Capa Rules
Because of their widespread use for everyday activities like online banking, healthcare administration, and storing personal photos, mobile devices are now popular targets for criminals looking to steal sensitive data. To make illicit or unethical earnings, bad actors frequently publish and distribute malware in the form of apps.
Android uses a multi-layered strategy to fight malware and protect users. However, threat actors constantly improve their software to avoid detection, even as Google strengthens its defences. Historically, malware authors wrote their entire malicious payload in Java using the ubiquitous Android app development toolkits, which makes it comparatively easy to identify by reversing the Java bytecode. In recent years, malware developers have increasingly moved the most important behaviours into native code, hoping that the obfuscation gained from compiled, symbol-stripped Executable and Linkable Format (ELF) files will be more difficult and time-consuming to uncover.
To address these new challenges, the Android Security and Privacy Team, in collaboration with Mandiant FLARE, is extending capa, the open-source binary capability analysis tool, to analyse native ARM ELF files aimed at Android. To improve Google's review processes and reach decisions more quickly, the teams collaborated to create new capa rules and improve existing ones to detect capabilities seen in Android malware, use capa matches to highlight highly suspicious code in native files, and prompt Gemini with the highlighted code behaviours for summarisation.
An Illegal Gambling App Under a Music App Façade
The Google Play Store requires all published apps to comply with local laws and regulations. This includes gambling apps, which are illegal or require a licence in certain jurisdictions. In those regions, creating and distributing unlawful gambling apps can yield substantial illicit earnings, which are occasionally linked to organised crime.
Some gambling apps pose as innocuous games or music players to get past the Google Play Store's security-screening processes. Using a variety of anti-analysis techniques, these apps expose their gambling portals only in specific geographic regions. Unfortunately, dynamic analysis such as emulation and sandbox detonation depends on particular device configurations, and threat actors constantly experiment with alternative setups to evade Google's detections. The game of cat and mouse continues.
The Android Security and Privacy Team has responded by developing static analysis methods, including ones that assess the behaviour of a whole application and all of its conditional logic. Let’s now discuss an app that broke Google Play Store guidelines and demonstrate how to more effectively identify and prevent similar apps.
Google learned that a music app was allowing users in specific regions to access gambling websites. To avoid discovery, it employed an intriguing technique: the important behaviours were concealed in a native ELF file that is loaded at runtime and has most of its symbols stripped.
When the team decompiled the app into Java source code with the JEB Decompiler, it found a song-playing feature in the “MainActivity” class. This appears to be harmless behaviour that fully complies with Google Play Store regulations.

However, in the class com.x.y.z, a small section of initialisation code loads an ELF file as soon as the application starts, from the onCreate method. To fully understand the behaviour of the whole application, the team also had to reverse engineer the ELF file, which calls for an entirely different set of tools.
Decompiling the ARM64 ELF file into C source code with a tool like Ghidra showed that the application uses timezone information to estimate the user's location: a loop compares the user's timezone against a list of target regions.
If a value in the list matches the user's location, this malware:
- downloads an encrypted DEX file from a remote server;
- decrypts the downloaded DEX file;
- loads the decrypted DEX file into memory.


After applying further server-side cloaking checks, the loaded DEX file presents app users with a gambling website. This is clearly inconsistent with the functionality the app claims to offer through its icon and listing.
Although there are several detection tools, such as YARA, for locating malware hidden in ELF files, signature-style matches are less resilient to threat actor modifications and app updates. The Android Security and Privacy Team has therefore developed new methods for identifying fraudulent apps by examining the native ELF components of Android apps.
The gambling app, for instance, makes several API calls that are resolved dynamically through the Java Native Interface (JNI) and interact with the Android runtime. Google's detection logic identified these cross-runtime interactions and inferred their purpose. The team catalogued typical Android malware behaviours, such as ptrace API calls, device information extraction, downloading code from remote servers to local storage, and various cryptographic operations performed via JNI, and turned them into capa rules that can be used to find and block threats on the Google Play Store.
Now, let’s take a closer look at this process.
Android capa Rules
capa is a tool that detects the capabilities of executable files. Run it against a compiled program and it reports what it believes the program is capable of. capa may indicate, for instance, that a file is a backdoor, can install a service, or relies on HTTP to communicate.
Mandiant FLARE extended capa to support BinExport2, an architecture-neutral representation of disassembled programs, which can be produced by Ghidra through its BinExport plugin. With an initial focus on ARM64 ELF files, this lets capa match capabilities in additional architectures and file formats. The Android Security and Privacy Team then developed additional capa rules specifically designed to identify features found in the ARM64 ELF files used by various Android malware samples. Internal Android malware analysis pipelines use these proprietary rules alongside capa's open-source rules to detect malware capabilities.
Returning to the gambling app, the following open-source and Google proprietary capa rules matched the malicious routines that implement its cloaking techniques, flagging them for further examination.
Proprietary rules:
- Call the ptrace API
- Retrieve device configuration data on Android via JNI
- Extract timezone on Android via JNI
- Encode or decode data using Base64 on Android via JNI
- Encrypt or decrypt data using the Android Cipher API via JNI
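What a rule like the “Extract timezone on Android via JNI” entry above could look like when written out in capa's rule syntax. This is an added example for illustration, not one of Google's proprietary rules and not a rule from the capa-rules repository. It keys on the class and method names the native code must pass to JNI to resolve java/util/TimeZone, and on the JNIEnv function-table slots used to make the calls. The slot offsets are computed from the JNIEnv table layout (slot index times 8 on AArch64: FindClass is slot 6, GetMethodID 33, CallObjectMethod 34, GetStaticMethodID 113, CallStaticObjectMethod 114); whether a given backend surfaces those memory displacements as capa `offset` features is an assumption that depends on the extractor. The rule name, namespace and author are placeholders.

```yaml
# Example capa rule (illustrative, not a Google or capa-rules rule).
rule:
  meta:
    name: extract timezone on Android via JNI (example)
    namespace: collect/android
    authors:
      - example@example.com
    scopes:
      static: function
      dynamic: unsupported
    att&ck:
      - Discovery::System Location Discovery [T1614]
    references:
      - https://developer.android.com/reference/java/util/TimeZone
  features:
    - and:
      - os: android
      - arch: aarch64
      # Native code that resolves the Java class through JNI must hand
      # these names to FindClass / GetMethodID / GetStaticMethodID.
      - string: "java/util/TimeZone"
      - or:
        - string: "getDefault"   # static TimeZone.getDefault()
        - string: "getID"        # instance TimeZone.getID()
      # JNIEnv vtable slots, assumed to appear as structure offsets on
      # AArch64 (slot * 8).  Two of them are enough to show a real JNI
      # call sequence rather than a stray string reference.
      - 2 or more:
        - offset: 0x30    # JNIEnv->FindClass
        - offset: 0x108   # JNIEnv->GetMethodID
        - offset: 0x110   # JNIEnv->CallObjectMethod
        - offset: 0x388   # JNIEnv->GetStaticMethodID
        - offset: 0x390   # JNIEnv->CallStaticObjectMethod
```

Point capa at the directory holding the rule with `-r` and run it against the stripped ELF, or against a BinExport2 file exported from Ghidra. The string features on their own would also match a benign locale or logging library, so the JNI-slot clause is what keeps the rule from firing on every file that merely mentions TimeZone; tune the required count against known-good samples before relying on it.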
Gemini Summaries of capa Rule Matches
To protect the Android ecosystem, Google's Android malware analysis pipelines examine millions of ELF files every day, each with hundreds to millions of lines of decompiled routines. Alongside Gemini's rapidly developing malware analysis capabilities, capa rules select the most interesting code for Gemini summarisation, narrowing the focus to a much smaller set of the most suspicious functions.
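One way to implement that selection step, as an added example that is not code from the page, from capa or from Google: the script below reads the report structure that `capa -j` emits (each rule carries a list of `[location, match]` pairs, with `location` being `{"type": "absolute", "value": <address>}`), scores every address by the weighted suspicious rules that matched there, and builds the prompt text for the top candidates. The rule names, weights, threshold and the embedded sample report are all constructed for illustration.

```python
"""Triage a capa JSON report for LLM summarisation (added example)."""
from collections import defaultdict

# Weighted rule names mirroring the behaviours the page lists as typical of
# Android malware.  Illustrative names, not Google's proprietary rule set.
SUSPICIOUS_RULES = {
    "download code from remote server to local storage": 4,
    "call the ptrace API": 3,
    "extract timezone on Android via JNI": 3,
    "retrieve device configuration via Android JNI": 2,
    "encrypt or decrypt data using Android Cipher API via JNI": 2,
    "encode or decode data using Base64 on Android via JNI": 1,
}


def function_scores(report):
    """Map each match address to its score and the suspicious rules hit there.

    For function-scope rules the address is the function start; for basic
    block or instruction scope it is the address inside the function, which
    is still where an analyst (or a summariser prompt) should look.
    """
    scores = defaultdict(lambda: {"score": 0, "rules": []})
    for name, rule in report.get("rules", {}).items():
        weight = SUSPICIOUS_RULES.get(name)
        if weight is None:
            continue  # neutral capability: skip, it only adds noise
        for location, _match in rule.get("matches", []):
            if location.get("type") != "absolute":
                continue  # dynamic reports can carry process/thread locations
            entry = scores[location["value"]]
            entry["score"] += weight
            entry["rules"].append(name)
    return dict(scores)


def select_for_summary(report, limit=3, min_score=3):
    """Return [(address, [rule names])] for the highest-scoring code, best first."""
    ranked = sorted(
        function_scores(report).items(),
        key=lambda item: (-item[1]["score"], item[0]),
    )
    return [(addr, info["rules"]) for addr, info in ranked if info["score"] >= min_score][:limit]


def build_prompt(addr, rules, decompiled):
    """Compose the text handed to the summariser: capabilities first, code last."""
    lines = [
        f"Function at {addr:#x} in a native Android library.",
        "capa reports these capabilities in it:",
        *[f"  - {name}" for name in rules],
        "Summarise what the following decompiled code does and whether it "
        "matches the app's declared purpose.",
        "",
        decompiled,
    ]
    return "\n".join(lines)


# Constructed sample report shaped like `capa -j` output; the library name,
# addresses and match details are made up for this example.
SAMPLE_REPORT = {
    "meta": {"sample": {"path": "libmusic_assumed.so"}},
    "rules": {
        "extract timezone on Android via JNI": {
            "meta": {"scopes": {"static": "function"}},
            "matches": [[{"type": "absolute", "value": 0x11A0}, {"success": True}]],
        },
        "download code from remote server to local storage": {
            "meta": {"scopes": {"static": "function"}},
            "matches": [[{"type": "absolute", "value": 0x11A0}, {"success": True}]],
        },
        "call the ptrace API": {
            "meta": {"scopes": {"static": "function"}},
            "matches": [[{"type": "absolute", "value": 0x1300}, {"success": True}]],
        },
        "encode or decode data using Base64 on Android via JNI": {
            "meta": {"scopes": {"static": "function"}},
            "matches": [[{"type": "absolute", "value": 0x1400}, {"success": True}]],
        },
        "create thread": {  # benign capability, deliberately unweighted
            "meta": {"scopes": {"static": "function"}},
            "matches": [[{"type": "absolute", "value": 0x2000}, {"success": True}]],
        },
    },
}

if __name__ == "__main__":
    for addr, rules in select_for_summary(SAMPLE_REPORT):
        print(build_prompt(addr, rules, "/* decompiled C for this address */"))
        print("-" * 40)
```

On the sample report the function that both reads the timezone and downloads code ranks first, the ptrace caller second, and the lone Base64 routine falls below the threshold, so only two prompts would be sent. The weights are where analyst judgement lives: a single JNI Base64 call is common in benign code, while remote code download in a music player is not.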

Android’s Multi-Layered Security Approach
To keep the Android platform and ecosystem safe, Android's constantly evolving, multi-layered security strategy involves adding cutting-edge technologies and collaborating with developers and device implementers. This includes, but is not limited to:
Advanced built-in protections
Google Play Protect automatically checks all Android apps on devices with Google Play Services, regardless of where the app was downloaded from. Enabled by default, this built-in protection offers vital defence against unwanted applications and malware. To fight new and hidden threats such as polymorphic malware, Google Play Protect scans over 200 billion apps every day and performs real-time code-level scanning on novel apps. In 2024, Google Play Protect's real-time scanning identified over 13 million new malicious apps from sources other than Google Play.
Google Play and developer protections from malware
Google employs multi-layered safeguards that are constantly being improved to help keep Google Play secure, guided by Google's security principles, in order to build a trusted experience for all users. Since developers are essential to creating safe apps, these safeguards begin with them: Google gives developers access to best-in-class tools, best practices, and on-demand training materials for creating secure, high-quality apps. Only apps that pass a thorough review and testing process are permitted on the Play Store. To make an informed choice, users can examine an app's ratings, user reviews, and data safety section on Google Play before downloading it.
Engagement with the security research community
To promote app safety standards, Google collaborates extensively with the security community on a number of fronts, including the App Defense Alliance. Android also works with the Google Threat Intelligence Group (GTIG) to combat new threats and protect Android users everywhere.
With Gemini's rapidly developing capabilities, Google's analysts can spend less time on these complex samples, which reduces the exposure of rogue apps and helps keep the Android ecosystem secure.