WEBVTT 1 00:00:00.080 --> 00:00:04.160 Welcome to the dep dive Today. We're jumping straight into 2 00:00:04.160 --> 00:00:07.000 a topic that's relevant to pretty much everyone listening, the 3 00:00:07.040 --> 00:00:10.960 world of android malware. Think of it as those digital 4 00:00:11.080 --> 00:00:14.759 pests that can really mess with your smartphone experience. Yeah, definitely, 5 00:00:15.119 --> 00:00:18.960 why God is digging into this well, honestly, just a 6 00:00:19.039 --> 00:00:23.359 simple desire to be better informed, more secure as our 7 00:00:23.399 --> 00:00:26.160 lives get more and more digital. Makes sense, And when 8 00:00:26.199 --> 00:00:29.199 you actually pause to consider it, the sheer size of 9 00:00:29.239 --> 00:00:34.200 the Android universe is just staggering, billions of devices globally 10 00:00:34.320 --> 00:00:37.960 right managing everything from social media to bank accounts. 11 00:00:38.039 --> 00:00:42.600 Absolutely, that scale makes it a massive, very tempting target 12 00:00:42.640 --> 00:00:45.719 for cyber criminals. The widespread use that different things phones 13 00:00:45.759 --> 00:00:48.799 do now, it creates to prime environment for them exactly. 14 00:00:48.840 --> 00:00:52.280 And to help us make sense of this sometimes complicated area, 15 00:00:52.359 --> 00:00:56.159 we've got a fantastic resource, the Android Malware Handbook. Right now, 16 00:00:56.159 --> 00:00:59.399 This isn't some like dry textbook. It's a really comprehensive 17 00:00:59.439 --> 00:01:03.359 look put together by experts at Meta and Google. You know, 18 00:01:03.600 --> 00:01:05.519 the folks actively fighting. 19 00:01:05.200 --> 00:01:06.840 These threats, the ones on the front lines. 20 00:01:07.079 --> 00:01:09.920 Yeah, their aim with this handbook is basically to equip 21 00:01:09.920 --> 00:01:13.239 people with the know how to understand and spot Android malware. 22 00:01:13.560 --> 00:01:15.319 It's kind of like getting an insider's view. 23 00:01:15.400 --> 00:01:18.719 This is a significant piece of work, Yeah, connecting deep 24 00:01:18.799 --> 00:01:22.439 research with practical steps for better security. 25 00:01:23.040 --> 00:01:25.159 So our mission today and you're already part of it 26 00:01:25.239 --> 00:01:27.560 just by listening, is to pull out the most important 27 00:01:27.560 --> 00:01:30.719 insights from this handbook. We're going to explore how Android 28 00:01:30.719 --> 00:01:34.799 malware has, you know, changed over time devolution, right, what 29 00:01:34.920 --> 00:01:37.760 the common attack methods are, and really get a handle 30 00:01:37.840 --> 00:01:40.599 on this ongoing back and forth between the attackers and 31 00:01:40.640 --> 00:01:44.680 the security experts cat mouse game exactly. The goal is 32 00:01:44.719 --> 00:01:46.879 to give you useful knowledge so you can navigate the 33 00:01:46.920 --> 00:01:52.079 digital world more confidently without needing like a computer science degree. Okay, 34 00:01:52.239 --> 00:01:53.079 let's get into it. 35 00:01:53.159 --> 00:01:56.159 Okay, So the handbook points out that the first identified 36 00:01:56.159 --> 00:02:00.439 piece of Android malware appeared relatively soon after the platform launched. 37 00:02:00.719 --> 00:02:02.040 We're talking around twenty eleven. 38 00:02:02.280 --> 00:02:05.000 Wow, that's surprisingly fast. You'd think it would take a 39 00:02:05.040 --> 00:02:07.079 bit longer for people to figure out how to exploit 40 00:02:07.120 --> 00:02:07.760 a new system. 41 00:02:08.080 --> 00:02:10.599 Well, what's really interesting is the driving force behind it 42 00:02:10.919 --> 00:02:14.599 right from the start, Unlike say early PC malware, where 43 00:02:14.599 --> 00:02:17.280 there was maybe this element of technical curiosity like what 44 00:02:17.319 --> 00:02:17.879 can we do? 45 00:02:18.000 --> 00:02:19.159 Yeah, exploring the limits. 46 00:02:19.439 --> 00:02:23.280 Pretty much all known Android malware right from the beginning 47 00:02:23.560 --> 00:02:26.039 seems to have been primarily motivated. 