
ONLINE REGISTRATION CLOSES OCT 13TH AT 23:59 MYT

           

Walk-in registrations at The InterContinental for the conference on 16th and 17th are still accepted (walk-in rate MYR1499).

For up-to-the-minute updates on #HITB2013KUL including on-site happenings during the event, please follow @hitbsecconf on Twitter.

Victor van der Veen (Security Consultant, ITQ)

PRESENTATION TITLE: TraceDroid: A Fast and Complete Android Method Tracer

PRESENTATION ABSTRACT:

Recent reports show that Android is responsible for 92% of all known mobile malware. From March 2012 to March 2013, the amount of mobile malware grew by 614 percent to 276,259 detected apps [1]. With a shipment of a billion Android-based devices expected in 2017 [2], we need to be able to quickly detect and quarantine these malicious applications.

Tools have been proposed to ease analysis of unknown applications. Projects like AndroGuard, APKinspector and Dexter or Dex2Jar/JD-Gui are excellent tools to perform static analysis on Android apps and dissect potentially malicious code. Static analysis of obfuscated apps, however, can be a very complex and time-consuming process, as was shown recently with the discovery of the ‘most sophisticated Android Trojan’ (Backdoor.AndroidOS.Obad.a), which uses reflection and encryption to obfuscate its functionality.

To overcome these problems, dynamic analysis platforms have been implemented, including Mobile-Sandbox, CopperDroid, Joe Security, Andrubis, and DroidBox. Except for DroidBox, these platforms provide a web interface where users can submit Android packages (APK files) for inspection. The result is a detailed report containing detected suspicious behavior. However, the definition of suspicious behavior is always set solely by the platform’s developers.

We think that it is essential for malware researchers to have a complete overview of an app’s invoked methods. Such fine-grained information will give a much better insight into how the app’s components interact and how it is implemented. These insights can complement the overview of the app’s capabilities as provided by existing frameworks.

ABOUT VICTOR VAN DER VEEN

Victor van der Veen is a security consultant at ITQ and holds an MSc degree in Computer Science from the VU University Amsterdam. TraceDroid and TAP are part of his master's thesis titled ‘Dynamic Analysis of Android Malware’, for which he co-worked with the Andrubis team from Vienna’s iSecLab.

His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) trustworthy voting machine and an in-depth analysis of trends in the field of memory errors (published at RAID 2012).


Copyright © 2013 Hack In The Box | http://www.hackinthebox.org