Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1109/sp.2012.16

2012-01-01

Abstract:The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.

Chiachih Wu,Yajin Zhou,Kunal Patel,Zhenkai Liang,Xuxian Jiang

DOI: https://doi.org/10.14722/ndss.2014.23164

2014-01-01

Abstract:Recent years have experienced explosive growth of smartphone sales. Inevitably, the rise in the popularity of smartphones also makes them an attractive target for attacks. In light of these threats, current mobile platform providers have developed various server-side vetting processes to block malicious applications (“apps”). While helpful, they are still far from ideal in achieving their goals. To make matters worse, the presence of alternative (less-regulated) mobile marketplaces also opens up new attack vectors, which necessitate client-side solutions (e.g., mobile anti-virus software) to run on mobile devices. However, existing client-side solutions still exhibit limitations in their capability or deployability. In this paper, we present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost our defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel and the fact that untrusted apps will be eventually installed onto users’ phones, AirBag is designed to isolate and prevent them from infecting our normal systems (e.g., corrupting the phone firmware) or stealthily leaking private information. More specifically, by dynamically creating an isolated runtime environment with its own dedicated namespace and virtualized system resources, AirBag not only allows for transparent execution of untrusted apps, but also effectively mediates their access to various system resources or phone functionalities (e.g., SMSs or phone calls). We have implemented a proof-of-concept prototype on three representative mobile devices, i.e., Google Nexus One, Nexus 7, and Samsung Galaxy S III. The evaluation results with a number of untrusted apps, including real-world mobile malware, demonstrate its practicality and effectiveness.

Michael C. Grace,Yajin Zhou,Qiang Zhang,Shihong Zou,Xuxian Jiang

DOI: https://doi.org/10.1145/2307636.2307663

2012-01-01

Abstract:ABSTRACTSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

Yajin Zhou,Zhi Wang,Wu Zhou,Xuxian Jiang

2012-01-01

Abstract:In this paper, we present a systematic study for the detection of malicious applications (or apps) on popular Android Markets. To this end, we first propose a permissionbased behavioral footprinting scheme to detect new samples of known Android malware families. Then we apply a heuristics-based filtering scheme to identify certain inherent behaviors of unknown malicious families. We implemented both schemes in a system called DroidRanger. The experiments with 204, 040 apps collected from five different Android Markets in May-June 2011 reveal 211 malicious ones: 32 from the official Android Market (0.02% infection rate) and 179 from alternative marketplaces (infection rates ranging from 0.20% to 0.47%). Among those malicious apps, our system also uncovered two zero-day malware (in 40 apps): one from the official Android Market and the other from alternative marketplaces. The results show that current marketplaces are functional and relatively healthy. However, there is also a clear need for a rigorous policing process, especially for non-regulated alternative marketplaces.

Michael C. Grace,Yajin Zhou,Zhi Wang,Xuxian Jiang

2012-01-01

Abstract:Recent years have witnessed a meteoric increase in the adoption of smartphones. To manage information and features on such phones, Android provides a permission-based security model that requires each application to explicitly request permissions before it can be installed to run. In this paper, we analyze eight popular Android smartphones and discover that the stock phone images do not properly enforce the permission model. Several privileged permissions are unsafely exposed to other applications which do not need to request them for the actual use. To identify these leaked permissions or capabilities, we have developed a tool called Woodpecker. Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones – all without asking for any permission.

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Zia Muhammad,Faisal Amjad,Zafar Iqbal,Abdul Rehman Javed,Thippa Reddy Gadekallu