48 00:02:25.520 --> 00:02:30.879 By profit, So less digital graffiti and more straight up 49 00:02:30.919 --> 00:02:34.319 trying to make money. That fundamental difference that tells you a. 50 00:02:34.319 --> 00:02:38.400 Lot precisely, And as Google's Android security team started, you know, 51 00:02:38.680 --> 00:02:41.520 putting up safeguards to keep the official Google Play store secure, 52 00:02:42.159 --> 00:02:45.360 the malware creators adapted pretty quickly. They didn't just give up, No, 53 00:02:45.400 --> 00:02:49.080 they shifted strategies. It's that constant cycle, you know, reaction 54 00:02:49.199 --> 00:02:50.479 and counter reaction. 55 00:02:50.280 --> 00:02:52.439 Right, So how did they try to get around Google's 56 00:02:52.439 --> 00:02:54.159 protections then? What were the main ways? 57 00:02:54.240 --> 00:02:57.800 Well, several key approaches popped up. One was developing methods 58 00:02:58.280 --> 00:03:03.759 specifically designed to evade Google Play's own malware detection systems, 59 00:03:04.439 --> 00:03:07.840 getting sneakier about hiding code or delaying when it runs. 60 00:03:08.360 --> 00:03:11.520 Another big route was distributing apps through third party app 61 00:03:11.520 --> 00:03:13.879 stores websites, what we often call side. 62 00:03:13.599 --> 00:03:16.680 Loading, right installing outside the official channel exactly. 63 00:03:17.159 --> 00:03:20.639 That needed different tactics, more focus on tricking users into 64 00:03:21.000 --> 00:03:26.319 installing from those sources, and maybe the most disturbing, there 65 00:03:26.319 --> 00:03:30.879 were efforts to get malware pre installed right onto devices 66 00:03:30.919 --> 00:03:31.800 during manufacturing. 67 00:03:32.120 --> 00:03:35.400 Pre installed malware. That sounds like a huge breach of trust. 68 00:03:35.639 --> 00:03:37.680 You buy a new phone, you expect it to be clean. 69 00:03:37.919 --> 00:03:40.000 It really highlights how far they were willing to go, 70 00:03:40.360 --> 00:03:44.199 even setting up like seemingly legitimate companies to fool the 71 00:03:44.240 --> 00:03:45.400 device manufacturers. 72 00:03:45.479 --> 00:03:47.840 Wow, Okay, that gives us a good overview of the 73 00:03:47.879 --> 00:03:51.400 early days. Now let's get into the specifics. What kinds 74 00:03:51.439 --> 00:03:53.719 of malware are we actually seeing on Android? How do 75 00:03:53.800 --> 00:03:57.120 they work? The handbook breaks down some common categories, right. 76 00:03:57.080 --> 00:03:59.719 Yes, it does. One of the earliest and still pretty 77 00:03:59.719 --> 00:04:03.560 common types is SMS fraud. Okay. This involves apps sending 78 00:04:03.599 --> 00:04:06.039 text messages to those premium short codes. 79 00:04:06.319 --> 00:04:08.960 Ah yeah, the ones that charge you extra for voting 80 00:04:09.000 --> 00:04:10.879 on TV shows or something exactly. 81 00:04:10.919 --> 00:04:14.759 Those but used for deceptive stuff like fake donations or 82 00:04:15.039 --> 00:04:19.279 unwanted subscriptions. And these apps often do it silently, how 83 00:04:19.360 --> 00:04:22.040 so they send messages in the background, maybe suppress the 84 00:04:22.079 --> 00:04:25.720 notifications so you, the user might not even know until 85 00:04:25.720 --> 00:04:26.600 you get your phone bill. 86 00:04:26.879 --> 00:04:31.519 That's incredibly sneaky. Did the handbook mention specific examples? 87 00:04:31.600 --> 00:04:35.399 It did. Cricket Land and Beekeeper were two early big 88 00:04:35.600 --> 00:04:39.879 SMS fraud families. Cricket Land mainly hit users in Vietnam. 89 00:04:40.240 --> 00:04:43.959 Beekeeper focused more on Russia, and interestingly, cricket Land wasn't 90 00:04:43.959 --> 00:04:46.759 really documented publicly before this handbook. 91 00:04:46.480 --> 00:04:50.120 So the handbook is even bringing some previously lesser known 92 00:04:50.120 --> 00:04:52.879 threats to light. What was cricketland doing well? 93 00:04:52.879 --> 00:04:55.759 It became known for SMS fraud, but its initial versions 94 00:04:55.800 --> 00:04:58.800 actually function more like spyware. Yeah, often hidden in normal 95 00:04:58.839 --> 00:05:02.199 looking apps. I only grab the user's contact list and 96 00:05:02.240 --> 00:05:04.720 send it off to a remote server, no permission asks. 97 00:05:04.759 --> 00:05:05.079 Wow. 98 00:05:05.120 --> 00:05:07.319 The Android security team actually named it after one of 99 00:05:07.360 --> 00:05:10.720 its internal software parts. So even early on you see 100 00:05:10.720 --> 00:05:13.879 this mixed deception for money but also data harvesting. 