Chiachih Wu,Yajin Zhou,Kunal Patel,Zhenkai Liang,Xuxian Jiang

DOI: https://doi.org/10.14722/ndss.2014.23164

2014-01-01

Abstract:Recent years have experienced explosive growth of smartphone sales. Inevitably, the rise in the popularity of smartphones also makes them an attractive target for attacks. In light of these threats, current mobile platform providers have developed various server-side vetting processes to block malicious applications (“apps”). While helpful, they are still far from ideal in achieving their goals. To make matters worse, the presence of alternative (less-regulated) mobile marketplaces also opens up new attack vectors, which necessitate client-side solutions (e.g., mobile anti-virus software) to run on mobile devices. However, existing client-side solutions still exhibit limitations in their capability or deployability. In this paper, we present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost our defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel and the fact that untrusted apps will be eventually installed onto users’ phones, AirBag is designed to isolate and prevent them from infecting our normal systems (e.g., corrupting the phone firmware) or stealthily leaking private information. More specifically, by dynamically creating an isolated runtime environment with its own dedicated namespace and virtualized system resources, AirBag not only allows for transparent execution of untrusted apps, but also effectively mediates their access to various system resources or phone functionalities (e.g., SMSs or phone calls). We have implemented a proof-of-concept prototype on three representative mobile devices, i.e., Google Nexus One, Nexus 7, and Samsung Galaxy S III. The evaluation results with a number of untrusted apps, including real-world mobile malware, demonstrate its practicality and effectiveness.

Weili Han,Chang Cao,Hao Chen,Dong Li,Zheran Fang,Wenyuan Xu,X. Sean Wang

DOI: https://doi.org/10.1109/tdsc.2017.2768536

2020-01-01

Abstract:Sensors are widely used in modern mobile devices (e.g., smartphones, watches) and may gather abundant information from environments as well as about users, e.g., photos, sounds and locations. The rich set of sensor data enables various applications (e.g., health monitoring) and personalized apps as well. However, the powerful sensing abilities provide opportunities for attackers to steal both personal sensitive data and commercial secrets like never before. Unfortunately, the current design of smart devices only provides a coarse access control on sensors and does not have the capability to audit sensing. We argue that knowing how often the sensors are accessed and how much sensor data are collected is the first-line defense against sensor data breach. Such an ability is yet to be designed. In this paper, we propose a framework that allows users to acquire sensor data usages. In particular, we leverage a hook-based track method to track sensor accesses. Thus, with no need to change the source codes of the Android system and applications, we can intercept sensing operations to graphic sensors, audio sensors, location sensors, and standard sensors, and audit them from four aspects: flow audit, frequency audit, duration audit and invoker audit. Then, we implement a prototype, referred to as senDroid, which visually shows the quantitative usages of these sensors in real time at a performance overhead of [0.04-8.05] percent. senDroid allows Android users to audit the applications even when they bypass the Android framework via JNI invocations or when the malicious codes are dynamically loaded from the server side. Our empirical study on 1,489 popular apps in three well-known Android app markets shows that 26.32 percent apps access sensors when the apps are launched, and 11.01 percent apps access sensors while the apps run in the background. Furthermore, we analyze the relevance between sensor usage patterns and third-party libraries, and reverse-engineering on suspicious third-party libraries shows that 77.27 percent apps access sensors via third-party libraries. Our results call attentions to address the users' privacy concerns caused by sensor access.

Yajin Zhou,Kunal Patel,Lei Wu,Zhi Wang,Xuxian Jiang

DOI: https://doi.org/10.1145/2714576.2714598

2015-01-01

Abstract:ABSTRACTUsers of Android phones increasingly entrust personal information to third-party apps. However, recent studies reveal that many apps, even benign ones, could leak sensitive information without user awareness or consent. Previous solutions either require to modify the Android framework thus significantly impairing their practical deployment, or could be easily defeated by malicious apps using a native library. In this paper, we propose AppCage, a system that thoroughly confines the run-time behavior of third-party Android apps without requiring framework modifications or root privilege. AppCage leverages two complimentary user-level sandboxes to interpose and regulate an app's access to sensitive APIs. Specifically, dex sandbox hooks into the app's Dalvik virtual machine instance and redirects each sensitive framework API to a proxy which strictly enforces the user-defined policies, and native sandbox leverages software fault isolation to prevent the app's native libraries from directly accessing the protected APIs or subverting the dex sandbox. We have implemented a prototype of AppCage. Our evaluation shows that AppCage can successfully detect and block attempts to leak private information by third-party apps, and the performance overhead caused by AppCage is negligible for apps without native libraries and minor for apps with them.

