Michael C. Grace,Yajin Zhou,Qiang Zhang,Shihong Zou,Xuxian Jiang

DOI: https://doi.org/10.1145/2307636.2307663

2012-01-01

Abstract:ABSTRACTSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

Christopher S. Gates,Ninghui Li,Hao Peng,Bhaskar Sarma,Yuan Qi,Rahul Potharaju,Cristina Nita-Rotaru,Ian Molloy

DOI: https://doi.org/10.1109/tdsc.2014.2302293

2014-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:One of Android's main defense mechanisms against malicious apps is a risk communication mechanism which, before a user installs an app, warns the user about the permissions the app requires, trusting that the user will make the right decision. This approach has been shown to be ineffective as it presents the risk information of each app in a “stand-alone” fashion and in a way that requires too much technical knowledge and time to distill useful information. We discuss the desired properties of risk signals and relative risk scores for Android apps in order to generate another metric that users can utilize when choosing apps. We present a wide range of techniques to generate both risk signals and risk scores that are based on heuristics as well as principled machine learning techniques. Experimental results conducted using real-world data sets show that these methods can effectively identify malware as very risky, are simple to understand, and easy to use.

Chiachih Wu,Yajin Zhou,Kunal Patel,Zhenkai Liang,Xuxian Jiang

DOI: https://doi.org/10.14722/ndss.2014.23164

2014-01-01

Abstract:Recent years have experienced explosive growth of smartphone sales. Inevitably, the rise in the popularity of smartphones also makes them an attractive target for attacks. In light of these threats, current mobile platform providers have developed various server-side vetting processes to block malicious applications (“apps”). While helpful, they are still far from ideal in achieving their goals. To make matters worse, the presence of alternative (less-regulated) mobile marketplaces also opens up new attack vectors, which necessitate client-side solutions (e.g., mobile anti-virus software) to run on mobile devices. However, existing client-side solutions still exhibit limitations in their capability or deployability. In this paper, we present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost our defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel and the fact that untrusted apps will be eventually installed onto users’ phones, AirBag is designed to isolate and prevent them from infecting our normal systems (e.g., corrupting the phone firmware) or stealthily leaking private information. More specifically, by dynamically creating an isolated runtime environment with its own dedicated namespace and virtualized system resources, AirBag not only allows for transparent execution of untrusted apps, but also effectively mediates their access to various system resources or phone functionalities (e.g., SMSs or phone calls). We have implemented a proof-of-concept prototype on three representative mobile devices, i.e., Google Nexus One, Nexus 7, and Samsung Galaxy S III. The evaluation results with a number of untrusted apps, including real-world mobile malware, demonstrate its practicality and effectiveness.

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Huikang Hao,Zhoujun Li,Haibo Yu

DOI: https://doi.org/10.1109/TASE.2015.16

2015-01-01

Abstract:As the most popular platform, Android dominates the mobile device market. In order to enrich the functions of the phone and facilitate the utilization of users, more and more Android applications have been developed. Unfortunately, a greatly increasing amount of malware targeting the Android platform mingle with the numerous benign applications and hide in almost every market, even the official market Google Play. Therefore, it is a pressing concern about how to measure and assess the risk of such apps. In this paper, we propose a novel approach to deal with this problem. First of all, through the empirical analysis with market-scale dataset, we verify the following fact: for a set of benign applications in the same category, the type and number of permissions they request are similar and consistent in general. Hence, for the benign applications in each category, we can construct a standard permission vector model, which can be used as a baseline to measure and assess the risk of applications in the category. For a downloaded app, we extract its requested permissions to form a permission vector, whose deviation from the baseline can be calculated by employing Euclidean distance and weighted Euclidean distance. The deviation can be used as metric to measure and assess the risk of the app. Finally, an experiment on real-world dataset, consisting of 7737 market apps and 1260 malware samples, is conducted to evaluate our method. The empirical result validates the effectiveness of our approach to help users understand the risk when they decide to install an app.