101 00:05:14.079 --> 00:05:18.439 Okay, so it shifted tactics. Speaking of spyware, that sounds 102 00:05:18.480 --> 00:05:21.000 even more invasive than just SMS fraud. What's the main 103 00:05:21.040 --> 00:05:21.560 goal there? 104 00:05:21.800 --> 00:05:25.040 Yeah, the main aim of spyware is just that secretly 105 00:05:25.120 --> 00:05:29.000 collecting sensitive user data without consent, without you knowing. For 106 00:05:29.079 --> 00:05:32.600 cricket Land, it started with contacts. The handbook also mentions 107 00:05:33.120 --> 00:05:37.279 doogle Leaker. Yeah, a spyware family with a narrower goal, 108 00:05:37.639 --> 00:05:41.519 apparently mapping social connections in Japan again by collecting contact lists. 109 00:05:41.680 --> 00:05:44.360 So less about instant cash, more about gathering intel. 110 00:05:44.399 --> 00:05:47.160 Maybe that seems to be the idea of their and 111 00:05:47.199 --> 00:05:49.639 the handbook makes a really interesting connection between this kind 112 00:05:49.680 --> 00:05:52.319 of data collection and the rise of what it calls 113 00:05:52.759 --> 00:05:55.720 financial anti fraud SDKs. 114 00:05:56.120 --> 00:05:59.079 SDK's software development kits like toolkits for. 115 00:05:59.079 --> 00:06:02.920 App developers, exactly things like loan spy, which got baked 116 00:06:02.920 --> 00:06:05.360 into lending apps, especially in Southeast Asia. 117 00:06:05.120 --> 00:06:08.240 Anti fraud SDKs. That sounds helpful on the surface, and 118 00:06:08.240 --> 00:06:08.920 that's the catch. 119 00:06:09.360 --> 00:06:12.560 While they look legit maybe supposed to prevent loan fraud, 120 00:06:13.319 --> 00:06:16.920 these SDKs often gather way way more data than needed, 121 00:06:17.439 --> 00:06:21.639 excessively so well. Loanspy, for instance, was found accessing WhatsApp messages. 122 00:06:22.399 --> 00:06:25.439 It did this by misusing Android's accessibility features. 123 00:06:25.680 --> 00:06:28.360 Hold on accessibility features, aren't those meant to help people 124 00:06:28.399 --> 00:06:29.879 with disabilities use their phones? 125 00:06:30.040 --> 00:06:33.120 They are, but they can be powerful, and in this case, 126 00:06:33.399 --> 00:06:36.480 they were exploited to basically snoop on private chats. 127 00:06:36.680 --> 00:06:41.160 Wow, accessing WhatsApp messages. That's a massive privacy violation, and 128 00:06:41.279 --> 00:06:42.519 loan spy was common. 129 00:06:42.759 --> 00:06:46.480 The handbook says its reach was comparable to actual malware networks, 130 00:06:46.920 --> 00:06:49.040 partly because of the high demand for loans in the 131 00:06:49.079 --> 00:06:53.879 region needing identity verification. It's a sobering example. Really, something 132 00:06:53.959 --> 00:06:57.480 looking like security turns into a huge privacy threat operating 133 00:06:57.480 --> 00:06:58.079 at scale. 134 00:06:58.199 --> 00:07:01.759 That is sobering. Okay, let's move on to another classic trojans. 135 00:07:02.319 --> 00:07:04.839 We all know the story The Wooden Horse. How does 136 00:07:04.839 --> 00:07:05.920 that play out on Android? 137 00:07:06.480 --> 00:07:09.839 Very similar concept. Android trojans look harmless, maybe they even 138 00:07:09.879 --> 00:07:14.439 clone of popular apps appearance, but they hide malicious functions inside. 139 00:07:14.160 --> 00:07:15.720 So they trick you into letting them in. 140 00:07:16.040 --> 00:07:18.439 Right, They have that innocent looking part to gain your 141 00:07:18.480 --> 00:07:21.360 trust while the bad stuff happens secretly in the background. 142 00:07:21.639 --> 00:07:24.920 Did the handbook mention common ways they get onto devices? 143 00:07:25.199 --> 00:07:28.279 Yes, A very effective trick is publishing a clean app. First, 144 00:07:28.959 --> 00:07:32.120 get it onto Google Play, pass the checks build up, some. 145 00:07:32.199 --> 00:07:35.279 Users establish legitimacy. 146 00:07:34.879 --> 00:07:38.800 Then later push an update that contains the malware. Users 147 00:07:38.800 --> 00:07:40.040 trust the app they already have. 148 00:07:40.160 --> 00:07:43.759 They hit update and boom. That's really sneaky building trust 149 00:07:43.959 --> 00:07:47.160 just to break it. Are there other kinds of crogan 150 00:07:47.240 --> 00:07:49.199 behavior highlighted absolutely? 151 00:07:49.560 --> 00:07:53.240 Some manipulate online reviews. They download fake positive reviews from 152 00:07:53.240 --> 00:07:57.079 a server and post them to boost app ratings artificially. 