Tien-Duy B. Le,Lingfeng Bao,David Lo,Debin Gao,Li

DOI: https://doi.org/10.1109/iceccs2018.2018.00014

2018-01-01

Abstract:Android is the most widely used mobile operating system with billions of users and devices. The popularity of Android apps have enticed malware writers to target them. Recently, Jamrozik et al. proposed an approach, named Boxmate, to mine sandboxes to protect Android users from malicious behaviors. In a nutshell, Boxmate analyzes the execution of an app, and collects a list of sensitive APIs that are invoked by that app in a monitoring phase. Then, it constructs a sandbox that can restrict accesses to sensitive APIs not called by the app. In such a way, malicious behaviors that are not observed in the monitoring phase - occurring, for example, due to malicious code injection during an attack - can be prevented. Nevertheless, Boxmate only focuses on a specific API type (i.e., sensitive APIs); it also ignores parameter values of many API methods and requested permissions during the execution of a target app. As a result, Boxmate is not able to detect malicious behaviors in many cases. In this work, we address the limitation of Jamrozik et al.'s work by considering input parameters of many different types of API methods for mining a more comprehensive sandbox. Given a benign app, we first extract a list of Android permissions that the app may request during its execution. Next, we leverage an automated test case generation tool, named Droidbot, to generate a rich set of GUI test cases for exploring behaviors of the app. During the execution of these test cases, we analyze the execution of four different types of API methods. Furthermore, we record input parameters to these API methods, and classify those into four different categories. We leverage the collected parameter values, and the list of requested permissions to create a sandbox that can protect users from malicious behaviors. Our experiments on 25 pairs of real benign and malicious apps show that our approach is more effective than the coarse-and fine-grained variants of Boxmate by 267.37% and 81.64% in terms of F-measure respectively.

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Hao Xiong,Qinming Dai,Rui Chang,Mingran Qiu,Renxiang Wang,Wenbo Shen,Yajin Zhou

DOI: https://doi.org/10.1145/3650212.3652133

2024-01-01

Abstract:Fuzzing is an effective method for detecting security bugs in software, and there have been quite a few effective works on fuzzing Android. Researchers have developed methods for fuzzing open-source native APIs and Java interfaces on actual Android devices. However, the realm of automatically fuzzing Android closed-source native libraries, particularly on emulators, remains insufficiently explored. There are two key challenges: firstly, the multi-language programming model inherent to Android; and secondly, the absence of a Java runtime environment within the emulator. To address these challenges, we propose Atlas, a practical automated fuzz framework for Android closed-source native libraries. Atlas consists of an automatic harness generator and a fuzzer containing the necessary runtime environment. The generator uses static analysis techniques to deduce the correct calling sequences and parameters of the native API according to the information from the "native world" and the "Java world". To maximize the practicality of the generated harness, Atlas heuristically optimizes the generated harness. The Fuzzer provides the essential Java runtime environment in the emulator, making it possible to fuzz the Android closed-source native libraries on a multi-core server. We have tested Atlas on 17 pre-installed apps from four Android vendors. Atlas generates 820 harnesses containing 767 native APIs, of which 78% is practical. Meanwhile, Atlas has discovered 74 new security bugs with 16 CVEs assigned. The experiments show that Atlas can efficiently generate high-quality harnesses and find security bugs.

Lei Zhang,Keke Lian,Haoyu Xiao,Zhibo Zhang,Peng Liu,Yuan Zhang,Min Yang,Haixin Duan

DOI: https://doi.org/10.1109/sp46214.2022.9833563

2022-01-01

Abstract:The Android system services usually play a critical role in running multiple important tasks, and delivering seamless user experiences, e.g., conveniently storing user data. In this paper, we conduct the first systematic security study on the data storing process in Android system services, and consequently discover a novel class of design flaws (named Straw), which can lead to serious DoS (Denial-of-Service) attacks, e.g., permanently crashing the whole victim Android device.Then we propose a novel directed fuzzing based approach, called StrawFuzzer, to automatically vet all system services against the straw vulnerabilities. StrawFuzzer balances the tradeoff between path exploration and vulnerability exploitation. By applying StrawFuzzer on three Android systems with the latest security updates, we identified 35 unique straw vulnerabilities affecting 474 interfaces across 77 system services and successfully generated corresponding exploits, which can be used to conduct various permanent/temporary DoS attacks. We have reported our findings with suggestions for repairing the vulnerabilities to corresponding vendors. Up to now, Google has rated our vulnerability as high severity.

