M1. Understanding and Contrasting Android Malware at Runtime

[This is a full day session.]

Android-based devices are the most sold in the world dominating the market share with a solid 78.4%. A key-aspect in Android's success is the support for third-party applications (or simply apps) creating a very dynamic software landscape accessible through the Google Play marketplace as well as third-party markets.

The rate of Android success is only matched by the increase in malicious activity targeting Android. Between 2011 and 2012 the malware samples targeting Android has gone up of 1000%. At the end of 2012, Android has crashed another record becoming the top target for malicious code overtaking Microsoft's Windows operating system.

Android is not only dominating the mobile device market (smartphones and tablets), but is also becoming predominant in mission critical support and infotainment car systems. The implication of its security issues can be very important in these areas as well. For instance, through Android malware could find its way to interact with the Can Bus system of a car.

This course will be organised in two main components. In the first component, we will study the security model in Android and how malware is able to bypass some of its security features. To better understand the security exploits, this first part of the course will be dedicated to the Android security framework and how apps interact with it. We will cover also recent research effort for enhancing Android security.

The second part of the course is more practical. Firstly, we will focus on the analysis of malware samples. To demonstrate the malware capabilities, we will use a real Android device where the malware samples will be installed and executed. Afterwards, students will be organised in teams (2 to up to 4 students depending on the final number of attendees) and will have access to a policy-based tool developed at the University of Auckland for protecting Android devices. This tool, called FireDroid and presented at ACSAC 29 in 2013, allows the definition of security policies from a web-based console and can be deployed over the air to an Android device. We will provide each team with an Android device where malware samples will be installed. Each team will define security policies and deploy them on the infected devices to stop malware attacks. Finally, we will review the policies each team come up with and discuss the strategies for creating such policies.

Learning Objectives:

• Deep understanding of the Android security model

• Understanding of the malware capabilities and how to contrast them

• Know-how to develop robust and secure apps and policies for cyber-physical systems

• An overview of the most recent security approached in Android

Prerequisites:

• An understanding of Operating Systems (Linux in particular) and Access control models (MAC and DAC).

Outline:

1. Introduction (1 hour) An initial overview of the course content followed by an overview of the basic principle of system security to bring all the students at the same level of knowledge on access control and policy-based systems.

2. Overview of the Android Security Framework And Inter Component Communication (ICC) (1 hour) We will dive in the details of the security framework of Android and some of its not-so-well documented exceptions/refinements. To better understand some of the malware action is also important to cover the ICC mechanism offered by Android to apps for exchanging information and communicate with the system services (e.g., SMS sending service).

3. State of the Art (1 hour) We will discuss the state of the art in research, covering the most recent research efforts in security for the Android OS. We will also discuss the reason why current commercial solutions, such as Anti-Virus Software are not capable of contrasting this huge wave of attacks.

4. Malware Classification (1 hour) There are several malware families for Android. We will discuss each of these families providing details of their malicious actions, and what damage/loss they cause.

5. Malware Runtime Demonstration (0.5 hour) In this part of the course, we will use a real device where several malware samples will be deployed and executed. The most important aspects of the attack for each malware will be highlighted to the students.

6. Hands-on: Blocking Malware (1 hour) In this component of the course, students will form teams and will have access to the policy specification tool and a device with malware samples. After a brief explanation of how the tool works each team will have to analyse the malware and define policies to block its attack. Material will be provided to the students to familiarise themselves with the tool prior to the course.

7. Policy Review and Concluding Thoughts (0.5 hour) Each team will provide a short presentation describing their policies and the strategy used to define them. We will wrap up the course thanking the students.

About the Instructor:

Dr. Giovanni Russello is a senior lecturer at the University of Auckland. He has worked in access control and cloud security for the past 9 years. In the past three years, he has focused on research enhancing the security of the Android OS. Giovanni is also founding CEO at Active Mobile Security, a start-up focusing on smartphone security. Giovanni has given a similar course at ACSAC 2013. This course is based on a post-graduate course (20 hours of lectures), taught at his department during Semester 1 in 2013 (March to May). Students who attended this course were very enthusiastic and found it very useful.