LI Zhoujun,WU Chunming,WANG Xiao

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2016.25.001

2016-01-01

Abstract:Android has become the most popular operating system on mobile devices.However,the Android is an open source system with billions of applications.More users are choosing Android,so Android security problems are receiving much attention in the industry.Android of malware is already a major problem and cannot be avoided in the Android ecosystem.This paper describes a sandbox system based on Android 4.1.2 which can dynamically monitor and record application behavior.A risk assessment approach based on behavior analysis is given so that users can get an explicit risk prognosis for an application to improve their safety.Tests on malware and normal application samples verify the effectiveness of this risk assessment approach.

Jing Chen,Chiheng Wang,Kun He,Ziming Zhao,Min Chen,Ruiying Du,Gail-Joon Ahn

DOI: https://doi.org/10.1109/TDSC.2018.2871682

2021-01-01

Abstract:Most of the existing mobile application (app) vetting mechanisms only estimate risks at a coarse-grained level by analyzing app syntax but not semantics. We propose a semantics-aware privacy risk assessment framework (SPRisk), which considers the sensitivity discrepancy of privacy-related factors at semantic level. Our framework can provide qualitative (i.e., risk level) and quantitative (i.e., risk score) assessment results, both of which help users make decisions to install an app or not. Furthermore, to find the reasonable weight distribution of each factor automatically, we exploit a self-learning weight assignment method, which is based on fuzzy clustering and knowledge dependency theory. We implement a prototype system and evaluate the effectiveness of SPRisk with 192,445 normal apps and 7,111 malicious apps. A measurement study further reveals some interesting findings, such as the privacy risk distribution of Google Play Store, the diversity of official and unofficial marketplaces, which provide insights into understanding the seriousness of privacy threat in the Android ecosystem.

Chenkai Guo,Jing Xu,Lei Liu,Sihan Xu

DOI: https://doi.org/10.1109/compcomm.2015.7387530

2015-01-01

Abstract:With the development of Android system and intelligent mobile technology, Android applications have been widely used in recent years. However, the trust on these applications may be used by attackers who design malware to achieve illegal income. Therefore, to evaluate the security risk of applications is necessary. In this paper, an evaluation approach based on association statistics of application permissions is represented. By analyzing the frequency of permission combinations, the malicious features of Android applications is estimated. Meanwhile, the redundant frequency is wiped off by computing the frequency discount, and then the risk seeds are correspondingly achieved. The final risk score is calculated by the seeds from malicious and benign aspects. To verify the effectiveness of our approach, we took 1260 malware as "malicious" datasets and 10,247 valid apps collected from Android Market as "benign" datasets, and sufficient experiments show that our approach has better results compared with other traditional methods.

Q. Qian,Jing Cai,Mengbo Xie,Rui Zhang

2016-01-01

Abstract:Android, as a modern popular open source mobile platform, makes its security issues more prominent, especially in user privacy leakage. In this paper, we proposed a twostep model which combines static and dynamic analysis approaches. During the static analysis, permission combination matrix is used to determine whether an application has potential risks. For those suspicious applications, based on the reverse engineering, embed monitoring Smali code for those sensitive APIs such as sending SMS, accessing user location, device ID, phone number, etc. From experiments, it shows that almost 26% applications in Android market have privacy leakage risks. And our proposed method is feasible and eective for monitoring these kind of malicious behavior.

Engineering

Sen Chen,Guozhu Meng,Ting Su,Lingling Fan,Yinxing Xue,Yang Liu,Lihua Xu,Minhui Xue,Bo Li,Shuang Hao

2018-01-01

Abstract:Contemporary financial technology (FinTech) that enables cashless mobile payment has been widely adopted by financial institutions, such as banks, due to its convenience and efficiency. However, FinTech has also made massive and dynamic transactions susceptible to security risks. Given large financial losses caused by such vulnerabilities, regulatory technology (RegTech) has been developed, but more comprehensive security risk assessment is specifically desired to develop robust, scalable, and efficient financial activities. In this paper, we undertake the first automated security risk assessment and focus on global banking apps to examine FinTech. First, we analyze a large number of banking apps and propose a comprehensive set of security weaknesses widely existent in these apps. Second, we design a three-phase automated security risk assessment system (Ausera), which combines natural language processing and static analysis of data and control flows, to efficiently identify security weaknesses of banking apps. We performed experiments on 693 real-world banking apps across over 80 countries and unveiled 2,157 weaknesses. To date, 21 banks have acknowledged the weaknesses that we reported. We find that outdated version of banking apps, pollution from third-party libraries, and weak hash functions are all likely to be exploited by attackers. We also show that banking apps of different provenance exhibit various types of security weaknesses, mainly due to economies and regulations that take shape. Given the drastic change in the nature of intermediation, it behooves the RegTech companies and all stakeholders to understand the characteristics and consequences of security risks brought by contemporary FinTech.