Zhang Lei,Zhemin Yang,Yuyu He,Zhenyu Zhang,Zhiyun Qian,Geng Hong,Yuan Zhang,Min Yang

DOI: https://doi.org/10.1145/3243734.3243843

2018-01-01

Abstract:Android integrates an increasing number of features into system services to manage sensitive resources, such as location, medical and social network information. To prevent untrusted apps from abusing the services, Android implements a comprehensive set of access controls to ensure proper usage of sensitive resources. Unlike explicit permission-based access controls that are discussed extensively in the past, our paper focuses on the widespread yet undocumented input validation problem. As we show in the paper, there are in fact more input validations acting as security checks than permission checks, rendering them a critical foundation for Android framework. Unfortunately, these validations are unstructured, ill-defined, and fragmented, making it challenging to analyze. To this end, we design and implement a tool, called Invetter, that combines machine learning and static analysis to locate sensitive input validations that are problematic in system services. By applying Invetter to 4 different AOSP codebases and 4 vendor-customized images, we locate 103 candidate insecure validations. Among the true positives, we are able to confirm that at least 20 of them are truly exploitable vulnerabilities by constructing various attacks such as privilege escalation and private information leakage.

Baozheng Liu,Chao Zhang,Guang Gong,Yishun Zeng,Haifeng Ruan,Jianwei Zhuge

2020-01-01

Abstract:Android native system services provide essential supports and fundamental functionalities for user apps. Finding vulnerabilities in them is crucial for Android security. Fuzzing is one of the most popular vulnerability discovery solutions, yet faces several challenges when applied to Android native system services. First, such services are invoked via a special interprocess communication (IPC) mechanism, namely binder, via service-specific interfaces. Thus, the fuzzer has to recognize all interfaces and generate interface-specific test cases automatically. Second, effective test cases should satisfy the interface model of each interface. Third, the test cases should also satisfy the semantic requirements, including variable dependencies and interface dependencies. In this paper, we propose an automated generation-based fuzzing solution FANS to find vulnerabilities in Android native system services. It first collects all interfaces in target services and uncovers deep nested multi-level interfaces to test. Then, it automatically extracts interface models, including feasible transaction code, variable names and types in the transaction data, from the abstract syntax tree (AST) of target interfaces. Further, it infers variable dependencies in transactions via the variable name and type knowledge, and infers interface dependencies via the generation and use relationship. Finally, it employs the interface models and dependency knowledge to generate sequences of transactions, which have valid formats and semantics, to test interfaces of target services. We implemented a prototype of FANS from scratch and evaluated it on six smartphones equipped with a recent version of Android, i.e., android-9.0.0_r46 , and found 30 unique vulnerabilities deduplicated from thousands of crashes, of which 20 have been confirmed by Google. Surprisingly, we also discovered 138 unique Java exceptions during fuzzing.

Yi He,Yacong Gu,Purui Su,Kun Sun,Yajin Zhou,Zhi Wang,Qi Li

DOI: https://doi.org/10.1109/TDSC.2022.3160872

2022-03-17

Abstract:Android allows apps to communicate with its system services via system service helpers so that these apps can use various functions provided by the system services. Meanwhile, the system services rely on their service helpers to enforce security checks for protection. Unfortunately, the security checks in the service helpers may be bypassed via directly exploiting the non-SDK (hidden) APIs, degrading the stability and posing severe security threats such as privilege escalation, automatic function execution without users' interactions, crashes, and DoS attacks. Google has proposed various approaches to address this problem, e.g., case-by-case fixing the bugs or even proposing a blacklist to block all the non-SDK APIs. However, the developers can still figure out new ways of exploiting these hidden APIs to evade the non-SDKs restrictions. In this paper, we systematically study the vulnerabilities due to the hidden API exploitation and analyze the effectiveness of Google's countermeasures. We aim to answer if there are still vulnerable hidden APIs that can be exploited in the newest Android 12. We develop a static analysis tool called ServiceAudit to automatically mine the inconsistent security enforcement between service helper classes and the hidden service APIs. We apply ServiceAudit to Android 6~12. Our tool discovers 112 vulnerabilities in Android 6 with higher precision than existing approaches. Moreover, in Android 11 and 12, we identify more than 25 hidden APIs with inconsistent protections; however, only one of the vulnerable APIs can lead to severe security problems in Android 11, and none of them work on Android 12.

