Lei Xue,Hao Zhou,Xiapu Luo,Le Yu,Dinghao Wu,Yajin Zhou,Xiaobo Ma

DOI: https://doi.org/10.1109/TSE.2020.2996433

2022-01-01

Abstract:App developers are increasingly using packing services (or packers) to protect their code against being reverse engineered or modified. However, such packing techniques are also leveraged by the malicious developers to prevent the malware from being analyzed and detected by the static malware analysis and detection systems. Though there are already studies on unpacking packed Android apps, they usually leverage the manual reverse engineered packing behaviors to unpack apps packed by the specific packers and cannot be appified to the evolved and new packers. In this paper, we propose a novel unpacking approach with the capacity of adaptively unpacking the evolved and newly encountered packers. Also, we develop a new system, named PackerGrind, based on this adaptive approach for unpacking Android packers. The evaluation with real packed apps demonstrates that PackerGrind can successfully reveal packers protection mechanisms, effectively handle their evolution and recover Dex files with low overhead.

Lei Xue,Hao Zhou,Xiapu Luo,Yajin Zhou,Yang Shi,Guofei Gu,Fengwei Zhang,Man Ho Au

DOI: https://doi.org/10.1109/SP40001.2021.00105

2021-01-01

Abstract:Malware authors are abusing packers (or runtime-based obfuscators) to protect malicious apps from being analyzed. Although many unpacking tools have been proposed, they can be easily impeded by the anti-analysis methods adopted by the packers, and they fail to effectively collect the hidden Dex data due to the evolving protection strategies of packers. Consequently, many packing behaviors are unknown to analysts and packed malware can circumvent the inspection. To fill the gap, in this paper, we propose a novel hardware-assisted approach that first monitors the packing behaviors and then selects the proper approach to unpack the packed apps. Moreover, we develop a prototype named Happerwith a domain-specific language named behavior description language (BDL) for the ease of extending Happerafter tackling several technical challenges. We conduct extensive experiments with 12 commercial Android packers and more than 24k Android apps to evaluate Happer. The results show that Happerobserved 27 packing behaviors, 17 of which have not been elaborated by previous studies. Based on the observed packing behaviors, Happeradopted proper approaches to collect all the hidden Dex data and assembled them to valid Dex files.

Lei Xue,Yuxiao Yan,Luyi Yan,Muhui Jiang,Xiapu Luo,Dinghao Wu,Yajin Zhou

DOI: https://doi.org/10.1145/3460319.3464839

2021-01-01

Abstract:Android packers have been widely adopted by developers to protect apps from being plagiarized. Meanwhile, various unpacking tools unpack the apps through direct memory dumping. To defend against these off-the-shelf unpacking tools, packers start to adopt virtual machine (VM) based protection techniques, which replace the original Dalvik bytecode (DCode) with customized bytecode (PCode) in memory. This defeats the unpackers using memory dumping mechanisms. However, little is known about whether such packers can provide enough protection to Android apps. In this paper, we aim to shed light on these questions and take the first step towards demystifying the protections provided to the apps by the VM-based packers. We proposed novel program analysis techniques to investigate existing commercial VM-based packers including a learning phase and a deobfuscation phase.We aim at deobfuscating the VM-protection DCode in three scenarios, recovering original DCode or its semantics with training apps, and restoring the semantics without training apps. We also develop a prototype named Parema to automate much work of the deobfuscation procedure. By applying it to the online VM-based Android packers, we reveal that all evaluated packers do not provide adequate protection and could be compromised.

Yajin Zhou,Kunal Patel,Lei Wu,Zhi Wang,Xuxian Jiang

DOI: https://doi.org/10.1145/2714576.2714598

2015-01-01

Abstract:ABSTRACTUsers of Android phones increasingly entrust personal information to third-party apps. However, recent studies reveal that many apps, even benign ones, could leak sensitive information without user awareness or consent. Previous solutions either require to modify the Android framework thus significantly impairing their practical deployment, or could be easily defeated by malicious apps using a native library. In this paper, we propose AppCage, a system that thoroughly confines the run-time behavior of third-party Android apps without requiring framework modifications or root privilege. AppCage leverages two complimentary user-level sandboxes to interpose and regulate an app's access to sensitive APIs. Specifically, dex sandbox hooks into the app's Dalvik virtual machine instance and redirects each sensitive framework API to a proxy which strictly enforces the user-defined policies, and native sandbox leverages software fault isolation to prevent the app's native libraries from directly accessing the protected APIs or subverting the dex sandbox. We have implemented a prototype of AppCage. Our evaluation shows that AppCage can successfully detect and block attempts to leak private information by third-party apps, and the performance overhead caused by AppCage is negligible for apps without native libraries and minor for apps with them.

