Samir Mody K7 Computing
Dhanalakshmi V K7 Computing
The recent Android ransomware Koler/Simple Locker, despite leaving the device's contents unencrypted, necessitated special manual cleanup actions or dedicated cleanup tools from AV companies. The reason for this was very simple. The malware, granted Device Administrator status through clever social engineering, registers callbacks to Android OS daemon broadcasts, and persistently reacts first to these stimuli such that a splash screen with ransomware demands is displayed before the hapless user has the opportunity to access the GUI of the installed AV solution to effect a scan and cleanup. This behaviour even survives a reboot.
It is possible to recover from this unenviable situation by returning the device to factory settings, fiddling about with buttons to obtain 'safe mode', uninstalling the malware via the ADB, or by using dedicated tools, but these options are far from ideal for the device's owner.
The simple example above demonstrates the ease with which mobile security solutions can be rendered impotent even when the malware can be detected with ease. It sets a dangerous precedent for dealing with far more obdurate malware including those that could burrow deep into the OS. We ought not to wait for these scenarios before acting.
This presentation will demo a sample of Koler in action, highlighting the difficulties faced in attempting to clean the infection. We investigate the Android OS daemon broadcast framework and boot mechanism in detail, identifying stages which could present opportunities for malware to 'hook' into, highlighted by an analysis of the Koler code which registers the callbacks to display the splash screen within intervals of a couple of seconds. Finally, we propose an updated boot and broadcast framework that would enable trusted applications such as mobile security apps to launch before any other application, thus strengthening the hand of AV companies in the absence of a bona fide Real-Time Scanning ability on Android.
Samir Mody graduated from the University of Oxford in 2000 with a Master's degree in chemical engineering, economics and management. Immediately after graduation he joined Sophos where he spent over nine years, the latter three of them as Threat Operations Manager of SophosLabs, UK. Since August 2010, as Senior Manager TCL, he has been running the Threat Control Lab at K7 Computing's head office in Chennai, India. Samir has actively contributed to the IEEE Taggant System project (http://standards.ieee.org/develop/indconn/icsg/amss.html) from its inception, and other industry initiatives such as AMTSO. He has co-authored and/or presented papers and participated in panel discussions at multiple international security conferences including EICAR, VB, and AVAR, and Government of India initiatives such as the National Cyber Safety Summit. Samir has also contributed to Virus Bulletin magazine, and of course to K7's blog (http://blog.k7computing.com). Samir's personal interests include reading (philosophy, politics, history, literature and economics), sport and classical music.
V.Dhanalakshmi, Senior Threat Researcher, has been with K7 Computing, Chennai, India for six years in K7's Threat Control Lab. Dhana graduated from Bharathiyar University, India in 2003 with a Bachelor's degree in electrical and electronics engineering. She started her career in March 2006 as Technical Support Executive - Virus Removal Team with Sutherland Global Services, Chennai. Later, she joined Technosoft Global Services, Chennai, and served as Threat Research Analyst till June 2008. She has presented papers at AVAR 2011 and AVAR 2013 conferences, and at the National Cyber Safety Summit 2013 conference organised by the Government of India. Her interests include listening to music and gardening.