Cryptography and Security

Jingzheng Wu,Shen Liu,Shouling Ji,Mutian Yang,Tianyue Luo,Yanjun Wu,Yongji Wang

DOI: https://doi.org/10.1109/icse-seip.2017.12

2017-01-01

Abstract:Android is characterized as a complicated open source software stack created for a wide array of devices with different form of factors, whose latest release has over one hundred million lines of code. Such code is mainly developed with the Java language, which builds complicated logic and brings implicit information flows among components and the inner framework. By studying the source code of system service interfaces, we discovered an unknown type of code flaw, which is named uncaughtException flaw, caused by un-well implemented exceptions that could crash the system and be further vulnerable to system level Denial-of-Service (DoS) attacks. We found that exceptions are used to handle the errors and other exceptional events but sometimes they would kill some critical system services exceptionally. We designed and implemented ExHunter, a new tool for automatic detection of this uncaughtException flaw by dynamically reflecting service interfaces, continuously fuzzing parameters and verifying the running logs. On 11 new popular Android devices, ExHunter extracted 1045 system services, reflected 758 suspicious functions, discovered 132 uncaughtException flaws which are 0-day vulnerabilities that have never been known before and generated 275 system DoS attack exploitations. The results showed that: (1) almost every type of Android phone suffers from this flaw, (2) the flaws are different from phone by phone, and (3) all the vulnerabilities can be exploited by direct/indirect trapping. To mitigate uncaughtException flaws, we further developed ExCatcher to re-catch the exceptions. Finally, we informed four internationally renowned manufacturers and provided secure improvements in their commercial phones.

Jiayun Xie,Xiao Fu,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1109/icc.2017.7996682

2017-01-01

Abstract:recently, an increasing number of inter-app attacks such as confused deputy attacks, data leakage attacks and collusion attacks spring up. However, there is no perfect defense method against them. As we all know, developers play an important role in android security, but their weak consciousness about the security may lead to inter-app attacks. Therefore, considered for developers, it is important to investigate and try to defend against such attacks in android. This paper presents typical inter-app attacks in android and proposes AutoPatchDroid, an automatic framework to find the vulnerable code in apps and patch them automatically. We firstly find the vulnerable paths from sources to sinks, sources to execution exit points, execution entry points to sinks and execution entry points to execution exit points in the application using static analysis. Then we locate the vulnerable code pieces and insert the patch code to guard against such attacks. AutoPatchDroid prevent inter-app attacks in the application level rather than modifying the kernel or framework. We use DroidBench and IccRE to evaluate our framework, and find that AutoPatchDroid could effectively secure the apps. The runtime overhead introduced by AutoPatchDroid is 1.105% on average.

Lannan Luo,Qiang Zeng,Chen Cao,Kai Chen,Jian Liu,Limin Liu,Neng Gao,Min Yang,Xinyu Xing,Peng Liu

DOI: https://doi.org/10.1145/3081333.3081361

2017-01-01

Abstract:Android Application Framework is an integral and foundational part of the Android system. Each of the 1.4 billion Android devices relies on the system services of Android Framework to manage applications and system resources. Given its critical role, a vulnerability in the framework can be exploited to launch large-scale cyber attacks and cause severe harms to user security and privacy. Recently, many vulnerabilities in Android Framework were exposed, showing that it is vulnerable and exploitable. However, most of the existing research has been limited to analyzing Android applications, while there are very few techniques and tools developed for analyzing Android Framework. In particular, to our knowledge, there is no previous work that analyzes the framework through symbolic execution, an approach that has proven to be very powerful for vulnerability discovery and exploit generation. We design and build the first system, Centaur, that enables symbolic execution of Android Framework. Due to some unique characteristics of the framework, such as its middleware nature and extraordinary complexity, many new challenges arise and are tackled in Centaur. In addition, we demonstrate how the system can be applied to discovering new vulnerability instances, which can be exploited by several recently uncovered attacks against the framework, and to generating PoC exploits.

