[Owasp-leaders] [Owasp-community] Battle of the cyber warrior: Testing OWASP SeraphimDroid against nasty malware

johanna curiel curiel johanna.curiel at owasp.org
Fri Mar 18 23:47:32 UTC 2016


Hi Nikola

I decided to do a test on an Emulator.

What I can say, correct me if I'm wrong, is that a user has the ability to
lock apps and services as a preventive measure.
What happens if I decide to lock?
The trojan <http://home.mcafee.com/virusinfo/virusprofile.aspx?key=9609501>
that I downloaded on a tablet attempts to use SMS to premium rate numbers.
I downloaded it while I actually locked all other services on
SeraphimDroid. Of course this emulator is not connected to any SMS, but
when I looked back at the running app I can see the outGoingSmsRecepter
active, which I did not see before (see print screen).

I think I'll continue this conversation on the project mailing list.
Anyways, so far it seems that it blocked the activities of this trojan :)
I also like the fact that you can block the app, and every time it is necessary
to provide the code to unlock.

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=9609501


Cheers

Johanna

On Fri, Mar 18, 2016 at 5:51 PM, Nikola Milosevic <
nikola.milosevic at owasp.org> wrote:

> @Azzeddine by false negatives I mean false negatives. False negative will
> be malware that was not detected, while false positive would be benign app
> flagged as malware, true negative is benign app flagged as benign app and
> true positive is malware flagged as malware. I hope that makes the
> terminology clear?
>
> @Johanna thank you for your kind words. It is very nice to hear that.
> However, my bravery to go into machine learning comes from the fact that
> part of my University work/research is machine learning related. I am
> probably more machine learning/text mining/data science guy than security
> guy, although I have obviously strong interest in it, otherwise I would not
> be involved in OWASP. And I believe merging these fields can work to the
> benefit of both of them. However, I agree it is complex, especially to
> properly test the models. I have updated the app on the store with a fix made
> by our contributor Kartik Kohli, so I hope it will propagate over the store
> by tomorrow and you can try it. I hope it will work, but anyway let me know
> (in case it works, I can close the issue, otherwise back to the drawing
> board).
>
>
> Pozdrav/Best regards,
>
> Nikola Milošević
> OWASP Seraphimdroid project leader
> nikola.milosevic at owasp.org
> OWASP - Open Web Application Security Project
> <https://www.owasp.org/index.php/Main_Page>
> OWASP Seraphimdroid Project
> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>
> On Fri, Mar 18, 2016 at 4:11 PM, Azzeddine Ramrami <
> azzeddine.ramrami at owasp.org> wrote:
>
>> Just for information, in version 4.0 of CSRFGuard I added several
>> techniques using Cognitive Security (AI). I will publish the new code ASAP.
>>
>> Cordialement.
>> Azzeddine RAMRAMI
>>
>> On Fri, Mar 18, 2016 at 4:31 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Nikola
>>>
>>> I'm quite familiarised with the project and the reason I chose it is
>>> because I think people should know more about this.
>>> No project at owasp, so far, is attempting to do something in the area
>>> of Machine learning implementation for security and I find this
>>> fascinating, especially because I finalised myself the coursera Machine
>>> learning course from Stanford, and I know how complex it is to implement this.
>>>
>>> While I understand your concerns, let me assure you that given the
>>> resources and the fact that you are a brave project leader (who also has a
>>> full time job), no one should be judging any results.
>>>
>>> My malware test will be from the most benign to the most aggressive,
>>> just to see how it goes as I escalate the type of malware, especially
>>> because it is the only project applying machine learning at owasp.
>>>
>>> In fact, if your project performs well, it will only reassure me (I
>>> don't talk in the name of OWASP since I'm not part of project reviews
>>> anymore) that your project should definitely qualify in a higher ranking
>>> than just another incubator project.
>>>
>>> Cheers
>>>
>>> Johanna
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Mar 18, 2016 at 5:09 AM, Nikola Milosevic <
>>> nikola.milosevic at owasp.org> wrote:
>>>
>>>> Hello Johanna,
>>>>
>>>>
>>>> The report you made is all we need. We can see that there was some
>>>> security exception regarding vibrate permission, which is apparently some
>>>> bug of Android 4.2, fixed later in 4.2.1 (at least that was said on
>>>> stackoverflow). I hope I will be able to fix the issue soon, however, I am
>>>> travelling tomorrow, so it may take a couple of days.
>>>>
>>>> The test you are aiming to perform with malware is great. I don't know
>>>> how much you did familiarise yourself with the project; there are a couple of
>>>> things the app can do, but still the defenses are not perfect and on some we might
>>>> be working during this GSoC, if we get some slot. Currently, based on the
>>>> permissions an app is using, we have a machine learning model that is
>>>> triggered either on app install or when you run the permission scanner, and that
>>>> should notify you whether the app is malicious or not. However, it uses
>>>> permissions only, for static analysis, with our training set being the
>>>> following dataset: http://m0droid.netai.net/modroid/. It
>>>> achieved around 89% accuracy. But it may report false positives and even
>>>> false negatives. Anyway, it was still not tested on other datasets, which
>>>> makes me a bit anxious, but it is good to test it that way and see the
