Polymorphic Android malware requires HIPS analysis

Mobile application morphing isn’t something we have heard of on mobile platforms; however, I did read an article on some recent developments. I suspect malware writers are developing mobile apps that automatically modify themselves on download, as well as continuing to re-engineer the codebase on a daily basis, which involves changing the file signature and manifest files on a regular basis.

Polymorphic malware apps can also change malicious URL redirects and PRS (premium rate service) numbers in their database on a daily basis too, so there is an element of intelligence here. So what about app permission controls? All apps need permissions, so even if one of these apps was installed, a user could deny all app permissions to connect, e.g. sending an SMS or making a silent PRS call. Is this actually true?

I know it isn’t true – see the forensics video below from our good friend Thomas Cannon. Thomas highlights how it is possible to circumvent the Android app permission feature when using an unprivileged app in a sandbox and move around the file system on either Gingerbread or Ice Cream Sandwich. Scary! This makes the idea of app malware morphing even more palatable.

[Video: Android No-Permissions Reverse Shell, from Thomas Cannon on Vimeo]

I remember also being caught out some 5 years ago when I received an SMS message with a link. I don’t know how (and no I didn’t click any links!) but I was about to receive a dozen pictures of naked women all delivered via a PRS number. It hit my pocket for 24 GBP! I must have clicked a link to activate, but I know I didn’t. Apparently I had read the SMS which had a read receipt embedded – this sent the confirmation to the phisher that my mobile number was indeed active. Very clever.

Sending a mobile user an image of a naked or scantily clad woman is one ruse the phishers adopt to entrap mobile users into visiting a malicious URL. The malicious URLs will also look to deliver their payload of additional malware via the mobile browser. Mobile browsers do a very good job of hiding the URL to improve the user experience, but inadvertently it means users don’t actually see where the URL is taking them, that is, until it is too late. 🙁

So what could be done to manage and control polymorphic Android malware? Dalvik, outside of the obvious VM mechanisms it deploys, would in my mind require some form of kernel and ‘intents’ behaviour analysis, akin to anti-malware behaviour analysis (or ‘HIPS’ as some like to call it) on Windows. It’s unlikely to happen any time soon though, especially as Google launched ‘Bouncer’ recently. Having worked in the anti-malware behaviour analysis industry the past few years, I’m in a good position to comment on ‘HIPS’. Real-time scanning is also something that is missing from mobile security apps right now; however, opening up the Linux kernel and system partition (currently mounted read-only) to read/write access will indeed lead developers (and malware writers) to think it’s ‘open season’ again for the Android OS.
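As an added illustration of the point above (example code written for this page, not code from the original post or from any product), a hash-based signature detects one build of a hypothetical malicious app but not a re-packaged build, while a behaviour rule keyed on the actions described in this post (premium-rate SMS and calls, and actions the app never declared permissions for) flags both. The app bytes, the event trace and the premium-rate number patterns are all constructed for the example.

```python
import hashlib
import re

# Constructed: two builds of the same hypothetical malicious app. Build B has been
# re-packaged so its bytes (and hash) differ, but it does exactly the same things.
BUILD_A = b"classes.dex build-1 | sms 89123 | http://bad.example/a"
BUILD_B = b"classes.dex build-2 | sms 89123 | http://bad.example/b"
KNOWN_BAD_HASHES = {hashlib.sha256(BUILD_A).hexdigest()}

# Constructed runtime trace, in the shape a kernel/intent hook might report events.
TRACE = [
    "intent action=android.intent.action.VIEW uri=http://bad.example/landing",
    "api SmsManager.sendTextMessage dest=89123 body=JOIN",
    "intent action=android.intent.action.CALL dest=tel:09061234567",
]

# Constructed premium-rate patterns (UK-style 5-digit short codes and 09 numbers);
# a real deployment would use the regulator's published number ranges.
PREMIUM_SMS = re.compile(r"^[678]\d{4}$")
PREMIUM_CALL = re.compile(r"^09\d{9}$")


def signature_match(apk_bytes: bytes) -> bool:
    """Classic hash lookup: only recognises builds that have already been seen."""
    return hashlib.sha256(apk_bytes).hexdigest() in KNOWN_BAD_HASHES


def behaviour_findings(declared_permissions: set, trace: list) -> list:
    """HIPS-style check: compare what the app does with what its manifest declared."""
    findings = []
    for event in trace:
        match = re.search(r"dest=(?:tel:)?(\S+)", event)
        dest = match.group(1) if match else ""
        if "SmsManager.sendTextMessage" in event:
            if "android.permission.SEND_SMS" not in declared_permissions:
                findings.append("SMS sent without declared SEND_SMS permission")
            if PREMIUM_SMS.match(dest):
                findings.append(f"SMS to premium-rate short code {dest}")
        elif "android.intent.action.CALL" in event:
            if "android.permission.CALL_PHONE" not in declared_permissions:
                findings.append("call placed without declared CALL_PHONE permission")
            if PREMIUM_CALL.match(dest):
                findings.append(f"call to premium-rate number {dest}")
    return findings


if __name__ == "__main__":
    print("signature A:", signature_match(BUILD_A), "signature B:", signature_match(BUILD_B))
    for finding in behaviour_findings(set(), TRACE):
        print("behaviour:", finding)
```

The signature check is blind to build B the moment the bytes change, whereas the behaviour rules fire on both builds because the trace is the same.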

I’m also still perplexed as to why Android continues to persist with self-signed certificates – any readers care to comment on this?

Safe surfing folks!
