Investigate malware behavior on android platform.
1
INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM
LOH KE LIH
FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY UNIVERSITI TEKNIKAL MALAYSIA MELAKA
2014
(2)
2
JUDUL: INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM
SESI PENGAJIAN: SESI 2013/2014
Saya LOH KE LIH mengaku membenarkan tesis (PSM/Sarjana/Doktor Falsafah) ini disimpan di Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dengan syarat-syarat kegunaan seperti berikut:
1. Tesis dan projek adalah hakmilik Universiti Teknikal Malaysia Melaka.
2. Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dibenarkan membuat salinan untuk tujuan pengajian sahaja.
3. Perpustakaan Fakulti Teknologi Maklumat dan Komunikasi dibenarkan membuat salinan tesis ini sebagai bahan pertukaran antara institusi pengajian tinggi.
4. ** Sila tandakan (/)
_____________ SULIT (Mengandungi maklumat yang berdarjah keselamatan atau kepentingan Malaysia seperti yang termaktub di dalam AKTA RAHSIA RASMI
1972)
_____________ TERHAD (Mengandungi maklumat TERHAD yang telah ditentukan oleh organisasi/badan di mana penyelidikan dijalankan)
_____/_______ TIDAK TERHAD
__________________________
___________________________
(TANDATANGAN PENULIS) (TANDATANGAN PENYELIA)
Alamat tetap : 18, Jalan Khalidi, Nama Penyelia : En. Zulkiflee
84000 Muar, Muslim
Johor, Malaysia
Tarikh : __________________________ Tarikh: _____________________
(3)
3
INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM
LOH KE LIH
This report is submitted in partial fulfillment of the requirement for the Bachelor of Computer Science (Computer Networking)
FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY UNIVERSITI TEKNIKAL MALAYSIA MELAKA
(4)
4
DECLARATION
I hereby declare this project report entitled
INVESTIGATE MALWARE BEHAVIOR ON ANDROID PLATFORM
is written by me and is my own effort and that no part has been plagiarized without citations.
STUDENT :_____________________________ Date:_____________ (LOH KE LIH)
SUPERVISOR:_____________________________ Date:_____________ (EN ZULKIFLEE BIN MUSLIM)
(5)
5
DEDICATION
(6)
6
ACKNOWLEDGEMENTS
I would like to show my gratitude and appreciation to my supervisor, En Zulkiflee bin Muslim for all the ideas and advices in guiding me throughout the project.
I would also like to thank my family members especially my parents because they have given me the greatest support in all sorts of materials throughout my years of studying in this university.
Last but not least, I would like to thanks to all my friends and course mates for their kindness in sharing knowledge and resources.
(7)
7 ABSTRACT
This project identifies the behaviours of Android malware, BaseBridge through dynamic analysis. Scope to be conducted in this project are using only one specific type of android malware and focusing on behaviour of android malware. Tcpdump will be used in this project to sniff the network. This research will be contributed in identifying the behavior of BaseBridge in respective network traffic by using Santoku Linux operating system which contains several tools such as Android SDK emulator, Wireshark and Tcpdump. In the end of this project, behaviour of BaseBridge will be concluded. However, there are several constraints and limitations on this project which is not fully fit for other android malwares’ behaviours. For future works, a script can be generate and conducted into a complete software system, so that the processes of capture data can be done automatically by the system thus enhances the system fit for other android malwares.
(8)
8 ABSTRAK
Projek ini mengenal pasti tingkah laku malware Android, BaseBridge melalui analisis dinamik. Skop yang akan dijalankan dalam projek ini menggunakan hanya satu jenis tertentu Android malware dan memberi tumpuan kepada tingkah laku Android malware. Tcpdump akan digunakan dalam projek ini untuk mengesan rangkaian BaseBridge. Kajian ini akan menyumbang dalam mengenal pasti tingkah laku dalam BaseBridge trafik rangkaian masing-masing dengan menggunakan sistem operasi Linux Santoku yang mengandungi beberapa peralatan seperti Android SDK emulator, Wireshark dan tcpdump. Di akhir projek ini, tingkah laku BaseBridge akan dibuatkan kesimpulan. Walau bagaimanapun, terdapat beberapa kekangan dan batasan projek ini, iaitu tidak cergas sepenuhnya untuk tingkah laku lain malwares Android. Bagi kerja-kerja masa depan, skrip yang boleh dijana dan dijalankan ke dalam sistem perisian yang lengkap, supaya proses menangkap data boleh dilakukan secara automatik oleh sistem itu bagi meningkatkan sistem untuk malwares Android lain.
