The Android Malware Handbook: Detection and Analysis by Human and Machine

Title Page
Copyright Page
About the Authors
About the Technical Reviewer
BRIEF CONTENTS
CONTENTS IN DETAIL
FOREWORD
ACKNOWLEDGMENTS
INTRODUCTION
	Who Should Read This Book
	What You’ll Find in This Book
PART I A PRIMER ON ANDROID MALWARE
1 THE BASICS OF ANDROID SECURITY
	The Android Security Model
		Application Isolation
		Attack Surface Reduction
		Exploit Mitigation
		Device Integrity
		Permissions
		Security Updates
		Add-on Security and Safety Services
		Collaboration Across Google
		Sideloaded and Preloaded Malware Protection
	The Android Package
	Categories of Android Malware
		Denial of Service
		Backdoors
		Rooting
		Trojans
		Spyware
		Stalkerware
		Phishing
		Hostile Downloaders
		Privilege Escalation
		Ransomware
		SMS Fraud
		Toll Fraud
		Call Fraud
		Spam
		Ad Fraud
		Non-Android Threats
	Up Next
2 ANDROID MALWARE IN THE WILD
	The Early Years: 2008 to 2012
		DroidSMS
		DroidDream
		The Wallpaper Family
		The Camera Family
		Cricketland
		Dougaleaker
		BeeKeeper
		Dogowar
		Other Early Android Malware
	The Professionalization of Malware: 2013 and 2014
		Ghost Push
		BadNews, RuFraud, and RuPlay
		WallySMS
		Mono WAP
		Cryptocurrency Malware
		Taicliphot
		The First Preinstalled Malware
	The Rise of Large Malware Networks: 2015 and 2016
		Turkish Clicker
		Gaiaphish
		Judy
		DressCode
		Joker
		Triada
		Chamois
		Gooligan and Snowfox
		Hummingbad
		YouTube Downloader
	The Consolidation of Abuse: 2017 and Onward
		OneAudience
		Android.Click.312.origin
		Cheetah Mobile
		Anti-Fraud SDKs
		Loapi/Podec
		HDC Bookmark
		EagerFonts
		GMobi
		Adups
		Redstone
		Digitime
	Up Next
PART II MANUAL ANALYSIS
3 STATIC ANALYSIS
	What Is Static Code Analysis?
		Guided vs. Unguided Analysis
		Knowing When You’re Done
	Loading the Malware Sample into jadx
	Malicious Code in the Permissions
		Viewing the Permissions
		Finding the APIs Gated by Permissions
		Analyzing the READ_CONTACTS Permission
		Analyzing the BIND_NOTIFICATION_LISTENER_SERVICE Permission
	Malicious Code in App Entry Points
		Exported Activities
		Broadcast Receivers
		Services
		Application Subclasses
	Hiding Malicious Code
		Anti-Analysis Techniques
		Reflection
		Non-Java Code
		Encryption and Encoding
	The Malware’s First Stage
		Understanding the Malicious Class
		Reverse Engineering the String Decryption Method
		Decrypting All Strings in the Class
	The Malware’s Second Stage
		Entry Points
		The yin.Chao.yin Method
		The com.* Package
	The Malware’s Third Stage
		jadx Decompilation Issues
		Entry Points
		Name Mangling
	Command-and-Control Server Communication
		Examining the Encryption Algorithm
		Probing the Server from the Command Line
		Registering with the Server
		Processing the Registration Response
		Downloading Commands
		Processing the Command-and-Control Server’s Response
		Secretly Signing Up for the Premium Service
		Setting Up the JavaScript Bridge
		Interacting with the Java Bridge Object
		Completing the Sign-up Process
	The Mysterious Fourth Stage
	Up Next
4 DYNAMIC ANALYSIS
	What Is Dynamic Code Analysis?