153 00:07:57.800 --> 00:08:00.839 Often involves managing lots of fake accounts. Huh, and the 154 00:08:00.839 --> 00:08:05.439 handbook also mentioned some proxy network apps behaving like trojans. 155 00:08:05.160 --> 00:08:08.079 Proxy networks like VPNs that make it look like you're 156 00:08:08.079 --> 00:08:09.680 browsing from somewhere else sort of. 157 00:08:09.800 --> 00:08:13.040 Yeah, some less than reputable VPN companies create these proxy 158 00:08:13.240 --> 00:08:17.959 SDKs those developer tools again and pay popular app developers. 159 00:08:17.519 --> 00:08:20.360 To include them, and the user has no idea. 160 00:08:19.759 --> 00:08:22.720 Often not. Their device then becomes an exit point for 161 00:08:22.800 --> 00:08:25.920 other people's Internet traffic, which could mean illegal stuff is 162 00:08:25.920 --> 00:08:27.800 getting routed through your phone without you knowing. 163 00:08:28.000 --> 00:08:30.519 Okay, so your phone could unknowingly be part of some 164 00:08:30.759 --> 00:08:34.720 shady network. That's another big risk. What about phishing? We 165 00:08:34.720 --> 00:08:36.759 hear about email phishing all the time. How does it 166 00:08:36.799 --> 00:08:37.600 work on Android? 167 00:08:37.759 --> 00:08:41.919 Well, messaging and communication apps are prime territory attackers and 168 00:08:42.039 --> 00:08:45.480 beid malicious links and messages, texts, whatever. 169 00:08:45.320 --> 00:08:47.120 And use social engineering to get you to. 170 00:08:47.080 --> 00:08:51.399 Click exactly psychological tricks. The links might go to fake 171 00:08:51.480 --> 00:08:54.360 login pages to steal your passwords, or to sites that 172 00:08:54.399 --> 00:08:56.120 trick you into downloading more malware. 173 00:08:56.320 --> 00:08:59.519 Simple but effective. Was there a more technical phishing example 174 00:08:59.519 --> 00:09:00.000 in the book? 175 00:09:00.159 --> 00:09:04.960 There was, Yeah, involving something called OMACP. It's basically a 176 00:09:04.960 --> 00:09:08.919 way for mobile carriers to send configuration settings to your phone. 177 00:09:08.759 --> 00:09:10.519 Remotely like network settings. 178 00:09:10.600 --> 00:09:13.679 Right, malware could steal your phone's unique ID, send it 179 00:09:13.679 --> 00:09:16.120 to a server, and that server could then send your 180 00:09:16.159 --> 00:09:20.720 phone especially crafted OMACP message. This message would insert a 181 00:09:20.799 --> 00:09:24.159 proxy setting to intercept your data like logging credentials. 182 00:09:24.320 --> 00:09:28.399 Wow, that's intricate, exploiting carrier level. So okay, let's talk 183 00:09:28.399 --> 00:09:31.080 privileged escalation. Sounds like apps trying to get more power 184 00:09:31.080 --> 00:09:31.679 than they should. 185 00:09:31.919 --> 00:09:35.200 That's exactly it. They try to disable security features like 186 00:09:35.480 --> 00:09:39.000 Google play Protect, maybe by exploiting system permissions like right 187 00:09:39.080 --> 00:09:42.360 secure settings, or they fiddle with system settings to weaken 188 00:09:42.440 --> 00:09:43.480 security overall. 189 00:09:43.759 --> 00:09:44.360 Wow. 190 00:09:44.399 --> 00:09:49.200 Some execute shell commands directly or manipulate settings like package 191 00:09:49.279 --> 00:09:52.799 verifying or onnable. That's the one controlling malware scanning, so. 192 00:09:52.919 --> 00:09:56.639 Actively trying to shut down the phone's defenses. The handbook 193 00:09:56.679 --> 00:09:58.159 mentioned upload Barnkennel two. 194 00:09:58.519 --> 00:10:01.879 Yes, that setting can trolls whether your device sends app 195 00:10:01.919 --> 00:10:05.399 samples back to Google play Protect to help find new malware. 196 00:10:05.799 --> 00:10:08.120 So attackers might try to turn that off to slow 197 00:10:08.120 --> 00:10:09.039 down their own detection. 198 00:10:09.159 --> 00:10:11.720 Makes sense. Hep Google in the dark longer. 199 00:10:11.360 --> 00:10:14.759 And it gets worse. Some malware even includes rooting tools. 200 00:10:14.960 --> 00:10:17.720 Rooting like gaining admin control over the. 201 00:10:17.639 --> 00:10:21.200 Whole system precisely, which basically blows security wide open. They 202 00:10:21.279 --> 00:10:23.360 might use that root access to make it easier for 203 00:10:23.440 --> 00:10:26.600 other malicious apps to steal really sensitive stuff like your 204 00:10:26.639 --> 00:10:27.720 Google account tokens. 