(9)
9
TABLE OF CONTENTS
DECLARATION i
DEDICATION ii
ACKNOWLEDGEMENTS iii
ABSTRACT iv
ABSTRAK v
TABLE OF CONTENTS vi
LIST OF TABLES x
LIST OF FIGURES xi
LIST OF ABBREVIATIONS xiii
LIST OF ATTACHMENTS xiv
INTRODUCTION 1
1.1 Introduction 1
1.2 Project Background 2
1.3 Problem Statement 3
1.4 Objective 4
1.5 Scope 5
1.6 Project Contribution 5
1.7 Report Organization 6
1.8 Summary 7
LITERATURE REVIEW 8
2.1 Introduction 8
2.2 Android 9
(10)
10
2.2.2 Android Architecture 9
2.3 Malware 11
2.3.1 Malware Definition and Category 11
2.3.1.1 Trojan Definition and Classification 13
2.3.2 Android Malware 14
2.3.2.1 BaseBridge 16
2.3.2.2 BaseBridge Characteristics and Behaviour 16
2.4 Malware Detection Technique 17
2.4.1 Anomaly-based Detection 18
2.4.1.1 Dynamic Anomaly-based Detection 18
2.4.1.2 Static Anomaly-based Detection 19
2.4.1.3 Hyrid Anomaly-based Detection 19
2.4.2 Specification-based Detection 19
2.4.2.1 Dynamic Specification-based Detection 20
2.4.2.2 Static Specification-based Detection 20
2.4.2.3 Hyrid Specification-based Detection 20
2.4.3 Signature-based Detection 20
2.4.3.1 Dynamic Signature-based Detection 21
2.4.3.2 Static Signature-based Detection 21
2.4.3.3 Hyrid Signature-based Detection 21
2.5 Parameter 22
2.5.1 Network Traffic 22
2.6 Santoku Linux 23
2.7 Summary 24
METHODOLOGY 25
3.1 Introduction 25
3.2 Project Methodology 25
3.3 Phase I: Requirement Analysis 26
3.4 Phase II: Design 26
3.5 Phase III: Implementation 27
3.6 Phase IV: Testing 28
(11)
11
3.8 Project Schedule and Milestones 28
3.9 Summary 31
ANALYSIS & DESIGN 32
4.1 Introduction 32
4.2 Problem Analysis 33
4.3 Requirements Analysis 33
4.3.1 Data Requirements 33
4.3.2 Software Requirements 33
4.3.3 Hardware Requirements 34
4.4 BaseBridge Analysis Approach 35
4.4.1 Network Design 35
4.4.2 Environment Setup 37
4.4.3 Install Malware and Capture Network Traffic 38
4.4.4 Analyse Collected Data 38
4.4 Summary 39
IMPLEMENTATION & TESTING 40
5.1 Introduction 40
5.2 Software Development Environment Setup 41
5.3 Activate Malware, Collect Network Traffic 41
5.3.1 Process Collect Network Traffic Data 41
5.3.2 Network Traffic Collected Data 43
5.4 Test Plan 45
5.4.1 Test Organization 45
5.4.2 Test Environment 45
5.4.3 Test Schedule 46
5.4.4 Test Strategy 47
5.4.4.1 Unit Testing 47
5.4.4.2 Integrate Testing 47
5.4.5 Test Design 47
5.4.5.1 Sample APK Set 47
5.5 Test Result & Analysis 48
(12)
12
5.5.2 Network Traffic Graph 49
5.5.2.1 Ideal Graph 50
5.5.2.2 Graph of Number of Packets 51
5.5.2.3 Graph Protocol 52
5.5.2.4 Graph Destination IP Address 53
5.6 Result Analysis 54
5.7 Summary 55
CONCLUSION 56
6.1 Introduction 56
6.2 Project Summarization 56
6.3 Project Contribution 57
6.4 Project Limitation 57
6.5 Future Project 57
6.6 Summary 58
REFERENCES 59
(13)
13
LIST OF TABLES
TABLE TITLE PAGE
Table 1.1 Summary of Problem Statement 3
Table 1.2 Summary of Research Question 3
Table 1.3 Summaries of Research Objectives 4
Table 1.4 Summary of Project Contributions 5
Table 2.1 Definitions for Malware Category 12
Table 2.2 Definitions for Trojan Classification 13
Table 2.3 Percentage of Mobile Malware Detected in Different Platform 15
Table 3.1: Milestones 28
Table 4.1: The details of hardware requirement 34
Table 5.1 Software Requirements 45
