DroydSeuss: A Mobile Banking Trojan Tracker (Short Paper)

  • Conference paper
  • Financial Cryptography and Data Security (FC 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9603)

Abstract

After analyzing several Android mobile banking trojans, we observed recurring artifacts that carry valuable information about how this class of malicious apps is distributed. Motivated by the high threat level posed by mobile banking trojans and by the lack of publicly available analysis and intelligence tools, we automated the extraction of such artifacts and created a malware tracker named DroydSeuss. DroydSeuss first processes applications both statically and dynamically, extracting relevant strings that contain traces of communication endpoints. Second, it prioritizes the extracted strings based on the APIs that manipulate them. Finally, DroydSeuss correlates the endpoints with descriptive metadata from the samples, providing aggregated statistics, raw data, and cross-sample information that allow researchers to pinpoint relevant groups of applications.

We connected DroydSeuss to the VirusTotal daily feed, consuming Android samples that perform banking-trojan activity. We manually analyzed its output and found supporting evidence to confirm its correctness. Remarkably, the most frequent itemset unveiled a campaign currently spreading against Chinese and Korean bank customers.

Although motivated by mobile banking trojans, DroydSeuss can be used to analyze the communication behavior of any suspicious application.
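The three-stage pipeline the abstract describes (extract endpoint-like strings, prioritize them by the API that consumes them, then mine endpoint sets shared across samples and attach sample metadata), worked through as an added example. This is not DroydSeuss's code: the smali-style snippets, sample ids, URLs, IP address, phone number, sink list, benign-host allowlist and metadata are all constructed for the illustration, and the scoring and itemset thresholds are the example's own assumptions.

```python
"""Endpoint tracker sketch in the spirit of the pipeline the abstract describes:
(1) pull candidate endpoints out of app strings, (2) rank them by the API that
consumes them, (3) mine endpoints shared across samples and attach metadata.
Added example, not the authors' code; every sample, id, URL, IP and phone
number below is constructed for this illustration."""
import re
from collections import Counter
from itertools import combinations

# Constructed smali-style disassembly for three invented APKs (keys stand in
# for sample hashes). Static extraction would read these from the dex; dynamic
# extraction would append strings observed at runtime to the same lists.
SAMPLES = {
    "a1b2": [
        'const-string v0, "http://panel.example-c2.test/gate.php"',
        'invoke-direct {v1, v0}, Ljava/net/URL;-><init>(Ljava/lang/String;)V',
        'const-string v2, "+10005550100"',
        'invoke-virtual {v3, v2, v4, v5, v6, v7}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V',
        'const-string v8, "http://schemas.android.com/apk/res/android"',
    ],
    "c3d4": [
        'const-string v0, "http://panel.example-c2.test/gate.php"',
        'invoke-direct {v1, v0}, Lorg/apache/http/client/methods/HttpPost;-><init>(Ljava/lang/String;)V',
        'const-string v1, "203.0.113.7"',
        'invoke-direct {v2, v1, v3}, Ljava/net/Socket;-><init>(Ljava/lang/String;I)V',
    ],
    "e5f6": [
        'const-string v0, "203.0.113.7"',
        'invoke-direct {v2, v0, v3}, Ljava/net/Socket;-><init>(Ljava/lang/String;I)V',
        'const-string v4, "http://panel.example-c2.test/gate.php"',
        'invoke-direct {v5, v4}, Ljava/net/URL;-><init>(Ljava/lang/String;)V',
        'const-string v6, "http://stale.example-c2.test/old.php"',  # never consumed
        'const-string v7, "Please enter your PIN"',
    ],
}
# Constructed per-sample metadata of the kind a daily feed would supply.
METADATA = {
    "a1b2": {"label": "Trojan-Banker.AndroidOS.Example.a", "first_seen": "2015-05-01"},
    "c3d4": {"label": "Trojan-Banker.AndroidOS.Example.b", "first_seen": "2015-05-03"},
    "e5f6": {"label": "Trojan-Banker.AndroidOS.Example.a", "first_seen": "2015-05-09"},
}

CONST_RE = re.compile(r'const-string v(\d+), "([^"]*)"')
INVOKE_RE = re.compile(r"invoke-\w+ \{([^}]*)\}, (L[^(]+)")
URL_RE = re.compile(r'^https?://[^\s"]+$')
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")          # SMS C&C numbers (E.164-like)
# Sinks that turn a string into a network or SMS endpoint (assumed list).
SINKS = {
    "Ljava/net/URL;-><init>",
    "Ljava/net/Socket;-><init>",
    "Lorg/apache/http/client/methods/HttpPost;-><init>",
    "Landroid/telephony/SmsManager;->sendTextMessage",
}
BENIGN_HOSTS = ("schemas.android.com", "www.w3.org")   # assumed allowlist


def classify(value):
    """Endpoint shape of a string ("url", "ip", "phone"), or None if not endpoint-like."""
    if any(h in value for h in BENIGN_HOSTS):
        return None
    for kind, rx in (("url", URL_RE), ("ip", IPV4_RE), ("phone", PHONE_RE)):
        if rx.match(value):
            return kind
    return None


def extract_endpoints(lines, window=3):
    """Map endpoint-like strings to a priority score: 1 for shape alone, 3 when the
    register holding the string reaches a known sink within `window` lines."""
    scores = {}
    for i, line in enumerate(lines):
        m = CONST_RE.match(line.strip())
        if not m or classify(m.group(2)) is None:
            continue
        reg, value = "v" + m.group(1), m.group(2)
        score = 1
        for later in lines[i + 1:i + 1 + window]:
            inv = INVOKE_RE.search(later)
            if inv and inv.group(2) in SINKS and reg in inv.group(1).replace(" ", "").split(","):
                score = 3
                break
        scores[value] = max(score, scores.get(value, 0))
    return scores


def prioritized(samples, min_score=3):
    """Per-sample set of endpoints that actually flow into a sink."""
    return {sid: {e for e, s in extract_endpoints(lines).items() if s >= min_score}
            for sid, lines in samples.items()}


def frequent_itemsets(kept, min_support=2, max_size=2):
    """Apriori-style support count of endpoint sets shared by >= min_support samples."""
    support = Counter()
    for endpoints in kept.values():
        for k in range(1, max_size + 1):
            support.update(combinations(sorted(endpoints), k))
    return {items: n for items, n in support.items() if n >= min_support}


def correlate(itemsets, kept, metadata):
    """Attach sample ids and metadata to each frequent itemset (a candidate campaign)."""
    return {items: [(sid, metadata[sid]["label"], metadata[sid]["first_seen"])
                    for sid, eps in sorted(kept.items()) if set(items) <= eps]
            for items in itemsets}


if __name__ == "__main__":
    kept = prioritized(SAMPLES)
    for items, members in correlate(frequent_itemsets(kept), kept, METADATA).items():
        print(len(members), "samples share", items, "->", members)
```

The prioritization step is what keeps the output useful: the stale URL in the third sample has the right shape but never reaches a sink, so it is scored 1 and dropped before itemset mining, while the gate URL and the IP address that two samples both hand to a socket or HTTP client surface together as the most frequent pair, the kind of cross-sample signal the abstract reports for the campaign it found.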

Acknowledgments

The authors are thankful to the reviewers and to MIUR FACE Project No. RBFR13AJFT and Reply CV for supporting this work.

Corresponding author: Alberto Coletta

Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Coletta, A., van der Veen, V., Maggi, F. (2017). DroydSeuss: A Mobile Banking Trojan Tracker (Short Paper). In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science(), vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_14

  • DOI: https://doi.org/10.1007/978-3-662-54970-4_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-54969-8

  • Online ISBN: 978-3-662-54970-4

  • eBook Packages: Computer Science (R0)