【 Key words: Tencent Royal Security, Android application hardening, application security, mobile application protection 】


Introduction

In 2017 the Network Security Law of the People's Republic of China formally came into force. From then on, network security has had laws to rely on, and a new chapter has opened in the governance of cyberspace, in regulating the order of online information dissemination and in punishing cybercrime, which is of far-reaching significance for protecting China's network security and maintaining the overall security of the country. Under the guidance of this top-level design, security vendors have also dealt heavy blows to network black production (organised cybercrime). Tencent's security team, together with the relevant departments, has effectively cracked down on online crimes such as pornography fraud and mobile pyramid schemes, protecting the information and property security of hundreds of millions of netizens.

However, the network security situation remains serious. WannaCry broke out worldwide overnight, infecting 200,000 computers in at least 150 countries, with enterprises, educational institutions, banks and even government institutions the hardest-hit areas. WannaCry opened the first year of the ransomware era: attackers no longer target personal computers but take over educational institutions, medical institutions, businesses, banks and even government facilities in a cruder and more effective way. Instead of stealing data to sell for cash, they encrypt important data and demand a ransom.

At the same time, more and more APT attacks have been disclosed in recent years: organised, planned, targeted and long-running attacks against enterprises, banks and government agencies have been carried out quietly. With the rapid development of the Internet in China, Chinese enterprises and government agencies will attract more and more international attention and become targets of APT attacks.

In 2018 China will officially launch a three-year programme of building a cyber power. Tencent's security team will respond to the national call by applying AI technology more widely in terminal security and in the fight against network black production and, with a more positive and open attitude, will cooperate with enterprises, banks and government departments to work together for a healthy and safe Internet ecosystem and contribute to building China into a cyber power.

1. The spread of Android viruses aggravates the challenge to traditional countermeasures

The current spread of Android viruses is making traditional countermeasures ever harder. In 2017 the number of new virus and risk packages on the Android platform reached 14.94 million, and 188 million users were infected, which is still an appalling number. Nearly 10 percent of infected end users (18 million) were exposed to 0Day or even NDay virus threats, resulting in privacy leakage and property loss.

On the other hand, in 2017 the technical level of black-production malicious code continued to improve: automated evasion ("no-kill"), dynamic delivery of malicious code, precisely targeted malicious behaviour, and large numbers of 0Day malicious code. At the same time, black-production crime became enterprise-like; porn apps and application promotion became the "xiangbobo" (hot commodity) of black production, and after porn-app fraud, the "underground undercurrent" family became the mainstream industrial chain of black production.

As black-production practitioners deepen their technical ability, organise in enterprise-style teams and diversify their cash-out channels, the virus confrontation on Android terminals intensifies, and the traditional anti-virus engine faces a great challenge.

1.1 The increased "effectiveness" of viruses makes it difficult for traditional antivirus engines to provide real-time protection

In 2017 an average of 1.24 million new virus packages were added on the Android platform each month, with the largest number, 1.7 million, in April. In April 2017 the Tencent security team successively assisted the police in Wuhan, Dalian and Guangdong to break up three large, corporately operated pornography-fraud gangs and their black industrial chain. Since then the number of new virus packages has continued to decline, confirming that the joint crackdown has had an effect.

However, before the gangs were broken up and arrested, nearly one million end users had already been infected and the total amount defrauded had reached 600 million. Although the traditional antivirus engine can respond and kill viruses in time, and with mature cloud-lookup technology the response time can be reduced to a day or even a few hours, no matter how timely the response it still cannot prevent already-infected users from being threatened by the virus, nor prevent the leakage of their privacy and the loss of their property.

The total number of Android users infected with viruses in 2017 was 188 million. Among them, the "underground undercurrent" series of viruses, detected and killed for the first time by Tencent Mobile Manager and with a great impact, had already infected more than ten million users when security personnel discovered it; in other words, about 10 percent of affected users had been exposed to 0Day or NDay viruses.

1.2 0Day virus attack-and-defence technology has improved, and the traditional engine is no longer enough to fight it

In 2017 Tencent's security team captured more than 4 million newly hardened apps, of which 7.2% were malicious apps and 16% were unofficial apps with advertising plug-ins. Black production constantly improves its evasion ("no-kill") technology for malicious code: through automated evasion tools, dynamic loading of payloads, cloud-control instructions that trigger malicious behaviour and other means, it produces large numbers of 0Day viruses that bypass antivirus engine detection, posing no small challenge to the traditional anti-virus engine.

At Black Hat USA 2017, AVPASS was unveiled: an automated anti-antivirus tool that lets any hacker quickly build large numbers of Android viruses that evade traditional malware detection. Experiments show that the detection rate of traditional anti-virus engines against viruses mass-produced with the AVPASS tool is only 5.8%.

In addition, the Tencent security team has also observed large numbers of 0Day virus applications that deliver malicious code precisely through cloud control and so avoid broad-scale detection: they infect large numbers of users while evading anti-virus software, and trigger the malicious code with precision.

In 2017 the Tencent security team detected a phenomenon: VirtualApp technology is widely used by black production. VirtualApp (VA for short) is an app virtualisation engine. An APK running inside VA does not need to be installed on the system; that is, VA supports running an APK without installation.

According to the Tencent security team's monitoring, 44.01% of applications using VA technology are risk applications, 1.85% are virus applications and only 8.86% are secure applications.

1.3 Enterprise-style black-production crime intensifies the security confrontation on Android terminals

In 2017 the Tencent security team found a large number of "underground undercurrent" series viruses. This series earns advertising fees by secretly pushing large numbers of apps without the user's knowledge. Most of the pushed apps are mainstream promoted applications (which invest large advertising budgets in promotion) and malicious applications.

By the time the Tencent security team first detected and killed this series, nearly 10 million users had been infected and had suffered privacy leakage, fee consumption and other threats. Black production is gradually completing its own reshuffle and upgrade, and its crime is becoming more enterprise-like and high-tech; the traditional anti-virus engine urgently needs to improve its real-time detection and response capability against 0Day viruses.

Uncovering GhostFramework, the backdoor that controls millions of "chickens" (zombie devices)

In September, Tencent's security anti-fraud laboratory found that a malicious backdoor program, GhostFramework, had infected nearly 2 million mobile phone users. The infected phone becomes a "chicken" (zombie device) that executes control commands issued from the cloud by GhostFramework to perform three kinds of malicious act:

  1. Click fraud ("brushing") against advertising platforms such as Baidu Search, 360 Search and Tmall, through simulated ad clicks, simulated searches, simulated form filling, downloads and other operations
  2. Playing malicious promotional ads on the phone
  3. Installing unknown apps on the phone

By analysing clues from the backdoor, the Tencent security team found that GhostFramework infections are highly clustered geographically: most infected users are in Zhejiang province, mainly in Ningbo, Hangzhou, Wenzhou, Taizhou, Jinhua and Jiaxing. Taking all the information together, the team speculates that the channel reaching these users is mainly offline mobile-phone business halls.

Magiclamp family of ad viruses: advertising "moss" that infests app markets

Coincidentally, in November 2017 Tencent's security anti-fraud laboratory monitored a black gang developing a viral SDK with evasion ("no-kill") functionality. This advertising virus, named Magiclamp, was implanted into large numbers of applications through cooperation with developers, repackaging and other means, and was downloaded and installed by users through application markets, software download sites and other channels. Its main harm is malicious advertising promotion to the user, by which it profits.

Underground undercurrent series: the TigerEyeing virus uses cloud control to promote thousands of applications

In December 2017, Tencent's security anti-fraud laboratory, using the AI engine it had developed (the Tencent TRP-AI anti-virus engine), detected among massive samples a backdoor virus family, TigerEyeing, which uses the open-source plug-in framework DroidPlugin to deliver malicious plug-ins dynamically: a list of malicious plug-ins is configured in the cloud to carry out malicious application promotion and rogue advertising.

Through AI clustering and association, TigerEyeing was found to spread mainly in the following ways: through root viruses such as games and pseudo-pornographic applications; through injection into the system ROM, disguised as a system application; and through promotion via offline channels.

1.4 Lock-screen ransomware has become a "hacker" subculture, leading teenagers astray

Although in 2017 the number of Android ransomware samples and infected users did not reach a frightening level, its social impact is very bad.

Studying the developers behind the ransomware samples shows that they set up QQ groups, interest groups and "tribes". On the one hand, the QQ group serves as the channel for collecting the unlock ransom; on the other, within the same group they sell lock-screen malware source code, tutorials, plug-ins and teaching videos via Baidu Cloud and Tieba (Baidu Post Bar), spreading the ransomware further.

After victims join the group they are often tempted to become black-production "downline" agents, using the tutorials peddled in the group to launch a second attack on others and turning into "novice hackers", which further expands the spread of the virus and has a bad influence. Students born in the 2000s and 1990s are the main targets of this temptation. Teenagers often feel that "hackers" are cool and ransomware is "cool", and turn to the producers to learn from them and become the next virus makers.

The mobile ransomware currently spreading in the market is very immature both in its development and in the technology needed to detect and kill it, and the infected population is also very limited. However, the "hacker" subculture it has formed seriously misleads the values and morals of teenagers, luring a group of them into blackmailing others and showing off "hacker" technology, which has had an extremely bad social influence.

1.5 Commercial spyware is rampant, posing a serious threat to enterprises and national security

Mobile smart terminals have become an essential part of people's life and work, and mobile office work has been accepted and gradually implemented by more and more Internet companies. Attackers are also targeting employees' mobile devices.

In April 2017 Kaspersky revealed Pegasus, a commercial spyware that runs on both iOS and Android. Created by NSO Group, an Israeli spyware company, Pegasus uses three iOS 0Day exploits to silently jailbreak target devices and monitor them: reading text messages and email, listening to phone calls, capturing screens, recording keystrokes, and stealing browser history and contacts. On Android devices it uses Framaroot to obtain root permissions and monitor the target device around the clock.

In December 2017 security researchers at Trend Micro discovered a new type of mobile malware called "GnatSpy", which their analysis speculated was linked to the notorious threat group APT-C-23 ("Double-tailed Scorpion"). The researchers believe GnatSpy is a variant of the VAMP mobile malware commonly used by Double-tailed Scorpion, and more dangerous than VAMP. From May 2016 to March 2017 the Double-tailed Scorpion group targeted the Middle East, carrying out organised, planned, targeted and long-running attacks on Palestinian educational institutions, military institutions and other important sectors; its attack platforms were mainly Windows and Android.

Commercial spyware usually has a higher technical level, a longer development cycle and more complete espionage functions, and its customers are often commercial or even national spies. Attackers are often willing to pay high software costs to use commercial spyware for espionage between enterprises, organisations and even countries.

As more and more mobile devices are connected to enterprise office networks and even intranets, and since mobile devices rarely allow a clear boundary between employees' personal life and office work, more commercial and even national APT activities use mobile devices as their entry point.

Facing rampant commercial spyware, enterprises, key institutions and even government departments urgently need more complete, effective and secure anti-APT security solutions.

2. The next generation of anti-virus engine is imperative

With the widespread use of evasion ("no-kill"), hardening, dynamic loading and similar techniques, together with the enterprise-style, entrepreneurial operation of black production designed to avoid detection by security vendors, malicious code is now often delivered in a timed, targeted, cloud-controlled and distributed manner; after executing its malicious behaviour it lies dormant waiting for the next instruction (or even deletes itself).

Traditional anti-virus engine solutions are increasingly inadequate: problems such as increasingly untimely response, difficulty in stopping losses in time and the discovery of 0Day viruses confront anti-virus engine operators. Security vendors urgently need new technologies or solutions to overcome the current anti-virus dilemma.

2.1 Difficulties of traditional antivirus engines

The workflow of a traditional antivirus engine is as follows:

As the figure above shows, for a traditional antivirus engine to detect and kill a virus it must first obtain virus samples through active or passive collection (web crawlers, honeypots, sample exchange within the industry, user reports and so on); then use its existing security operations and systems to carry out detailed reverse analysis of the sample code and dynamic behaviour analysis; and only after learning the operating mechanism and working principle of the virus can security personnel extract signatures or set antivirus policies and deliver them to the engine's signature database. Only then can the traditional antivirus engine detect and kill the virus.

Most AV engines use a cloud-lookup mode to optimise this process and reduce the response time. However, cloud lookup only shortens the response time of the same traditional process as far as possible; the process itself, and its window, remain.

And as virus evasion technology improves, the use of automation tools, evasion, dynamic loading and cloud-delivery techniques makes "zero-day" virus samples increasingly difficult to capture (long capture cycles, few capture channels) and strongly resistant to reverse and dynamic analysis, so that the traditional antivirus engine now faces difficult capture and high analysis cost. The traditional anti-virus engine is at a disadvantage in manpower, terminal privileges and attack-and-defence tactics; this is the anti-virus engine dilemma that security vendors urgently need to solve.

(The attacker has a natural advantage: the attacker can probe from any entry point and by any means to find a single weak spot to attack the defender, while the defender must consider every aspect, and any negligence will be seized upon by the attacker.)

2.2 Next-generation engine: real-time behaviour detection, anti-evasion and real-time response

Through its current enterprise-style crime and its use of mature automation, dynamic distributed loading and even evasion and VA technology, black production improves the ability of malicious code to stay hidden and extends the response window of the traditional antivirus engine; within that window it quickly infects large numbers of users, remotely controls user terminal devices through multiple channels, and cashes out quickly in multiple ways.

The next-generation antivirus engine will use technical means to make up for the inadequacy of the traditional engine: through real-time sensitive-behaviour detection technology it monitors the sensitive background operations of unknown applications in real time and, combined with a knowledge base of known virus behaviours, tracks and predicts the actions of the virus, so as to monitor, predict, perceive and block the malicious operations of unknown applications.

Through real-time behaviour detection technology, the next-generation anti-virus engine must be able to monitor and block in real time the malicious behaviour of 0Day viruses, automatically evasion-processed viruses and dynamically delivered and loaded viruses, protecting user terminal security with a 0-second response time.

2.3 Next-generation engine: AI anti-virus, more intelligent and better generalised

2017 was definitely a boom year for AI. At present AI technology has made great achievements in voice, image, human-computer interaction and other fields, and AI has even been "effectively" applied by black production: the largest CAPTCHA-solving ("coding") platform in China, Kuaiah Answer, uses AI to crack login verification codes.

On mobile Internet terminals AI is also developing rapidly:

  1. Android 8.1 Neural Networks API supports TensorFlow and Caffe2
  2. 2017-12-7: Huawei's Kirin 970 chip launches with an AI computing unit (NPU)
  3. 2018 Q1: MediaTek and Samsung are also about to launch AI chips

As more and more terminal devices support AI computing, AI will be used more and more widely in image recognition, speech recognition, natural language processing and other scenarios on terminal devices.

At the same time, the next-generation antivirus engine will also apply AI to terminal security scenarios, using AI technology to fight viruses more intelligently. Through deep learning, the next-generation engine will maintain continuous self-learning and self-adaptation, automatically and intelligently follow the evolution of virus behaviour, and predict, identify and block virus behaviour faster.

3. Tencent TRP-AI anti-virus engine solution

The response time of the conventional engine has become a window of opportunity for malicious code: large amounts of malicious code use automated evasion, hardening and dynamic distributed loading to bypass antivirus engine detection, receive cloud-control instructions, and do their evil in the blank window before the traditional antivirus engine responds. The longer that window, the greater the damage to users.

Although mature cloud antivirus technology can shorten the window, the window still exists, which requires security vendors to upgrade the antivirus engine into a more intelligent engine that provides real-time response, strong anti-evasion technology and no dependence on a sample database.

To cope with the severe security challenges of the future, the Tencent security team has independently developed an AI anti-virus engine, the Tencent TRP-AI anti-virus engine, in coordination with Tencent's highly mature AI technology and based on the independent computing capacity of AI chips. Through deep learning of application behaviour by mature AI technology, coordinated with the behaviour-monitoring ability of the system layer, the independent and efficient computing capability of AI chips and the traditional security engine, it effectively resolves the security risks posed by unknown applications, identifies and blocks malicious behaviour in real time, and achieves real-time terminal security protection with low power consumption and high intelligence.

3.1 Introduction to Tencent TRP-AI anti-virus engine architecture

The Tencent TRP-AI anti-virus engine is an AI anti-virus engine built for real-time behaviour monitoring, strong anti-evasion technology and deep learning, based on Tencent AI Lab's advanced research into AI application scenarios and the Tencent security team's long experience in detecting and fighting malicious code on the Android platform.

With simple integration, the Tencent TRP-AI anti-virus engine monitors sensitive application behaviour through hook (instrumentation) points in the framework layer, desensitises the behaviour data and assembles it into a behaviour sequence; Tencent's advanced AI anti-virus model then performs independent, secure anti-virus detection on the computing power of the AI chip to determine whether the application's behaviour is malicious. The front end displays the result and interacts with the user through the security application, blocking the malicious behaviour and uninstalling the malicious application in a timely manner, thus providing real-time security protection for the user.

In the cloud, large clusters are built for sandbox construction, behaviour extraction from massive samples, deep learning and real-time training, generating the latest AI model to keep the front-end user's AI engine up to date. At the same time, to reduce the computing pressure on terminal devices, the Tencent TRP-AI anti-virus engine also supports a secure cloud-lookup service for behaviour vectors, using the computing capacity of the cloud cluster to ensure real-time response and low computing pressure on the front end.

The Tencent TRP-AI anti-virus engine has the following features:

  1. Real-time monitoring of terminal behaviour, accurately detecting and killing latent Trojans to prevent privacy theft
  2. AI model trained in the cloud; detection on the terminal with the help of the AI chip
  3. Neural-network-based AI model with low CPU consumption, low latency and low data usage
  4. Fully automated training process, greatly reducing operating cost and greatly shortening the cycle for discovering unknown viruses
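The behaviour-sequence pipeline sketched in 2.2 and 3.1 (framework-layer hook events, desensitised into a sequence, compared against a knowledge base of known virus behaviour, blocked in real time) can be illustrated with a small detector. The code below is an added example written for this page; it is not Tencent's TRP-AI engine or SDK. The API names, the two-family knowledge base, the event streams and the 0.6 threshold are all constructed for illustration; a real engine would replace the bigram-coverage score with a trained model.

```python
"""Added example, not Tencent's code: a toy real-time behaviour-sequence
detector in the spirit of sections 2.2 and 3.1. Framework-layer hook events
are desensitised into a behaviour sequence, matched against a small knowledge
base of known malicious behaviour patterns, and the app is blocked as soon as
its score crosses a threshold. All names, streams and thresholds are made up."""
from typing import Dict, List, Optional, Set, Tuple

# Sensitive framework-layer APIs a hook point might report (illustrative).
SENSITIVE_APIS = {
    "READ_SMS", "READ_CONTACTS", "GET_LOCATION", "HTTP_POST", "LOAD_DEX",
    "START_SERVICE", "SIMULATE_CLICK", "INSTALL_PACKAGE", "DELETE_SELF",
}

# Constructed knowledge base: each family is characterised by API bigrams,
# loosely modelled on behaviours the report describes (cloud-controlled
# plugin loading with ad fraud; data theft followed by self-deletion).
KNOWLEDGE_BASE: Dict[str, Set[Tuple[str, str]]] = {
    "cloud-control-adfraud": {
        ("HTTP_POST", "LOAD_DEX"), ("LOAD_DEX", "START_SERVICE"),
        ("START_SERVICE", "SIMULATE_CLICK"),
        ("SIMULATE_CLICK", "SIMULATE_CLICK"),
        ("SIMULATE_CLICK", "INSTALL_PACKAGE"),
    },
    "data-stealer": {
        ("READ_CONTACTS", "READ_SMS"), ("READ_SMS", "HTTP_POST"),
        ("HTTP_POST", "DELETE_SELF"),
    },
}


def desensitise(raw_event: str) -> Optional[str]:
    """Map a raw hook event "API|detail" to a behaviour token.
    The detail (URL, content URI, file path) may contain user data, so it
    never enters the sequence; only the API name does. Events for
    non-sensitive APIs are dropped as noise."""
    api, _, _detail = raw_event.partition("|")
    return api if api in SENSITIVE_APIS else None


class BehaviourDetector:
    """Consumes hook events one at a time and scores the running sequence."""

    def __init__(self, kb: Dict[str, Set[Tuple[str, str]]]):
        self.kb = kb
        self.sequence: List[str] = []
        self.seen: Set[Tuple[str, str]] = set()

    def feed(self, raw_event: str) -> Tuple[Optional[str], float]:
        """Add one event and return (best-matching family, coverage score).
        Coverage is the fraction of a family's characteristic bigrams the
        sequence has exhibited so far, so the score rises as the app works
        through a known malicious behaviour chain."""
        token = desensitise(raw_event)
        if token is not None:
            self.sequence.append(token)
            if len(self.sequence) >= 2:
                self.seen.add((self.sequence[-2], self.sequence[-1]))
        return self.best()

    def best(self) -> Tuple[Optional[str], float]:
        family, score = None, 0.0
        for name, patterns in self.kb.items():
            coverage = len(patterns & self.seen) / len(patterns)
            if coverage > score:
                family, score = name, coverage
        return family, score


def scan(events: List[str], threshold: float = 0.6) -> dict:
    """Run the detector over an event stream, stopping at the first block.
    A hook reports before the API call executes, so a block at event i
    means that call is denied and nothing after it runs."""
    det = BehaviourDetector(KNOWLEDGE_BASE)
    for index, event in enumerate(events, start=1):
        family, score = det.feed(event)
        if score >= threshold:
            return {"blocked": True, "family": family, "score": score,
                    "at_event": index, "sequence": list(det.sequence)}
    family, score = det.best()
    return {"blocked": False, "family": family, "score": score,
            "at_event": None, "sequence": list(det.sequence)}


# Constructed event streams standing in for framework-layer hook output.
BENIGN_WEATHER_APP = ["GET_LOCATION|gps", "HTTP_POST|https://api.weather.example",
                      "UI_DRAW|map", "HTTP_POST|https://api.weather.example"]
ADFRAUD_APP = ["START_SERVICE|bg", "HTTP_POST|http://c2.example/cfg",
               "LOAD_DEX|/data/data/app/plugin.dex", "START_SERVICE|plugin",
               "SIMULATE_CLICK|ad-1",  # blocked here: 3 of 5 bigrams seen
               "SIMULATE_CLICK|ad-2", "INSTALL_PACKAGE|promo.apk"]
STEALER_APP = ["READ_CONTACTS|content://contacts", "READ_SMS|content://sms",
               "HTTP_POST|http://drop.example/up",  # blocked: upload denied
               "DELETE_SELF|pkg"]

if __name__ == "__main__":
    for name, stream in [("weather", BENIGN_WEATHER_APP),
                         ("adfraud", ADFRAUD_APP), ("stealer", STEALER_APP)]:
        print(name, scan(stream))
```

The point the example makes is the one the report makes about the response window: the ad-fraud stream is stopped at the first simulated click, before the clicks repeat and the promoted package is installed, and the stealer stream is stopped at the upload itself, so the data never leaves the device and the self-deletion never runs. Because the detail field is discarded at the hook, the behaviour sequence that would be sent to a cloud lookup carries no URLs, URIs or paths from the user's device.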

3.2 Tencent TRP-AI anti-virus engine integration scheme and detection effect

The integration workload of the Tencent TRP-AI anti-virus engine is small. Tencent provides the partner with a complete list of hook points and an SDK interface description; the partner's (OEM's) developers only need to follow the list to add the hook points in the framework layer and connect them to the AI engine. All other components are provided by Tencent in the form of an SDK.

Compared with traditional engines, the Tencent TRP-AI anti-virus engine has the advantages of anti-evasion, high performance, real-time protection and detection of 0Day viruses. Its test data are as follows:

  1. Virus detection coverage: 90%
  2. Virus detection accuracy: 98%
  3. Increase in virus detection capability: 8%
  4. Increase in virus detection speed: 12%
  5. Rate of virus detection faster than virus transmission: 92%
  6. Detection takes 30 ms, far below the 100 to 200 ms average performance consumption of a traditional engine
  7. No impact on device experience

About Tencent Security Anti-Fraud Laboratory

Tencent Security Anti-Fraud Laboratory is one of the Tencent Security Joint Laboratories, China's first security laboratory matrix. Together with Keen Security Lab, Zhanlu Lab, Xuanwu Lab, Yunding Lab, the Anti-Virus Lab and the Mobile Security Lab, it forms a system of security solutions focused on security technology research and the construction of a security defence system, with security protection covering six key Internet areas: connectivity, system, application, information, equipment and cloud.

Among them, Tencent Royal Security focuses on application security services for individual and enterprise mobile application developers. It has a rich vulnerability signature and virus library that fully covers known vulnerabilities and can scan for 99% of application vulnerability risks; in addition, its application hardening service provides anti-tamper, anti-reverse-engineering and anti-debugging functions, and once a hardened application is released it effectively prevents the application from being repackaged and attacked.

As a joint industry research centre based on big-data methods, building an innovative model of black-production analysis and blocking that covers terminal, pipeline and cloud, Tencent Security Anti-Fraud Laboratory currently protects network security with three core tools: the security cloud library, the intelligent anti-fraud engine and the anti-fraud expert think tank.

At the same time, Tencent Security Anti-Fraud Laboratory, adhering to openness, cooperation and sharing, continues to empower all sectors of society. In 2017 alone it entered strategic cooperation with the State Drug Administration, the State Administration for Industry and Commerce, the Beijing Municipal Finance Bureau and the Shenzhen Financial Office, jointly exploring a model of enterprise cooperation against black production, and created the Internet drug regulatory index data platform, the network pyramid-scheme situational-awareness platform and the big-data financial-safety regulation technology platform, assisting national government agencies in improving their regulatory capabilities in food and drug safety, anti-pyramid schemes, anti-financial fraud and other areas.

At the same time, to combat more effectively network crime that is becoming ever more "intelligent, industrialised and international", Tencent Security Anti-Fraud Laboratory has used around ten anti-fraud products, including network situational awareness, Eagle Eye and Kirin, to jointly establish an anti-fraud "intelligent brain" and build a whole-chain protection system. It plays a role in the key links before and during fraud and in case analysis, providing a comprehensive "artificial intelligence + big data" anti-fraud system for the police and for financial, food and drug, communications and other regulatory departments.