Table 5.2 Hardware Requirements 46
Table 5.3 Testing Schedule 46
Table 5.4 Sample APK File Summarization 48
Table 5.5 Network Traffic Attribute SA1 49
(14)
14
LIST OF FIGURES
FIGURE TITLE PAGE
Figure 2.1 Literature Review Phase 8
Figure 2.2 Android Architecture Structural Diagram 10
Figure 2.3 Malware Categories 11
Figure 2.4 Trojan Classifications 13
Figure 2.5 Type of threats on Android devices 15
Figure 2.6 The Most Frequently Detected Malicious Programs Targeting Android 16 Figure 2.7 The Websites that will access by Android/BaseBridge 17
Figure 2.8 Android Malware Detection Techniques 18
Figure 2.9 IP Header Versions 4 22
Figure 2.10 Santoku Linux Tools 23
Figure 3.1 Project Methodology 26
Figure 4.1 Analysis Approach 35
Figure 4.2 Physical Designs 36
Figure 4.3 Logical Designs 37
Figure 5.1 Steps on Environment Setup 41
Figure 5.2 Process of Collecting Network Traffic 42
Figure 5.3 Collected Network Traffic 43
Figure 5.4 Content of Network Traffic 44
Figure 5.5 Website that visited by BaseBridge 44
Figure 5.6 Ideal Network Traffic Pattern 50
Figure 5.7 Frequency of Packets Number 50
Figure 5.8 Graph of Number of Packets Sample APK 1 51
Figure 5.9 Frequency of Number Packets Sample APK 1 51
(15)
15
Figure 5.11 Frequency of Protocol 53
(16)
16
LIST OF ABBREVIATIONS
ALPHABET WORDS EXPLANATION
A APK Android Application Package File
ARP Address Resolution Protocol
H HTTP Hypertext Transfer Protocol
T TCP Transmission Control Protocol
U UDP User Datagram Protocol
(17)
17
LIST OF ATTACHMENTS
ATTACHMENT TITLE PAGE
A Gantt Chart 64
B Network Traffic Attributes
B.1 Network Traffic Attributes SA2 65 B.2 Network Traffic Attributes SA3 66
C Network Traffic Graph
C.1 Graph of Number of Packet Sample 67 APK 2
C.2 Frequency of Number Packets Sample 67 APK 2
C.3 Graph of Number of Packet Sample 68 APK 3
C.4 Frequency of Number Packets Sample 68 APK 3
C.5 Graph Protocol for SA 2 69
C.6 Graph Frequency of Protocol SA 2 69
C.5 Graph Protocol for SA 3 70
C.6 Graph Frequency of Protocol SA 3 70 C.9 Number of Packet to Destination Port 71 for SA2
C.10 Number of Packet to Destination Port 71 for SA3
(18)
18 CHAPTER I
INTRODUCTION
1.1 Introduction
Nowadays, the mobile platforms and applications are increasing in popularity. However, the popular platform such as Android has greatly stimulated the spread of mobile malware. In order to identify the problem that cause mobile malware spread rapidly, we will discuss about the background of the project which is Android and malware. The research problem will be formulated into three research questions. Based on the research questions, the current problem that faced by the Android user will be clearly shown. After that, the research objective can be generated and all works done in this project will be based on the research objective.
Firstly, for the purpose to do this project, project background will be discussed. The background of Android platform and malware will be described. Secondly, the research problem will be summarised. After that the research question and objective will be conducted. Project scope and contribution will also be discussed. Lastly, the report organization will be described to make sure the project is carry out in correct flow.
