 malware samples we analyzed was found to dynamically load and execute code. To hide malicious code from analysis, it can be loaded from encrypted assets or via network connections. As we show, however, even dynamic scripts which call existing functions enable an attacker to execute arbitrary code. To demonstrate the effectiveness of both dynamic code and script loading, we create proof-of-concept malware that surpasses up-to-date malware scanners for Android and show that known samples can enter the Google Play Store by modifying them only slightly.

    Other authors
    • Mykola Protsenko
    • Tilo Müller
  • Divide-and-Conquer: Why Android Malware cannot be stopped

    Availability, Reliability and Security (ARES)

    In this paper, we demonstrate that Android malware
    can bypass all automated analysis systems, including
    AV solutions, mobile sandboxes, and the Google Bouncer.
    We propose a tool called Sand-Finger for the fingerprinting
    of Android-based analysis systems. By analyzing the fingerprints
    of ten unique analysis environments from different
    vendors, we were able to find characteristics in which all
    tested environments differ from actual hardware. Depending
    on the availability of an analysis system, malware can either
    behave benignly or load malicious code at runtime.
    We classify this group of malware as Divide-and-Conquer
    attacks that are efficiently obfuscated by a combination of
    fingerprinting and dynamic code loading. In this group, we
    aggregate attacks that work against dynamic as well as static
    analysis. To demonstrate our approach, we create proof-of-concept
    malware that surpasses up-to-date malware scanners
    for Android. We also prove that known malware samples can
    enter the Google Play Store by modifying them only slightly.
    Due to Android’s lack of an API for malware scanning at
    runtime, it is impossible for AV solutions to secure Android
    devices against these attacks.

    Other authors
    • Tilo Müller
    • Mykola Protsenko

Honors and Awards

  • CAST-Förderpreis IT-Sicherheit 2015 (Best Bachelor's Thesis in Information Security)

    CAST eV

    Award for best Bachelor's thesis in the field of IT-Security for my thesis "Obfuscation Techniques for Android Malware to Bypass Sandboxes"

Languages

  • English

    Full professional proficiency

  • French

    Elementary proficiency

  • Spanish

    Elementary proficiency

  • German

    Native or bilingual proficiency

  • Italian

    Elementary proficiency
