Lei Xue,Hao Zhou,Xiapu Luo,Yajin Zhou,Yang Shi,Guofei Gu,Fengwei Zhang,Man Ho Au

DOI: https://doi.org/10.1109/SP40001.2021.00105

2021-01-01

Abstract:Malware authors are abusing packers (or runtime-based obfuscators) to protect malicious apps from being analyzed. Although many unpacking tools have been proposed, they can be easily impeded by the anti-analysis methods adopted by the packers, and they fail to effectively collect the hidden Dex data due to the evolving protection strategies of packers. Consequently, many packing behaviors are unknown to analysts and packed malware can circumvent the inspection. To fill the gap, in this paper, we propose a novel hardware-assisted approach that first monitors the packing behaviors and then selects the proper approach to unpack the packed apps. Moreover, we develop a prototype named Happerwith a domain-specific language named behavior description language (BDL) for the ease of extending Happerafter tackling several technical challenges. We conduct extensive experiments with 12 commercial Android packers and more than 24k Android apps to evaluate Happer. The results show that Happerobserved 27 packing behaviors, 17 of which have not been elaborated by previous studies. Based on the observed packing behaviors, Happeradopted proper approaches to collect all the hidden Dex data and assembled them to valid Dex files.

Lei Xue,Yuxiao Yan,Luyi Yan,Muhui Jiang,Xiapu Luo,Dinghao Wu,Yajin Zhou

DOI: https://doi.org/10.1145/3460319.3464839

2021-01-01

Abstract:Android packers have been widely adopted by developers to protect apps from being plagiarized. Meanwhile, various unpacking tools unpack the apps through direct memory dumping. To defend against these off-the-shelf unpacking tools, packers start to adopt virtual machine (VM) based protection techniques, which replace the original Dalvik bytecode (DCode) with customized bytecode (PCode) in memory. This defeats the unpackers using memory dumping mechanisms. However, little is known about whether such packers can provide enough protection to Android apps. In this paper, we aim to shed light on these questions and take the first step towards demystifying the protections provided to the apps by the VM-based packers. We proposed novel program analysis techniques to investigate existing commercial VM-based packers including a learning phase and a deobfuscation phase.We aim at deobfuscating the VM-protection DCode in three scenarios, recovering original DCode or its semantics with training apps, and restoring the semantics without training apps. We also develop a prototype named Parema to automate much work of the deobfuscation procedure. By applying it to the online VM-based Android packers, we reveal that all evaluated packers do not provide adequate protection and could be compromised.

Lei Xue,Hao Zhou,Xiapu Luo,Le Yu,Dinghao Wu,Yajin Zhou,Xiaobo Ma

DOI: https://doi.org/10.1109/TSE.2020.2996433

2022-01-01

Abstract:App developers are increasingly using packing services (or packers) to protect their code against being reverse engineered or modified. However, such packing techniques are also leveraged by the malicious developers to prevent the malware from being analyzed and detected by the static malware analysis and detection systems. Though there are already studies on unpacking packed Android apps, they usually leverage the manual reverse engineered packing behaviors to unpack apps packed by the specific packers and cannot be appified to the evolved and new packers. In this paper, we propose a novel unpacking approach with the capacity of adaptively unpacking the evolved and newly encountered packers. Also, we develop a new system, named PackerGrind, based on this adaptive approach for unpacking Android packers. The evaluation with real packed apps demonstrates that PackerGrind can successfully reveal packers protection mechanisms, effectively handle their evolution and recover Dex files with low overhead.

Lei Xue,Yajin Zhou,Ting Chen,Xiapu Luo,Guofei Gu

2017-01-01

Abstract:It's an essential step to understand malware's behaviors for developing effective solutions. Though a number of systems have been proposed to analyze Android malware, they have been limited by incomplete view of inspection on a single layer. What's worse, various new techniques (e.g., packing, anti-emulator, etc.) employed by the latest malware samples further make these systems ineffective. In this paper, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime (i.e., the ART runtime). As a dynamic analysis tool, Malton runs on real mobile devices and provides a comprehensive view of malware's behaviors by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have carefully evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviors of these samples

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Shengtao Yue,Weizan Feng,Jun Ma,Yanyan Jiang,Xianping Tao,Chang Xu,Jian Lu