(19)
19
1.2 Project Background
In recent year, the using of smart phone is increasing. There are several of operating system used in smart phone such as Android, IOS, Window, Blackberry and Symbian. Android is the most popular platform used in smart phone which is 79.0% compare to Apple IOS (14.2%), Windows Phone (3.3%), Blackberry (2.7%) and other (0.9%) (mobiThinking, 2014). Android is the largest installed platform and growing fast which placed first among others smart phone operating systems (Micheal Oleaga, 2014, Guru, 2014).
As more and more smart phones come out, the amount of people accessing the Internet greatly increases. So, there is a rapid increase in the amount of malware targeting Android smart phones since it is the most popular operating system used in smart phone. 99% of mobile malware targeted Android devices last year (Brad Reed, 2014).
Malware, short for malicious software, is software used to damage or control the computer operation, gather with sensitive information, or gain access to private computer systems. It can be emerged as a collection of code, script, active content and embedded in other application (McMahon, 2013). Therefore, a script can be generating in order to detect the android malware that found in the smart phones.
Examples of android malware such as DroidKungFu, BeanBot, BaseBridge are the major threats to the security of the android mobile. However, there are some malware will re-implementing some of their malicious functionalities in native code. The changes are possibly to make their detection and analysis harder. (Yajin Zhou, 2012). So, the parameter will be analyzing to know the attack pattern of the malware.
The malware are grows rapidly, some effectively defend should take against the malware. In order to create a method to defend against the malware, we need to study, analysis and investigate about the malware. We need to how the malware behaves when executed, how it got here, what is the purpose and how it runs (Kris Kendall, 2007).
(20)
20
Therefore, dynamic analysis will be using in this project to analyse the android malware. It will focuses on the behaviour of attack, determine how and what it gets installed, how it run, what files have been added or modified, who they are communicate to, etc (Dennis Distler, 2007). So, the parameter such as system call and network traffic will be investigate in this project.
1.3 Problem Statement
Nowadays, malicious code is reportedly infecting Android devices at a rapid speed. Therefore, Android phone users are advised to take extra precautions on this situation. However, the malware characteristics cause difficulty for users to identify and detect their behaviours. The Research Problem (PR) is summarized into Table 1.1.
Table 1.1 Summary of Problem Statement
No Research Problem
RP1 Difficult to detect the appearance of android malware inside the smart phone because most of the anti-virus software is low accuracy.
Thus, Research Questions (RQ) which depicted in Table 1.2 is constructed to identify the research problem as discussed in previous section.
Table 1.2 Summary of Research Question
No Research Question
RQ1 What is the behaviour of different android malware? RQ2 What is the parameter used to detect the android malware's
behaviour?
RQ3 How to detect the android malware using parameter?
RQ1: What is the behaviour of different android malware?
This research question is used to study the behaviour of malware by identify which techniques is suitable to use for collecting data for different type of malware.
(21)
21
RQ2: What is the parameter used to detect the android malware's behaviour? This research question is formulated by considering the android malware’s behaviour issue because there are many different type of malware and that may infect to different parameter. Thus, it is important to identifying which parameter is suitable to use for study the malware’s behaviour.
RQ3: How to detect the android malware using parameter?
This research question is formulated by considering the way to extract the behavior of the android malware using parameter and generate the attack pattern dynamically.
1.4 Objective
Based on the research questions formulated in previous section, appropriate research objectives (RO) are developed as follows:
Table 1.3 Summaries of Research Objectives
RP RQ RO Research Objective
RP1 RQ1 RO1 To classify the android malware's behaviour.
RQ2 RO2 To identify the parameter used to detect the android malware's behaviour.
RQ3 RO3 To detect the android malware using parameter.
RO1: To classify the android malware's behaviour.
Firstly, we need to classify the type of android malware and the behaviour of android malware in order to find out the feature of malware. Different type of malware may have different type of behaviour.
RO2: To identify the parameter used to detect the android malware's behaviour. We need to investigate the suitable parameter used to identify the behaviour of android malware in order to generate the attack pattern of malware and do the detection
(22)
22
RO3: To detect the android malware using parameter.
After identify the parameter, we need to develop a script to detect the android malware automatically using its parameter.