Xiaoyu Sun

DOI: https://doi.org/10.48550/arXiv.2302.07467

2023-02-15

Abstract:Never before has any OS been so popular as Android. Existing mobile phones are not simply devices for making phone calls and receiving SMS messages, but powerful communication and entertainment platforms for web surfing, social networking, etc. Even though the Android OS offers powerful communication and application execution capabilities, it is riddled with defects (e.g., security risks, and compatibility issues), new vulnerabilities come to light daily, and bugs cost the economy tens of billions of dollars annually. For example, malicious apps (e.g., back-doors, fraud apps, ransomware, spyware, etc.) are reported [Google, 2022] to exhibit malicious behaviours, including privacy stealing, unwanted programs installed, etc. To counteract these threats, many works have been proposed that rely on static analysis techniques to detect such issues. However, static techniques are not sufficient on their own to detect such defects precisely. This will likely yield false positive results as static analysis has to make some trade-offs when handling complicated cases (e.g., object-sensitive vs. object-insensitive). In addition, static analysis techniques will also likely suffer from soundness issues because some complicated features (e.g., reflection, obfuscation, and hardening) are difficult to be handled [Sun et al., 2021b, Samhi et al., 2022].

Cryptography and Security,Software Engineering

Mounir Elgharabawy,Blas Kojusner,Mohammad Mannan,Kevin R. B. Butler,Byron Williams,Amr Youssef

DOI: https://doi.org/10.48550/arXiv.2204.01516

2022-04-04

Cryptography and Security

Abstract:The Android operating system is currently the most popular mobile operating system in the world. Android is based on Linux and therefore inherits its features including its Inter-Process Communication (IPC) mechanisms. These mechanisms are used by processes to communicate with one another and are extensively used in Android. While Android-specific IPC mechanisms have been studied extensively, Unix domain sockets have not been examined comprehensively, despite playing a crucial role in the IPC of highly privileged system daemons. In this paper, we propose SAUSAGE, an efficient novel static analysis framework to study the security properties of these sockets. SAUSAGE considers access control policies implemented in the Android security model, as well as authentication checks implemented by the daemon binaries. It is a fully static analysis framework, specifically designed to analyze Unix domain socket usage in Android system daemons, at scale. We use this framework to analyze 200 Android images across eight popular smartphone vendors spanning Android versions 7-9. As a result, we uncover multiple access control misconfigurations and insecure authentication checks. Our notable findings include a permission bypass in highly privileged Qualcomm system daemons and an unprotected socket that allows an untrusted app to set the scheduling priority of other processes running on the system, despite the implementation of mandatory SELinux policies. Ultimately, the results of our analysis are worrisome; all vendors except the Android Open Source Project (AOSP) have access control issues, allowing an untrusted app to communicate to highly privileged daemons through Unix domain sockets introduced by hardware manufacturer or vendor customization.

Xuerui Pan,Yibing Zhongyang,Zhi Xin,Bing Mao,Hao Huang

DOI: https://doi.org/10.1109/trustcom.2014.36

2014-01-01

Abstract:Recently the market of Android has shown an explosive development. Unfortunately the increasing popularity turns the Android platform into the main target of malware. At the same time, the limited security protection built-in Android makes the situation much worse. In this paper, we present a new framework named Defensor which takes the practicability and effectiveness into consideration. The core part of Defensor is built in Linux kernel, which results in a small size of TCB. Defensor is a system-wide lightweight inspecting framework. It can closely monitor the malicious behaviors within and across applications, such as sending SMS to premium rate numbers, stealing privacy from the compromised device and getting root privileges through root exploits. This type of monitor is mandatory. Any application installed on the phone and any component including malicious native code can't bypass it. Defensor can not only rebuild the high level behaviors from system calls, but also extract the context information that the behavior runs in. Context-based information likes background and foreground contributes a lot to the accuracy of malware detection. We have tested Defensor on real malware to prove its effectiveness. Finally, an experimental evaluation showing that the overhead introduced by Defensor is limited.

