KiloGrams: Very Large N-Grams for Malware Classification

Edward Raff, William Fleming, Richard Zak, Hyrum Anderson, Charles Nicholas, Mark McLean

In this work, we present a method to find the top-k most frequent n-grams that is 60× faster for small n, and can tackle large n ≥ 1024. Despite the unprecedented size of n considered, we show how these features still have predictive ability for malware classification tasks. More importantly, large n-grams provide benefits in producing features that are interpretable by malware analysis, and can be used to create general purpose signatures compatible with industry standard tools like Yara.


Detecting Mobile Counterfeit Apps

Jathushan Rajasegaran, Naveen Karunanayake, Ashanie Gunathillake, Suranga Seneviratne, Guillaume Jourjon

In this paper, we propose a novel approach of combining content embeddings and style embeddings generated from pre-trained convolutional neural networks to detect counterfeit apps. We present an analysis of approximately 1.2 million apps from Google Play Store and identify a set of potential counterfeits for top-10,000 apps. Under conservative assumptions, we were able to find 2,040 potential counterfeits that contain malware in a set of 49,608 apps that showed high similarity to one of the top-10,000 popular apps in Google Play Store.


Which YARA Rules Rule: Basic or Advanced?

Christopher S. Culling

As there are a large number of advanced capabilities contained within YARA, this paper will focus on easy-to-use, advanced features, including YARA's Portable Executable (PE) module, to highlight some of the more powerful aspects of YARA. While it takes more time and effort to learn and utilize advanced YARA rules, in the long run this method is a worthwhile investment towards a safer networking environment.


Comprehensive Analysis and Detection of Flash-based Malware

Christian Wressnegger, Fabian Yamaguchi, Daniel Arp, and Konrad Rieck (Institute of System Security, TU Braunschweig, Germany)

Adobe Flash is a popular platform for providing dynamic and multimedia content on web pages. Despite being declared dead for years, Flash is still deployed on millions of devices. Unfortunately, the Adobe Flash Player increasingly suffers from vulnerabilities, and attacks using Flash-based malware regularly put users at risk of being remotely attacked—most prominently highlighted by numerous exploits made public during the past months. As a remedy, we present Gordon, a method for the comprehensive analysis and detection of Flash-based malware. The dataset for evaluation was assembled using the VirusTotal API.


An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

Muhammad Ikram (Data61, CSIRO; UNSW), Narseo Vallina-Rodriguez (ICSI), Suranga Seneviratne (Data61, CSIRO), Mohamed Ali Kaafar (Data61, CSIRO), Vern Paxson (ICSI; UC Berkeley)

In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.


A First Look at Mobile Ad-Blocking Apps

Muhammad Ikram and Mohamed Ali Kaafar (Data61, CSIRO; UNSW Sydney; Macquarie University, Sydney)

This paper presents the first study of Android Ad-Blocking apps (or Ad-Blockers), analysing 97 Ad-Blocking mobile apps extracted from a corpus of more than 1.5 million Android apps on Google Play. While the main (declared) purpose of the apps is to block advertisements and mobile tracking services, our data analysis revealed the paradoxical presence of third-party tracking libraries and permissions to access sensitive resources on users’ mobile devices, as well as the existence of embedded malware code within some mobile Ad-Blockers. We also analysed user reviews and found that even though a fraction of users raised concerns about the privacy and the actual performance of the mobile Ad-Blocking apps, most of the apps still attract a relatively high rating.


Predicting Impending Exposure to Malicious Content from User Behavior

Mahmood Sharif (Carnegie Mellon University), Jumpei Urakawa (KDDI Research, Inc.), Nicolas Christin (Carnegie Mellon University), Ayumu Kubota (KDDI Research, Inc.), Akira Yamada (KDDI Research, Inc.)

Many computer-security defenses are reactive—they operate only when security incidents take place, or immediately thereafter. Recent efforts have attempted to predict security incidents before they occur, to enable defenders to proactively protect their devices and networks. These efforts have primarily focused on long-term predictions. We propose a system that enables proactive defenses at the level of a single browsing session. By observing user behavior, it can predict whether users will be exposed to malicious content on the web seconds before the moment of exposure, thus opening a window of opportunity for proactive defenses.