Liu Yang,Xingmin Cui,Changyuan Wang,Shanqing Guo,Xinshun Xu

DOI: https://doi.org/10.1109/trustcom.2016.0097

2016-01-01

Abstract:Nowadays, there are more and more hybrid apps appearing in the app market which contain native code and Web pages. In order to enhance the ability of JavaScript in the WebView, these apps expose methods that can be invoked by JavaScript. However, when we study the communication from JavaScript to native code, we find a security issue that if the exposed methods finally invoke sensitive methods, such as SEND_SMS, getLastKnownLocation, and these exposed methods are called via unsafe connections, malicious code can be injected to perform sensitive operations without the user's consent. To automatically detect this vulnerability, we provide a hybrid system that contains both static and dynamic analysis modules. The static analysis discerns potential vulnerable apps and gathers information to guide the dynamic analysis while the dynamic analysis executes the app to verify whether the app is vulnerable or not. We use this system to test 400 most popular apps in the Google Play market and find that 43 apps are vulnerable.

Pengbin Feng,Cong Sun,Jianfeng Ma

DOI: https://doi.org/10.1002/sec.1746

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Nowadays, smartphones carry large amounts of user privacy and sensitive data. With the popularity of the Android operating system, the cases of sensitive date leakage in Android applications are on the rise and are causing a great loss to Android users. In order to mitigate this condition, static and dynamic taint analysis are applied to precisely detect sensitive data leakages. These approaches cannot distinguish sensitive data leakages in benign apps from the ones in malicious apps. Recently, the difference on sensitive data flows between benign apps and malicious apps has been found to be significant. In this paper, we further find that there exists great difference between benign and malicious apps on the frequencies of sensitive dataflow paths. This difference can be used to enforce a risk value over every sensitive dataflow path. This risk value can guide the identification of sensitive data leakages in malicious apps. We present RISKPATH, a tool that automatically calculates the risk values for sensitive dataflow paths in Android applications. Applying the result of RISKPATH to MUDFLOW framework, we increase the true positive rate of malware detection by 3.96–6.54% on different datasets with reasonable increase in time and memory consumption. Copyright © 2017 John Wiley & Sons, Ltd.

Jianlin Xu,Yifan Yu,Zhen Chen,Bin Cao,Wenyu Dong,Yu Guo,Junwei Cao

DOI: https://doi.org/10.1109/tst.2013.6574680

2013-01-01

Tsinghua Science & Technology

Abstract:With the explosive increase in mobile apps, more and more threats migrate from traditional PC client to mobile device. Compared with traditional Win+Intel alliance in PC, Android+ARM alliance dominates in Mobile Internet, the apps replace the PC client software as the major target of malicious usage. In this paper, to improve the security status of current mobile apps, we propose a methodology to evaluate mobile apps based on cloud computing platform and data mining. We also present a prototype system named MobSafe to identify the mobile app's virulence or benignancy. Compared with traditional method, such as permission pattern based method, MobSafe combines the dynamic and static analysis methods to comprehensively evaluate an Android app. In the implementation, we adopt Android Security Evaluation Framework (ASEF) and Static Android Analysis Framework (SAAF), the two representative dynamic and static analysis methods, to evaluate the Android apps and estimate the total time needed to evaluate all the apps stored in one mobile app market. Based on the real trace from a commercial mobile app market called AppChina, we can collect the statistics of the number of active Android apps, the average number apps installed in one Android device, and the expanding ratio of mobile apps. As mobile app market serves as the main line of defence against mobile malwares, our evaluation results show that it is practical to use cloud computing platform and data mining to verify all stored apps routinely to filter out malware apps from mobile app markets. As the future work, MobSafe can extensively use machine learning to conduct automotive forensic analysis of mobile apps based on the generated multifaceted data in this stage.