Zikan Dong,Hongxuan Liu,Liu Wang,Xiapu Luo,Yao Guo,Guoai Xu,Xusheng Xiao,Haoyu Wang

DOI: https://doi.org/10.1145/3540250.3558969

2022-01-01

Abstract:Commercial Android packers have been widely used by developers as a way to protect their apps from being tampered with. However, app packer is usually provided as an online service developed by security vendors, and the packed apps are well protected. It is thus hard to know what exactly is packed in the app, and few existing studies in the community have systematically analyzed the behaviors of commercial app packers. In this paper, we propose PackDiff, a dynamic analysis system to inspect the fine-grained behaviors of commercial packers. By instrumenting the Android system, PackDiff records the runtime behaviors of Android apps (e.g., Linux system call invocations, Java API calls, Binder interactions, etc.), which are further processed to pinpoint the additional sensitive behaviors introduced by packers. By applying PackDiff to roughly 200 apps protected by seven commercial packers, we observe the disappointing facts of existing commercial packers. Most app packers have introduced unnecessary behaviors (e.g., accessing sensitive data), serious performance and compatibility issues, and they can even be abused to create evasive malware and repackaged apps, which contradicts with their design purposes.

Xiaolei Wang,Andrea Continella,Yuexiang Yang,Yongzhong He,Sencun Zhu

DOI: https://doi.org/10.1145/3314415

2019-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:With the enormous popularity of smartphones, millions of mobile apps are developed to provide rich functionalities for users by accessing certain personal data, leading to great privacy concerns. To address this problem, many approaches have been proposed to detect privacy disclosures in mobile apps, but they largely fail to automatically determine whether the privacy disclosures are necessary for the functionality of apps. As a result, security analysts may easily face with a large number of false positives when directly adopting such approaches for app analysis. In this paper, we propose LeakDoctor, an analysis system seeking to automatically diagnose privacy leaks by judging if a privacy disclosure from an app is necessary for some functionality of the app. Functionality-irrelevant privacy disclosures are not justifiable, so considered as potential privacy leak cases. To achieve this goal, LeakDoctor integrates dynamic response differential analysis with static response taint analysis. In addition, it employs a novel technique to locate the program statements of each privacy disclosure. We implement a prototype of LeakDoctor and evaluate it against 1060 apps, which contain 2,095 known disclosure cases. Our experimental results show that LeakDoctor can automatically determine that 71.9% of the privacy disclosure cases indeed serve apps' functionalities and are justifiable. Hence, with the diagnosis results of LeakDoctor, analysts may avoid analyzing many justifiable privacy disclosures and only focus on the those unjustifiable cases.

Zhemin Yang,Min Yang,Yuan Zhang,Guofei Gu,Peng Ning,Xiaoyang Sean Wang

DOI: https://doi.org/10.1145/2508859.2516676

2013-01-01

Abstract:ABSTRACTAndroid phones often carry personal information, attracting malicious developers to embed code in Android applications to steal sensitive data. With known techniques in the literature, one may easily determine if sensitive data is being transmitted out of an Android phone. However, transmission of sensitive data in itself does not necessarily indicate privacy leakage; a better indicator may be whether the transmission is by user intention or not. When transmission is not intended by the user, it is more likely a privacy leakage. The problem is how to determine if transmission is user intended. As a first solution in this space, we present a new analysis framework called AppIntent. For each data transmission, AppIntent can efficiently provide a sequence of GUI manipulations corresponding to the sequence of events that lead to the data transmission, thus helping an analyst to determine if the data transmission is user intended or not. The basic idea is to use symbolic execution to generate the aforementioned event sequence, but straightforward symbolic execution proves to be too time-consuming to be practical. A major innovation in AppIntent is to leverage the unique Android execution model to reduce the search space without sacrificing code coverage. We also present an evaluation of AppIntent with a set of 750 malicious apps, as well as 1,000 top free apps from Google Play. The results show that AppIntent can effectively help separate the apps that truly leak user privacy from those that do not.

