Table of contents

Cover Page
Title Page
Copyright Page
About the Authors
About the Technical Reviewer
BRIEF CONTENTS
CONTENTS IN DETAIL
FOREWORD
ACKNOWLEDGMENTS
INTRODUCTION
Who Should Read This Book
What You’ll Find in This Book

PART I: A PRIMER ON ANDROID MALWARE

1 THE BASICS OF ANDROID SECURITY
The Android Security Model
Application Isolation
Attack Surface Reduction
Exploit Mitigation
Device Integrity
Permissions
Security Updates
Add-on Security and Safety Services
Collaboration Across Google
Sideloaded and Preloaded Malware Protection
The Android Package
Categories of Android Malware
Denial of Service
Backdoors
Rooting Trojans
Spyware
Stalkerware
Phishing
Hostile Downloaders
Privilege Escalation
Ransomware
SMS Fraud
Toll Fraud
Call Fraud
Spam
Ad Fraud
Non-Android Threats
Up Next

2 ANDROID MALWARE IN THE WILD
The Early Years: 2008 to 2012
DroidSMS
DroidDream
The Wallpaper Family
The Camera Family
Cricketland
Dougaleaker
BeeKeeper
Dogowar
Other Early Android Malware
The Professionalization of Malware: 2013 and 2014
Ghost Push
BadNews, RuFraud, and RuPlay
WallySMS
Mono WAP
Cryptocurrency Malware
Taicliphot
The First Preinstalled Malware
The Rise of Large Malware Networks: 2015 and 2016
Turkish Clicker
Gaiaphish
Judy
DressCode
Joker
Triada
Chamois
Gooligan and Snowfox
Hummingbad
YouTube Downloader
The Consolidation of Abuse: 2017 and Onward
OneAudience
Android.Click.312.origin
Cheetah Mobile
Anti-Fraud SDKs
Loapi/Podec
HDC Bookmark
EagerFonts
GMobi
Adups
Redstone
Digitime
Up Next

PART II: MANUAL ANALYSIS

3 STATIC ANALYSIS
What Is Static Code Analysis?
Guided vs. Unguided Analysis
Knowing When You’re Done
Loading the Malware Sample into jadx
Malicious Code in the Permissions
Viewing the Permissions
Finding the APIs Gated by Permissions
Analyzing the READ_CONTACTS Permission
Analyzing the BIND_NOTIFICATION_LISTENER_SERVICE Permission
Malicious Code in App Entry Points
Exported Activities
Broadcast Receivers
Services
Application Subclasses
Hiding Malicious Code
Anti-Analysis Techniques
Reflection
Non-Java Code
Encryption and Encoding
The Malware’s First Stage
Understanding the Malicious Class
Reverse Engineering the String Decryption Method
Decrypting All Strings in the Class
The Malware’s Second Stage
Entry Points
The yin.Chao.yin Method
The com.* Package
The Malware’s Third Stage
jadx Decompilation Issues
Entry Points
Name Mangling
Command-and-Control Server Communication
Examining the Encryption Algorithm
Probing the Server from the Command Line
Registering with the Server
Processing the Registration Response
Downloading Commands
Processing the Command-and-Control Server’s Response
Secretly Signing Up for the Premium Service
Setting Up the JavaScript Bridge
Interacting with the Java Bridge Object
Completing the Sign-up Process
The Mysterious Fourth Stage
Up Next

4 DYNAMIC ANALYSIS
What Is Dynamic Code Analysis?
Dynamic vs. Static Analysis
The Android Studio Emulator
Creating a System Image
Starting the Emulator
Resetting the Emulator
Interacting with the Emulator
Dynamic Analysis Tools
tcpdump
Wireshark
Frida
The Malware Sample
Detecting Malicious Functionality
Observing Filesystem Changes
Downloading Files for Inspection
Capturing Network Traffic
Analyzing Network Traffic
Analyzing Logs with Logcat
Analysis with Frida
Running frida-server
Using frida-trace to Find Interesting APIs
Finding Entry Points into the Malware with Frida Scripting
Executing the Frida Script
Decrypting the Command-and-Control Communications
With CyberChef
With Frida
Command-and-Control Server Messages
The /ping URL
The /metrics URL
The Rotating Encryption Keys
Other Malware Functionality
com.sniff with frida-trace
Accessibility Abuse
Adding Static Analysis
Other Command-and-Control Servers
Other Server Commands
More Accessibility Abuse
Automatically Granting Permissions
Injecting Phishing Windows
Stealing Credentials
Up Next

PART III: MACHINE LEARNING DETECTION

5 MACHINE LEARNING FUNDAMENTALS
How Machine Learning for Malware Analysis Works
Identifying App Features
Creating Training Sets
Using Classification Algorithms
Classification Algorithms
Decision Trees
Bagging and Random Forest
Support Vector Machines
k-Nearest Neighbors
Naive Bayes
Evaluating Machine Learning Models
Struggles of Machine Learning Classifiers
Identical Feature Vectors
Balance vs. Imbalance
Interpretability
Cross-Validation vs. Rolling Window Prediction
Up Next

6 MACHINE LEARNING FEATURES
Static Features
Dynamic Features
Method Call Features (A Weak Tactic)
Triadic Suspicion Graph Features
Suspicion Scores
The Suspicion Rank
TSG Features
Landmark-Based Features
Selecting Landmarks
Computing Landmark-Based Features
Feature Clustering
Generating Feature Clusters
Choosing Clustering and Feature Aggregation Algorithms
Correlation Graph–Based Feature Transformation
Further Reading
Up Next

7 ROOTING MALWARE
Rooting Malware Families
Testing Classifier Performance
Rooting Malware vs. Goodware
Permission-Related Features
Network-Based Features
Rooting Malware vs. Other Malware
Permission-Related Features
Other Features
DroidDream: A Case Study
Up Next

8 SPYWARE
Spyware Families
Spyware vs. Goodware
Permission-Related Features
Prediction Efficacy
Spyware vs. Other Malware
Permission-Related Features
Prediction Efficacy
Qibla Compass Ramadan: A Case Study
Predictions for Spyware Apps
Up Next

9 BANKING TROJANS
Banking Trojan Families
Banking Trojans vs. Goodware
SMS Permission Features
Other Permission Features
Prediction Efficacy
Banking Trojans vs. Other Malware
Permission-Related Features
Prediction Efficacy
Marcher: A Case Study
Up Next

10 RANSOMWARE
How Ransomware Attacks Work
Android Ransomware Families
Ransomware vs. Goodware
Permission-Related Features
Other Features
Prediction Efficacy
Ransomware vs. Other Malware
Permission-Related Features
Prediction Efficacy
Simplocker: A Case Study
Predictions for Important Ransomware Samples
Up Next

11 SMS FRAUD
SMS Fraud vs. Goodware
Non-SMS Permissions
The Absence of SMS Permissions
Prediction Efficacy
SMS Fraud vs. Other Malware
Permission-Related Features
Prediction Efficacy
BeeKeeper: A Case Study
Predictions for SMS Fraud Samples
Up Next

12 THE FUTURE OF ANDROID MALWARE
Windows vs. Android
Windows
Android
Hiding Malicious Behavior with Anti-Analysis Techniques
Native ARM Code
Downloaded Modules
Less Popular Languages
SDK-less Techniques
Distribution
Preloaded Malware and Supply Chain Compromises
Smarter Sideloading
Malware Economics
Machine Learning Trends for Attackers and Defenders
Next Steps

INDEX