Abstract
After analyzing several Android mobile banking trojans, we observed the presence of repetitive artifacts that describe valuable information about the distribution of this class of malicious apps. Motivated by the high threat level posed by mobile banking trojans and by the lack of publicly available analysis and intelligence tools, we automated the extraction of such artifacts and created a malware tracker named DroydSeuss. DroydSeuss first processes applications both statically and dynamically, extracting relevant strings that contain traces of communication endpoints. Second, it prioritizes the extracted strings based on the APIs that manipulate them. Finally, DroydSeuss correlates the endpoints with descriptive metadata from the samples, providing aggregated statistics, raw data, and cross-sample information that allow researchers to pinpoint relevant groups of applications.
We connected DroydSeuss to the VirusTotal daily feed, consuming Android samples that perform banking-trojan activity. We manually analyzed its output and found supporting evidence to confirm its correctness. Remarkably, the most frequent itemset unveiled a campaign currently spreading against Chinese and Korean bank customers.
Although motivated by mobile banking trojans, DroydSeuss can be used to analyze the communication behavior of any suspicious application.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Zeus tracker. https://zeustracker.abuse.ch/
Alexa top 1M (2015). http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
HostIP (2015). www.hostip.info
IP to ASN mapping (2015). http://www.team-cymru.org/IP-ASN-mapping.html
PassiveTotal (2015). https://www.passivetotal.org
Andrototal.org: (Another) Android trojan scheme using Google Cloud Messaging (2015). http://blog.andrototal.org/post/89637972097/another-android-trojan-scheme-using-google-cloud
Lehtiö, A.: C&C-as-a-service: abusing third-party web services as C&C channels (2015). https://www.virusbtn.com/conference/vb2015/abstracts/R-Lehtio.xml
Chebyshev, V., Unuchek, R.: Mobile malware evolution: 2013 (2014). http://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013
Delosières, L., Baltatu, M.: D2.3 lightweight malware detector. Technical report, Enhanced Network Security for Seamless Service Provisioning in the Smart Mobile Ecosystem (2012). http://www.nemesys-project.eu/nemesys/files/document/deliverables/NEMESYS_Deliverable_D2.3.pdf
Heyman, A.: First SpyEye attack on Android mobile platform now in the wild (2011). http://www.trusteer.com/cn/node/360
Hipp, J., Güntzer, U., Nakhaeizadeh, G.: Algorithms for association rule mining - a general survey and comparison. SIGKDD Explor. Newsl. 2(1), 58–64 (2000). http://doi.acm.org/10.1145/360402.360421
Kafeine: Nitmo? no!dotsjust “iBanking” used by a (the?) neverquest/vawtrak team (2013). http://malware.dontneedcoffee.com/2013/12/nitmo-no-just-ibanking-used-by-the.html
Lindorfer, M., et al.: AndRadar: fast discovery of Android applications in alternative markets. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 51–71. Springer, Cham (2014). doi:10.1007/978-3-319-08509-8_4
Loetprasoetsit, A.: Csd 2013 sso_session_2_14112013 (2013). http://www.slideshare.net/nozumutee/csd-2013-ssosession214112013
Siewierski, Ł.: Tweet by maldr0id (2015). https://twitter.com/maldr0id/status/595953612032991232
Meller, I.: F5SOC iBanking malware analysis report. Technical report. https://devcentral.f5.com/d/f5soc-ibanking-malware-analysis-report
Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of Android malware. In: Proceedings of the Seventh European Workshop on System Security, EuroSec 2014, pp. 5:1–5:6. ACM, New York (2014). http://doi.acm.org/10.1145/2592791.2592796
PhishReported: Submission #1531388 - http://kundencenter-accountservice.com (2015). http://www.phishtank.com/phish_detail.php?phish_id=1531388
Spasojevic, B.: Android.zeusmitmo (2012). http://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99&tabid=2
Van Der Veen, V.: Dynamic analysis of Android malware. Ph.D. thesis (2013). http://tracedroid.few.vu.nl/thesis.pdf
Vidas, T., Christin, N.: Evading Android runtime analysis via sandbox detection. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2014, pp. 447–458. ACM, New York (2014). http://doi.acm.org/10.1145/2590296.2590325
Acknowledgments
The authors are thankful to the reviewers and to MIUR FACE Project No. RBFR13AJFT and Reply CV for supporting this work.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 International Financial Cryptography Association
About this paper
Cite this paper
Coletta, A., van der Veen, V., Maggi, F. (2017). DroydSeuss: A Mobile Banking Trojan Tracker (Short Paper). In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science(), vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_14
Download citation
DOI: https://doi.org/10.1007/978-3-662-54970-4_14
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-54969-8
Online ISBN: 978-3-662-54970-4
eBook Packages: Computer ScienceComputer Science (R0)