{"id":1497,"date":"2015-02-12T18:57:17","date_gmt":"2015-02-12T16:57:17","guid":{"rendered":"http:\/\/sseblog.ec-spride.de\/?page_id=1497"},"modified":"2016-08-05T13:55:06","modified_gmt":"2016-08-05T11:55:06","slug":"harvester","status":"publish","type":"page","link":"https:\/\/blogs.uni-paderborn.de\/sse\/tools\/harvester\/","title":{"rendered":"Harvester &#8211; Combating current Android malware"},"content":{"rendered":"<p>The current trend goes towards\u00a0<a href=\"http:\/\/blogs.wsj.com\/personal-technology\/2015\/02\/04\/android-malware-removed-from-google-play-store-after-millions-of-downloads\/\">&#8220;dormant&#8221; malware<\/a>. 
(German article <a href=\"http:\/\/www.heise.de\/newsticker\/meldung\/Google-Play-Schlaefer-Apps-infizieren-Millionen-Android-Geraete-2539278.html\">here on Heise.de<\/a>.) Such\u00a0malware previously <strong>went unnoticed by lying dormant<\/strong> for several hours, sometimes multiple days, after installation, in some cases even requiring a reboot of the device to become active. Dynamic-analysis procedures usually run only for minutes and, for efficiency reasons, do not simulate situations like reboots. Contrary to the current\u00a0perception, though, this problem had long been identified, and in fact today <strong>with this article we are revealing Harvester, a new tool to address\u00a0exactly this problem<\/strong>.<\/p>\n<p>Harvester*\u00a0uses a novel combination of static and dynamic analysis and code transformation to (1) <strong>identify and eliminate emulator and timeout checks<\/strong> from apps, and (2) thereby <strong>allow for the extraction of interesting runtime values<\/strong> such as reflective method calls, target numbers of calls to the SMS APIs,\u00a0account data hard-wired in the malware, etc. In addition, Harvester is resilient against\u00a0virtually all current\u00a0cases of code obfuscation.<\/p>\n<p>As we show in our Technical Report (see below), Harvester can retrieve most runtime values of interest in a short amount of time, and can be used to significantly improve the quality of existing static and dynamic analysis tools.<\/p>\n<p>In the past, we have successfully used Harvester to help retrieve inside information about current threats such as the <a href=\"http:\/\/sseblog.ec-spride.de\/2015\/01\/korea-threat-compain-2014\/\">banking trojan BadAccents<\/a>\u00a0we reported on earlier.<\/p>\n<h2>How does it work?<\/h2>\n<p>The main idea of Harvester is to apply dynamic analysis not to the original malware app but to a version of the app that has been carefully altered to allow for easy extraction of values of interest. 
Consider the\u00a0original app code shown\u00a0to the left. This app has an emulator check, returning early if the deviceId is all zeros.\u00a0Using specialized backward slicing, Harvester determines that the check cannot influence our\u00a0value of interest, in this case the number used in the sendTextMessage call. Therefore, the check is simply eliminated from the app, as is all other code that does not influence the value of interest. <strong>Executing this app thus\u00a0<i>immediately<\/i> triggers the malicious behavior<\/strong> &#8211; no improved emulation or waiting required. Conditionals that may influence the value at hand are replaced by controllable boolean variables, as shown to the right. Using a limited number of fast executions of the modified code, Harvester can quickly cover all necessary branches and extract all three relevant phone numbers.<\/p>\n<p><a href=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/02\/paper1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-1480\" src=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/02\/paper1-234x300.jpg\" alt=\"Malware app code\" width=\"234\" height=\"300\" srcset=\"https:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/02\/paper1-234x300.jpg 234w, https:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/02\/paper1-768x983.jpg 768w, https:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/02\/paper1-800x1024.jpg 800w, https:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/02\/paper1.jpg 1365w\" sizes=\"auto, (max-width: 234px) 100vw, 234px\" \/><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1482\" src=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2015\/02\/paper2-202x300.jpg\" alt=\"App sliced by Harvester\" width=\"202\" height=\"300\" \/><\/a><\/p>\n<p>Our report\u00a0is currently under submission at a major conference. 
We plan to make the implementation available after\u00a0the paper has been accepted for publication.<\/p>\n<h2>Technical Report<\/h2>\n<p><a href=\"http:\/\/www.bodden.de\/pubs\/TUD-CS-2015-0031.pdf\"><span class=\"bibtitle\">Harvesting Runtime Data in Android Applications for Identifying Malware and Enhancing Code Analysis<\/span><\/a> <span class=\"bibauthor\">(Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden)<\/span>, <span class=\"bibpublisher\">Technical report TUD-CS-2015-0031, EC SPRIDE<\/span>, 2015. <a href=\"http:\/\/www.bodden.de\/bibtexbrowser.php?key=TrHarvester&amp;bib=publications.bib\">[bib]<\/a><\/p>\n<p>* Patent pending<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The current trend goes towards\u00a0&#8220;dormant&#8221; malware. (German article here on Heise.de.) Such\u00a0malware previously went unnoticed by lying dormant for several hours, sometimes multiple days, after installation, in some cases even requiring a reboot of the device to become active. 
Dynamic-analysis &hellip; <a href=\"https:\/\/blogs.uni-paderborn.de\/sse\/tools\/harvester\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6542,"featured_media":0,"parent":22,"menu_order":2,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-1497","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/pages\/1497","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/users\/6542"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/comments?post=1497"}],"version-history":[{"count":2,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/pages\/1497\/revisions"}],"predecessor-version":[{"id":4087,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/pages\/1497\/revisions\/4087"}],"up":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/pages\/22"}],"wp:attachment":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/media?parent=1497"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}