DOI: https://doi.org/10.1109/ICPC.2017.16

2017-01-01

Abstract:In recent years, with the explosive growth of mobile smart phonesnes, the number of Android applications (apps) increases rapidly. Attackers usually leverage the popumobile smart phoneslarity of Android apps by inserting malwares, modifying the original apps, repackaging and releasing them for their own illegal purposes. To avoid repackaged apps from being detected, they usually use sorts of obfuscation and encryption tools. As a result, it's important to detect which apps are repackaged. People often intuitively judge whether two apps are a repackaged pair by executing them and observing their runtime user interface (UI) traces. Hence, we propose layout group graph (LGG) built from UI trances to model those UI behaviors and use LGG as the birthmark of Android apps for identification. Based on LGG, we also implement a dynamic repackaging detection tool, RepDroid. Since our method does not require the apps' source code, it is resilient to app obfuscation and encryption. We conducted an experiment with two data sets. The first set contains 98 pairs of repackaged apps. The original apps and repackaged ones are compared and we can detect all of these repackaged pairs. The second set contains 125 commercial apps. We compared them pair-wisely and the false positive rate was 0.08%.

Helei Cui,Yajin Zhou,Cong Wang,Qi Li,Kui Ren

DOI: https://doi.org/10.1109/padsw.2018.8644924

2018-01-01

Abstract:Android is the primary target for mobile malware. To protect users, phone vendors (e.g., Samsung and Huawei) usually leverage third-party security service providers (e.g., VirusTotal and Qihoo 360) to detect malicious apps in app stores and collect apps' runtime behaviors on users' phones to further spot malware missed in the previous step. However, this practice could cause privacy concerns to phone vendors, users and security service providers. Specifically, phone vendors do not want to share apps (including the paid ones) with security service providers, while the latter do not want to share the malware signatures with the former. Moreover, users do not want to expose apps' runtime behaviors to third parties. These concerns would cause a real dilemma for each involved party. In this paper, we propose a privacy-preserving malware detection system for Android, in which the privacy (or assets) of phone vendors, users, and security service providers are protected. It detects malicious apps in phone vendor's app stores and on users' phones, without directly sharing apps, apps' runtime behaviors, and malware signatures to other parties. We implement a prototype system called PPMDroid and apply several optimizations to save bandwidth and speed up the process. Extensive evaluation results with real malware samples demonstrate the effectiveness and efficiency of our system.

Wenjun HU,Shuang ZHAO,Jing TAO,Xiaobo MA,Liang CHEN

DOI: https://doi.org/10.7652/xjtuxb201310007

2013-01-01

Abstract:An Android malware detection system is designed and implemented to focus on the problem that malware on Android becomes widespread. The system combines static and dynamic analysis technologies. The APK features such as permission, API call sequences, component, resource and structure are extracted to form a feature vector in static analysis, and a similarity-based method is proposed to detect known malware samples using these features. Android source code is then updated to generate new kernel images in dynamic analysis. The new kernel images can monitor the Android program's behaviors such as file reading and writing, network connection, SMS sending and telephone calling, etc. Thus, unknown malware samples can be successfully identified through analyzing these behaviors. Experimental results show that the proposed system is efficient and performs well on detecting Android malware. The proposed system has been released online and free use of the system is available on the Internet.

Min Huang,Kai Bu,Hanlin Wang,Kaiwen Zhu

DOI: https://doi.org/10.1109/cyberc.2016.14

2016-01-01

Abstract:Malware has started grabbing its undeserved share long before the blossom of Android ecosystem. Injected with malware, malicious applications (apps) may threat users in various ways like financial charges and information stealing. When the severity of a deluge of malware was first noticed, malware detectors delivered unsatisfactory detection accuracy, which further degenerated upon simple transformation of malicious apps. Now years later, we are eager to re-examine the robustness of malware detectors. A surprisingly disappointed finding is that even known malicious apps can evade quite a few detectors. We also find that repackaging with extracted exploitable code instead of readily available malware samples can evade more signature-based detectors. Furthermore, we find Android OS features of Service and Broadcast exploitable to enable malicious apps stealthily active on phones. We implement all these findings through DroidRide, a framework toward making Android malware less catchable to detectors and more active on phones. Our prototype based on two example apps-AndroRAT and MIUI Notes-demonstrates DroidRide's effectiveness in malware evasion. Toward defending against DroidRide alike evasion, we further suggest feasible design enhancements of malware detectors and Android OS.

