Mobile Malware Evolution Flashcards

1
Q

Growth of mobile malware was slow up until 2010, despite the industry constantly predicting it would increase. What change in 2010-2012 saw an explosion in malware?

A

Android was released

2
Q

For mobile worms – name 3 main ways that they can spread from device to device

A
  • Bluetooth
  • MMS
  • another vulnerable protocol (e.g. SSH) exposed on the provider's netblock
3
Q

Apart from “normal” spyware features that are common between Windows and Mobile malware (infostealing of passwords) – name 3 features that are generally unique to mobile malware

A

Anything involving SMS, phone calls, or geolocation
4
Q

Briefly (1-2 lines) explain how a Banking Mobile Trojan tends to work

A

They are normally designed to intercept two-factor authentication codes, by intercepting SMS or a proprietary protocol
5
Q

You have found an Android malware sample that you believe to be exfiltrating data to a number starting with +353. Give a general overview of how to do Android malware analysis by treating it as Java code (as opposed to Dalvik assembly). In your description list:

  • The main tools you would use
  • 1-2 lines to describe the major steps you would carry out in order to analyse the sample and identify where the code sending the message is located
A
  • Tools: Winzip, Dex2Jar, JD-GUI
  • Describe using these three tools in order, then search the decompiled Java for +353.
6
Q

Name ways in which a malicious APK file can make its way onto a target phone.

A
  • 3rd Party App Stores
  • Official Android PlayStore
  • Drive-by downloads
  • Phishing
  • QR codes
  • Mobile Worm
7
Q

What are three common malware motives?

A
  • Worms (just spread for the sake of spreading)
  • Malicious destructive Trojans
  • Financially motivated malware
    • Banking trojans like Zitmo
    • Ransomware
    • SMS Trojans to high cost numbers
    • Spam Trojans
    • Spyware
8
Q

How is an APK created?

A
  1. Programmer writes code in Java
  2. Compiler compiles the source files into Class files
  3. Class files get converted to dex files (bytecode for the Dalvik VM)
  4. Classes.dex + AndroidManifest.xml + Resources (media files) = APK file
9
Q

How can you analyse Android Malware?

A
  1. WinZip: Extract content => Manifest + DEX file
  2. Dex2Jar: Convert classes.dex into JAR
  3. JD-GUI: Use Java Decompiler to analyse code inside JAR.
10
Q

Why did malware on Android increase so much?

A
  • A Platform / OS with enough market share to make good business sense to attack
  • Good development support
  • Relatively weak security protection
11
Q

What is the AndroidManifest.xml?

A

The XML file AndroidManifest.xml describes the application (e.g. the permissions it needs). These are the same permissions that are presented to a user when they wish to install an app.
12
Q

Name some other Android analysis tools?

A
  • AndroGuard
  • Joe Sandbox
  • APK-Analyzer.net
  • Genymotion
  • AppUse
13
Q

What can you do if some parts are coded directly in the Dalvik language?

A

Use SMALI / BAKSMALI