Hua Cheng,Guang Hu,Jin Liu,Zhiwei Kang,Chao Pan,ZiJun Zhang

DOI: https://doi.org/10.1109/cac57257.2022.10054907

2022-01-01

Abstract:Third-party libraries are widely used in APP development, providing technical solutions for APP rich functions, but some third-party libraries can collect many user privacy information and cause data leakage. According to our survey, about 60% of Android applications use android packing services. Existing tools cannot effectively detect third-party libraries used in packed applications, and their analysis results of third-party library privacy leaks are not comprehensive. To overcome these limitations, we improve the traditional third- party library detection tools so that it can detect third-party libraries used in packed applications. We propose a fine-grained privacy-collecting third-party library detection framework for detecting the privacy leakage of third-party libraries in Android applications by combining Androguard, Frida and improved third-party library detection tools. Our experimental results on 300 mainstream apps show that our framework provides good support for analyzing packed applications, and our approach can detect more third-party libraries and provide a more comprehensive analysis of privacy leaks of third-party libraries than existing tools.

Xin Chen,Sencun Zhu

DOI: https://doi.org/10.1145/2766498.2766507

2015-01-01

Abstract:ABSTRACTAndroid applications (apps for short) can send out users' sensitive information against users' intention. Based on the stats from Genome and Mobile-Sandboxing, 55.8% and 59.7% Android malware families feature privacy leakage. Prior approaches to detecting privacy leakage on smartphones primarily focused on the discovery of sensitive information flows. However, Android apps also send out users' sensitive information for legitimate functions. Due to the fuzzy nature of the privacy leakage detection problem, we formulate it as a justification problem, which aims to justify if a sensitive information transmission in an app serves any purpose, either for intended functions of the app itself or for other related functions. This formulation makes the problem more distinct and objective, and therefore more feasible to solve than before. We propose DroidJust, an automated approach to justifying an app's sensitive information transmission by bridging the gap between the sensitive information transmission and application functions. We also implement a prototype of DroidJust and evaluate it with over 6000 Google Play apps and over 300 known malware collected from VirusTotal. Our experiments show that our tool can effectively and efficiently analyze Android apps w.r.t their sensitive information flows and functionalities, and can greatly assist in detecting privacy leakage.

Yufei Yang,Wenbo Luo,Yu Pei,Minxue Pan,Tian Zhang

DOI: https://doi.org/10.1109/compsac.2019.00029

2019-01-01

Abstract:Mobile apps often need to collect and/or access sensitive user information to fulfill their purposes, but they may also leak such information either intentionally or accidentally, causing financial and/or emotional damages to users. In the past few years, researchers have developed various techniques to detect privacy leakage in mobile apps, however, such detection remains a challenging task when privacy leakage is implemented via dynamic class loading (DCL). In this work, we propose the DL2 technique that enhances static analysis with dynamic app execution to effectively detect privacy leakage implemented via DCL in Android apps. To evaluate DL2, we construct a benchmark of 88 subject apps with 2578 injected privacy leaks and apply DL2 to the apps. DL 2 was able to detect 1073, or 42%, of the leaks, significantly outperforming existing state-of-the-art privacy leakage detection tools.

Hongyi Chen,Ho-fung Leung,Biao Han,Jinshu Su

DOI: https://doi.org/10.1109/icc.2017.7996335

2017-01-01

Abstract:Android apps frequently leak private data off the device with or without intentions. Researchers have proposed a large number of methods, for example, static and dynamic analysis methods, to pick out the apps which tend to leak private data. However, they are only able to identify part of private data leakage vulnerabilities, due to the dynamic features in codes or code coverage problem. This paper presents a novel hybrid approach that can find out more private data leakages than the existing static or dynamic methods. The approach, realized in a tool, called HybriDroid, which employs both static and dynamic analysis methods to extract the models of each apps, and then refines the behavior model to a more adequate one according to the dynamic analysis result. As a consequence, HybriDroid inherits the advantages of both static and dynamic analysis methods, which not only achieves a high code coverage, but also can deal with the dynamic features in codes. The evaluation results show that HybriDroid is effective in detecting privacy leakages for both inter-and intra-app communication. Comparing with the existing methods, it can achieve considerable improvements in data leakage detection performance with a 97.8% precision and 90% recall on the selected apps from DroidBench 3.0 test suite.

