The Android Malware Handbook: Detection and Analysis by Human and Machine

Cover Page
Title Page
Copyright Page
About the Authors
About the Technical Reviewer
BRIEF CONTENTS
CONTENTS IN DETAIL
FOREWORD
ACKNOWLEDGMENTS
INTRODUCTION
   Who Should Read This Book
   What You’ll Find in This Book
PART I A PRIMER ON ANDROID MALWARE
1 THE BASICS OF ANDROID SECURITY
   The Android Security Model
      Application Isolation
      Attack Surface Reduction
      Exploit Mitigation
      Device Integrity
      Permissions
      Security Updates
      Add-on Security and Safety Services
      Collaboration Across Google
      Sideloaded and Preloaded Malware Protection
   The Android Package
   Categories of Android Malware
      Denial of Service
      Backdoors
      Rooting
      Trojans
      Spyware
      Stalkerware
      Phishing
      Hostile Downloaders
      Privilege Escalation
      Ransomware
      SMS Fraud
      Toll Fraud
      Call Fraud
      Spam
      Ad Fraud
      Non-Android Threats
   Up Next
2 ANDROID MALWARE IN THE WILD
   The Early Years: 2008 to 2012
      DroidSMS
      DroidDream
      The Wallpaper Family
      The Camera Family
      Cricketland
      Dougaleaker
      BeeKeeper
      Dogowar
      Other Early Android Malware
   The Professionalization of Malware: 2013 and 2014
      Ghost Push
      BadNews, RuFraud, and RuPlay
      WallySMS
      Mono WAP
      Cryptocurrency Malware
      Taicliphot
      The First Preinstalled Malware
   The Rise of Large Malware Networks: 2015 and 2016
      Turkish Clicker
      Gaiaphish
      Judy
      DressCode
      Joker
      Triada
      Chamois
      Gooligan and Snowfox
      Hummingbad
      YouTube Downloader
   The Consolidation of Abuse: 2017 and Onward
      OneAudience
      Android.Click.312.origin
      Cheetah Mobile
      Anti-Fraud SDKs
      Loapi/Podec
      HDC Bookmark
      EagerFonts
      GMobi
      Adups
      Redstone
      Digitime
   Up Next
PART II MANUAL ANALYSIS
3 STATIC ANALYSIS
   What Is Static Code Analysis?
      Guided vs. Unguided Analysis
      Knowing When You’re Done
   Loading the Malware Sample into jadx
   Malicious Code in the Permissions
      Viewing the Permissions
      Finding the APIs Gated by Permissions
      Analyzing the READ_CONTACTS Permission
      Analyzing the BIND_NOTIFICATION_LISTENER_SERVICE Permission
   Malicious Code in App Entry Points
      Exported Activities
      Broadcast Receivers
      Services
      Application Subclasses
   Hiding Malicious Code
      Anti-Analysis Techniques
      Reflection
      Non-Java Code
      Encryption and Encoding
   The Malware’s First Stage
      Understanding the Malicious Class
      Reverse Engineering the String Decryption Method
      Decrypting All Strings in the Class
   The Malware’s Second Stage
      Entry Points
      The yin.Chao.yin Method
      The com.* Package
   The Malware’s Third Stage
      jadx Decompilation Issues
      Entry Points
      Name Mangling
   Command-and-Control Server Communication
      Examining the Encryption Algorithm
      Probing the Server from the Command Line
      Registering with the Server
      Processing the Registration Response
      Downloading Commands
      Processing the Command-and-Control Server’s Response
      Secretly Signing Up for the Premium Service
      Setting Up the JavaScript Bridge
      Interacting with the Java Bridge Object
      Completing the Sign-up Process
   The Mysterious Fourth Stage
   Up Next
4 DYNAMIC ANALYSIS
   What Is Dynamic Code Analysis?
