Malware Analysis - : Name - Ayush Raj Reg No - 20BCT0168
BCI3003-ANDROID SECURITY
Semester: Winter 2021-22
Slot: D2
Topic –
-- Malware Analysis --
Introduction –
Malware is a broad term that encompasses all forms of harmful software,
and in the context of computer security, it refers to:
New malware strains use evasion and obfuscation methods to deceive users,
security administrators and anti-malware programs. Examples of evasion
techniques include simple approaches such as masking the originating IP
address, and polymorphic malware, which modifies its code to escape
signature-based detection. Another example is fileless malware, which
resides only in RAM and never touches the disk, so file-based scanners
have nothing to inspect.
Analysis of a malicious file –
Virus detected –
Details of the document –
Hence, from the above analysis we can conclude that the zip file
gamehack(green screw driver)-1.zip has 29 malware detections. Some of the
detection names are the same and some differ, but they describe the same
sample and configuration.
Malware 1 :-
Android/Trojan.Dropper
About -
Android/Trojan.Dropper is a malicious app that contains additional
malicious app(s) within its payload. The Android/Trojan.Dropper will
install the additional malicious app(s) onto an infected mobile device.
On the Android OS, most often the malicious app(s) to be dropped is/are
contained within the Android/Trojan.Dropper’s Assets Directory.
The Assets Directory is an optional directory that can be added to an
APK to store raw asset files. In the case of a Mobile Trojan Dropper, it
contains a malicious APK(s) to be dropped and installed.
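The paragraph above says where a dropper keeps its payload; the following is an added example written for this report (not Malwarebytes' detection logic) that checks an APK for exactly that: any member under assets/ or res/raw/ whose content is itself an APK, whatever its file extension. The host APK, the payload and the "data.bin" name are constructed in memory for the demonstration.

```python
"""Added example: look inside an APK for a second APK hidden under assets/.

Illustrative code for this report, not a vendor tool. The sample APK is built
in memory with placeholder manifest/dex contents; no real malware is used.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Members every APK carries; their presence in a nested archive is the tell.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}
# Droppers usually stash the payload in assets/ (as the report says) or res/raw/.
PAYLOAD_DIRS = ("assets/", "res/raw/")


def looks_like_apk(data: bytes) -> bool:
    """True if `data` is a ZIP archive containing APK core members."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return False
    return bool(APK_MARKERS & names)


def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return (member name, size) for every asset whose content is an APK.

    The check is on content, not extension: droppers rename the payload to
    .bin/.dat/.png, so listing *.apk names would miss it.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith(PAYLOAD_DIRS):
                continue
            if looks_like_apk(outer.read(info.filename)):
                hits.append((info.filename, info.file_size))
    return hits


def build_sample_apk() -> bytes:
    """Constructed host APK: a payload APK disguised as assets/data.bin next
    to a benign image. Manifest and dex contents are placeholders."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        z.writestr("classes.dex", b"dex\n035\x00")
    host = io.BytesIO()
    with zipfile.ZipFile(host, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("assets/data.bin", payload.getvalue())   # the dropped APK
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")  # benign asset
        z.writestr("res/raw/config.json", b"{}")
    return host.getvalue()


if __name__ == "__main__":
    for name, size in find_embedded_apks(build_sample_apk()):
        print(f"embedded APK found: {name} ({size} bytes)")
```

Run it against a real sample by replacing `build_sample_apk()` with the bytes of the APK under analysis. A dropper that encrypts or XOR-encodes its payload defeats this check; in that case look for the decryption routine in the dex code, and for the REQUEST_INSTALL_PACKAGES permission in the manifest, which the dropper needs to install what it drops.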
Symptoms
In some cases, users may notice apps on their mobile device that they
don’t recall installing. Most often, though, the dropped app(s) hide in
the background, unbeknownst to the user.
Protection
Malwarebytes for Android protects against Android/Trojan.Dropper
What Can You Do to Stay Safe?
➢ Use a firewall to block all incoming internet connections to services
that should not be public. By default, deny all incoming connections and
allow only the services you expressly want to expose.
➢ Enforce password policies: complex passwords make password files on
compromised systems harder to crack, which limits the damage of an
attack.
➢ Ensure that programs and users have the minimum rights required to
perform their tasks.
➢ Disable AutoPlay to prevent executables on network and removable
drives from launching automatically, and disconnect drives when not in
use. (AutoPlay and host firewalls are desktop controls; the Android
equivalent is to keep "Install unknown apps" disabled for browsers and
messaging apps, so a dropper cannot silently install its payload.)
Associated threats
• Android/Trojan.Dropper.Agent
• Android/Trojan.Dropper.FakeApp
• Android/Trojan.Dropper.Sadpor
• Android/Trojan.Dropper.Shedun
Malware 2 :-
Android/PUP.Riskware.Autoins.Fota
About -
Riskware refers to legitimate programs that pose potential risks due to
security vulnerabilities, software incompatibility, or legal violations.
Typically the risk is that criminals exploit programs that handle
sensitive data or run admin-level processes. Riskware is misused to steal
data, hijack systems, or cause disruption.
Android/PUP.Riskware.Autoins.Fota is Malwarebytes’ detection name for a
nasty variant of the Adups family of Android malware and PUPs.
Behaviour -
Android/PUP.Riskware.Autoins.Fota is a pre-installed system
app. Android/PUP.Riskware.Autoins.Fota can potentially auto install
malware like Android/Trojan.Guerrilla, and Android/Trojan.HiddenAds.
Common Types of Android/Riskware -
Most of the issues you may face can be simplified to the following core
problems:
1. System hijacks and unauthorized system access
2. Legal complications
3. Computer system or network disruptions
Protection
How to Prevent Riskware Attacks
Riskware can be difficult to protect against since you’ll have to take caution
with any software you use. However, having a helping hand to spot possible
risks can make the task easier.
Detecting and removing Riskware
Remediation
Android/PUP.Riskware.Autoins.Fota cannot be uninstalled through the
device’s app information page, only disabled. Some Adups variants cannot
even be disabled, and a mobile scanner cannot remove or disable them
either, because the app ships as a system app on a read-only partition.
Advanced users can refer to the Adups removal guide that Malwarebytes
posted on its forums.
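The remediation above is a manual procedure through the device UI. The following is an added Python example written for this report (not Malwarebytes' guide) that applies the same reasoning to `adb shell pm list packages -f` output: a package whose APK sits on a read-only partition (/system, /product, /vendor, ...) cannot be uninstalled, so for it the script emits the disable / remove-for-user-0 commands instead. The listing and the package name com.example.fota are constructed; substitute the package name found on the actual device.

```python
"""Added example: decide whether an Android package can be uninstalled or only
disabled, from `adb shell pm list packages -f` output. Written for this
report; the output lines and com.example.fota are constructed."""
import re

# Read-only partitions: an APK living here cannot be uninstalled for all users.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/",
                   "/odm/", "/oem/", "/apex/")
# Greedy path match: user-app paths on Android 11+ contain '=' (base64 dirs),
# so the package name is whatever follows the LAST '='.
LINE_RE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[\w.]+)$")


def parse_pm_list(output: str) -> dict:
    """Map package name -> APK path."""
    apks = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            apks[m.group("pkg")] = m.group("path")
    return apks


def is_system_app(apk_path: str) -> bool:
    return apk_path.startswith(SYSTEM_PREFIXES)


def remediation(pkg: str, apk_path: str) -> list:
    """Commands an advanced user would run over adb for the given package."""
    if is_system_app(apk_path):
        # The APK stays on the read-only partition; these only hide it from
        # user 0. A factory reset brings it back, and some Adups variants keep
        # running from other privileged components regardless.
        return [f"adb shell pm disable-user --user 0 {pkg}",
                f"adb shell pm uninstall -k --user 0 {pkg}"]
    return [f"adb uninstall {pkg}"]


# Constructed sample of `adb shell pm list packages -f`.
SAMPLE_PM_LIST = """\
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/system/priv-app/Fota/Fota.apk=com.example.fota
package:/data/app/~~Qx1vZ2==/com.example.game-a1B2==/base.apk=com.example.game
package:/product/app/Browser/Browser.apk=com.example.browser
"""


def plan(output: str, targets: list) -> dict:
    """Remediation commands for each target package present in the listing."""
    apks = parse_pm_list(output)
    return {pkg: remediation(pkg, apks[pkg]) for pkg in targets if pkg in apks}


if __name__ == "__main__":
    for pkg, cmds in plan(SAMPLE_PM_LIST,
                          ["com.example.fota", "com.example.game"]).items():
        print(pkg)
        for cmd in cmds:
            print("   ", cmd)
```

The `-k` keeps the app's data so the change can be reverted with `pm install-existing`; drop it if the data itself is the concern. Because the APK remains on the partition, the honest fix for a pre-installed Adups build is a vendor firmware update or a different ROM.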
Beyond basic antivirus setup and usage tips, guarding against riskware
depends on smart computer use behaviors.
Generally, you should use a few basic principles when installing or using
programs:
1. Limit the programs that run with admin-level permissions.
2. Read ALL terms of service for programs for legal reasons.
3. Eliminate any software that is inhibiting other important software from functioning
properly.
4. Avoid illegal or explicit downloads on your devices.
Malware 3 :-
Android/ransomware
The description below (concealing files, hiding windows, terminating
processes, coin mining, "not malicious in themselves") is the vendor
definition of the RiskTool category, which is distinct from ransomware.
Android ransomware proper locks the screen or encrypts the user’s files
and demands payment to restore access.
These programs have various functions, such as concealing files in the
system, hiding the windows of running applications, or terminating active
processes. The group includes cryptocurrency miners that generate coins
using the target device’s resources. Cybercriminals usually use them in
stealth mode. They are not malicious in themselves. Unlike NetTool, such
programs are designed to operate locally.
➢ Use the right mobile security solution. Finally, make sure you are
using a comprehensive security solution that is specifically designed to
protect against mobile ransomware attacks (among other threats).
Malware 4 :-
Android/Adware
Symptoms of Adware -
It can be hard to tell whether your Android is infected with adware or
whether an app or website simply has a lot of annoying pop-ups. Here are
a few signs that could mean your Android is infected with adware:
• You’re seeing ads constantly. If you’re seeing ads no matter what
app you’re using, it’s a telltale sign that your Android is infected with
adware.
• Your web browser homepage has suddenly changed. Often,
adware will update your browser’s homepage to an advertising website
that they make money from. If your browser suddenly changes in this
way, it’s time to scan your device!
• Your Android is much slower or apps are crashing. Because
adware is resource-intensive, it may cause your Android phone to begin
behaving weirdly. This can include slower loading and frequent app
crashes.
• Your battery is draining very quickly. As above, adware is likely to
cause your Android battery to drain far quicker than usual. If you spot
this happening, you may have adware.
• Random apps are appearing. If you see an app (or a handful of
apps) that you don’t remember installing, it’s very likely that your
phone is infected with malware. If this is associated with a sudden
increase in advertisements, you guessed it - you’ve got adware.
Adware isn’t only frustrating, it can also be dangerous. Often, adware will try to
trick you into granting it permissions on your Android so that it can display ads
no matter which app you are using. Worse, though, is that it may be stealing your
personal information including your banking credentials or contacts list.
The most common way that people’s phones become infected with adware is by
downloading apps from third-party or unknown sources. If you think you have
adware, remember - do NOT tap anywhere on the pop-ups!
Identification and Removal –
Method for identification and analysis of the adware in your smartphone are –
➢ The first thing to do when you spot adware on your phone would be to
reboot your phone in safe mode. Hold down the power button until the
shut down and reboot options appear. Then, press and hold the power
off menu item. This will bring up a new menu where you can choose to
reboot in safe mode, effectively disabling all third-party apps.
➢ Open your Android settings menu and scroll down to the 'Apps' entry.
Tap it and the list of installed apps should come up. Go slowly through
the list and find the app whose installation coincided with the unwanted
ads. This could be anything, as adware often hides in seemingly harmless
apps, including games.
➢ The safest procedure would be to reboot your phone normally after
uninstalling each suspicious app and check for any persisting unwanted
ads. If the issue is not solved, repeat the safe mode reboot and uninstall
procedure.
➢ Making sure Play Protect is Enabled, Once the faulty adware app has
been removed, the next step would be to make sure you have Play
Protect enabled. Play Protect is a malware protection service, built into
the Google Play Store.
With the adware removed and Play Protect enabled, your phone is protected.
Different Names –
Adware is often grouped with, or confused with, related terms that
follow the same principle of unwanted, hard-to-remove software: spyware,
keyloggers, scumware and "spyware-adware". Note that anti-spyware and
Ad-Aware are names of anti-malware products, not of threats.
Some important Android adware families include gexin, batmobi, ewind,
shedun, pandaad, appad, dianjin, gmobi, hummingbird, mobisec, loki,
kyhub and adcolony.
Malware 5 :-
Android/Backdoor
Backdoors act as hidden gateways into a smartphone: they bypass the
device’s authentication and raise privileges so that the attacker can
access the device at any time. Backdoors enable remote attacks without
physical possession of the device. They can be completely new programs
or part of an existing one. In some cases, if users do not change the
default passwords of accounts created on their device, those credentials
serve as a backdoor through which an attacker can push malicious code
and remotely control the device.
Behaviour –
Backdoor malware collects personal information from the phone, sends and
receives messages, makes phone calls and collects call history, collects
lists of installed and running applications, and creates storage space on
the device. In severe cases the backdoor roots the Android device it was
installed on. Attackers often use advertisement malware to lure users in:
once the user clicks the advertisement, a backdoor is installed on their
device. Backdoors typically get in through one of the following
weaknesses:
• Open ports.
• Weak passwords.
• Out-of-date software.
• Weak firewalls.
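The adware section above says adware tricks the user into granting the permissions it needs to display ads over every other app and that it usually arrives from third-party sources, and the backdoor behaviour above lists SMS, calls, call log, contacts and reboot persistence. The following is an added example written for this report (not a vendor tool) that turns both descriptions into a triage of `adb shell dumpsys package` output: it reads each package's declared permissions and installer, and reports overlay-capable apps, apps with two or more backdoor capabilities, and whether either came from outside the Play Store. The dumpsys excerpt and the package names are constructed.

```python
"""Added example: permission/installer triage of installed apps from an
`adb shell dumpsys package` excerpt. Written for this report; the dumpsys
text and the package names below are constructed."""
import re

PLAY_STORE = "com.android.vending"
# Lets an app draw over every other app, or read and act on the screen:
# the "display ads no matter which app you are using" behaviour.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW",
                 "android.permission.BIND_ACCESSIBILITY_SERVICE"}
# Capabilities a backdoor needs: messaging, calls, call log, contacts,
# and surviving a reboot.
BACKDOOR_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS", "android.permission.CALL_PHONE",
                  "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
                  "android.permission.RECEIVE_BOOT_COMPLETED"}
HEADER_RE = re.compile(r"^Package \[(?P<pkg>[\w.]+)\]")


def parse_dumpsys(text: str) -> dict:
    """package -> {"installer": str or None, "perms": set} from dumpsys output."""
    pkgs, current, in_requested = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group("pkg")
            pkgs[current] = {"installer": None, "perms": set()}
            in_requested = False
            continue
        if current is None:
            continue
        if line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            pkgs[current]["installer"] = None if value in ("", "null") else value
            in_requested = False
        elif line.endswith("permissions:"):
            # Only the declared ("requested") list; install/runtime lists repeat it.
            in_requested = line.startswith("requested permissions")
        elif in_requested and line.startswith("android.permission."):
            pkgs[current]["perms"].add(line.split(":")[0])
        elif line:
            in_requested = False   # any other section ends the list
    return pkgs


def triage(text: str) -> dict:
    """Packages worth a closer look, with sorted reasons."""
    findings = {}
    for pkg, info in parse_dumpsys(text).items():
        flags = []
        if info["perms"] & OVERLAY_PERMS:
            flags.append("overlay")
        if len(info["perms"] & BACKDOOR_PERMS) >= 2:
            flags.append("backdoor-capabilities")
        if not flags:
            continue   # ordinary apps are not reported
        if info["installer"] != PLAY_STORE:
            flags.append("sideloaded")   # third-party or unknown source
        findings[pkg] = sorted(flags)
    return findings


# Constructed excerpt in the shape of `adb shell dumpsys package`.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.cleaner] (7f2a1b3):
    userId=10241
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (1c9d0e4):
    userId=10242
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
  Package [com.example.sysupdate] (3e5f6a7):
    userId=10243
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
"""

if __name__ == "__main__":
    for pkg, flags in triage(SAMPLE_DUMPSYS).items():
        print(pkg, ", ".join(flags))
```

Permissions alone are a lead, not a verdict: a genuine SMS app declares the same set, which is why the installer source is reported alongside. The flagged packages are the ones to uninstall first in the safe-mode procedure described in the adware section.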
Use an Antivirus : Always use advanced antivirus software that can detect
and prevent a wide range of malware, including trojans, cryptojackers,
spyware and rootkits.
Download with Care : Always download from official stores and websites,
avoid pirate sites, and use an antivirus with real-time protection that
can flag malicious files before they are installed.
Use a Firewall : Firewalls are essential for anti-backdoor protection;
they monitor all incoming and outgoing traffic on your device.
Use a Password Manager : Password managers generate and store login
information for all your accounts and can log you in automatically. The
stored data is encrypted with 256-bit AES and locked behind a master
password.
Monitor network activity : Unexplained data spikes could mean someone is
using a backdoor on your system. To spot this, use a firewall or network
monitor to track the inbound and outbound activity of the applications
installed on the device.
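The "Monitor network activity" advice and the "Open ports" entry point above can be checked directly on a device. The following is an added example written for this report (not a vendor tool): it decodes the kernel's /proc/net/tcp table, maps each socket's uid to a package with `adb shell pm list packages -U`, and reports app sockets listening on a non-loopback address (a port reachable from the network) or established to an unusual remote port. Both inputs are constructed; on recent Android, ordinary apps cannot read /proc/net, so this assumes root or a permissive build.

```python
"""Added example: spot app sockets that point at a backdoor, from /proc/net/tcp
and `adb shell pm list packages -U`. Written for this report; both inputs are
constructed. Reading /proc/net/tcp needs root or a permissive build on recent
Android, since ordinary apps can no longer read /proc/net."""
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}
EXPECTED_REMOTE_PORTS = {80, 443, 853, 5228}   # web, DNS over TLS, Google push
FIRST_APP_UID = 10000                           # lower uids are system daemons


def decode_addr(field: str):
    """'6401A8C0:01BB' -> ('192.168.1.100', 443); IPv4 is little-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """One dict per socket: local, remote, state, uid."""
    conns = []
    for line in text.splitlines()[1:]:       # first line is the column header
        f = line.split()
        if len(f) < 8:
            continue
        conns.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7])})
    return conns


def parse_uid_map(text: str) -> dict:
    """'package:com.foo uid:10242' lines -> {10242: 'com.foo'}."""
    uids = {}
    for line in text.splitlines():
        if line.startswith("package:") and " uid:" in line:
            pkg, uid = line[len("package:"):].split(" uid:")
            uids[int(uid)] = pkg.strip()
    return uids


def suspicious_sockets(conns: list, uids: dict) -> list:
    """(package, reason) for app sockets matching the backdoor entry points:
    a port open to the network, or an outbound session on an unusual port."""
    findings = []
    for c in conns:
        if c["uid"] < FIRST_APP_UID:
            continue   # system services are out of scope here
        pkg = uids.get(c["uid"], f"uid {c['uid']}")
        lip, lport = c["local"]
        rip, rport = c["remote"]
        if c["state"] == "LISTEN" and lip != "127.0.0.1":
            findings.append((pkg, f"listening on {lip}:{lport}, reachable from the network"))
        elif c["state"] == "ESTABLISHED" and rport not in EXPECTED_REMOTE_PORTS:
            findings.append((pkg, f"outbound session to {rip}:{rport}"))
    return findings


# Constructed /proc/net/tcp: an app listening on all interfaces, a normal
# HTTPS session, an app talking to a high port, and a system daemon on loopback.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F41 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10243        0 31001 1 0000000000000000 100 0 0 10 0
   1: 6401A8C0:B2E4 5E0E1DAC:01BB 01 00000000:00000000 00:00000000 00000000 10242        0 31002 1 0000000000000000 20 4 30 10 -1
   2: 6401A8C0:B2F0 0A0A0A0A:1F41 01 00000000:00000000 00:00000000 00000000 10241        0 31003 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31004 1 0000000000000000 100 0 0 10 0
"""
# Constructed `adb shell pm list packages -U` output.
SAMPLE_UID_MAP = """\
package:com.example.cleaner uid:10241
package:com.example.notes uid:10242
package:com.example.sysupdate uid:10243
"""

if __name__ == "__main__":
    conns = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for pkg, reason in suspicious_sockets(conns, parse_uid_map(SAMPLE_UID_MAP)):
        print(f"{pkg}: {reason}")
```

A single snapshot catches only sockets open at that instant; run it repeatedly, or compare against the data spikes the advice above mentions, and remember that /proc/net/tcp6 holds the IPv6 sockets and needs a 16-byte address decode.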
Comparative Study –
TROJAN | ADWARE
Trojan Horse is a form of malware that captures important information about a computer system or a computer network. | Adware is similar to spyware; it can be both intrusive and difficult to eradicate.
The main objective of the Trojan horse is to control the activity of the system. | The main objective of adware is to monitor your interests and display relevant ads.
It is more harmful in comparison. | Adware is less harmful.