Nai-Wei Lo,Kuo-Hui Yeh,Chuan-Yen Fan

DOI: https://doi.org/10.1109/jsyst.2014.2364202

IF: 4.802

2016-12-01

IEEE Systems Journal

Abstract:How to identify and manage information leakage of user privacy is a very crucial and sensitive topic for handheld mobile device manufacturers, telecommunication companies, and mobile device users. As the success of a financial fraud usually requires possessing a victim's private information, new types of personal identity theft and private information acquirement attack are developed and deployed along with various Apps in order to steal personal private information from mobile device users. With more than 50% of smartphone market share, Android-based mobile phone vendors and Internet service providers have to face the new challenge on user privacy management. In this paper, we present a user privacy analysis framework for an Android platform called LRPdroid. The goals of LRPdroid are to achieve information leakage detection, user privacy disclosure evaluation, and privacy risk assessment for Apps installed on Android-based mobile devices. With a formally defined user privacy model, LRPdroid can effectively support mobile users to manage their own privacy risks on targeted Apps. In addition, new privacy analysis viewpoints such as user perception and leakage awareness are introduced in LRPdroid. Two general App usage scenarios are evaluated with our system prototype to show the feasibility and practicability of the LRPdroid framework on user privacy management.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Ji-wei YAN,Ming-su LI,Qiong LU,Jun YAN,Hong-yu GAO

DOI: https://doi.org/10.11896/j.issn.1002-137X.2017.010.025

2017-01-01

Abstract:In recent years,the problems of privacy leak in Android applications attract more and more attention.The maliciously access of private information will increase the risk of users' privacy leak.To solve this problem,researchers have proposed many privacy-leak detection tools that have differences in emphasis point and performance.In order to facilitate the understanding and using for researchers,this paper analyzed and compared nine kinds of privacy leak static detection tools for Android apps.We summarized the detection targets,methods,types of error detection and their efficiency.We also designed and conducted experiments for two open source tools,FlowDroid and IccTA,to test their perfor-mance and detecting ability.For the 50 downloaded apps,FlowDroid successfully detected 9 apps possessing privacy leak and IccTA detected 7 apps possessing ICC leak.For the 12 self-designed test cases,FlowDroid and IccTA can successfully detect all privacy leaks.

YANG Guang-liang,GONG Xiao-rui,YAO Gang,HAN Xin-hui

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.23.001

2012-01-01

Abstract:To detect user’s privacy leakage in Android software,this paper proposes an automated detection system based on dynamic taint tracking,called TaintChaser.TaintChaser can detect behaviors of user’s data leakage in Android applications under test at a fine granularity,and the system also can analyze and test massive Android software in the automatic way.It uses TaintChaser to automatically analyze 28 369 popular Android applications and finds that 24.69% of them may leak user’s privacy.

Tao Liu,Zhushou Tang,Beijun Shen

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.03.070

2015-01-01

Abstract:When Android becomes the smartphone operating system with largest global market share,the malicious applications is booming on its platform.In particular,privacy leak problems in Android applications are getting worsening.With the development of technology,the concealment of privacy leaks in Android applications grows high increasingly,and its detection becomes more and more difficult as well,for instance,using reflection technique to hide the privacy leak operations.Facing such challenge,in this paper we detect and analyse the pseu-do-code of Android applications and propose a new analysis approach for detecting the reflection callings occurring in pseudo-code.Through re-constructing the reflection calling’s arguments and restoring it to the standard calling,we make the reflection calling explicit,so that those privacy leak behaviours which cannot be found and confirmed previously are detected.Based on this work,we design and implement a static detection tool for Android applications privacy leak.At last,the effectiveness of the proposed approach and tool is validated by the experi-ments and analyses on benign applications from Android market and the malicious applications collected from Internet.