Cong Sun,Xinpeng Xu,Yafei Wu,Dongrui Zeng,Gang Tan,Siqi Ma,Peicheng Wang

DOI: https://doi.org/10.48550/arXiv.2112.06146

2023-05-14

Abstract:The misunderstanding and incorrect configurations of cryptographic primitives have exposed severe security vulnerabilities to attackers. Due to the pervasiveness and diversity of cryptographic misuses, a comprehensive and accurate understanding of how cryptographic misuses can undermine the security of an Android app is critical to the subsequent mitigation strategies but also challenging. Although various approaches have been proposed to detect cryptographic misuse in Android apps, studies have yet to focus on estimating the security risks of cryptographic misuse. To address this problem, we present an extensible framework for deciding the threat level of cryptographic misuse in Android apps. Firstly, we propose a general and unified specification for representing cryptographic misuses to make our framework extensible and develop adapters to unify the detection results of the state-of-the-art cryptographic misuse detectors, resulting in an adapter-based detection tool chain for a more comprehensive list of cryptographic misuses. Secondly, we employ a misuse-originating data-flow analysis to connect each cryptographic misuse to a set of data-flow sinks in an app, based on which we propose a quantitative data-flow-driven metric for assessing the overall risk of the app introduced by cryptographic misuses. To make the per-app assessment more useful for app vetting at the app-store level, we apply unsupervised learning to predict and classify the top risky threats to guide more efficient subsequent mitigation. In the experiments on an instantiated implementation of the framework, we evaluate the accuracy of our detection and the effect of data-flow-driven risk assessment of our framework. Our empirical study on over 40,000 apps and the analysis of popular apps reveal important security observations on the real threats of cryptographic misuse in Android apps.

Cryptography and Security

Peng Zhang,Hanlin Sun,Zheng Yan

DOI: https://doi.org/10.4028/www.scientific.net/amr.756-759.4382

2013-01-01

Advanced Materials Research

Abstract:Mobile operating systems (e.g., iOS, Android, Windows Mobile, etc) are becoming powerful platforms on which various applications can be installed and run. Each mobile OS offers application store (e.g., Apple App Store, Android Play, etc) for developers to easily publish applications and earn profits. However, existing mobile platforms provide little means for mobile users to evaluate risks on allowing certain security permissions when installing mobile applications. Since mobile users may not be able to justify the risks on allowing certain permissions required by an application, mobile users may install malware with extra permissions, which leads to security risk for mobile users, e.g., private information leaked, etc. In this paper, we present process and visual User Interface for mobile users to understand and justify the risks on permissions required by mobile applications during installation. We also present two algorithms for calculating the risks.

Wei Wang,Xing Wang,Dawei Feng,Jiqiang Liu,Zhen Han,Xiangliang Zhang

DOI: https://doi.org/10.1109/tifs.2014.2353996

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Android has been a major target of malicious applications (malapps). How to detect and keep the malapps out of the app markets is an ongoing challenge. One of the central design points of Android security mechanism is permission control that restricts the access of apps to core facilities of devices. However, it imparts a significant responsibility to the app developers with regard to accurately specifying the requested permissions and to the users with regard to fully understanding the risk of granting certain combinations of permissions. Android permissions requested by an app depict the app's behavioral patterns. In order to help understanding Android permissions, in this paper, we explore the permission-induced risk in Android apps on three levels in a systematic manner. First, we thoroughly analyze the risk of an individual permission and the risk of a group of collaborative permissions. We employ three feature ranking methods, namely, mutual information, correlation coefficient, and T-test to rank Android individual permissions with respect to their risk. We then use sequential forward selection as well as principal component analysis to identify risky permission subsets. Second, we evaluate the usefulness of risky permissions for malapp detection with support vector machine, decision trees, as well as random forest. Third, we in depth analyze the detection results and discuss the feasibility as well as the limitations of malapp detection based on permission requests. We evaluate our methods on a very large official app set consisting of 310 926 benign apps and 4868 real-world malapps and on a third-party app sets. The empirical results show that our malapp detectors built on risky permissions give satisfied performance (a detection rate as 94.62% with a false positive rate as 0.6%), catch the malapps' essential patterns on violating permission access regulations, and are universally applicable to unknown malapps (detection rate as 74.03%).

