The missing link in the chain? Android network analysis

Wednesday 3 October 14:30 - 15:00, Red room

Rowland Yu (Sophos)



Modern Android malware makes full use of the internet: it executes remote tasks received from command-and-control servers, generates fraudulent ad clicks, and even mines cryptocurrency by downloading and running mining code inside the victim's web browser. Well-known analysis tools such as JEB, Apktool and Radare2 are widely used to analyse malicious Android apps, but packed or obfuscated apps remain a very challenging target. Analysis of the app's network activity can help enormously in understanding an obfuscated app's logic; the main challenge is being able to quickly establish the relationship between decompiled code and network traffic.

Using a packet sniffer in an Android environment is not as straightforward as it seems. To intercept TLS traffic with a man-in-the-middle proxy, the proxy's CA certificate has to be installed on the test device, or the corresponding key material has to be configured for decryption in a packet analyser such as Wireshark. Since Android 7.0, apps ignore user-installed CAs by default, so in practice the certificate usually has to be placed in the system store of a rooted device or the app's network security configuration has to be modified. Android-based packet analysers can link packet data to each app on the device but offer clumsy features for downloading or analysing the packets, while computer-based packet analysers are the exact opposite.

In this paper, we will present:

  • An overview of the latest Google Play and non-Google Play Android threats, such as drive-by cryptominers, fraud-clickers and droppers, which fetch malicious payloads from a remote server at run time.
  • Demonstrations of several existing packet-analysing tools, both Android-based and computer-based, showing why they fail to achieve the tasks required in threat research.
  • Our practical tools, which allow researchers to capture all packets for each app, deeply inspect hundreds of network packets, and highlight potentially suspicious content such as HTML, JavaScript or PHP for quick and intuitive analysis.
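The per-app triage described in the last bullet can be sketched in a few dozen lines. The following Python script is an added example by the editor, not the tool presented in this paper or any SophosLabs code. It assumes HTTP responses have already been captured (for instance via a man-in-the-middle proxy on the test device) and attributed to the owning app, and it works on constructed sample responses embedded in the script. The flagging heuristics (magic bytes for DEX, APK and ELF payloads, content-type mismatches, WebAssembly/Worker use in JavaScript, eval/atob patterns, PHP source returned verbatim) are the editor's assumptions, chosen to illustrate the kind of highlighting the abstract describes.

```python
"""Per-app triage of captured HTTP responses (editor's example, not the paper's tool)."""
import re
from collections import defaultdict

# Constructed sample records. In a real capture each record would come from a pcap
# taken on the device, with the owning app resolved from the socket's UID.
SAMPLE_RESPONSES = [
    {"app": "com.example.game", "url": "http://ads.example.net/track.php?id=1",
     "content_type": "text/html", "body": b"<html><body>ok</body></html>"},
    {"app": "com.example.game", "url": "http://cdn.example.net/lib.js",
     "content_type": "application/javascript",
     "body": b"var w=new Worker('m.js');WebAssembly.instantiate(buf);"},
    {"app": "com.example.flashlight", "url": "http://dl.example.org/update",
     "content_type": "text/html", "body": b"dex\n035\x00..."},
    {"app": "com.example.flashlight", "url": "http://dl.example.org/page",
     "content_type": "text/html", "body": b"<?php echo $_GET['c']; ?>"},
    {"app": "com.example.game", "url": "http://cdn.example.net/app.apk",
     "content_type": "application/octet-stream", "body": b"PK\x03\x04..."},
]

# Magic bytes of payload types a dropper typically fetches at run time.
MAGIC = [
    (b"dex\n", "dex"),       # Dalvik executable
    (b"PK\x03\x04", "zip"),  # APK / JAR (zip container)
    (b"\x7fELF", "elf"),     # native library or binary
]
EXECUTABLE = {"dex", "zip", "elf"}

# Text-content sniffing; PHP is checked before HTML because PHP files usually contain HTML.
PHP_HINT = re.compile(rb"<\?php\b")
HTML_HINT = re.compile(rb"<\s*(html|head|body|script|div)\b", re.I)
JS_HINT = re.compile(rb"\b(function|var|let|const|document\.|window\.)\b")
# Assumed heuristics for in-browser mining and script obfuscation (editor's choice).
MINER_HINT = re.compile(rb"WebAssembly|new\s+Worker\s*\(|SharedArrayBuffer")
OBF_HINT = re.compile(rb"\beval\s*\(|\batob\s*\(|\bunescape\s*\(|String\.fromCharCode")


def sniff_type(body):
    """Classify a response body by what it actually contains, not what the server claims."""
    for magic, name in MAGIC:
        if body.startswith(magic):
            return name
    head = body[:4096]
    if PHP_HINT.search(head):
        return "php"
    if HTML_HINT.search(head):
        return "html"
    if JS_HINT.search(head):
        return "javascript"
    return "other"


def declared_type(content_type):
    """Map the Content-Type header to the same coarse classes as sniff_type()."""
    ct = content_type.split(";")[0].strip().lower()
    return {
        "text/html": "html",
        "application/javascript": "javascript",
        "text/javascript": "javascript",
        "application/x-javascript": "javascript",
        "application/vnd.android.package-archive": "zip",
    }.get(ct, "other")


def triage(rec):
    """Return (sniffed type, list of human-readable flags) for one captured response."""
    body = rec["body"]
    actual = sniff_type(body)
    declared = declared_type(rec["content_type"])
    flags = []
    if actual in EXECUTABLE:
        flags.append("executable payload (%s) fetched at run time" % actual)
    if declared != "other" and actual != "other" and declared != actual:
        flags.append("content-type mismatch: declared %s, body is %s" % (declared, actual))
    if actual == "php":
        flags.append("server-side PHP source returned verbatim")
    if actual == "javascript":
        if MINER_HINT.search(body):
            flags.append("JavaScript with WebAssembly/Worker use (possible in-browser miner)")
        if OBF_HINT.search(body):
            flags.append("JavaScript with eval/atob/fromCharCode (obfuscated script)")
    return actual, flags


def triage_by_app(records):
    """Group flagged responses by the app that produced the traffic."""
    report = defaultdict(list)
    for rec in records:
        actual, flags = triage(rec)
        if flags:
            report[rec["app"]].append((rec["url"], actual, flags))
    return dict(report)


if __name__ == "__main__":
    for app, hits in triage_by_app(SAMPLE_RESPONSES).items():
        print(app)
        for url, kind, flags in hits:
            print("  %-40s %-10s %s" % (url, kind, "; ".join(flags)))
```

Grouping by app is what makes the output useful: the benign tracking page from the game is dropped, while the same app's download of an APK and of a Worker/WebAssembly script, and the flashlight app's DEX served as `text/html`, are listed under the package that fetched them, ready to be matched against the decompiled code.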

 


Rowland Yu

Rowland Yu is a senior threat researcher level 2 at Sophos. He joined SophosLabs as a spam analyst in 2006, before moving into the role of virus threat researcher for advanced threat research, reverse engineering and remediation. Rowland has also led anti-spam and DLP research in the Australian SophosLabs. After the first Android malware was revealed in 2012, Rowland believed Android would become 'the new Windows' for malware and dedicated most of his time to Android security. Rowland is now the primary researcher leading the Android team for malware analysis and emerging threats. He is also a frequent speaker at Virus Bulletin, RSA and AVAR conferences.

@rowlandy


   Download slides

Other VB2018 papers

Who wasn’t responsible for Olympic Destroyer?

Paul Rascagneres (Cisco Talos)
Warren Mercer (Cisco Talos)

Threat intelligence brokerage revisited

Juan Andrés Guerrero-Saade (Chronicle)

Levelling up: why sharing threat intelligence makes you more competitive

Michael Daniel (Cyber Threat Alliance)