1.5 Scope
Scope of project is going to be conducted as follows:
1. Using only one specific type of android malware.
2. Focusing on behaviour of android malware in order to generate the attack patterns of android malware by using network traffic.
3. Tcpdump and Wireshark will be used in this project to sniff the network.
1.6 Project Contribution
The contribution of this project are summarized in Table 1.4
Table 1.4 Summary of project contributions
RP RQ RO RC Research Contribution
RP1 RQ1 RO1 RC1 The classification of android malware's behaviour. RQ2 RO2 RC2 The parameter of android malware's behaviour. RQ3 RO3 RC3 Detecting the malware’s attack pattern using parameter.
Table 1.4 shows the project contributions based on the research problem, research questions and research objective.
(23)
23
1.7 Report Organization
Chapter 1: Introduction
This chapter will discuss about the introduction, project background, problem statement, research question, research objective, project scope, project contribution and report organization.
Chapter 2: Literature Review
This chapter will study about the related works such as android, malware, malware attack pattern, malware analysis technique, parameter and operating system used. The related works will be contribute to the next chapter.
Chapter 3: Methodology
This chapter will explain the method used to analyse android malware and project methodology. Project schedule and milestones will discuss in this chapter to finish the project in time.
Chapter 4: Analysis and Design
This chapter will introduce the problem analysis, requirements of software and hardware. The experimental design such as logical design and physical design will also conduct in this chapter. Environment will setup based on the requirements.
Chapter 5: Implementation and Testing
This chapter will describe the method to implement and test the collected data in order to carry out the graph to support the evidence. The test result and analysis will conclude in this chapter.
Chapter 6: Conclusion
This chapter will summarize all chapters as a conclusion. Project summarization, limitation and future work will discuss.
(24)
24
1.8 Summary
As a conclusion, this project will identify the behaviour of Android malware using dynamic analysis. The problem statement, research questions, research objectives and scope are discussed in this chapter to identify and solve the problem. Besides that, report organization also carried out in this chapter to make sure the project runs in sequence. In the next chapter, more research and related works about Android malware and malware detection technique will be discussing.
(1)
19
1.2 Project Background
In recent year, the using of smart phone is increasing. There are several of operating system used in smart phone such as Android, IOS, Window, Blackberry and Symbian. Android is the most popular platform used in smart phone which is 79.0% compare to Apple IOS (14.2%), Windows Phone (3.3%), Blackberry (2.7%) and other (0.9%) (mobiThinking, 2014). Android is the largest installed platform and growing fast which placed first among others smart phone operating systems (Micheal Oleaga, 2014, Guru, 2014).
As more and more smart phones come out, the amount of people accessing the Internet greatly increases. So, there is a rapid increase in the amount of malware targeting Android smart phones since it is the most popular operating system used in smart phone. 99% of mobile malware targeted Android devices last year (Brad Reed, 2014).
Malware, short for malicious software, is software used to damage or control the computer operation, gather with sensitive information, or gain access to private computer systems. It can be emerged as a collection of code, script, active content and embedded in other application (McMahon, 2013). Therefore, a script can be generating in order to detect the android malware that found in the smart phones.
Examples of android malware such as DroidKungFu, BeanBot, BaseBridge are the major threats to the security of the android mobile. However, there are some malware will re-implementing some of their malicious functionalities in native code. The changes are possibly to make their detection and analysis harder. (Yajin Zhou, 2012). So, the parameter will be analyzing to know the attack pattern of the malware.
The malware are grows rapidly, some effectively defend should take against the malware. In order to create a method to defend against the malware, we need to study, analysis and investigate about the malware. We need to how the malware behaves when executed, how it got here, what is the purpose and how it runs (Kris Kendall, 2007).
(2)
20
Therefore, dynamic analysis will be using in this project to analyse the android malware. It will focuses on the behaviour of attack, determine how and what it gets installed, how it run, what files have been added or modified, who they are communicate to, etc (Dennis Distler, 2007). So, the parameter such as system call and network traffic will be investigate in this project.
1.3 Problem Statement
Nowadays, malicious code is reportedly infecting Android devices at a rapid speed. Therefore, Android phone users are advised to take extra precautions on this situation. However, the malware characteristics cause difficulty for users to identify and detect their behaviours. The Research Problem (PR) is summarized into Table 1.1.
