Resilient User-Side Android Application Repackaging and Tampering Detection Using Cryptographically Obfuscated Logic Bombs
Qiang Zeng,Lannan Luo,Zhiyun Qian,Xiaojiang Du,Zhoujun Li,Chin-Tser Huang,Csilla Farkas
DOI: https://doi.org/10.1109/tdsc.2019.2957787
2021-11-01
IEEE Transactions on Dependable and Secure Computing
Abstract: Application repackaging is a severe threat to Android users and the market. Not only does it infringe on intellectual property, but it is also one of the most common ways of propagating mobile malware. Existing countermeasures mostly detect repackaging based on app similarity measurement, which tends to be imprecise when obfuscations are applied to repackaged apps. Moreover, they rely on a central party, typically the hosting app store, to perform the detection, but many app stores fail to commit proper effort to piracy detection. We consider building the application repackaging detection capability into apps, such that user devices are used to detect repackaging in a decentralized fashion. The main challenge is how to protect the detection code from being manipulated by attacks. We propose a creative use of logic bombs, which are otherwise regularly used in malware. The trigger conditions of bombs are constructed to exploit the differences between the attacker and users, such that a bomb that lies dormant on the attacker side will be activated on the user side. The detection code, which is part of the bomb payload, is executed only if the bomb is activated. We introduce cryptographically obfuscated logic bombs to enhance the bomb: (1) the detection code is woven into the neighboring original app code, (2) the mixed code gets encrypted using a key, and (3) the key is deleted from the app and can only be derived when the bomb is activated. Thus, attacks that try to modify or delete the detection code will corrupt the app itself, and searching for the key in the application will be in vain. Moreover, we propose a bomb spraying technique that allows many bombs to be injected into an app, multiplying the needed adversary effort for bypassing the detection. In addition to repackaging detection, we present application tampering detection to fight attacks that insert malicious code into repackaged apps.
We have implemented a prototype, named BombDroid, that builds repackaging and tampering detection into apps through bytecode instrumentation. The evaluation and the security analysis show that the technique is effective, efficient, and resilient to various bomb analysis techniques including fuzzing, symbolic execution, multi-path exploration, and program slicing. Ethical issues due to the use of logic bombs are also discussed.
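The following added example (written for this page, not BombDroid's own code) models the three steps of a cryptographically obfuscated logic bomb from the abstract: the detection data is woven together with a piece of neighboring original code, the combined payload is encrypted, and the app keeps only a hash of the trigger value plus the ciphertext, so the key exists only when the runtime value that fires the trigger is present. The trigger value, the JSON payload layout, the HMAC-SHA256 counter-mode keystream (standing in for a real cipher), and the certificate digests are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import json

# Domain-separated SHA-256: one label hashes the trigger value for the
# comparison kept in the app, another derives the payload key from it.
def _h(tag: bytes, value: bytes) -> bytes:
    return hashlib.sha256(tag + b"|" + value).digest()

# HMAC-SHA256 in counter mode as a stand-in keystream (assumption; a real
# deployment would use AES or similar).
def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- Build-time (instrumentation) side ---------------------------------------

def plant_bomb(trigger_value: bytes, original_code: str, expected_cert_digest: str) -> dict:
    """Weave detection data (expected signing-cert digest) into a neighboring
    original statement, encrypt the mix, and discard the key and trigger value.
    Only H(trigger) and the ciphertext remain in the app."""
    payload = json.dumps({"code": original_code, "expected_cert": expected_cert_digest}).encode()
    # An inner integrity tag: any modification of the ciphertext is detected.
    plaintext = hashlib.sha256(payload).digest() + payload
    key = _h(b"key", trigger_value)
    return {
        "trigger_hash": _h(b"trigger", trigger_value),
        "ciphertext": _xor(plaintext, _keystream(key, len(plaintext))),
    }

# --- Runtime (user device) side ----------------------------------------------

def run_bomb(bomb: dict, observed_value: bytes, observed_cert_digest: str):
    """Returns (status, original_code). The bomb stays dormant unless the
    observed runtime value hashes to the stored trigger hash; only then can
    the key be derived and the woven code plus detection data be recovered."""
    if _h(b"trigger", observed_value) != bomb["trigger_hash"]:
        return ("dormant", None)
    key = _h(b"key", observed_value)
    plaintext = _xor(bomb["ciphertext"], _keystream(key, len(bomb["ciphertext"])))
    tag, payload = plaintext[:32], plaintext[32:]
    if not hmac.compare_digest(tag, hashlib.sha256(payload).digest()):
        # The encrypted block was edited: the original code woven into it
        # is lost along with the detection logic, as the abstract describes.
        return ("tampered", None)
    data = json.loads(payload.decode())
    if data["expected_cert"] != observed_cert_digest:
        return ("repackaged", data["code"])
    return ("ok", data["code"])

if __name__ == "__main__":
    # Constructed values: a usage-based trigger an analyst running the app
    # briefly would not reach, and placeholder certificate digests.
    bomb = plant_bomb(b"days_since_install=30", "total = price * qty", "cert-digest-ORIGINAL")
    print(run_bomb(bomb, b"days_since_install=1", "cert-digest-ORIGINAL"))
    print(run_bomb(bomb, b"days_since_install=30", "cert-digest-ORIGINAL"))
    print(run_bomb(bomb, b"days_since_install=30", "cert-digest-PIRATE"))
```

The point of the hash-then-derive split is that neither the trigger value nor the key is stored: an analyst who never reaches the trigger condition sees only a hash comparison and an opaque blob, while a user whose device does satisfy the condition reproduces the key and runs both the original statement and the check against the signing certificate.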
computer science, information systems, software engineering, hardware & architecture