205 00:10:27.799 --> 00:10:30.320 So it's like one piece of malware opens the door 206 00:10:30.360 --> 00:10:34.240 for others. Nasty. Now, ransomware, we hear about that constantly 207 00:10:34.279 --> 00:10:36.519 on PCs. Is it a big deal on Android too? 208 00:10:36.840 --> 00:10:39.879 It definitely exists on Android. Same goal, lock up your 209 00:10:39.960 --> 00:10:43.279 data or your whole device and demand money to get 210 00:10:43.279 --> 00:10:43.639 it back. 211 00:10:43.799 --> 00:10:44.000 Right. 212 00:10:44.080 --> 00:10:47.960 Handbook distinguishes between lockers they just lock your screen, and 213 00:10:48.080 --> 00:10:51.799 cryptors which actually encrypt your files, photos, everything, And sometimes 214 00:10:51.799 --> 00:10:53.840 you get crypto lockers that do both and. 215 00:10:53.720 --> 00:10:57.840 That encrypt xfiltrate leak strategy we see on PCs. Is 216 00:10:57.879 --> 00:10:59.320 that happening on Android. 217 00:10:59.240 --> 00:11:03.879 Yes, increase So the modern approach this el strategy. They 218 00:11:03.919 --> 00:11:06.120 encrypt your stuff and they steal a copy, and they 219 00:11:06.159 --> 00:11:09.000 threaten to release it publicly if you don't pay double distortion. 220 00:11:10.000 --> 00:11:13.879 The handbook mentioned simplocker as an early Android example. Apparently 221 00:11:14.000 --> 00:11:17.279 used a pretty basic encryption method, just incrementing byte values 222 00:11:17.360 --> 00:11:20.240 or something simple but still enough to cause panic. 223 00:11:20.360 --> 00:11:23.919 I bet simple but effective. Okay, denial of service DOS attacks. 224 00:11:24.360 --> 00:11:27.480 Usually we think of websites being taken down. Can Android 225 00:11:27.480 --> 00:11:28.360 phones be involved? 226 00:11:28.360 --> 00:11:32.440 Absolutely? Well, maybe not. The main goal for malware targeting individuals. 227 00:11:32.799 --> 00:11:35.159 Infected Android devices can be pulled into. 228 00:11:35.039 --> 00:11:37.600 Botnets networks of zombie devices. 229 00:11:37.399 --> 00:11:40.480 Exactly, and those botnets can then launch distributed denial of 230 00:11:40.519 --> 00:11:44.799 service d'd ass attacks against websites, online services, you name it. 231 00:11:45.279 --> 00:11:48.519 The handbook stresses the consequences can be serious financial losses, 232 00:11:49.039 --> 00:11:52.600 even public safety risks. If critical infrastructure is targeted. 233 00:11:52.960 --> 00:11:56.360 That's a disturbing thought. Your phone being an unwitting soldier 234 00:11:56.399 --> 00:12:00.559 in some digital attack. What about quieter form of abuse 235 00:12:00.639 --> 00:12:01.399 like AD fraud? 236 00:12:01.720 --> 00:12:04.559 Yeah, ad fraud is a huge money maker for malware authors. 237 00:12:04.759 --> 00:12:07.799 It's often invisible to the user, doesn't lock your device, 238 00:12:07.840 --> 00:12:09.960 doesn't necessarily steal your logins. 239 00:12:09.600 --> 00:12:10.759 Directly, So what does it do? 240 00:12:11.039 --> 00:12:14.200 Things like click fraud the app secretly clicks on ads 241 00:12:14.200 --> 00:12:16.879 in the background, generating tiny bits of revenue that add 242 00:12:16.960 --> 00:12:21.360 up or installation attribution fraud, falsely claiming credit for installing 243 00:12:21.360 --> 00:12:23.279 other apps to get referral bonuses. 244 00:12:22.960 --> 00:12:25.240 Sneaky background money making. Any examples. 245 00:12:25.320 --> 00:12:28.720 Handbook menches Turkish clicker, It used JavaScript inside app web 246 00:12:28.759 --> 00:12:32.120 components to do dedos attacks and click fraud, and the 247 00:12:32.200 --> 00:12:36.120 Cheetah mobile scandal which involves large scale installation attribution fraud. 248 00:12:36.360 --> 00:12:39.000 So even if your phone seems fine, it could be 249 00:12:39.080 --> 00:12:43.399 silently working for criminals. And those dodgyvpns came up again 250 00:12:43.440 --> 00:12:43.840 here too. 251 00:12:44.600 --> 00:12:48.960 Yes, related to the proxy behavior we discussed, some shady 252 00:12:49.039 --> 00:12:53.840 VPN outfits used those proxy sdgrays in popular apps, turning 253 00:12:53.919 --> 00:12:56.360 user devices into exit nodes without. 