Jianfei Tang,Hui Zhao

DOI: https://doi.org/10.3233/jifs-220567

2022-09-22

Journal of Intelligent & Fuzzy Systems

Abstract:The focus of a large amount of research on malware detection is currently working on proposing and improving neural network structures, but with the constant updates of Android, the proposed detection methods are more like a race against time. Through the analysis of these methods, we found that the basic processes of these detection methods are roughly the same, and these methods rely on professional reverse engineering tools for malware analysis and feature extraction. These tools generally have problems such as high time-space cost consumption, difficulty in achieving concurrent analysis of a large number of Apk, and the output results are not convenient for feature extraction. Is it possible to propose a general malware detection process implementation platform that optimizes each process of existing malware detection methods while being able to efficiently extract various features on malware datasets with a large number of APK? To solve this problem, we propose an automated platform, AmandaSystem, that highly integrates the various processes of deep learning-based malware detection methods. At the same time, the problem of over privilege due to the openness of Android system and thus the problem of excessive privileges has always required the accurate construction of mapping relationships between privileges and API calls, while the current methods based on function call graphs suffer from inefficiency and low accuracy. To solve this problem, we propose a new bottom-up static analysis method based on AmandaSystem to achieve an efficient and complete tool for mapping relationships between Android permissions and API calls, PerApTool. Finally, we conducted tests on three publicly available malware datasets, CICMalAnal2017, CIC-AAGM2017, and CIC-InvesAndMal2019, to evaluate the performance of AmandaSystem in terms of time efficiency of APK parsing, space occupancy, and comprehensiveness of extracted features, respectively, compared with existing methods were compared.

Zikan Dong,Hongxuan Liu,Liu Wang,Xiapu Luo,Yao Guo,Guoai Xu,Xusheng Xiao,Haoyu Wang

DOI: https://doi.org/10.1145/3540250.3558969

2022-01-01

Abstract:Commercial Android packers have been widely used by developers as a way to protect their apps from being tampered with. However, app packer is usually provided as an online service developed by security vendors, and the packed apps are well protected. It is thus hard to know what exactly is packed in the app, and few existing studies in the community have systematically analyzed the behaviors of commercial app packers. In this paper, we propose PackDiff, a dynamic analysis system to inspect the fine-grained behaviors of commercial packers. By instrumenting the Android system, PackDiff records the runtime behaviors of Android apps (e.g., Linux system call invocations, Java API calls, Binder interactions, etc.), which are further processed to pinpoint the additional sensitive behaviors introduced by packers. By applying PackDiff to roughly 200 apps protected by seven commercial packers, we observe the disappointing facts of existing commercial packers. Most app packers have introduced unnecessary behaviors (e.g., accessing sensitive data), serious performance and compatibility issues, and they can even be abused to create evasive malware and repackaged apps, which contradicts with their design purposes.

Can Huang,Weidong Qiu,Li Wang

DOI: https://doi.org/10.3969/j.issn.1007-757X.2017.04.014

2017-01-01

Abstract:With the popularity of mobile Internet and the growing share of the Android platform,the safety of the application on the Android platform has become an important issue.Hence,this paper has designed an efficient universal unpacker for the malicious code detection based on the Android platform in aid of the static analysis.The mainstream reinforcement technologies for the Android as well as the principle and method of realizing the universal unpacker have been illustrated.It is found that the unpacker can satisfy the needs of almost all mainstream reinforcement companies in the market.

Wenbo Yang,Yuanyuan Zhang,Juanru Li,Junliang Shu,Bodong Li,Wenjun Hu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-26362-5_17

2015-01-01

Abstract:As the techniques for Android malware detection are progressing, malware also fights back through deploying advanced code encryption with the help of Android packers. An effective Android malware detection therefore must take the unpacking issue into consideration to prove the accuracy. Unfortunately, this issue is not easily addressed. Android packers often adopt multiple complex anti-analysis defenses and are evolving frequently. Current unpacking approaches are either based on manual efforts, which are slow and tedious, or based on coarse-grained memory dumping, which are susceptible to a variety of anti-monitoring defenses. This paper conducts a systematic study on existing Android malware which is packed. A thorough investigation on 37,688 Android malware samples is conducted to take statistics of how widespread are those samples protected by Android packers. The anti-analysis techniques of related commercial Android packers are also summarized. Then, we propose AppSpear, a generic and fine-grained system for automatically malware unpacking. Its core technique is a bytecode decrypting and Dalvik executable DEX reassembling method, which is able to recover any protected bytecode effectively without the knowledge of the packer. AppSpear directly instruments the Dalvik VM to collect the decrypted bytecode information from the Dalvik Data Struct DDS, and performs the unpacking by conducting a refined reassembling process to create a new DEX file. The unpacked app is then available for being analyzed by common program analysis tools or malware detection systems. Our experimental evaluation shows that AppSpear could sanitize mainstream Android packers and help detect more malicious behaviors. To the best of our knowledge, AppSpear is the first automatic and generic unpacking system for current commercial Android packers.

