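National Taiwan University of Science and Technology
Department of Computer Science and Information Engineering
Intelligent System Laboratory Paper
DroidDAPA: Detecting Potential Attacks of Ads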
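Abstract: According to the 2015 IDC (International Data Corporation) Worldwide Quarterly Mobile Phone survey, Android smartphones hold 82% of the global market share, making Android the most popular smartphone system in recent years. There are two main reasons. First, Android offers a free and open system architecture, which has won the favor of a large number of handset manufacturers, and Android's version update cycle is very fast, so Android smartphone consumers always have a sense of novelty. Second, Google gives software designers of Android smartphone Apps two ways to increase their income, namely advertising and user payment, so the number of Apps on the Google App Store has multiplied every year; according to a survey by AppBrain magazine, by 2016 the number of Apps had reached a striking two million. According to a 2016 Bloomberg Technology report, Oracle's attorney Annette Hurst disclosed that Android has brought Google 31 billion US dollars in revenue, of which 22 billion US dollars in profit came from the Google App Store and Apps advertising. Apps advertising accounts for 49% of the Google App Store. The above shows how vast the Android App market is, and it has therefore become a target for attackers; past research has found that real cases of malicious attacks already exist in Android Apps.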
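In recent years, malicious attack techniques against Android Apps have penetrated advertising. Most commonly, ads are used to lead users to malicious websites. These malicious websites harbor attacks that often cause personal or corporate financial loss, such as website extortion attacks or phishing websites. Because Ads components are rendered dynamically through an Ad-Network, they are very difficult to detect. In this thesis we therefore propose a tool called DroidDAPA (Droid Detect Potential Attacks of Ads). It uses image-processing techniques and analysis of Android system logs to examine the data passed between Android App Ads, once triggered, and the Browser. Finally, it combines the VirusTotal scanning engines to check for malicious websites and produces a malicious-website analysis report. In addition, this study found that it can also help VirusTotal detect the Malicious URL Infect and Malicious URL Repackage attack techniques.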
DroidDAPA: The Detect Potential Attacks of Ads
Abstract: According to research by International Data Corporation (IDC) Worldwide Quarterly Mobile Phone in 2015, Android smartphones constitute 82% of the global market share of smartphones. Android has become the most popular smartphone operating system. There are two rationales behind this finding. First, Android adopts a free, open-source system architecture, which many phone manufacturers appreciate. Since Android is constantly updated, Android smartphone users are constantly greeted with freshness. Second, Google provides Android smartphone app developers with two ways to increase their income: by advertisements, and by user payments. These have allowed the number of Apps in the Google Play Store to increase exponentially. As claimed by AppBrain, there are over two million Apps on Android. Furthermore, an article in Bloomberg Technology features an attorney of Oracle, Annette Hurst, who discloses that Android has brought about 31 billion U.S. dollars' worth of revenue for Google, 22 billion of which come from Google Play Store and Apps advertisements. Moreover, we note that advertisements in Apps make up 49% of the Google Play Store, and the sheer amount of Apps has made them the targets of many hackers. Past research largely indicates that Android Apps have been found to be malicious.
In recent years, malicious attacks in Android Apps have taken the form of Ads. The most ubiquitous method leads users to pharming websites, which launch attacks on the users' Android smartphone. Common consequences include personal or business financial losses (like extortion attacks or phishing websites). Moreover, because Ads elements appear dynamically by using an Ad-Network, viruses or malicious intent within them are difficult to detect. Therefore, we present, in this thesis, a tool called DroidDAPA (Droid Detect Potential Attacks of Ads). This utilises both image-processing technology and analysis of Android System Logs to discuss data transfer between Android App Ads (after activation) and the Browser. Then, by incorporating VirusTotal to cross-reference malicious (i.e. pharming) websites, we produce a report of such websites. In addition to our intention, we have found that DroidDAPA can also assist VirusTotal in detecting Malicious URL Infect and Malicious URL Repackage, which are methods of conducting malicious attacks.
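The log-analysis step described above can be illustrated with a short sketch. This is an added example, not DroidDAPA's code: the abstract does not say which log lines the tool reads, so the sketch assumes the `ActivityManager` `START` lines printed by `logcat -v time`, and every package name, uid and host in the sample is constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in `logcat -v time` layout (not captured from a device).
SAMPLE_LOG = """\
05-12 10:21:03.114 I/ActivityManager(  612): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.example.game/.MainActivity} from uid 10021 on display 0
05-12 10:21:40.532 I/ActivityManager(  612): START u0 {act=android.intent.action.VIEW dat=http://ads.example.test/click?id=42 flg=0x10000000 cmp=com.android.browser/.BrowserActivity} from uid 10085 on display 0
05-12 10:21:41.007 D/dalvikvm( 2291): GC_CONCURRENT freed 412K
05-12 10:22:05.871 I/ActivityManager(  612): START u0 {act=android.intent.action.VIEW dat=market://details?id=com.example.other cmp=com.android.vending/.AssetBrowserActivity} from uid 10085 on display 0
05-12 10:23:17.250 I/ActivityManager(  612): START u0 {act=android.intent.action.VIEW dat=https://landing.example.test/promo cmp=com.android.browser/.BrowserActivity} from uid 10085 on display 0
"""

# Assumed layout: "START u0 {<intent fields>} from uid N", N being the caller's uid.
START_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+) I/ActivityManager\(\s*\d+\): "
    r"START \S+ \{(?P<intent>.*)\} from uid (?P<uid>\d+)")

def extract_view_urls(log_text):
    """Return web URLs handed to another activity via ACTION_VIEW intents."""
    events = []
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if not m:
            continue
        # Intent fields are space-separated key=value tokens (act=, dat=, cmp=, ...).
        fields = dict(t.split("=", 1) for t in m.group("intent").split() if "=" in t)
        if fields.get("act") != "android.intent.action.VIEW":
            continue
        parts = urlsplit(fields.get("dat", ""))
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # market:// and other non-web schemes are out of scope here
        events.append({"time": m.group("ts"), "uid": int(m.group("uid")),
                       "url": fields["dat"], "host": parts.hostname,
                       "handler": fields.get("cmp", "")})
    return events

def hosts_to_check(events):
    """De-duplicated hosts, in first-seen order, for a URL reputation lookup."""
    return list(dict.fromkeys(e["host"] for e in events))

if __name__ == "__main__":
    found = extract_view_urls(SAMPLE_LOG)
    for e in found:
        print(e["time"], "uid", e["uid"], "->", e["url"], "via", e["handler"])
    print("hosts to check:", hosts_to_check(found))
```

The reputation lookup itself is left out so the sketch runs offline; the list from `hosts_to_check` is what would be cross-referenced against a scanning service.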