>>>> performance and whether we may need to adjust the model at some point (or
>>>> whether machine learning is the approach to go with at all). However, machine
>>>> learning was the only approach where we can allow some degree of malware
>>>> detection without any infrastructure for signature generation and similar
>>>> things, which is impossible for an open source project. Also, it can be set
>>>> to allow certain calls or SMS, but that is a mainly rule-based approach (i.e.
>>>> don't allow outgoing calls if not in my contact list). Some features like
>>>> this made us use a lot of permissions, as well as some anti-theft features
>>>> like geo-fencing (i.e. sending SMS is used when the phone exits some area you
>>>> defined and it sends its location). Several users already told me about
>>>> their concerns when they saw the permission list, which is truly large.
>>>> Here it is kinda where we want to balance, whether it will be to try to be
>>>> innovative and try certain things or keep it small. Since it is open source
>>>> and everyone can check in the code what the permissions are used for, we
>>>> decided to go for research and try to implement all the interesting
>>>> features we thought of.
>>>>
>>>> Anyway, thanks for the effort and I hope, we will be able to resolve
>>>> the issue.
>>>>
>>>>
>>>>
>>>> Pozdrav/Best regards,
>>>>
>>>> Nikola Milošević
>>>> OWASP Seraphimdroid project leader
>>>> nikola.milosevic at owasp.org
>>>> OWASP - Open Web Application Security Project
>>>> <https://www.owasp.org/index.php/Main_Page>
>>>> OWASP Seraphimdroid Project
>>>> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>>>>
>>>> On Fri, Mar 18, 2016 at 2:49 AM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Hi Nikola
>>>>>
>>>>> My excuses if I didn't send the report sooner. Indeed I just did and I
>>>>> have to gather some info on the device. As a user I'm clueless about what kind of
>>>>> information I should provide, but I guess the logs, as the report was sent,
>>>>> will do this, right? Let me know if this is the case.
>>>>>
>>>>> I'll attempt install and uninstall.
>>>>>
>>>>> Keep in mind this is no formal test but just blogging about my
>>>>> experience as a user and experimenting a little; by no means should people
>>>>> reading the blog see this as formal QA testing procedures or the
>>>>> like.
>>>>>
>>>>> Basically I'll install malware on this device, one that will be under
>>>>> a controlled environment attempting to send info to the C&C.
>>>>>
>>>>> I'll sniff the communication and check how the project protects me
>>>>> against this type of attack on the phone, what kind of warnings are given,
>>>>> basically report my user experience.
>>>>>
>>>>> cheers
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Thu, Mar 17, 2016 at 10:37 PM, Nikola Milosevic <
>>>>> nikola.milosevic at owasp.org> wrote:
>>>>>
>>>>>> Hello Johanna,
>>>>>>
>>>>>> Can you tell me a bit more about your device and the Android version you
>>>>>> are using? Also, when was it tested and have you sent the crash report?
>>>>>>
>>>>>> I have tried to uninstall and install again the app on my Nexus 5 and
>>>>>> it works well, so definitely it is not some version in a store that should
>>>>>> not be there. I am not claiming it does not have any bugs, but what you
>>>>>> have experienced should not happen.
>>>>>>
>>>>>> Also, I would appreciate, and probably other leaders as well whose
>>>>>> project you would be testing, if you could report the problem directly to
>>>>>> me or via the bug tracking platform on Github. I believe writing a blog post
>>>>>> with such a tendentious title and without any details about the problem is a bit
>>>>>> unfair. Especially, claiming to have contacted support in the post was false, since
>>>>>> I have no record of you contacting either me or anyone else who worked
>>>>>> on the project.
>>>>>>
>>>>>> Anyway, the fact is that this should not happen and I would love to
>>>>>> help you resolve your issue and be able to work with the app.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Pozdrav/Best regards,
>>>>>>
>>>>>> Nikola Milošević
>>>>>> OWASP Seraphimdroid project leader
>>>>>> nikola.milosevic at owasp.org
>>>>>> OWASP - Open Web Application Security Project
>>>>>> <https://www.owasp.org/index.php/Main_Page>
>>>>>> OWASP Seraphimdroid Project
>>>>>> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>>>>>>
>>>>>> On Fri, Mar 18, 2016 at 2:14 AM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> Leaders,
>>>>>>>
>>>>>>> This is a first attempt to use OWASP projects in a real scenario and
>>>>>>> report my experiences.
>>>>>>>
>>>>>>> This information will be posted on a blog site I'm working on about
>>>>>>> my experience testing OWASP projects with real implementations,
>>>>>>> applications, devices and projects.
>>>>>>>
>>>>>>>
>>>>>>> http://cybersecuritywarrior.blogspot.com/2016/03/testing-owasp-seraphimdroid-against.html
>>>>>>>
>>>>>>>
>>>>>>> Please feel free to comment
>>>>>>>
>>>>>>> Cheers
>>>>>>> --
>>>>>>> Johanna Curiel
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>> _______________________________________________
>>> Owasp-community mailing list
>>> Owasp-community at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-community
>>>
>>>
>>
>>
>> --
>> Azzeddine RAMRAMI
>> +33 6 65 48 90 04.
>> Enterprise Security Architect
>> OWASP Leader (Morocco Chapter)
>> Mozilla Security Projects Mentor
>>
>
>


-- 
Johanna Curiel
OWASP Volunteer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TrojanAndroid_test1.png
Type: image/png
Size: 81018 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160318/46e922e6/attachment-0001.png>