   Dynamic vs. Static Analysis
   The Android Studio Emulator
      Creating a System Image
      Starting the Emulator
      Resetting the Emulator
      Interacting with the Emulator
   Dynamic Analysis Tools
      tcpdump
      Wireshark
      Frida
   The Malware Sample
   Detecting Malicious Functionality
      Observing Filesystem Changes
      Downloading Files for Inspection
      Capturing Network Traffic
      Analyzing Network Traffic
      Analyzing Logs with Logcat
   Analysis with Frida
      Running frida-server
      Using frida-trace to Find Interesting APIs
      Finding Entry Points into the Malware with Frida Scripting
      Executing the Frida Script
   Decrypting the Command-and-Control Communications
      With CyberChef
      With Frida
   Command-and-Control Server Messages
      The /ping URL
      The /metrics URL
      The Rotating Encryption Keys
   Other Malware Functionality
      com.sniff with frida-trace
      Accessibility Abuse
   Adding Static Analysis
      Other Command-and-Control Servers
      Other Server Commands
      More Accessibility Abuse
      Automatically Granting Permissions
      Injecting Phishing Windows
      Stealing Credentials
   Up Next
PART III MACHINE LEARNING DETECTION
5 MACHINE LEARNING FUNDAMENTALS
   How Machine Learning for Malware Analysis Works
      Identifying App Features
      Creating Training Sets
      Using Classification Algorithms
   Classification Algorithms
      Decision Trees
      Bagging and Random Forest
      Support Vector Machines
      k-Nearest Neighbors
      Naive Bayes
   Evaluating Machine Learning Models
   Struggles of Machine Learning Classifiers
      Identical Feature Vectors
      Balance vs. Imbalance
      Interpretability
      Cross-Validation vs. Rolling Window Prediction
   Up Next
6 MACHINE LEARNING FEATURES
   Static Features
   Dynamic Features
   Method Call Features (A Weak Tactic)
   Triadic Suspicion Graph Features
      Suspicion Scores
      The Suspicion Rank
      TSG Features
   Landmark-Based Features
      Selecting Landmarks
      Computing Landmark-Based Features
   Feature Clustering
      Generating Feature Clusters
      Choosing Clustering and Feature Aggregation Algorithms
   Correlation Graph–Based Feature Transformation
   Further Reading
   Up Next
7 ROOTING MALWARE
   Rooting Malware Families
   Testing Classifier Performance
   Rooting Malware vs. Goodware
      Permission-Related Features
      Network-Based Features
   Rooting Malware vs. Other Malware
      Permission-Related Features
      Other Features
   DroidDream: A Case Study
   Up Next
8 SPYWARE
   Spyware Families
   Spyware vs. Goodware
      Permission-Related Features
      Prediction Efficacy
   Spyware vs. Other Malware
      Permission-Related Features
      Prediction Efficacy
   Qibla Compass Ramadan: A Case Study
   Predictions for Spyware Apps
   Up Next
9 BANKING TROJANS
   Banking Trojan Families
   Banking Trojans vs. Goodware
      SMS Permission Features
      Other Permission Features
      Prediction Efficacy
   Banking Trojans vs. Other Malware
      Permission-Related Features
      Prediction Efficacy
   Marcher: A Case Study
   Up Next
10 RANSOMWARE
   How Ransomware Attacks Work
   Android Ransomware Families
   Ransomware vs. Goodware
      Permission-Related Features
      Other Features
      Prediction Efficacy
   Ransomware vs. Other Malware
      Permission-Related Features
      Prediction Efficacy
   Simplocker: A Case Study
   Predictions for Important Ransomware Samples
   Up Next
11 SMS FRAUD
   SMS Fraud vs. Goodware
      Non-SMS Permissions
      The Absence of SMS Permissions
      Prediction Efficacy
   SMS Fraud vs. Other Malware
      Permission-Related Features
      Prediction Efficacy
   BeeKeeper: A Case Study
   Predictions for SMS Fraud Samples
   Up Next
12 THE FUTURE OF ANDROID MALWARE
   Windows vs. Android
      Windows
      Android
   Hiding Malicious Behavior with Anti-Analysis Techniques
   Native ARM Code
   Downloaded Modules
   Less Popular Languages
   SDK-less Techniques
   Distribution
      Preloaded Malware and Supply Chain Compromises
      Smarter Sideloading
   Malware Economics
   Machine Learning Trends for Attackers and Defenders
   Next Steps
INDEX