Static analysis of Android applications can be hindered by the presence of popular dynamic code update techniques: dynamic class loading and reflection. Recent Android malware samples do actually use these mechanisms to conceal their malicious behavior from static analyzers. These techniques defeat even the most recent static analyzers, which usually operate under the "closed world" assumption (the targets of reflective calls can be resolved at analysis time; only classes reachable from the class path at analysis time are used at runtime). Our proposed solution allows existing static analyzers to remove this assumption. This is achieved by combining static and dynamic analysis of applications in order to reveal the hidden/updated behavior and extend static analysis results with this information. This paper presents the design, implementation and preliminary evaluation results of our solution, called StaDynA.
Research center:
Interdisciplinary Centre for Security, Reliability and Trust (SnT)
Disciplines:
Computer science
Author, co-author:
Zhauniarovich, Yury
Ahmad, Maqsood
GADYATSKAYA, Olga ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) ; CSC/FSTC
Crispo, Bruno
Massacci, Fabio
External co-authors:
yes
Document language:
English
Title:
StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications
Publication/release date:
March 2015
Event name:
Fifth ACM Conference on Data and Application Security and Privacy