Malware Analysis - : Name - Ayush Raj Reg No - 20BCT0168


School of Computer Science and Engineering

BCI3003-ANDROID SECURITY
Semester: Winter 2021-22
Slot: D2

Topic –
-- Malware Analysis --

Name – Ayush Raj


Reg No – 20BCT0168
Aim :-
The main aim of the assignment is to analyse a corrupted file with an online
malware analyser and to briefly describe the different types of malware
present in the file.

Introduction –
Malware is a broad term that encompasses all forms of harmful software; in the
context of computer security, it refers to:

Software which is used with the aim of attempting to breach a computer
system’s security policy with respect to Confidentiality, Integrity or
Availability.

Malware, short for malicious software, is any program or file that is designed
to harm a computer or its users. Computer viruses, ransomware, worms, trojan
horses, and spyware are all examples of malware. These dangerous applications
can steal, encrypt, or erase important information, change or hijack critical
computing functions, and monitor the victim's computer activities.

To infect devices and networks with malware, cybercriminals use a range of
physical and virtual methods. WannaCry, a well-known ransomware outbreak, for
example, was able to spread by exploiting a known flaw. Phishing is a typical
malware distribution strategy in which seemingly normal emails carry malicious
links or attachments that deliver executable malware to unwary recipients.

Evasion and obfuscation methods are being used in new malware strains to
deceive users, security managers, and anti-malware programs. Simple
approaches to mask the originating IP address and polymorphic malware,
which modifies its code to escape detection by signature-based detection
technologies, are examples of evasion techniques. Another example is
fileless malware, which only resides in the RAM of a computer to prevent
detection.
Analysis of a Corrupted file –

Virus detected –
Details of the document –

Hence, from the above analysis we can conclude that the zip file
gamehack(green screw driver)-1.zip has 29 types of malware present in it.
Some are the same and some are of different types but with the same
configuration.

Here we will discuss 5 different types of malware based on the above
analysis and how they can be detected or removed. They are:
Malware 1 :-
Trojan.Dropper

About -
Android/Trojan.Dropper is a malicious app that contains additional
malicious app(s) within its payload. The Android/Trojan.Dropper will
install the additional malicious app(s) onto an infected mobile device.
On the Android OS, most often the malicious app(s) to be dropped is/are
contained within the Android/Trojan.Dropper’s Assets Directory.
The Assets Directory is an optional directory that can be added to an
APK to store raw asset files. In the case of a Mobile Trojan Dropper, it
contains a malicious APK(s) to be dropped and installed.
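As an added example (not part of the original assignment or of any analyser's output), the following Python script applies the point above: it opens an APK as the zip archive it is and reports entries under assets/ whose contents are a Dalvik DEX file, an ELF native library or a nested APK, judged by magic bytes rather than file extension, since a dropper can give its payload any name. The sample APK it scans is constructed in memory; the entry names assets/update.dat and assets/native.bin are invented.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Magic bytes of the payload types a dropper commonly hides inside assets/.
ZIP_MAGIC = b"PK\x03\x04"   # APK/JAR (zip container)
DEX_MAGIC = b"dex\n"        # Dalvik executable
ELF_MAGIC = b"\x7fELF"      # native shared object


def classify_blob(data: bytes) -> Optional[str]:
    """Return the payload type of raw bytes, or None if nothing executable is recognised."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(ZIP_MAGIC):
        # A zip inside assets/ is only an APK if it carries a manifest or DEX code.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                names = set(inner.namelist())
        except zipfile.BadZipFile:
            return "zip"
        if "classes.dex" in names or "AndroidManifest.xml" in names:
            return "apk"
        return "zip"
    return None


def find_embedded_payloads(apk_bytes: bytes, prefix: str = "assets/") -> List[Tuple[str, str, int]]:
    """Scan every file under `prefix` in an APK and report (name, type, size) for
    entries whose content is an executable container, whatever their extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            kind = classify_blob(apk.read(info.filename))
            if kind is not None:
                findings.append((info.filename, kind, info.file_size))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: an APK-shaped zip carrying a nested APK and an ELF in assets/.
    The names and contents are invented for this example."""
    fake_dex = DEX_MAGIC + b"035\0" + b"\0" * 32
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        z.writestr("classes.dex", fake_dex)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        z.writestr("classes.dex", fake_dex)                     # host app code, outside assets/
        z.writestr("assets/config.json", b'{"theme": "dark"}')   # benign asset, not reported
        z.writestr("assets/update.dat", inner.getvalue())        # nested APK with an innocuous name
        z.writestr("assets/native.bin", ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 13)  # ELF library
        z.writestr("res/values/strings.xml", b"<resources/>")
    return outer.getvalue()


if __name__ == "__main__":
    for name, kind, size in find_embedded_payloads(build_sample_apk()):
        print(f"{name}: {kind} ({size} bytes)")
```

Run against a real APK, `find_embedded_payloads(open("app.apk", "rb").read())` gives a quick static triage of what an app would be able to drop; a hit is a reason to look at the code that reads that asset, not proof of malice on its own, since some legitimate apps ship plug-ins the same way.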

Symptoms
In some cases, users may notice app(s) on their mobile device that
they don’t recall installing themselves. Most often, though, the dropped
app(s) will hide in the background unbeknownst to the user.

Type and source of infection
On the Android OS, an Android/Trojan.Dropper infected APK typically
is given the filename of a legitimate app, but has a completely different
package name, digital certificate, and code than the app it claims to be. It is
then distributed through third-party app stores.
What droppers can carry?

A dropper’s payload usually includes more Trojans. Some droppers contain
only one malicious program, but most carry several malware tools. The items
are not necessarily interconnected and may serve different purposes. They
may even be developed by different hacker groups.

Protection
Malwarebytes for Android protects against Android/Trojan.Dropper
What Can You Do to Stay Safe?
➢ Use a firewall to prevent all incoming internet connections to services
that should not be made public. By default, all incoming connections
should be denied, and only those services that you expressly desire to
give to the outside world should be allowed.
➢ Enforce password policies: Complex passwords make password files on
compromised systems more difficult to crack. In the event of an attack,
this helps to protect your machine.
➢ Ensure that programs and computer users have the bare minimum
of rights required to perform their tasks.
➢ Disable AutoPlay to prevent executable files on network and removable
devices from being launched automatically, and disconnect drives when
not in use.

Associated threats
• Android/Trojan.Dropper.Agent
• Android/Trojan.Dropper.FakeApp
• Android/Trojan.Dropper.Sadpor
• Android/Trojan.Dropper.Shedun
Malware 2 :-
Android/PUP.Riskware.Autoins.Fota

About -
Riskware defines any legitimate programs that pose potential risks due to
security vulnerability, software incompatibility, or legal violations.
Typically, risks pertain to malicious cyber criminals exploiting programs that
handle sensitive data or admin-level processes. Misuse of riskware is done to
steal data, hijack computer systems, or cause disruptions.
Android/PUP.Riskware.Autoins.Fota is Malwarebytes’ detection name for a
nasty variant of the Adups family of Android malware and PUPs.

Behaviour -
Android/PUP.Riskware.Autoins.Fota is a pre-installed system
app. Android/PUP.Riskware.Autoins.Fota can potentially auto install
malware like Android/Trojan.Guerrilla, and Android/Trojan.HiddenAds.
Common Types of Android/Riskware -

An exhaustive list of riskware types is impractical since many programs can
pose risks. That said, riskware malware has been known to often include the
following types of programs:
1. Remote support utilities
2. Internet relay chat (IRC) clients
3. Dialer programs
4. File downloaders
5. Computer activity monitoring software
6. Password management utilities
7. Internet server services – such as FTP, web, proxy, and telnet
8. Auto-installers (on mobile platforms)

How Riskware Can Affect You

Most of the issues you may face can be simplified to the following core
problems:
1. System hijacks and unauthorized system access
2. Legal complications
3. Computer system or network disruptions

Protection
How to Prevent Riskware Attacks

Riskware can be difficult to protect against since you’ll have to take caution
with any software you use. However, having a helping hand to spot possible
risks can make the task easier.
Detecting and removing Riskware

Choosing not to detect Riskware

Remediation
Android/PUP.Riskware.Autoins.Fota cannot be uninstalled through the
device’s information page, only disabled. However, some variants of Adups
can’t even be disabled. Not even a mobile scanner can remove or disable it.
Advanced users can refer to the removal guide for Adups we created and
posted on our forums.
Beyond basic antivirus setup and usage tips, guarding against riskware
depends on smart computer use behaviours.
Generally, you should follow a few basic principles when installing or using
programs:
1. Limit the programs that run with admin-level permissions.
2. Read ALL terms of service for programs for legal reasons.
3. Eliminate any software that is inhibiting other important software from
functioning properly.
4. Avoid illegal or explicit downloads on your devices.
Malware 3 :-
Android/ransomware
These programs have various functions, such as concealing files in the
system, hiding the windows of running applications, or terminating active
processes. The group includes cryptocurrency miners that generate coins using
the target device’s resources. Cybercriminals usually use them in stealth
mode. They are not malicious in themselves. Unlike NetTool, such programs
are designed to operate locally.

The basic idea behind ransomware – which is basically a form of malicious
software – is this: lock and encrypt the user’s computer/device and demand a
ransom in order to restore access.

Ransomware is a massive illegal money-making scheme that hackers use with
great success. And much like real-world ransom situations where the
kidnapper threatens to kill the hostage, hackers often threaten to
permanently revoke access if payment isn’t made within their suggested
timeframe.

Ransomware families are involved in sending/receiving SMSs, locking SIM
cards and smartphones, stealing network information such as Wi-Fi
connection details, and communicating with the remote server controlling the
ransomware attack.

Preventing Mobile Ransomware Attacks -

The danger of mobile ransomware attacks – or any ransomware attacks, for
that matter – is multifaceted. The most direct cost is the ransom payment.
But it’s all of the indirect and ongoing costs that ultimately doom a business.
This includes downtime, reputation loss, liability, data loss, and collateral
damage.
If you want to protect your business, you need to prevent mobile ransomware
in the first place. Here are some timely suggestions:

➢ Stay informed. Ransomware is anything but static. New attacks,
methods, and software are being developed on a daily basis. It’s
imperative that you stay informed so that you know how to best protect
your business, employees, and devices.

➢ Enforce a BYOD security policy. It’s not enough to have a BYOD
policy. You have to actually enforce it. A failure to do so means
employees won’t take you seriously and will continue to violate rules
that are meant to protect them and their devices. In other words, put
your money where your mouth is!

➢ Install security patches. Ransomware typically makes its way onto a
device via a download. Sometimes these downloads occur by visiting
compromised websites. You can avoid them by installing and updating
the latest security patches.

➢ Back up all files. By backing up your files in a third-party cloud that’s
unconnected to the rest of your business, you can reduce the cost and
risk of ransomware.

➢ Use the right mobile security solution. Finally, make sure you’re
using comprehensive security solutions that are specifically designed to
provide protection against mobile ransomware attacks (among other
threats).

There’s no singular method for preventing ransomware attacks. It requires a
concerted effort on all fronts. But if you focus on these suggestions, you’ll
significantly diminish your chances of being compromised.

Different types of Android ransomware are – congur, masnu, fusob, jisut, koler,
lockscreen, slocker, and smsspy.
Malware 4 :-
Android/Adware

Adware is a kind of unwanted software (often malware) that commonly infects
Android phones. In fact, adware accounts for almost 50% of all mobile phone
malware. It’s so common because every time a person clicks or views an ad,
the adware developers make money, making it surprisingly profitable.

Symptoms of Adware -
It can be hard to tell if your Android is infected with adware or if an app
or website just has a bunch of annoying pop-ups. Here are a few signs that
could mean your Android is infected with malware:
• You’re seeing ads constantly. If you’re seeing ads no matter what
app you’re using, it’s a telltale sign that your Android is infected with
adware.
• Your web browser homepage has suddenly changed. Often,
adware will update your browser’s homepage to an advertising website
that they make money from. If your browser suddenly changes in this
way, it’s time to scan your device!
• Your Android is much slower or apps are crashing. Because
adware is resource-intensive, it may cause your Android phone to begin
behaving weirdly. This can include slower loading and frequent app
crashes.
• Your battery is draining very quickly. As above, adware is likely to
cause your Android battery to drain far quicker than usual. If you spot
this happening, you may have adware.
• Random apps are appearing. If you see an app (or a handful of
apps) that you don’t remember installing, it’s very likely that your
phone is infected with malware. If this is associated with a sudden
increase in advertisements, you guessed it - you’ve got adware.

Adware isn’t only frustrating, it can also be dangerous. Often, adware will try to
trick you into granting it permissions on your Android so that it can display ads
no matter which app you are using. Worse, though, is that it may be stealing your
personal information including your banking credentials or contacts list.

The most common way that people’s phones become infected with adware is by
downloading apps from third-party or unknown sources. If you think you have
adware, remember - do NOT tap anywhere on the pop-ups!
Identification and Removal –
The method for identifying and removing adware on your smartphone is:

➢ The first thing to do when you spot adware on your phone would be to
reboot your phone in safe mode. Hold down the power button until the
shut down and reboot options appear. Then, press and hold the power
off menu item. This will bring up a new menu where you can choose to
reboot in safe mode, effectively disabling all third-party apps.
➢ Open your Android settings menu and scroll down to the 'Apps' entry.
Tap that and the list of installed apps should come up. Slowly go
through the list of installed apps and find the faulty one that triggered
the unwanted ads with its install. This could be anything, as adware
often hides in seemingly harmless apps, including games.
➢ The safest procedure would be to reboot your phone normally after
uninstalling each suspicious app and check for any persisting unwanted
ads. If the issue is not solved, repeat the safe mode reboot and uninstall
procedure.
➢ Make sure Play Protect is enabled. Once the faulty adware app has
been removed, the next step would be to make sure you have Play
Protect enabled. Play Protect is a malware protection service built into
the Google Play Store.
Your phone is now protected.
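The manual review above (and the remediation note for Android/PUP.Riskware.Autoins.Fota, which the Settings page only lets you disable) can be assisted from a computer with adb. The script below is an added example, not part of the original assignment: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their recorded installer), flags packages that did not come from the Play Store installer `com.android.vending`, and builds the `pm uninstall --user 0` command for each so an analyst can confirm and remove them. The package names in the sample output are constructed, and the trusted-installer list is an assumption you should adjust for devices that legitimately use another store.

```python
import re
from typing import Dict, List

# Installer package names treated as trusted app sources (assumption: Play Store only).
# Anything else, including "null" (no recorded installer, e.g. adb or a file manager),
# is flagged for review.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -3 -i` output: "package:<name>  installer=<installer|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Parse `adb shell pm list packages -3 -i` output into {package_name: installer}."""
    packages: Dict[str, str] = {}
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match.group("pkg")] = match.group("installer")
    return packages


def suspicious_packages(packages: Dict[str, str]) -> List[str]:
    """Third-party packages whose installer is not trusted, sorted for stable output."""
    return sorted(pkg for pkg, installer in packages.items()
                  if installer not in TRUSTED_INSTALLERS)


def removal_commands(packages: List[str]) -> List[str]:
    """Commands to remove each confirmed package for the primary user (user 0);
    the same command is the usual way to remove a pre-installed app that the
    Settings page only allows you to disable."""
    return [f"adb shell pm uninstall --user 0 {pkg}" for pkg in packages]


# Constructed sample output, not captured from a real device.
SAMPLE_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.fun.freegame  installer=com.android.chrome
package:com.sys.update.helper  installer=null
package:com.example.notes  installer=com.android.vending
"""


def triage(output: str = SAMPLE_OUTPUT) -> List[str]:
    """Full pipeline: parse the listing, keep untrusted installs, build removal commands."""
    return removal_commands(suspicious_packages(parse_pm_list(output)))


if __name__ == "__main__":
    for cmd in triage():
        print(cmd)
```

Feed it real output with `adb shell pm list packages -3 -i > pkgs.txt` and `triage(open("pkgs.txt").read())`. A browser or file-manager installer is exactly the "third-party or unknown source" the symptoms section warns about, so those entries are the first to check against the moment the ads started.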
Different Names –
The viruses which act the same as adware and follow the same principle but
have different names are: spyware, malware, spywares, keyloggers,
anti-spyware, Adaware, scumware and spyware-adware.
Some important adware families include gexin, batmobi, ewind, shedun,
pandaad, appad, dianjin, gmobi, hummingbird, mobisec, loki,
kyhub, and adcolony.
Malware 5 :-
Android/Backdoor
Backdoors act as hidden gateways into a smartphone. In other words,
backdoors are a way to bypass the authentication of a smartphone and raise
privileges, allowing the attacker to access the device at any time. Backdoors
facilitate the launch of remote attacks without physical access to the device.
They can be completely new programs or part of an existing one. It has been
observed in some cases that if users do not change the default passwords of
accounts they created on their device, these passwords can be used as
backdoors to inject malicious code for remotely controlling the device.

Behaviour –
Backdoor malware collects personal information from the phone,
sends/receives messages, makes phone calls and collects call history, collects
lists of installed and running applications, and creates memory space in the
device. In some severe cases, the backdoor is rooted to the Android device on
which it was installed. Attackers often use advertisement malware to lure the
users in. Once the user clicks the advertisement, a backdoor is installed on
their device. Backdoors can be installed in two different parts of your system:

• Hardware/firmware. Physical alterations that provide remote access
to your device.
• Software. Malware files that hide their tracks so your operating
system doesn’t know that another user is accessing your device.
Any malware that provides hackers access to your device can be
considered a backdoor — this includes rootkits, trojans, spyware,
cryptojackers, keyloggers, worms, and even ransomware.
In order for cybercriminals to successfully install a backdoor on your device,
they first need to gain access to your device, either through physical access, a
malware attack, or by exploiting a system vulnerability — here are some of the
more common vulnerabilities that hackers target:

• Open ports.
• Weak passwords.
• Out-of-date software.
• Weak firewalls.

Different kinds of commonly used backdoors are – Trojans, Rootkits,
Hardware backdoors, Cryptographic backdoors.

Protection against Backdoors –

Backdoors are difficult to detect. Everyday users can’t discover a backdoor
just by opening the Task Manager. But there are a few easy steps you can take
to keep your device safe from backdoor attacks, such as:

➢ Use an antivirus: Always use advanced antivirus software that can detect
and prevent a wide range of malware, including trojans, cryptojackers,
spyware, and rootkits.
➢ Download with care: Make sure to always download from official
websites, avoid pirate sites, and install an antivirus with real-time
protection that can flag malware files before you even download them onto
your system.
➢ Use a firewall: Firewalls are essential for anti-backdoor protection — they
monitor all incoming and outgoing traffic on your device.
➢ Use a password manager: Password managers generate and store login
information for all your accounts and even help you log into them
automatically. All of this information is securely encrypted using 256-bit AES
encryption and locked behind a master password.
➢ Monitor network activity: Any weird data spikes could mean someone is
using a backdoor on your system. To stop this, use firewalls to track inbound
and outbound activity from the various applications installed on your
computer.
Comparative Study –

| TROJAN | ADWARE |
|---|---|
| Trojan Horse is a form of malware that captures some important information about a computer system or a computer network. | Adware is similar to spyware and it can be both intrusive and difficult to eradicate. |
| The main objective of the trojan horse is to control the activity of the system. | The main objective of adware is to monitor your interests and display relevant ads. |
| Trojan horses are detected by the antivirus software. | Adware can be detected and removed by the antivirus program. |
| It also gives unauthorized access and control of the system to the hackers. | It provides profit to the developer by generating online advertisements. |
| It is more harmful as compared. | Adware is less harmful. |
| Trojan horses are executed through a program and interpreted as utility software. | It is unknowingly attached with free-to-use software, distributed through pop-up windows. |
| Back Orifice, Rootkit and Beast Trojan are some of the common Trojan horses. | Fireball, Appearch, Gator and DollarRevenue are some of the examples of adware. |
| TROJAN | RANSOMWARE |
|---|---|
| Trojan Horse is a form of malware that captures some important information about a computer system or a computer network. | Ransomware is a form of malware designed to block access to the system until a ransom fee is paid. |
| The main objective of the Trojan horse is to steal the information. | The main objective of ransomware is to take money by gaining access. |
| It is generally installed on the system as legitimate and useful software. | It is generally spread through phishing emails having malicious attachments. |
| It is installed for malicious purposes. | It is installed for commercial purposes. |
| It can give unauthorized access and control of the system to the hackers. | It provides profit to the ransomware programmers by getting money from the user for unlocking the system. |
| Back Orifice, Rootkit and Beast Trojan are some of the common Trojan horses. | Crypto, WannaCry, Cerber and Locker are some of the examples of ransomware. |
| It is less harmful as compared. | It is more harmful. |


Conclusion –
This article brings forward the fundamentals of different malware families
and the malicious behaviour these families exhibit on the target device,
i.e. the different apps and games present on an Android smartphone. We
established important indicators of compromise that point to the phone or
the software being infected by these malware families. Based on the public
dataset given above and the brief discussion of the different malwares, we
set out the technical features that are useful for detecting these families.
Finally, the article introduces preventive measures to protect the device.