254 00:12:56.039 --> 00:12:57.960 Telling them right routing traffic. 255 00:12:57.720 --> 00:13:00.080 It's invisible runs in the background as long as the 256 00:13:00.080 --> 00:13:03.279 app is installed. Another easy monetization route. 257 00:13:03.039 --> 00:13:07.440 For the bad guys, a hidden network built on unsuspecting users. Okay, 258 00:13:07.440 --> 00:13:10.879 so these malware creators are clearly getting more sophisticated. How 259 00:13:10.879 --> 00:13:13.639 do they try to stay hidden both from users and 260 00:13:14.480 --> 00:13:16.960 from the security researchers trying to pick their code apart? 261 00:13:17.080 --> 00:13:19.440 Yes, staying hidden is key. Obviously they try to be 262 00:13:19.440 --> 00:13:21.759 invisible to the user. If an app is clearly messing 263 00:13:21.759 --> 00:13:24.360 things up, you'll uninstall it right sure, But they also 264 00:13:24.480 --> 00:13:28.559 use a lot of technical anti analysis techniques, specifically to 265 00:13:28.639 --> 00:13:32.080 thwart researchers. What kind of tricks The handbook talks about 266 00:13:32.080 --> 00:13:35.600 static anti analysis ways to make the app's code hard 267 00:13:35.600 --> 00:13:39.919 to examine without running it. Things like hiding tone, encrypting important. 268 00:13:39.559 --> 00:13:42.600 Parts you can't just read it easily exactly. 269 00:13:42.440 --> 00:13:45.559 Or loading the malicious code in later stages so it's 270 00:13:45.600 --> 00:13:48.679 not even there in the initial file you download. App 271 00:13:48.679 --> 00:13:52.320 backers are also huge, especially in places like China. They 272 00:13:52.399 --> 00:13:55.879 compress or encrypt the real app code. It's like trying 273 00:13:55.879 --> 00:13:57.200 to analyze the scrambled egg. 274 00:13:57.240 --> 00:13:59.679 Okay, makes sense. The book also mentioned reflection. 275 00:14:00.360 --> 00:14:05.279 What's that ah? Reflection is a common dynamic technique. Malware 276 00:14:05.320 --> 00:14:08.960 often breaks itself into pieces, like plugins. The first piece 277 00:14:09.000 --> 00:14:10.919 you install might be small, look. 278 00:14:10.759 --> 00:14:13.240 Harmless, the initial foothold right, and. 279 00:14:13.240 --> 00:14:16.080 It only downloads and runs the really malicious parts later, 280 00:14:16.559 --> 00:14:19.440 maybe after checking if it's running in an analysis environment. 281 00:14:20.039 --> 00:14:23.440 Java Reflection features Android's own code loading tools, like dex, 282 00:14:23.480 --> 00:14:26.320 class letter. They're used for this. Lately, they're even loading 283 00:14:26.320 --> 00:14:30.039 code directly from memory, not separate files, to leave fewer traces. 284 00:14:30.200 --> 00:14:32.240 It really is a constant game of cat and mouse. 285 00:14:32.279 --> 00:14:35.159 What about the programming languages? Does using different languages help 286 00:14:35.200 --> 00:14:35.759 them hide? 287 00:14:35.879 --> 00:14:39.759 Definitely? While Java's been the main language for Android, developers 288 00:14:39.759 --> 00:14:44.360 increasingly use others Flutter, Cotlin, React, Native, even Lua or Python. 289 00:14:44.440 --> 00:14:46.000 Sometimes Why does that make it harder? 290 00:14:46.240 --> 00:14:49.519 Because most security tools and researchers are more geared towards 291 00:14:49.559 --> 00:14:53.279 analyzing Java. Even if just the core malicious bid is 292 00:14:53.279 --> 00:14:58.399 written in say flutter, it can seriously complicate reverse engineering. 293 00:14:58.960 --> 00:15:01.679 So it's not just scrambling the code but using a 294 00:15:01.759 --> 00:15:05.440 less common language for it. The handbook also mentioned name mangling. 295 00:15:05.679 --> 00:15:09.080 Yeah, that's a basic obfuscation trick, giving things like classes 296 00:15:09.080 --> 00:15:13.840 and functions really short, meaningless names like ABC. It makes 297 00:15:13.879 --> 00:15:16.080 the code incredibly hard to read and understand for a 298 00:15:16.120 --> 00:15:20.200 human analyst. Reverse engineers have to spend ages renaming things 299 00:15:20.240 --> 00:15:21.200 just to make sense of it. 300 00:15:21.399 --> 00:15:25.399 Just deliberately making it confusing and slow to analyze. Okay, 301 00:15:25.480 --> 00:15:29.080 let's shift gears a bit supply chain compromises. That sounds 302 00:15:29.159 --> 00:15:31.399 much bigger, potentially more impactful it is. 303 00:15:31.480 --> 00:15:34.240 Yeah, it's about malware getting into the ecosystem at a 304 00:15:34.279 --> 00:15:38.080 deeper level through trusted players like the companies making the phones, 305 00:15:38.240 --> 00:15:41.960 or more commonly, the providers of over the year software updates. 