Xinghang Lv,Tao Peng,Junwei Tang,Ruhan He,Xinrong Hu,Minghua Jiang,Zaihui Deng,Wenli Cao

DOI: https://doi.org/10.1109/msn57253.2022.00072

2022-01-01

Abstract:During the process of pushing patch packets for Android application hotfix, the attacker can hijack and tamper with the dex file due to the lack of adding a digital signature, which leads to code injection with serious consequences. To address the above problems, an dynamic vulnerability detection system based on mitmproxy is primary proposed, which first utilizes mitmproxy to capture all the packets interacted between the client and the server while locating the dex file, then injects the test code into the dex and pushes it to the client for execution using a man-in-the-middle attack, and finally verifies through the log output by the application whether there is a code injection vulnerability. For 1000 applications in the application market, our system successfully detects 34 new unknown applications with dex injection, and the experimental results show that the system is effective in detecting real-world applications with vulnerabilities caused by hotfix.

Bodong Li,Yuanyuan Zhang,Juanru Li,Wenbo Yang,Dawu Gu

DOI: https://doi.org/10.1016/j.jss.2018.02.040

IF: 3.5

2018-01-01

Journal of Systems and Software

Abstract:Code packing is one of the most frequently used protection techniques for malware to evade detection. Particularly, Android packers originally designed to protect intellectual property are widely utilized by Android malware nowadays to hide their malicious behaviors. What's worse, Android code packing techniques are evolving rapidly with new features of Android system (e.g., the use of new Android runtime). Meanwhile, unpacking techniques and tools generally do not respond to the evolving of packers immediately, which weakens the effectiveness of new malware detection. To address the unpacking challenge especially for Android packers with advanced code hiding strategies, in this paper we propose APPSPEAR, an automated unpacking system for both Dalvik and ART. APPSPEAR adopts a universal unpacking strategy that combines runtime instrumentation, interpreter-enforced execution, and executable reassembling to guarantee the hidden code is extracted and reconstructed as a complete executable. Our experimental evaluation with 530 packed samples shows that APPSPEAR is able to unpack protected code generated by latest versions of mainstream Android packers effectively. (C) 2018 Elsevier Inc. All rights reserved.

Qiang Zeng,Lannan Luo,Zhiyun Qian,Xiaojiang Du,Zhoujun Li,Chin-Tser Huang,Csilla Farkas

DOI: https://doi.org/10.1109/tdsc.2019.2957787

2021-11-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Application repackaging is a severe threat to Android users and the market. Not only does it infringe on intellectual property, but it is also one of the most common ways of propagating mobile malware. Existing countermeasures mostly detect repackaging based on app similarity measurement, which tends to be imprecise when obfuscations are applied to repackaged apps. Moreover, they rely on a central party, typically the hosting app store, to perform the detection, but many app stores fail to commit proper effort to piracy detection. We consider building the application repackaging detection capability into apps, such that user devices are made use to detect repackaging in a decentralized fashion. The main challenge is how to protect the detection code from being manipulated by attacks. We propose a creative use of logic bombs, which are otherwise regularly used in malware. The trigger conditions of bombs are constructed to exploit the differences between the attacker and users, such that a bomb that lies dormant on the attacker side will be activated on the user side. The detection code, which is part of the bomb payload, is executed only if the bomb is activated. We introduce cryptographically obfuscated logic bomb to enhance the bomb: (1) the detection code is woven into the neighboring original app code, (2) the mixed code gets encrypted using a key, and (3) the key is deleted from the app and can only be derived when the bomb is activated. Thus, attacks that try to modify or delete the detection code will corrupt the app itself, and searching the key in the application will be in vain. Moreover, we propose a bomb spraying technique that allows many bombs to be injected into an app, multiplying the needed adversary effort for bypassing the detection. In addition to repackaging detection, we present application tampering detection to fight attacks -hat insert malicious code into repackaged apps. We have implemented a prototype, named BombDroid, that builds repackaging and tampering detection into apps through bytecode instrumentation. The evaluation and the security analysis show that the technique is effective, efficient, and resilient to various bomb analysis techniques including fuzzing, symbolic execution, multi-path exploration, and program slicing. Ethical issues due to the use of logic bombs are also discussed.

computer science, information systems, software engineering, hardware & architecture