DOI: https://doi.org/10.1007/s12652-023-04535-7

IF: 3.662

2023-01-28

Journal of Ambient Intelligence and Humanized Computing

Abstract:Today digital technologies are evolving to accommodate small businesses and young entrepreneurs by reducing their time-to-market while encouraging rapid innovation in mobile, Extended Reality (XR), Internet of Things (IoT), cloud, and edge devices. The leading operating system Android typically takes one to a few days to perform application vetting and go to production by leveraging code analysis technologies in their Play Protect anti-malware program. However, developers with malicious intent are looking to circumvent this detection mechanism by exploiting Google’s relatively lenient trust policies that allow for package distribution and feature updates. This paper develops a proof-of-concept malware that exploits customers’ trust and Google’s policies to circumvent popular voice search applications. Our results show that attackers can initially circumvent Play Protect by uploading benign applications to build trust and then add malicious feature updates incrementally to distribute highly intrusive malware into user systems. This malware can scan and collect private user data from the device and exfiltrate it to the command-and-control server. The contributions are three-fold. (1) A proof-of-concept stealthy malware and publishing mechanism has developed that highlights the relative ease with which Google Play Protect policies may be subverted. (2) a comprehensive evaluation has been performed using major publicly available anti-malware solutions. (3) Recommendations and policies have been suggested to prevent this attack and ensure users’ privacy concerns (IMUTA is a novel attack in which malicious functionality is slowly added to a benign application through updates. This attack evades malware detection tools and exploits user trust. The attack can be launched against any application distribution platform like the Play Store).

computer science, information systems,telecommunications, artificial intelligence

Tao Wei,Yulong Zhang,Hui Xue,Min Zheng,Chuangang Ren,Dawn Song

2014-01-01

Abstract:By 2014, the number of Android users has grown to 1.1 billion and the number of Android devices has reached 1.9 billion [1]. At the same time, enterprises are also embracing Android based Bring Your Own Device (BYOD) solutions. For example, in Intel’s BYOD program, there are over 20,000 Android devices across over 800 combinations of Android versions and hardware configurations [2].Although Google Play has little malware, there are many vulnerabilities in Android apps and the Android system itself. Aggressive ad libraries also leak the user’s private information. By combining altogether, an attacker can conduct more targeted attacks, which we call “Sidewinder Targeted Attacks”. In this paper, we explain the security risks from such attacks, in which an attacker can intercept private information like GPS location uploaded from ad libraries and use that information to precisely locate targeted areas such as a CEO’s office or some specific conference rooms. When the target is identified,“Sidewinder Targeted Attack” exploits popular vulnerabilities in ad libraries, such as Javascript-bindingover-HTTP or dynamic-loading-over-HTTP, etc. It is a well-known challenge for an attacker to call Android services from injected native code which doesn’t have Android application context. We explain how attackers can invoke Android services for tasks such as taking photos, calling phone numbers, sending SMS, reading/writing the clipboard, etc. Furthermore, the attackers can exploit several Android vulnerabilities to get valuable private information or to launch more advanced attacks. Finally, we show that this threat is not only real but also prevalent due to …

Sun Pu,Chen Sen,Fan Lingling,Gao Pengfei,Song Fu,Yang Min

DOI: https://doi.org/10.1007/s11704-021-1126-x

IF: 2.6688

2022-01-01

Frontiers of Computer Science

Abstract:Activity hijacking is one of the most powerful attacks in Android.Though promising,all the prior activity hijacking attacks suffer from some limitations and have limited attack capabilities.They no longer pose security threats in recent Android due to the presence of effective defense mecha-nisms.In this work,we propose the first automated and adap-tive activity hijacking attack,named VenomAttack,enabling a spectrum of customized attacks(e.g.,phishing,spoofing,and DoS)on a large scale in recent Android,even the state-of-the-art defense mechanisms are deployed.Specifically,we propose to use hotpatch techniques to identify vulnerable devices and update attack payload without re-installation and re-distribu-tion,hence bypassing offline detection.We present a newly-discovered flaw in Android and a bug in derivatives of Android,each of which allows us to check if a target app is running in the background or not,by which we can determine the right attack timing via a designed transparent activity.We also propose an automated fake activity generation approach,allowing large-scale attacks.Requiring only the common permission INTERNET,we can hijack activities at the right timing without destroying the GUI integrity of the foreground app.We conduct proof-of-concept attacks,showing that VenomAttack poses severe security risks on recent Android versions.The user study demonstrates the effectiveness of VenomAttack in real-world scenarios,achieving a high success rate(95％)without users'awareness.That would call more attention to the stakeholders like Google.

