POLITESI Politecnico di Milano Servizi Bibliotecari di Ateneo
Please use this identifier to cite or link to this thesis: http://hdl.handle.net/10589/106646

Author: COLETTA, ALBERTO
Supervisor: MAGGI, FEDERICO
Scientific Disciplinary Sector: ING-INF/05 Information Processing Systems (Sistemi di Elaborazione delle Informazioni)
Date: 29-Apr-2015
Academic year: 2013/2014
Title: Droydseuss. A mobile banking trojan tracking service
English abstract: From reverse engineering several samples of mobile banking trojans, we observed the presence of repetitive static artifacts that reveal valuable information for researchers who need to track and monitor the distribution of this class of malicious apps. In addition to these artifacts, banking trojans must unavoidably communicate with their operators in multiple ways (e.g., phone, SMS, Web service), which guarantees another source of interesting data. Motivated by the high threat level posed by banking trojans and by the lack of publicly available analysis and intelligence tools targeted at mobile banking trojans, we automated the extraction of such artifacts and created a malware tracker that we named Droydseuss. Based on the aforementioned observations, Droydseuss processes malware samples statically and dynamically, searching for allocated relevant strings that contain traces of communication endpoints. It then prioritizes the extracted strings based on the API functions that manipulate them, giving higher priority to strings used by phone- and web-related functions. Droydseuss then uses frequent itemset mining to correlate the endpoints so derived with descriptive metadata from the samples (e.g., package name), providing aggregated statistics, raw data and cross-sample information that allow researchers to pinpoint relevant groups of applications. We connected Droydseuss to the VirusTotal daily feed, consuming Android samples that perform banking-trojan activity. In about 5 months it analyzed 1,605 samples. As a result, Droydseuss produces publicly available blacklists of the extracted endpoints. In addition to evaluating the performance of Droydseuss, we manually analyzed its output and found supporting evidence to confirm its correctness. Remarkably, the most frequent itemset revealed a campaign currently spreading against Chinese and Korean bank customers.
Although motivated by mobile banking trojan tracking, Droydseuss can be used to analyze the communication behavior of any dataset of suspicious samples.
Italian keywords: mobile banking trojan; android; malware tracker
English keywords: mobile banking trojan; android; malware tracker
Language: eng
Appears in Collections: POLITesi > Tesi Specialistiche/Magistrali

Files in This Item:

File: 2015_04_Coletta.pdf
Description: Thesis text
Size: 2.18 MB
Format: Adobe PDF
Visibility: Accessible via Internet only by authorised users (AunicaLogin or Shibboleth) starting from 7/4/2016
Support, maintenance and development by SURplus team @ CINECA. Powered by DSpace Software