Fangda Cai,Hao Chen,Yuanyi Wu,Yuan Zhang

2014-01-01

Abstract:A fundamental security principle in developing networked applications is end-to-end security, where the confidentiality and integrity of the data transmitted over the network do not rely on the security of the network. In response to the ever increasing traffic from mobile apps, WiFi networks are spreading fast and widely. Since WiFi networks are unregulated, a passive attacker may eavesdrop on the traffic on open WiFi networks, while an active attacker may set up his own WiFi network to modify its traffic at will. In theory, end-to-end security should protect mobile apps from both these attacks; in practice, however, the situation is far less rosy.We examine how the popular, important mobile apps on Chinese Android markets defend themselves against untrusted networks. We select top apps from major categories, such as online shopping, banking, social networks, travel services, and apps from companies with huge market capitalization. We analyze both their code and their network traffic to identify vulnerabilities. We design a mini-language for describing the vulnerabilities and develop a tool, AppCracker, that launches both passive and active attacks on these apps to verify their vulnerabilities. AppCracker has confirmed that 100 apps from 69 companies are vulnerable during their user or session authentication. These vulnerabilities allow an adversary to capture the victim user’s login credentials or to hijack the victim’s session. We describe these diverse types of vulnerabilities, many of which are caused by the misuse of cryptography in their homegrown cryptographic protocols. Finally, we discuss the lessons learned during our investigation to help …

Domenico Cotroneo,Antonio Ken Iannillo,Roberto Natella

DOI: https://doi.org/10.1007/s10664-019-09725-6

2019-06-03

Abstract:Android devices are shipped in several flavors by more than 100 manufacturer partners, which extend the Android "vanilla" OS with new system services, and modify the existing ones. These proprietary extensions expose Android devices to reliability and security issues. In this paper, we propose a coverage-guided fuzzing platform (Chizpurfle) based on evolutionary algorithms to test proprietary Android system services. A key feature of this platform is the ability to profile coverage on the actual, unmodified Android device, by taking advantage of dynamic binary re-writing techniques. We applied this solution on three high-end commercial Android smartphones. The results confirmed that evolutionary fuzzing is able to test Android OS system services more efficiently than blind fuzzing. Furthermore, we evaluate the impact of different choices for the fitness function and selection algorithm.

Software Engineering,Cryptography and Security

Yacong Gu,Kun Sun,Purui Su,Qi Li,Yemian Lu,Dengguo Feng,Lingyun Ying

DOI: https://doi.org/10.1109/dsn.2017.40

2017-01-01

Abstract:Android system applies a permission-based security model to restrict unauthorized apps from accessing system services; however, this security model cannot constrain authorized apps from sending excessive service requests to exhaust the limited system resource allocated for each system service. As references from native code to a Java object, JNI Global References (JGR) are prone to memory leaks, since they are not automatically garbage collected. Moreover, JGR exhaustion may lead to process abort or even Android system reboot when the victim process could not afford the JGR requests triggered by malicious apps through inter-process communication. In this paper, we perform a systematic study on JGR exhaustion (JGRE) attacks against all system services in Android. Our experimental results show that among the 104 system services in Android 6.0.1, 32 system services have 54 vulnerabilities. Particularly, 22 system services can be successfully attacked without any permission support. After reporting those vulnerabilities to Android security team and getting confirmed, we study the existing ad hoc countermeasures in Android against JGRE attacks. Surprisingly, among the 10 system services that have been protected, 8 system services are still vulnerable to JGRE attacks. Finally, we develop an effective defense mechanism to defeat all identified JGRE attacks by adopting Androids low memory killer (LMK) mechanism.

Zikan Dong,Hongxuan Liu,Liu Wang,Xiapu Luo,Yao Guo,Guoai Xu,Xusheng Xiao,Haoyu Wang

DOI: https://doi.org/10.1145/3540250.3558969

2022-01-01

Abstract:Commercial Android packers have been widely used by developers as a way to protect their apps from being tampered with. However, app packer is usually provided as an online service developed by security vendors, and the packed apps are well protected. It is thus hard to know what exactly is packed in the app, and few existing studies in the community have systematically analyzed the behaviors of commercial app packers. In this paper, we propose PackDiff, a dynamic analysis system to inspect the fine-grained behaviors of commercial packers. By instrumenting the Android system, PackDiff records the runtime behaviors of Android apps (e.g., Linux system call invocations, Java API calls, Binder interactions, etc.), which are further processed to pinpoint the additional sensitive behaviors introduced by packers. By applying PackDiff to roughly 200 apps protected by seven commercial packers, we observe the disappointing facts of existing commercial packers. Most app packers have introduced unnecessary behaviors (e.g., accessing sensitive data), serious performance and compatibility issues, and they can even be abused to create evasive malware and repackaged apps, which contradicts with their design purposes.