Min Huang,Kai Bu,Hanlin Wang,Kaiwen Zhu

DOI: https://doi.org/10.1109/cyberc.2016.14

2016-01-01

Abstract:Malware has started grabbing its undeserved share long before the blossom of Android ecosystem. Injected with malware, malicious applications (apps) may threat users in various ways like financial charges and information stealing. When the severity of a deluge of malware was first noticed, malware detectors delivered unsatisfactory detection accuracy, which further degenerated upon simple transformation of malicious apps. Now years later, we are eager to re-examine the robustness of malware detectors. A surprisingly disappointed finding is that even known malicious apps can evade quite a few detectors. We also find that repackaging with extracted exploitable code instead of readily available malware samples can evade more signature-based detectors. Furthermore, we find Android OS features of Service and Broadcast exploitable to enable malicious apps stealthily active on phones. We implement all these findings through DroidRide, a framework toward making Android malware less catchable to detectors and more active on phones. Our prototype based on two example apps-AndroRAT and MIUI Notes-demonstrates DroidRide's effectiveness in malware evasion. Toward defending against DroidRide alike evasion, we further suggest feasible design enhancements of malware detectors and Android OS.

Harel Berger,Chen Hajaj,Amit Dvir

DOI: https://doi.org/10.48550/arXiv.2205.14576

2022-06-21

Abstract:Android is the most popular OS worldwide. Therefore, it is a target for various kinds of malware. As a countermeasure, the security community works day and night to develop appropriate Android malware detection systems, with ML-based or DL-based systems considered as some of the most common types. Against these detection systems, intelligent adversaries develop a wide set of evasion attacks, in which an attacker slightly modifies a malware sample to evade its target detection system. In this survey, we address problem-space evasion attacks in the Android OS, where attackers manipulate actual APKs, rather than their extracted feature vector. We aim to explore this kind of attacks, frequently overlooked by the research community due to a lack of knowledge of the Android domain, or due to focusing on general mathematical evasion attacks - i.e., feature-space evasion attacks. We discuss the different aspects of problem-space evasion attacks, using a new taxonomy, which focuses on key ingredients of each problem-space attack, such as the attacker model, the attacker's mode of operation, and the functional assessment of post-attack applications.

Cryptography and Security

A. Shabtai,Y. Fledel,U. Kanonov,Y. Elovici,S. Dolev

DOI: https://doi.org/10.48550/arXiv.0912.5101

2009-12-27

Cryptography and Security

Abstract:Google's Android is a comprehensive software framework for mobile communication devices (i.e., smartphones, PDAs). The Android framework includes an operating system, middleware and a set of key applications. The incorporation of integrated access services to the Internet on such mobile devices, however, increases their exposure to damages inflicted by various types of malware. This paper provides a comprehensive security assessment of the Android framework and the security mechanisms incorporated into it. A methodological qualitative risk analysis that we conducted identifies the high-risk threats to the framework and any potential danger to information or to the system resulting from vulnerabilities that have been uncovered and exploited. Our review of current academic and commercial solutions in the area of smartphone security yields a list of applied and recommended defense mechanisms for hardening mobile devices in general and the Android in particular. Lastly, we present five major (high-risk) threats to the Android framework and propose security solutions to mitigate them. We conclude by proposing a set of security mechanisms that should be explored and introduced into Android-powered devices.

Yibing Zhongyang,Zhi Xin,Bing Mao,Li Xie

DOI: https://doi.org/10.1145/2484313.2484359

2013-01-01

Abstract:ABSTRACTSince smartphones have stored diverse sensitive privacy information, including credit card and so on, a great deal of malware are desired to tamper them. As one of the most prevalent platforms, Android contains sensitive resources that can only be accessed via corresponding APIs, and the APIs can be invoked only when user has authorized permissions in the Android permission model. However, a novel threat called privilege escalation attack may bypass this watchdog. It's presented as that an application with less permissions can access sensitive resources through public interfaces of a more privileged application, which is especially useful for malware to hide sensitive functions by dispersing them into multiple programs. We explore privilege-escalation malware evolution techniques on samples from Android Malware Genome Project. And they have showed great effectiveness against a set of powerful antivirus tools provided by VirusTotal. The detection ratios present different and distinguished reduction, compared to an average 61% detection ratio before transformation. In order to conquer this threat model, we have developed a tool called DroidAlarm to conduct a full-spectrum analysis for identifying potential capability leaks and present concrete capability leak paths by static analysis on Android applications. And we can still alarm all these cases by exposing capability leak paths in them.

