Mobile App-Web Interface: Detecting Hidden Attacks

Uploaded by: I*** | Document ID: 148921564 | Uploaded: 2020-10-23 | Format: PDF | Pages: 40 | Size: 1.68 MB

Detecting Hidden Attacks through the Mobile App-Web Interfaces

Yan Chen
Lab of Internet and Security Technology (LIST)
Northwestern University, USA

Motivation
[Figure labels: Downloaded phishing app; Scan; Automatically click on the buttons]

Motivation
- Vast effort has been spent analyzing the malicious apps themselves
  - For both industry and academia
- An important, yet unexplored vector of malware propagation is benign, legitimate apps that lead users to websites hosting malicious apps
- We call this hidden attacks through the app-web interface

Contributions
- Develop a framework for analyzing the app-web interfaces in Android applications
- Develop a novel technique to interact with UI widgets to trigger app-web interface
- Conduct a systematic study to associate ad networks with ad library packages
- Detect hidden attacks
  - Tested 600,000 apps in two months
  - Found several unknown attacks: a rogue antivirus scam, free iPad and iPhone scams, and ads propagating SMS trojans

Outline
- Background on mobile advertising
- System Design
- Detection Results
- Case study

Advertising Overview

Publishers and Advertisers
- Publishers show ads to users
- Advertisers: the brand owners that wish to advertise

Ad networks
- Also called aggregators
- Link advertisers to publishers
- Buy ad space from publishers; sell to advertisers
- Sophisticated algorithms for
  - Targeting
  - Inventory management

Ad networks
- Ad networks may interface with each other
- Syndication
  - One ad network asks another to fill ad space
- Ad exchange
  - Real-time auction of ad inventory
  - Bidding from many ad networks for many ad spaces

Mobile In-app Advertising
- Ad networks provide glue code that apps can embed and communicate with ad servers
  - Ad libraries, which identify ad networks
- Web links embedded directly in apps
- Malicious links are visited via the landing pages of ads coming from ad networks
  - Though the apps themselves are benign

Overview of Detection Methodology
[Diagram labels: App DataSet; Trigger App-web interfaces; WEBSITE; Landing Pages; URL scanning; Dynamic webpage analysis; File scanning; Malware and scan report; Downloaded Files; Dynamic App Analysis; Redirection Chains]

Components
- Triggering
  - Interact with the app to launch web links
- Detection
  - Include the various processes to detect malicious and benign that may occur as a result of triggering
- Provenance
  - Understand the cause or origin of a detected malicious activity, and attribute events to a specific domain or an ad library

Triggering App-Web interfaces
- Application UI Exploration
  - Use the heuristics and algorithms developed in AppsPlayground (Codaspy2013)
- Handling Webviews
  - Develop based on Selendroid to interact with Webviews
  - Apply computer vision techniques

UI Exploration of AppsPlayground

Examples of Handling Webviews
Bounding boxes are depicted as red rectangles. The top two figures contain the whole screen while the bottom figure is just an ad. Note the detection of buttons.

Detection
- Redirection chains
- Landing pages
  - In a browser configured with a realistic user agent and window size
  - Download any files that can be downloaded
- File and URL scanning
  - VirusTotal URL blacklists: Google Safebrowsing, Websense, ...
  - VirusTotal antivirus engines: Symantec, Dr. Web, Kaspersky, Eset, ...

Provenance
- Understand the cause and origins of attacks
- Approach 1: through redirection chains
  - Identify the parties owning the URLs leading up to the landing URL
- Approach 2: attribute code-level elements to locate it: at app or ad libraries?

Discovering Ad Networks
- First systematic step towards understanding malvertising
- Finding ad libraries
  - Typically have their own Java packages, e.g., com.google.ads
  - Disassemble the app and get Java packages

Approach 1
- Find frequent packages
- Ad networks included in many apps so their packages will be frequent
- So are some other packages, e.g., Apache libs, game development libs, ...
- Have to manually filter them

Approach 2
- Observation: Ad functionality is different from the main app functionality
- Three steps
  - Get all android APIs
  - Decouple: Break the app into different modules based on code characteristics
    - Inheritance, function calls, field relationships
  - Cluster: cluster modules from multiple apps together based on their API call similarity
    - Frequent libs such as Apache, game libs ad libraries

Approach 2
[Diagram labels: APP1, APP2, ..., APPn, each split into Modules (Decoupling); Cluster 1, Cluster 2, ..., Cluster m (Clustering); Google ads libs, Apache libs, Game libs]

Discovering Ad Networks: Results
- Dataset
  - 492,534 apps from Google Play
  - 422,505 apps from four Chinese stores: 91, Anzhi (安智), AppChina (应用汇), Mumayi (木蚂蚁)
- Discovered a total of 201 ad networks
  - The most reported ad networks so far

Overall Detection Findings

                     Google Play    Chinese Markets
App-to-web links     1,000,000      415,000
Malicious URLs       948            1475
Downloaded Files     468            1097
Malicious D
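
An added example (not from the slides or the authors' system) of the clustering step in Approach 2 for discovering ad networks: modules from several apps are grouped by the similarity of the Android APIs they call, and clusters seen in many apps are reported as candidate libraries. The Jaccard measure, the 0.5 threshold, the three-app minimum, and all package names and API sets below are assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: (app, module package) -> Android APIs that module calls.
# Package names and API sets are illustrative assumptions, not data from the talk.
AD = {"android.webkit.WebView.loadUrl",
      "android.telephony.TelephonyManager.getDeviceId",
      "android.location.LocationManager.getLastKnownLocation",
      "android.net.ConnectivityManager.getActiveNetworkInfo"}
GAME = {"android.opengl.GLSurfaceView.setRenderer", "android.media.SoundPool.play",
        "android.graphics.Canvas.drawBitmap",
        "android.hardware.SensorManager.registerListener"}
MODULES = {
    ("app1", "com.example.adsdk"): AD,
    ("app2", "a.b.c"): AD - {"android.location.LocationManager.getLastKnownLocation"},
    ("app3", "com.example.adsdk"): AD | {"android.view.Display.getMetrics"},
    ("app1", "com.example.engine"): GAME,
    ("app2", "com.example.engine"): GAME,
    ("app3", "com.example.engine"): GAME - {"android.media.SoundPool.play"},
    ("app1", "com.app1.main"): {"android.database.sqlite.SQLiteDatabase.query",
                                "android.widget.ListView.setAdapter"},
    ("app2", "com.app2.main"): {"android.hardware.Camera.open"},
    ("app3", "com.app3.main"): {"android.bluetooth.BluetoothAdapter.getDefaultAdapter",
                                "android.webkit.WebView.loadUrl"},
}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def cluster_modules(modules, threshold=0.5):
    """Single-linkage clustering: merge modules whose API sets overlap enough."""
    parent = {m: m for m in modules}
    def find(m):
        while parent[m] != m:
            m = parent[m]
        return m
    for a, b in combinations(modules, 2):
        if jaccard(modules[a], modules[b]) >= threshold:
            parent[find(a)] = find(b)
    clusters = defaultdict(list)
    for m in modules:
        clusters[find(m)].append(m)
    return [sorted(c) for c in clusters.values()]

def candidate_libraries(modules, threshold=0.5, min_apps=3):
    """Keep clusters seen in at least min_apps distinct apps (likely shared libraries)."""
    return sorted(c for c in cluster_modules(modules, threshold)
                  if len({app for app, _ in c}) >= min_apps)

if __name__ == "__main__":
    for cluster in candidate_libraries(MODULES):
        print(cluster)
```

The renamed package a.b.c joins the ad cluster because its API profile matches, which a package-name frequency count would miss. The game-engine cluster also qualifies, so each cluster still has to be labelled as an ad library or not.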
