
12/16/2011

[Information] Automatic detection and analysis system for malicious Android applications

1. Information

INCA Internet Security Response Center's Emergency Response Team has been gathering malicious Android files for immediate response since July 2011. To collect and analyze them automatically, we developed an automation system that uses a malicious similarity policy.
With this automation system, we have accumulated about 2,000 malicious Android files.
The number of malicious Android apps is greater than we expected.
 


We already know that the number of malicious Android files has been increasing rapidly since the beginning of the second half of the year; however, no malicious file aimed specifically at Korean users has been reported.
As a result, Korean users are not familiar with these security threats.

[Information] Malicious Android app for multiple countries
http://en-erteam.nprotect.com/2011/12/information-malicious-android-app-for.html

[Information] Android malicious application in Europe
http://en-erteam.nprotect.com/2011/12/information-android-malicious.html

[Information] Status for Android-based mobile malicious file
http://en-erteam.nprotect.com/2011/11/information-status-for-android-based.html

INCA Internet Security Response Center's Emergency Response Team has been preparing a response system for Android security threats.

2. Status of Android file collection

On December 6, 2011, Google announced that cumulative downloads from Android Market had passed 10 billion. APK files are also spreading through 3rd party markets.


According to Google's announcement, Korea ranked #1, which means that South Korea is the country where smartphone use is most prevalent.
It is peculiar that China is not ranked in this table; however, this may mean that a great number of users in China use 3rd party markets.

The following figure shows the top 10 most app-crazed countries.


INCA Internet Security Response Center's Emergency Response Team has collected various malicious files using information from 3rd party markets.


Chinese 3rd party market

Our automatic APK crawling system has collected about 57,000 files (153Gb), and new apps are downloaded every day.

In 2012, the range of 3rd party markets covered and the processing capacity will be expanded.

The following figure shows the download status of our automatic APK collection system.
We use this program to download APK files.

Among the files we collected, there are about 2,000 malicious APK files, including Geinimi, ADRD, BaseBrid, GoldDream, DroidKungFu, SendSMS, FakeInstall, GingerMaster, Rooter and so on. Various variants of these have also been identified.

The following folder size shows our collected APKs, which will be included in our nProtect Mobile for ANDROID.


With this program, we have shortened the time needed to analyze APK files by more than 80% by classifying variants automatically.
The following figure shows a target file automatically decompiled and analyzed by our automated analysis system.
First, it extracts the Manifest log and the decompiled code for code analysis. Then it compares the extracted code to INCA Internet's malicious patterns. If they match, the file is moved to the malicious sample folder. (More than 98% of those files turned out to be malicious.)
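A minimal sketch of the extract, compare and sort flow described above, added here as an illustration and not INCA Internet's code. The page does not describe its similarity policy or patterns, so Jaccard similarity over manifest and API features, the profile names, the threshold and the sample are constructed assumptions, and the manifest is assumed to be already decoded to text XML.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed API list and family profiles (assumptions, not real signatures).
API_RE = re.compile(r"\b(sendTextMessage|getDeviceId|DexClassLoader|Runtime\.getRuntime)\b")
PROFILES = {
    "ExampleSmsFamily": {"perm:SEND_SMS", "perm:RECEIVE_SMS", "perm:READ_PHONE_STATE", "perm:INTERNET",
                         "action:BOOT_COMPLETED", "api:sendTextMessage", "api:getDeviceId"},
    "ExampleRootFamily": {"perm:INTERNET", "perm:WRITE_EXTERNAL_STORAGE",
                          "api:DexClassLoader", "api:Runtime.getRuntime"},
}

def short(elem):  # last dotted component of the element's android:name
    return elem.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]

def extract_features(manifest_xml, sources):
    """Features: requested permissions, receiver intent actions, flagged API names."""
    root = ET.fromstring(manifest_xml)
    feats = {"perm:" + short(e) for e in root.iter("uses-permission")}
    feats |= {"action:" + short(a) for r in root.iter("receiver") for a in r.iter("action")}
    for text in sources:
        feats |= {"api:" + name for name in API_RE.findall(text)}
    return feats

def classify(feats, profiles=PROFILES, threshold=0.6):
    """Closest profile by Jaccard similarity; family is None below the threshold."""
    best, score = None, 0.0
    for family, profile in profiles.items():
        s = len(feats & profile) / len(feats | profile) if feats | profile else 0.0
        if s > score:
            best, score = family, s
    return (best if score >= threshold else None), round(score, 3)

def triage(manifest_xml, sources):
    """Destination folder for a sample: matched family folder or the review queue."""
    family, score = classify(extract_features(manifest_xml, sources))
    return ("malicious/" + family if family else "unclassified"), score

# Constructed sample: decoded manifest text plus two lines of decompiled code.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><receiver android:name=".Boot"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
  </intent-filter></receiver></application></manifest>"""
SAMPLE_SOURCES = ["SmsManager.getDefault().sendTextMessage(n, null, body, null, null);",
                  "String id = telephonyManager.getDeviceId();"]
```

Samples that fall below the threshold go to a review queue rather than being treated as clean, since a low score only means no known profile is close.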


3. Finishing

The rapid increase in malicious Android files is remarkable. Attackers are aiming at a variety of targets; therefore, users need to be careful when using their smartphones.

The following figure shows the detection status of nProtect Mobile for ANDROID.



To use smartphones safely in the face of the security threats posed by these malicious applications, we recommend that general users follow the "Smartphone security management tips" below.


Smartphone security management tips

1. Use anti-virus SW from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus SW to check downloaded applications before using them.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text or e-mail messages from unknown senders.
6. Always set a strong password on your smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are being used.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions for mobile malicious files such as those stated above with “nProtect Mobile for Android”, and runs a response system against various security threats.