Lei Zhang,Zhemin Yang,Yuyu He,Mingqi Li,Sen Yang,Min Yang,Yuan Zhang,Zhiyun Qian

DOI: https://doi.org/10.1145/3322205.3311088

2019-01-01

ACM SIGMETRICS Performance Evaluation Review

Abstract:Customizability is a key feature of the Android operating system that differentiates it from Apple's iOS. One concrete feature that gaining popularity is called "app virtualization''. This feature allows multiple copies of the same app to be installed and opened simultaneously (e.g., with multiple accounts logged in). Virtualization frameworks are used by more than 100 million users worldwide. As with any new system features, we are interested in two aspects: (1) whether the feature itself introduces security risks and (2) whether the feature is abused for unintended purposes. This paper conducts a systematic study on the two aspects of the app virtualization techniques. With a thorough study of 32 popular virtualization frameworks from Google Play, we identify seven areas of potential attack vectors and find that most of the frameworks are susceptible to them. By deeply investigating their ecosystem, we show, with demonstrations, that attackers can easily distribute malware that takes advantage of these attack vectors. In addition, we show that the same virtualization techniques are also abused by malware as an alternative and easy-to-use repackaging mechanism. To this end, we design and implement a new app repackage detector. After scanning 250,145 apps from app markets, it finds 164 repackaged apps that attempt to steal user credentials and private data.

Marco Alecci,Riccardo Cestaro,Mauro Conti,Ketan Kanishka,Eleonora Losiouk

DOI: https://doi.org/10.48550/arXiv.2010.10639

2020-10-20

Cryptography and Security

Abstract:Android virtualization enables an app to create a virtual environment, in which other apps can run. Originally designed to overcome the limitations of mobile apps dimensions, malicious developers soon started exploiting this technique to design novel attacks. As a consequence, researchers proposed new defence mechanisms that enable apps to detect whether they are running in a virtual environment. In this paper, we propose Mascara, the first attack that exploits the virtualization technique in a new way, achieving the full feasibility against any Android app and proving the ineffectiveness of existing countermeasures. Mascara is executed by a malicious app, that looks like the add-on of the victim app. As for any other add-on, our malicious one can be installed as a standard Android app, but, after the installation, it launches Mascara against the victim app. The malicious add-on is generated by Mascarer, the framework we designed and developed to automate the whole process. Concerning Mascara, we evaluated its effectiveness against three popular apps (i.e., Telegram, Amazon Music and Alamo) and its capability to bypass existing mechanisms for virtual environments detection. We analyzed the efficiency of our attack by measuring the overhead introduced at runtime by the virtualization technique and the compilation time required by Mascarer to generate 100 malicious add-ons (i.e., less than 10 sec). Finally, we designed a robust approach that detects virtual environments by inspecting the fields values of ArtMethod data structures in the Android Runtime (ART) environment.

Saket Acharya,Umashankar Rawat,Roheet Bhatnagar

DOI: https://doi.org/10.1155/2022/7775917

IF: 1.968

2022-06-30

Security and Communication Networks

Abstract:The popularity and open-source nature of Android devices have resulted in a dramatic growth of Android malware. Malware developers are also able to evade the detection methods, reducing the efficiency of malware detection techniques. It is hence desirable that security researchers and experts come up with novel and more efficient methods to analyze existing and zero-day Android malware. Most of the researchers have focused on Android system security. However, to examine Android security, with a specific focus on malware development, investigation of malware prevention techniques and already known malware detection techniques needs a broad inclusion. To overcome the research gaps, this paper provides a broad review of current Android security concerns, security implementation enhancements, significant malware detected during 2017–2021, and stealth procedures used by the malware developers along with the current Android malware detection techniques. A comparative analysis is presented between this article and similar recent survey articles to fill the existing research gaps. In the end, a three-phase model is proposed to efficiently identify and characterize Android malware. In the first phase, a lightweight deep transfer learning approach is used to classify Android applications into benign and malicious. In the second phase, the malicious applications are executed in a virtual emulator to reduce the number of false positives. Finally, the malicious applications having the same characteristic ratio are grouped into their corresponding families using the topic modelling approach. The proposed model can efficiently detect, characterize, and provide a familial classification of Android malware with a good accuracy rate.

