Droydseuss. A mobile banking trojan tracking service

COLETTA, ALBERTO
2013/2014

Abstract

From reverse engineering several samples of mobile banking trojans, we observed the presence of repetitive static artifacts that reveal valuable information for researchers who need to track and monitor the distribution of this class of malicious apps. In addition to these artifacts, banking trojans must unavoidably communicate with their operators in multiple ways (e.g., phone, SMS, Web service), which guarantees another source of interesting data. Motivated by the high threat level posed by banking trojans and by the lack of publicly available analysis and intelligence tools targeted at mobile banking trojans, we automated the extraction of such artifacts and created a malware tracker that we named Droydseuss. Based on the aforementioned observations, Droydseuss processes malware samples statically and dynamically, searching for allocated relevant strings that contain traces of communication endpoints. It then prioritizes the extracted strings based on the API functions that manipulate them, giving higher priority to strings used by phone- and web-related functions. Droydseuss then uses frequent itemset mining to correlate the endpoints so derived with descriptive metadata from the samples (e.g., package name), providing aggregated statistics, raw data and cross-sample information that allow researchers to pinpoint relevant groups of applications. We connected Droydseuss to the VirusTotal daily feed, consuming Android samples that perform banking-trojan activity. In about 5 months it analyzed 1,605 samples. As a result, Droydseuss produces publicly available blacklists of the extracted endpoints. In addition to evaluating the performance of Droydseuss, we manually analyzed its output and found supporting evidence to confirm its correctness. Remarkably, the most frequent itemset revealed a campaign currently spreading against Chinese and Korean bank customers.
Although motivated by mobile banking trojan tracking, Droydseuss can be used to analyze the communication behavior of any dataset of suspicious samples.
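The abstract describes a three-step pipeline: extract endpoint-like strings, prioritize them by the API that consumes them, then run frequent itemset mining over endpoints and package names to surface groups of related samples. The following Python is an added illustration of that pipeline written for this page; it is not code from the thesis or from Droydseuss. The API priority weights, the URL and phone regexes, and the five sample records are all constructed assumptions, and the miner is a plain Apriori rather than whatever algorithm the thesis actually used.

```python
"""Toy endpoint extraction and frequent-itemset correlation (added illustration)."""
import re
from collections import Counter
from itertools import combinations

# Hypothetical priority weights: the API that manipulates a string decides how
# likely it is to be a real operator endpoint (phone/SMS/web high, logging low).
API_PRIORITY = {
    "sendTextMessage": 3,     # SMS
    "Intent.ACTION_CALL": 3,  # phone
    "HttpPost": 3,            # web service
    "URL.<init>": 2,          # URL construction, weaker signal
    "Log.d": 0,               # debug logging, treated as noise
}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def classify(s):
    """Return (kind, normalized value) for an endpoint-like string, else None."""
    m = URL_RE.search(s)
    if m:
        return ("host", m.group(1).lower())
    if PHONE_RE.match(s.strip()):
        return ("phone", s.strip())
    return None


def extract_items(sample, min_priority=2):
    """Turn one sample into a transaction: its package name plus prioritized endpoints."""
    items = {("pkg", sample["package"])}
    for s, api in sample["strings"]:
        if API_PRIORITY.get(api, 1) < min_priority:  # drop low-priority consumers
            continue
        kind = classify(s)
        if kind:
            items.add(kind)
    return frozenset(items)


def apriori(transactions, min_support):
    """Plain Apriori: {itemset: support_count} for every itemset with support >= min_support."""
    counts = Counter(item for t in transactions for item in t)
    frequent = {frozenset([i]): c for i, c in counts.items() if c >= min_support}
    result = dict(frequent)
    k = 2
    while frequent:
        # Join: unions of frequent (k-1)-itemsets that yield k-itemsets.
        candidates = {a | b for a, b in combinations(frequent, 2) if len(a | b) == k}
        # Prune: every (k-1)-subset of a candidate must itself be frequent.
        candidates = {c for c in candidates
                      if all(frozenset(s) in frequent for s in combinations(c, k - 1))}
        counts = Counter(c for c in candidates for t in transactions if c <= t)
        frequent = {c: n for c, n in counts.items() if n >= min_support}
        result.update(frequent)
        k += 1
    return result


def campaign_candidates(samples, min_support):
    """Itemsets of size >= 2 (endpoint + package, etc.), most supported first."""
    freq = apriori([extract_items(s) for s in samples], min_support)
    multi = [(tuple(sorted(k)), n) for k, n in freq.items() if len(k) >= 2]
    return sorted(multi, key=lambda kv: (-kv[1], -len(kv[0]), kv[0]))


# Constructed sample records (package names, hosts and numbers are placeholders).
SAMPLES = [
    {"package": "com.example.bankfake", "strings": [
        ("http://c2.example.net/gate.php", "HttpPost"),
        ("+10000000000", "sendTextMessage"),
        ("http://debug.example.org/", "Log.d")]},
    {"package": "com.example.bankfake", "strings": [
        ("http://c2.example.net/upd", "HttpPost"),
        ("+10000000000", "sendTextMessage")]},
    {"package": "com.example.bankfake", "strings": [
        ("https://c2.example.net/", "URL.<init>"),
        ("hello", "HttpPost")]},
    {"package": "com.other.app", "strings": [
        ("http://cdn.example.com/x", "HttpPost")]},
    {"package": "com.other.app2", "strings": [
        ("+10000000000", "Intent.ACTION_CALL")]},
]

if __name__ == "__main__":
    for itemset, support in campaign_candidates(SAMPLES, min_support=3):
        print(support, itemset)
```

With a minimum support of 3 the only multi-item result is the package name paired with its shared host, which is exactly the kind of cross-sample grouping the abstract says lets an analyst pinpoint a campaign; the phone number also reaches support 3 on its own, but its pairing with the package does not, so the pruning step keeps it out of the larger itemset. The `Log.d` URL never becomes an item because its consuming API falls below the priority cutoff.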
ZANERO, STEFANO
ING - Scuola di Ingegneria Industriale e dell'Informazione
29-apr-2015
2013/2014
Master's thesis
Attached files

File: 2015_04_Coletta.pdf (authorized users only from 08/04/2016)
Description: Thesis text
Size: 2.18 MB
Format: Adobe PDF

Documents in POLITesi are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/10589/106646