306 00:15:42.000 --> 00:15:44.440 The OTAs you updates, your phone gets automatically. 307 00:15:44.639 --> 00:15:47.879 Exactly if malware gets into that system, it can potentially 308 00:15:47.960 --> 00:15:50.039 hit a massive number of devices all at once. 309 00:15:50.279 --> 00:15:52.679 Oh wow, were there specific examples. 310 00:15:52.279 --> 00:15:55.240 In the handbook, several worrying ones g Moby and OTA 311 00:15:55.320 --> 00:15:59.200 provider was found collecting user data showing unwanted ads and 312 00:15:59.240 --> 00:16:02.559 even silently the installing apps like ghost Push on millions 313 00:16:02.559 --> 00:16:07.519 of devices no consent. Then there was ad Ops. Their 314 00:16:07.559 --> 00:16:12.000 Ota software was basically spyware, collecting texts, contacts, call logs 315 00:16:12.240 --> 00:16:15.360 and could also install other apps. Adops was significant enough 316 00:16:15.360 --> 00:16:19.440 to get into the mitre att and CK framework which 317 00:16:19.480 --> 00:16:21.279 tracks adversary techniques. 318 00:16:20.840 --> 00:16:23.360 So it's recognized as a serious threat vector. 319 00:16:23.200 --> 00:16:27.039 Absolutely ritz on, Sunshine Digitime, other OTA providers mentioned with 320 00:16:27.399 --> 00:16:29.039 security or privacy. 321 00:16:28.639 --> 00:16:32.519 Problems, So companies meant to secure devices becoming the vulnerability. 322 00:16:32.600 --> 00:16:34.840 That's a huge trust issue and not just updates. Right 323 00:16:34.840 --> 00:16:35.960 component suppliers too. 324 00:16:36.120 --> 00:16:40.399 Yes, the Eagerfonts incident by compromising just one company supplying 325 00:16:40.440 --> 00:16:42.840 a software component, malware got onto devices from over one 326 00:16:42.919 --> 00:16:46.200 hundred different manufacturers shows the ripple effect massive scale from 327 00:16:46.200 --> 00:16:49.159 one compromise, and the handbook points out a common tactic 328 00:16:49.480 --> 00:16:52.960 malware authors setting up fake, legitimate looking companies. They offer 329 00:16:53.000 --> 00:16:56.120 apps or SDKs to manufacturers, but with hidden back doors 330 00:16:56.120 --> 00:16:56.559 built in. 331 00:16:56.919 --> 00:17:02.200 Just infiltrating the trusted pathways sounds incredible hard to defend against. Okay, 332 00:17:02.240 --> 00:17:05.359 let's put to the defense side machine learning. The handbook 333 00:17:05.440 --> 00:17:09.559 says it's increasingly important for detection. How does that work well? 334 00:17:09.599 --> 00:17:12.480 Given the sheer volume of new apps every day and 335 00:17:12.519 --> 00:17:15.759 how complex malware is, getting mL is pretty crucial now 336 00:17:15.799 --> 00:17:17.799 for detection at scale makes sense. 337 00:17:17.799 --> 00:17:19.799 You can't manually check everything exactly. 338 00:17:20.319 --> 00:17:22.680 The basic idea is to train algorithms to tell the 339 00:17:22.720 --> 00:17:26.839 difference between good apps, goodwaar and malicious apps malware by 340 00:17:26.880 --> 00:17:28.839 looking for patterns and their characteristics. 341 00:17:29.000 --> 00:17:32.160 Characteristics like what kind of things? What does the algorithm 342 00:17:32.200 --> 00:17:32.559 look at? 343 00:17:32.640 --> 00:17:34.960 These are called features. It could be the permissions and 344 00:17:35.039 --> 00:17:38.519 app asks for the specific android functions or APIs. It 345 00:17:38.599 --> 00:17:41.680 uses the structure of its code, even how it behaves 346 00:17:41.680 --> 00:17:43.880 when you run it in the safe controlled environment. 347 00:17:44.000 --> 00:17:44.240 Okay. 348 00:17:44.440 --> 00:17:48.440 These features get turned into numerical data. Then you feed 349 00:17:48.440 --> 00:17:52.720 the algorithm tons of labeled examples, known good apps, known 350 00:17:52.799 --> 00:17:56.720 bad apps, and it learns to spot the differences the patterns. 351 00:17:56.319 --> 00:17:58.319 And once it's trained, it can look at a new. 352 00:17:58.160 --> 00:18:02.720 App, preciselyzes the new apps features and makes a prediction 353 00:18:03.599 --> 00:18:06.880 likely safe or likely malicious based on what it learned. 