Silvia Lucia Sanna,Diego Soi,Davide Maiorca,Giorgio Fumera,Giorgio Giacinto

2024-06-04

Abstract:Android is the most used Operating System worldwide for mobile devices, with hundreds of thousands of apps downloaded daily. Although these apps are primarily written in Java and Kotlin, advanced functionalities such as graphics or cryptography are provided through native C/C++ libraries. These libraries can be affected by common vulnerabilities in C/C++ code (e.g., memory errors such as buffer overflow), through which attackers can read/modify data or execute arbitrary code. The detection and assessment of vulnerabilities in Android native code have only been recently explored by previous research work. In this paper, we propose a fast risk-based approach that provides a risk score related to the native part of an Android application. In this way, before an app is released, the developer can check if the app may contain vulnerabilities in the Native Code and, if present, patch them to publish a more secure application. To this end, we first use fast regular expressions to detect library versions and possible vulnerable functions. Then, we apply scores extracted from a vulnerability database to the analyzed application, thus obtaining a risk score representative of the whole app. We demonstrate the validity of our approach by performing a large-scale analysis on more than $100,000$ applications (but only $40\%$ contained native code) and $15$ popular libraries carrying known vulnerabilities. The attained results show that many applications contain well-known vulnerabilities that miscreants can potentially exploit, posing serious concerns about the security of the whole Android applications landscape.

Cryptography and Security

Xiaoyu Sun

DOI: https://doi.org/10.48550/arXiv.2302.07467

2023-02-15

Abstract:Never before has any OS been so popular as Android. Existing mobile phones are not simply devices for making phone calls and receiving SMS messages, but powerful communication and entertainment platforms for web surfing, social networking, etc. Even though the Android OS offers powerful communication and application execution capabilities, it is riddled with defects (e.g., security risks, and compatibility issues), new vulnerabilities come to light daily, and bugs cost the economy tens of billions of dollars annually. For example, malicious apps (e.g., back-doors, fraud apps, ransomware, spyware, etc.) are reported [Google, 2022] to exhibit malicious behaviours, including privacy stealing, unwanted programs installed, etc. To counteract these threats, many works have been proposed that rely on static analysis techniques to detect such issues. However, static techniques are not sufficient on their own to detect such defects precisely. This will likely yield false positive results as static analysis has to make some trade-offs when handling complicated cases (e.g., object-sensitive vs. object-insensitive). In addition, static analysis techniques will also likely suffer from soundness issues because some complicated features (e.g., reflection, obfuscation, and hardening) are difficult to be handled [Sun et al., 2021b, Samhi et al., 2022].

Cryptography and Security,Software Engineering

Jianmao Xiao,Shizhan Chen,Qiang He,Zhiyong Feng,Xiao Xue

DOI: https://doi.org/10.48550/arxiv.2001.08399

2020-01-01

Abstract:Android utilizes a security mechanism that requires apps to request permission for accessing sensitive user data, e.g., contacts and SMSs, or certain system features, e.g., camera and Internet access. However, Android apps tend to be overprivileged, i.e., they often request more permissions than necessary. This raises the security problem of overprivilege. To alleviate the overprivilege problem, this paper proposes MPDroid, an approach that combines static analysis and collaborative filtering to identify the minimum permissions for an Android app based on its app description and API usage. Given an app, MPDroid first employs collaborative filtering to identify the initial minimum permissions for the app. Then, through static analysis, the final minimum permissions that an app really needs are identified. Finally, it evaluates the overprivilege risk by inspecting the apps extra privileges, i.e., the unnecessary permissions requested by the app. Experiments are conducted on 16,343 popular apps collected from Google Play. The results show that MPDroid outperforms the state-of-the-art approach significantly.