Harvester Wakes “Sleeper” Malware
Hackers and cyber criminals are using “sleeper” malware more and more to hide malicious code for mobile devices in apps. This “sleeper” malware does nothing initially. After a certain amount of time or predetermined action, though, it becomes active - making its recognition very difficult. Therefore, security researchers at the TU Darmstadt and Fraunhofer Institute for Secure Information Technology have developed the analysis tool Harvester, which helps security analysts uncover malicious “sleeper” code in Android apps within minutes.
Millions of Android devices are already infected with mobile “sleeper” malicious code, also known as timing bombs - at first glance it looks like normal software. Its destructive potential is not realized until after a longer incubation period. For smartphone users, determining the actual cause of delayed attacks is then difficult. A current example is the banking Trojan BadAccent, a two-level malicious code that infects smartphones when an allegedly pirated copy of the film “The Interview” is downloaded onto them. Individual components within BadAccent then become active under certain circumstances, for instance when the smartphone receives specific commands via text message.
For security analysts, e.g. anti-virus specialists, malicious sleeper code that is only activated in particular contexts poses problems as well. Every day they have to check thousands of new apps to see if they could be harmful, leaving only minutes to analyze each individual app. But to uncover a sleeper app, an analyst would have to perform an analysis for days and simulate all possible contexts as well as combinations of them. This is because one cannot know what activates the malicious code prior to discovering it. In order to find sleeper apps faster, IT security experts at the Technical University of Darmstadt and Fraunhofer SIT have developed the analysis tool Harvester. This tool uses a unique combination of software-analysis techniques as well as code translation; in doing so, it saves security analysts a great deal of time.
Harvester does not examine the original app’s entire code. Instead, it analyzes suspicious places in the program. To do this, the software uses a special static analysis process known as “backwards slicing” or “program slicing”. With the help of this tool, analysts can simply extract the part of the code they would like to learn more about – everything else is easily set aside. As a result, such malicious code is executed directly, and while waiting periods and event filters are removed from the app. When malicious code is found, Harvester can also completely automatically extract important information (telephone numbers, text message content, encryption keys, URLs, etc.) from the harmful Android code with which the analyst can then determine the type and source of the malware. Harvester needs only about a minute for the partial analysis of program code. This was confirmed through experiments with more than 13,500 common malware examples, which the experts at the TU Darmstadt and Fraunhofer SIT conducted.
The testing tool even works when the harmful app’s code is heavily cloaked or other anti-analysis techniques have been used. A basic version of the tool is available as an open source tool for scientific purposes. Companies can license a version with extended functionality for commercial use. Harvester is part of an analysis framework currently being developed in Darmstadt. With this framework, Android code can be examined extremely quickly and easily.