	Dynamic vs. Static Analysis
	The Android Studio Emulator
		Creating a System Image
		Starting the Emulator
		Resetting the Emulator
		Interacting with the Emulator
	Dynamic Analysis Tools
		tcpdump
		Wireshark
		Frida
	The Malware Sample
	Detecting Malicious Functionality
		Observing Filesystem Changes
		Downloading Files for Inspection
		Capturing Network Traffic
		Analyzing Network Traffic
		Analyzing Logs with Logcat
	Analysis with Frida
		Running frida-server
		Using frida-trace to Find Interesting APIs
		Finding Entry Points into the Malware with Frida Scripting
		Executing the Frida Script
	Decrypting the Command-and-Control Communications
		With CyberChef
		With Frida
	Command-and-Control Server Messages
		The /ping URL
		The /metrics URL
		The Rotating Encryption Keys
	Other Malware Functionality
		com.sniff with frida-trace
		Accessibility Abuse
	Adding Static Analysis
		Other Command-and-Control Servers
		Other Server Commands
		More Accessibility Abuse
		Automatically Granting Permissions
		Injecting Phishing Windows
		Stealing Credentials
	Up Next
PART III MACHINE LEARNING DETECTION
5 MACHINE LEARNING FUNDAMENTALS
	How Machine Learning for Malware Analysis Works
		Identifying App Features
		Creating Training Sets
		Using Classification Algorithms
	Classification Algorithms
		Decision Trees
		Bagging and Random Forest
		Support Vector Machines
		k-Nearest Neighbors
		Naive Bayes
	Evaluating Machine Learning Models
	Struggles of Machine Learning Classifiers
		Identical Feature Vectors
		Balance vs. Imbalance
		Interpretability
		Cross-Validation vs. Rolling Window Prediction
	Up Next
6 MACHINE LEARNING FEATURES
	Static Features
	Dynamic Features
	Method Call Features (A Weak Tactic)
	Triadic Suspicion Graph Features
		Suspicion Scores
		The Suspicion Rank
		TSG Features
	Landmark-Based Features
		Selecting Landmarks
		Computing Landmark-Based Features
	Feature Clustering
		Generating Feature Clusters
		Choosing Clustering and Feature Aggregation Algorithms
	Correlation Graph–Based Feature Transformation
	Further Reading
	Up Next
7 ROOTING MALWARE
	Rooting Malware Families
	Testing Classifier Performance
	Rooting Malware vs. Goodware
		Permission-Related Features
		Network-Based Features
	Rooting Malware vs. Other Malware
		Permission-Related Features
		Other Features
	DroidDream: A Case Study
	Up Next
8 SPYWARE
	Spyware Families
	Spyware vs. Goodware
		Permission-Related Features
		Prediction Efficacy
	Spyware vs. Other Malware
		Permission-Related Features
		Prediction Efficacy
	Qibla Compass Ramadan: A Case Study
	Predictions for Spyware Apps
	Up Next
9 BANKING TROJANS
	Banking Trojan Families
	Banking Trojans vs. Goodware
		SMS Permission Features
		Other Permission Features
		Prediction Efficacy
	Banking Trojans vs. Other Malware
		Permission-Related Features
		Prediction Efficacy
	Marcher: A Case Study
	Up Next
10 RANSOMWARE
	How Ransomware Attacks Work
	Android Ransomware Families
	Ransomware vs. Goodware
		Permission-Related Features
		Other Features
		Prediction Efficacy
	Ransomware vs. Other Malware
		Permission-Related Features
		Prediction Efficacy
	Simplocker: A Case Study
	Predictions for Important Ransomware Samples
	Up Next
11 SMS FRAUD
	SMS Fraud vs. Goodware
		Non-SMS Permissions
		The Absence of SMS Permissions
		Prediction Efficacy
	SMS Fraud vs. Other Malware
		Permission-Related Features
		Prediction Efficacy
	BeeKeeper: A Case Study
	Predictions for SMS Fraud Samples
	Up Next
12 THE FUTURE OF ANDROID MALWARE
	Windows vs. Android
		Windows
		Android
	Hiding Malicious Behavior with Anti-Analysis Techniques
		Native ARM Code
		Downloaded Modules
		Less Popular Languages
		SDK-less Techniques
	Distribution
		Preloaded Malware and Supply Chain Compromises
		Smarter Sideloading
	Malware Economics
	Machine Learning Trends for Attackers and Defenders
	Next Steps
INDEX