Xuewen Zhang,Yuanyuan Zhang,Juanru Li,Yikun Hu,Huayi Li,Dawu Gu

DOI: https://doi.org/10.1109/icsme.2017.15

2017-01-01

Abstract:The rapid-iteration, web-style update cycle of Android helps fix revealed security vulnerabilities for its latest version. However, such security enhancements are usually only available for few Android devices released by certain manufacturers (e.g., Google's official Nexus devices). More manufactures choose to stop providing system update service for their obsolete models, remaining millions of vulnerable Android devices in use. In this situation, a feasible solution is to leverage existing source code patches to fix outdated vulnerable devices. To implement this, we introduce EMBROIDERY, a binary rewriting based vulnerability patching system for obsolete Android devices without requiring the manufacturer's source code against Android fragmentation. EMBROIDERY patches the known critical framework and kernel vulnerabilities in Android using both static and dynamic binary rewriting techniques. It transplants official patches (CVE source code patches) of known vulnerabilities to different devices by adopting heuristic matching strategies to deal with the code diversity introduced by Android fragmentation, and fulfills a complex dynamic memory modification to implement kernel vulnerabilities patching. We employ EMBROIDERY to patch sophisticated Android kernel and framework vulnerabilities for various manufactures' obsolete devices ranging from Android 4.2 to 5.1. The result shows the patched devices are able to defend against known exploits and the normal functions are not affected.

Jiayun Xie,Xiao Fu,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1109/icc.2017.7996682

2017-01-01

Abstract:recently, an increasing number of inter-app attacks such as confused deputy attacks, data leakage attacks and collusion attacks spring up. However, there is no perfect defense method against them. As we all know, developers play an important role in android security, but their weak consciousness about the security may lead to inter-app attacks. Therefore, considered for developers, it is important to investigate and try to defend against such attacks in android. This paper presents typical inter-app attacks in android and proposes AutoPatchDroid, an automatic framework to find the vulnerable code in apps and patch them automatically. We firstly find the vulnerable paths from sources to sinks, sources to execution exit points, execution entry points to sinks and execution entry points to execution exit points in the application using static analysis. Then we locate the vulnerable code pieces and insert the patch code to guard against such attacks. AutoPatchDroid prevent inter-app attacks in the application level rather than modifying the kernel or framework. We use DroidBench and IccRE to evaluate our framework, and find that AutoPatchDroid could effectively secure the apps. The runtime overhead introduced by AutoPatchDroid is 1.105% on average.

Ziyi Zhou,Xuangan Xiao,Tianxiao Hou,Yikun Hu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-51482-1_13

2024-01-01

Abstract:To provide a tamper-proof mechanism for mobile apps to check the integrity of the device and their own code/data, Android phone manufacturers have introduced Manufacturer-provided Android Remote Attestation (MARA) frameworks. The MARA framework helps an app conduct a series of integrity checks, signs the check results, and sends them to remote servers for a remote attestation. Nonetheless, we observe that real-world MARA frameworks often adopt two implementations of integrity check (hardware-based and software-based) for compatibility consideration, and this allows an attacker to easily conduct a downgrade attack to force the app to utilize the software-based integrity check and forge checking results, even if the Android device is able to employ hardware-supported remote attestation securely. We demonstrate our MARA bypass approach against MARA frameworks (i.e., Google SafetyNet and Huawei SafetyDetect) on real Android devices, and design an automated measurement pipeline to analyze 35,245 popular Android apps, successfully attacking all 104 apps that use these MARA services, including well-known apps and games such as TikTok Lite, Huawei Wallet, and Pok ' emon GO. Our study reveals the significant risks against MARA frameworks in use.

Junaid Akram,Majid Mumtaz,Gul Jabeen,Ping Luo

DOI: https://doi.org/10.1504/ijics.2021.116310

2021-01-01

International Journal of Information and Computer Security

Abstract:Security researchers and anti-virus industries have speckled stress on an Android malware, which can actually damage your phones and threatens the Android markets. In this paper, we propose and develop DroidMD, a scalable self-improvement based tool, based on auto optimisation of signature set, which detect malicious apps in the market at source code level. A prototype has been developed tested and implemented to detect malware in applications. We implement and evaluate our approach on almost 30,000 applications including 27,000 benign and 3,670 malware applications. DroidMD detects malware in different applications at partial level and full level. It analyses only the applications code, which increase its reliability. Our evaluation of DroidMD demonstrates that our approach is very efficient in detecting malware at large scale with high accuracy of 95.5%.