Android Security Symposium 2015

A walk through the construction of the first mobile malware tracker

About the speaker

Federico Maggi

Politecnico di Milano, Milano, Italy
Federico Maggi is a Assistant Professor at Dipartimento di Elettronica e Informazione, Politecnico di Milano in Italy, working at the NECST Laboratory. Specifically, his research interests are in analysis of malicious activity, Internet measurements and mobile malware. He is also actively involved in research projects funded by the European Union.
During his Doctorate he studied and made contributions in the field of intrusion detection: he developed and tested anomaly-based tools to mitigate Internet threats by (1) avoiding their spread via vulnerable web applications, (2) detecting unexpected activities in the operating system’s kernel (sing of malware infections or compromised processes), and (3) dealing with high number of alerts using alert correlation. Federico is instructor of the graduate-level course of computer security at Politecnico di Milano and has been invited in several venues to give lectures about his research work.


In this talk I will start presenting the practical problem of analyzing the botnet activity of Android malware, describing how an Android bot typically works and which network primitives and transport they normally use. Next, I will introduce a little bit of the basics (theory & practice) necessary to start a simple static analysis to obtain the information that we need to analyize the botnet activity of a suspected bot. Then, I will show you how TraceDroid (presented in the previous talk) can be used to collect the very same information at runtime. After this, I will show you how we constructed a simple intelligence tool to correlate such collected information to provide a first, high-level ranking of the network endpoints that are potentially interesting C&C servers. I will conclude with a demonstration of the resulting tool, which our lab has recently released to the public as a web service. Remarkably, this tool has allowed us to discover malware-spreading campaigns targeting Chinese- and Korean-speaking bank customers.