354 00:18:07.440 --> 00:18:09.480 Classification algorithms are really good at this. 355 00:18:09.680 --> 00:18:11.680 Did it give an example like a decision tree. 356 00:18:11.920 --> 00:18:14.440 Yeah, decision trees are one type. They build rules like 357 00:18:14.759 --> 00:18:17.799 if ab asks for send ams permission, and it makes 358 00:18:17.920 --> 00:18:22.240 very few other system calls, then it's highly likely SMS fraud. 359 00:18:22.720 --> 00:18:25.920 Simple example. The Janini score mentioned is just a way 360 00:18:25.960 --> 00:18:28.279 to measure how well a feature splits the data into 361 00:18:28.279 --> 00:18:29.440 good versus bad. 362 00:18:30.079 --> 00:18:32.200 So it finds the most telling signs. But ma, our 363 00:18:32.240 --> 00:18:34.839 authors try to froo these features, right, So the book 364 00:18:34.880 --> 00:18:36.400 mentioned more advanced techniques. 365 00:18:36.480 --> 00:18:39.319 It did because attackers do learn how detection works and 366 00:18:39.359 --> 00:18:41.960 try to evade it, So researchers are always developing new 367 00:18:42.000 --> 00:18:45.440 or more robust features, things harder to manipulate, techniques like 368 00:18:45.519 --> 00:18:49.599 TSG landmark based features FACCG. They try to capture more 369 00:18:49.599 --> 00:18:52.880 complex patterns TSG tank based s Insbision grouping looks at 370 00:18:52.920 --> 00:18:56.400 sequences of API calls, how data flows, assigned suspicion scores 371 00:18:56.680 --> 00:18:59.960 groups them basically trying to understand the intent behind the action, 372 00:19:00.519 --> 00:19:03.799 not just the actions themselves, but looking deeper than just permissions. 373 00:19:04.119 --> 00:19:08.160 Sounds like a constant arms race to stay ahead. Okay, finally, 374 00:19:08.200 --> 00:19:11.759 looking ahead, what does the handbook see coming down the pike? 375 00:19:11.920 --> 00:19:14.400 For Android malware well, it. 376 00:19:14.400 --> 00:19:18.960 Draws parallels with Windows malware history. As platform security gets better, 377 00:19:19.200 --> 00:19:23.319 attacks have to get smarter, more sophisticated. Android head security 378 00:19:23.359 --> 00:19:26.839 in mind earlier on being always connected, but friends are 379 00:19:26.880 --> 00:19:30.759 still likely. We'll probably see more malware using those plug 380 00:19:30.759 --> 00:19:33.680 in architectures, adapting dynamically to the device. 381 00:19:33.519 --> 00:19:36.200 Environment, becoming more chameleon like, right, and. 382 00:19:36.319 --> 00:19:40.319 More use of less common programming languages to hinder analysis. 383 00:19:40.599 --> 00:19:43.720 That will likely continue. And unfortunately, supply chain attacks probably 384 00:19:43.759 --> 00:19:44.920 aren't going away either. 385 00:19:45.119 --> 00:19:48.920 And social engineering tricking the user that seems timeless. The 386 00:19:48.960 --> 00:19:50.200 handbook mentioned FluBot. 387 00:19:50.640 --> 00:19:53.960 Yeah, Flubot's success in twenty twenty one mainly tricking people 388 00:19:54.000 --> 00:19:57.960 into sideloading banking crojans really showed how effective good social 389 00:19:58.000 --> 00:20:01.599 engineering still is. Others will copy playbook. The handbook also 390 00:20:01.599 --> 00:20:06.640 suggests a potential shift towards more subtle background stuff, ad fraud, 391 00:20:06.960 --> 00:20:10.960 renting out devices and botnets. Maybe crypto mining harder for 392 00:20:11.000 --> 00:20:13.559 you to notice, but let's attackers build up large scale 393 00:20:13.599 --> 00:20:15.400 operations quietly. 394 00:20:15.200 --> 00:20:19.519 So less noisy ransomware, more quiet exploitation. It really does 395 00:20:19.599 --> 00:20:23.799 feel like the battle for Android security is far from over. 396 00:20:24.119 --> 00:20:26.240 Constant adaptation needed on both sides. 397 00:20:26.319 --> 00:20:31.720 Indeed, it's a constantly evolving landscape requires ongoing vigilance, continuous research. 398 00:20:31.839 --> 00:20:33.880 Well, this has been a truly deep dive into the 399 00:20:33.880 --> 00:20:36.640 world of Android malware, all thanks to the insights from 400 00:20:36.680 --> 00:20:39.839 the Android Malware Handbook. We've covered a lot early days, 401 00:20:39.960 --> 00:20:44.359