computer science, information systems,telecommunications

Yingbo Li,Jing Fang,Cheng Liu,Mengrong Liu,ShaoHua Wu

DOI: https://doi.org/10.1109/iceiec.2015.7284546

2015-01-01

Abstract:With the increasing popularization of smart phones in life, malicious software targeting smart phones is emerging in an endless stream. As the phone system possessing the highest current market share, Android is facing a full-scale security challenge. This article focuses on analyzing the application of Dalvik injection technique in the detection of Android malware. Modify the system API (Application Program Interface) through Dalvik injection technique can detect the programs on an Android phone directly. Through the list of sensitive API called by malicious programs, eventually judge the target program as malicious or not.

Xiao Chen,Chaoran Li,Derui Wang,Sheng Wen,Jun Zhang,Surya Nepal,Yang Xiang,Kui Ren

DOI: https://doi.org/10.1109/TIFS.2019.2932228

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Machine learning based solutions have been successfully employed for automatic detection of malware on Android. However, machine learning models lack robustness to adversarial examples, which are crafted by adding carefully chosen perturbations to the normal inputs. So far, the adversarial examples can only deceive detectors that rely on syntactic features (e.g., requested permissions, API calls, etc), and the perturbations can only be implemented by simply modifying application's manifest. While recent Android malware detectors rely more on semantic features from Dalvik bytecode rather than manifest, existing attacking/defending methods are no longer effective. In this paper, we introduce a new attacking method that generates adversarial examples of Android malware and evades being detected by the current models. To this end, we propose a method of applying optimal perturbations onto Android APK that can successfully deceive the machine learning detectors. We develop an automated tool to generate the adversarial examples without human intervention. In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as control-flow-graph. The perturbations can also be implemented directly onto APK's Dalvik bytecode rather than Android manifest to evade from recent detectors. We demonstrate our attack on two state-of-the-art Android malware detection schemes, MaMaDroid and Drebin. Our results show that the malware detection rates decreased from 96 0

Yeonjoon Lee,Tongxin Li,Nan Zhang,Soteris Demetriou,Mingming Zha,XiaoFeng Wang,Kai Chen,Xiaoyong Zhou,Xinhui Han,Michael Grace

DOI: https://doi.org/10.1109/dsn.2017.33

2017-01-01

Abstract:Android allows developers to build apps with app installation functionality themselves with minimal restriction and support like any other functionalities. Given the critical importance of app installation, the security implications of the approach can be significant. This paper reports the first systematic study on this issue, focusing on the security guarantees of different steps of the App Installation Transaction (AIT). We demonstrate the serious consequences of leaving AIT development to individual developers: most installers (e.g., Amazon AppStore, DTIgnite, Baidu) are riddled with various security-critical loopholes, which can be exploited by attackers to silently install any apps, acquiring dangerous-level permissions or even unauthorized access to system resources. Surprisingly, vulnerabilities were found in all steps of AIT. The attacks we present, dubbed Ghost Installer Attack (GIA), are found to pose a realistic threat to Android ecosystem. Further, we developed both a user-app-level and a system-level defense that are innovative and practical.

Zhaoguo Wang,Chenglong Li,Yi Guan,Yibo Xue,Yingfei Dong

DOI: https://doi.org/10.1109/icccn.2016.7568487

2016-01-01

Abstract:As many malicious apps have been distributed in Android markets, it is urgent to fix the vulnerabilities exploited by these apps and develop effective mitigation methods. In this paper, we identify a common vulnerability in many Android apps. This vulnerability is rooted in an unprotected Android component, called "Activity". Utilizing this vulnerability, a malicious app can stealthily and cannily collect sensitive user data. To better understand this issue, we have built "ActivityHijacker", an app that can detect the right moment to hijack the Activity component and intercept a user's password while it is being inputted in real time. To assess the prevalence of this vulnerability, we further analyzed 8 Android OSs (version 2.x to 5.x) and 22 banking apps collected in January 2016 from various Android markets. Our results show that all these Android OSs and apps are susceptible to the vulnerability; 14 out of 22 banking apps can be hijacked without any prompts. We further present a mitigation mechanism that restricts the Activity component to authorized apps.