Li,Alexandre Bartel,Tegawende F. Bissyande,Jacques Klein,Yves Le Traon,Steven Arzt,Siegfried Rasthofer,Eric Bodden,Damien Octeau,Patrick McDaniel

DOI: https://doi.org/10.1109/icse.2015.48

2015-01-01

Abstract:Shake Them All is a popular "Wallpaper" application exceeding millions of downloads on Google Play. At installation, this application is given permission to (1) access the Internet (for updating wallpapers) and (2) use the device microphone (to change background following noise changes). With these permissions, the application could silently record user conversations and upload them remotely. To give more confidence about how Shake Them All actually processes what it records, it is necessary to build a precise analysis tool that tracks the flow of any sensitive data from its source point to any sink, especially if those are in different components. Since Android applications may leak private data carelessly or maliciously, we propose IccTA, a static taint analyzer to detect privacy leaks among components in Android applications. IccTA goes beyond state-of-the-art approaches by supporting inter-component detection. By propagating context information among components, IccTA improves the precision of the analysis. IccTA outperforms existing tools on two benchmarks for ICC-leak detectors: DroidBench and ICC-Bench. Moreover, our approach detects 534 ICC leaks in 108 apps from MalGenome and 2,395 ICC leaks in 337 apps in a set of 15,000 Google Play apps.

Vaibhav Rastogi,Yan Chen,William Enck

DOI: https://doi.org/10.1145/2435349.2435379

2013-01-01

Abstract:ABSTRACTToday's smartphone application markets host an ever increasing number of applications. The sheer number of applications makes their review a daunting task. We propose AppsPlayground for Android, a framework that automates the analysis smartphone applications. AppsPlayground integrates multiple components comprising different detection and automatic exploration techniques for this purpose. We evaluated the system using multiple large scale and small scale experiments involving real benign and malicious applications. Our evaluation shows that AppsPlayground is quite effective at automatically detecting privacy leaks and malicious functionality in applications.

Tianchang Yang,Haoliang Cui,Shaozhang Niu,Peng Zhang

DOI: https://doi.org/10.1109/icct.2015.7399807

2015-01-01

Abstract:Android smartphones store huge amount of sensitive data, and Android provides the Permission Management and the Sandbox Mechanism to protect data. However, it cannot avoid the passive leakage of sensitive data due to the defects introduced during the design and implementation phase. In this paper, we perform a systematic analysis on the passive sensitive data leakage vulnerability in Android applications, design and implement a testing tool Sensitive Data Passive Leakage Detector (DPLDetector). The tool can perform static taint propagation analysis on Android applications, based on the characteristics of the taint propagation paths, and cryptographic misuses analysis or component hijacking analysis is executed selectively. At last, test reports are generated according to the analysis result. Using SDPLDetector to analyze dozens of typical Android applications, the experimental results showed that more than 50% applications were found potential sensitive data passive leakage problems.

Yongzhong He,Binghui Hu,Zhen Han

DOI: https://doi.org/10.1109/icdis.2018.00051

IF: 4.96

2019-01-01

Journal of Information Security and Applications

Abstract:Third-party libraries are widely used in Android apps. As third-party libraries share permissions with the host apps, they are easily over-privileged and leak users' privacy without notice. Combing static third-party library detection tool and dynamic Xposed framework, we propose a fine-grained and dynamic privacy leakage analysis tool to analyze the privacy leakage behaviors of third-party libraries in real time. This paper identifies three types of privacy leakage path inside apps. We evaluate 150 popular apps, collecting 1909 privacy information related call chains. We find the third-party libraries access to privacy information account for the largest proportion, and most of third-party libraries have direct network connections and the correspondent flows are inspected to validate the privacy leakage risk. The results show that the tool can achieve real-time, fine-grained and dynamic privacy behavior analysis of Android apps.

Kai Ma,Mengyang Liu,Shanqing Guo,Tao Ban

DOI: https://doi.org/10.1007/978-3-319-26555-1_43

2015-01-01

Abstract:Static and dynamic taint-analysis approaches have been developed to detect the processing of sensitive information. Unfortunately, faced with the result of analysis about operations of sensitive information, people have no idea of which operation is legitimate operation and which is stealthy malicious behavior. In this paper, we present Monkeydroid to pinpoint automatically whether the android application would leak sensitive information of users by distinguishing the reasonable and unreasonable operation of sensitive information on the basis of information provided by developer and market provider. We evaluated Monkeydroid over the top 500 apps on the Google play and experiments show that our tool can effectively distinguish malicious operations of sensitive information from legitimate ones.