Table 1.1 Summary of Problem Statement
No Research Problem
RP1 Difficult to detect the appearance of android malware inside the smart phone because most of the anti-virus software is low accuracy.
Thus, Research Questions (RQ) which depicted in Table 1.2 is constructed to identify the research problem as discussed in previous section.
Table 1.2 Summary of Research Question
No Research Question
RQ1 What is the behaviour of different android malware? RQ2 What is the parameter used to detect the android malware's
behaviour?
RQ3 How to detect the android malware using parameter?
RQ1: What is the behaviour of different android malware?
This research question is used to study the behaviour of malware by identify which techniques is suitable to use for collecting data for different type of malware.
(3)
21
RQ2: What is the parameter used to detect the android malware's behaviour?
This research question is formulated by considering the android malware’s behaviour issue because there are many different type of malware and that may infect to different parameter. Thus, it is important to identifying which parameter is suitable to use for study the malware’s behaviour.
RQ3: How to detect the android malware using parameter?
This research question is formulated by considering the way to extract the behavior of the android malware using parameter and generate the attack pattern dynamically.
1.4 Objective
Based on the research questions formulated in previous section, appropriate research objectives (RO) are developed as follows:
Table 1.3 Summaries of Research Objectives
RP RQ RO Research Objective
RP1 RQ1 RO1 To classify the android malware's behaviour.
RQ2 RO2 To identify the parameter used to detect the android malware's behaviour.
RQ3 RO3 To detect the android malware using parameter.
RO1: To classify the android malware's behaviour.
Firstly, we need to classify the type of android malware and the behaviour of android malware in order to find out the feature of malware. Different type of malware may have different type of behaviour.
RO2: To identify the parameter used to detect the android malware's behaviour.
We need to investigate the suitable parameter used to identify the behaviour of android malware in order to generate the attack pattern of malware and do the detection
(4)
22
RO3: To detect the android malware using parameter.
After identify the parameter, we need to develop a script to detect the android malware automatically using its parameter.
1.5 Scope
Scope of project is going to be conducted as follows:
1. Using only one specific type of android malware.
2. Focusing on behaviour of android malware in order to generate the attack patterns of android malware by using network traffic.
3. Tcpdump and Wireshark will be used in this project to sniff the network.
1.6 Project Contribution
The contribution of this project are summarized in Table 1.4
Table 1.4 Summary of project contributions
RP RQ RO RC Research Contribution
RP1 RQ1 RO1 RC1 The classification of android malware's behaviour. RQ2 RO2 RC2 The parameter of android malware's behaviour. RQ3 RO3 RC3 Detecting the malware’s attack pattern using parameter.
Table 1.4 shows the project contributions based on the research problem, research questions and research objective.
(5)
23
1.7 Report Organization
Chapter 1: Introduction
This chapter will discuss about the introduction, project background, problem statement, research question, research objective, project scope, project contribution and report organization.
Chapter 2: Literature Review
This chapter will study about the related works such as android, malware, malware attack pattern, malware analysis technique, parameter and operating system used. The related works will be contribute to the next chapter.
Chapter 3: Methodology
This chapter will explain the method used to analyse android malware and project methodology. Project schedule and milestones will discuss in this chapter to finish the project in time.
Chapter 4: Analysis and Design
This chapter will introduce the problem analysis, requirements of software and hardware. The experimental design such as logical design and physical design will also conduct in this chapter. Environment will setup based on the requirements.
Chapter 5: Implementation and Testing
This chapter will describe the method to implement and test the collected data in order to carry out the graph to support the evidence. The test result and analysis will conclude in this chapter.
Chapter 6: Conclusion
This chapter will summarize all chapters as a conclusion. Project summarization, limitation and future work will discuss.
(6)
24
1.8 Summary
As a conclusion, this project will identify the behaviour of Android malware using dynamic analysis. The problem statement, research questions, research objectives and scope are discussed in this chapter to identify and solve the problem. Besides that, report organization also carried out in this chapter to make sure the project runs in sequence. In the next chapter, more research and related works about Android malware and malware detection technique will be discussing.