
Explaining the Use of Cryptographic API in Android Malware

Conference paper, in: E-Business and Telecommunications (ICSBT 2022, SECRYPT 2022)

Abstract

Cryptography allows for guaranteeing secure communications, concealing critical data from reverse engineering, or ensuring mobile users' privacy. Android malware developers have extensively leveraged cryptographic libraries to obfuscate and hide malicious behavior. Various system-based and third-party libraries provide cryptographic functionality for Android, and their use and misuse by application developers have already been documented. This paper analyzes the use of cryptographic APIs in Android malware by comparing it to that of benign Android applications. In particular, Android applications released between 2012 and 2020 have been analyzed, and more than 1 million cryptographic API expressions have been gathered. We created a processing pipeline that produces a report revealing trends and insights into how and why cryptography is employed in Android malware. The results show that the usage of cryptographic APIs in malware differs from that in benign applications. The different patterns in the use of cryptographic APIs in malware and benign applications have been further analyzed through the explanations of machine-learning-based Android malware detectors, showing how crypto-related features can improve detection performance. We observed that the transition to more robust cryptographic techniques is slower in Android malware than in benign applications.


Notes

  1. The code is accessible from github.com/adamjanovsky/AndroidMalwareCrypto.

  2. AES-256 in CBC or GCM mode, SHA-2 for hash functions, HMAC with SHA-2 for MACs and ECDSA with SHA-2 for signatures, as recommended by Google as of early 2020 [14].

  3. Android Application Package, an archive that encapsulates the whole Android application.

  4. Since LibRadar requires a large Redis database to run (which prevents parallelization), we actually leveraged its lightweight version, LiteRadar. Before doing so, we compared the output of both tools on a small subset and found that this choice has a negligible effect on the number of detected libraries.

  5. The tuples were sampled in advance to avoid repetition.

  6. Although the pipeline can capture this diverse landscape, in Sect. 6 we present results only for the 220 constructor variants from 8 classes; the rest are used very rarely, and no conclusions can be drawn from such rare events.

  7. virustotal.com. The number of VirusTotal positive flags is already contained in the AndroZoo dataset.

  8. Kindly provided by Avast, available at http://apklab.io.

  9. Recall that our goal was not to build a better classifier but to show that it is possible to distinguish between malicious and benign Android applications by resorting to their cryptographic API usage only.

  10. developer.android.com/training/articles/security-config.

References

  1. Allix, K., Bissyandé, T.F., Klein, J., Le Traon, Y.: AndroZoo: collecting millions of Android apps for the research community. In: Proceedings of MSR '16, pp. 468–471. ACM (2016)

  2. Ami, A.S., Cooper, N., Kafle, K., Moran, K., Poshyvanyk, D., Nadkarni, A.: Why crypto-detectors fail: a systematic evaluation of cryptographic misuse detection techniques. arXiv:2107.07065 [cs] (2021)

  3. Desnos, A., Gueguen, G.: Androguard (2012). https://github.com/androguard/androguard. Accessed 4 Aug 2019

  4. Backes, M., Bugiel, S., Derr, E.: Reliable third-party library detection in Android and its security applications. In: Proceedings of CCS '16, pp. 356–367. ACM (2016)

  5. Bauer, V.: Android Arsenal (2014). https://android-arsenal.com. Accessed 5 June 2020

  6. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)

  7. BusinessOfApps: Android statistics (2022). http://businessofapps.com/data/android-statistics

  8. Chatzikonstantinou, A., Ntantogian, C., Karopoulos, G., Xenakis, C.: Evaluation of cryptography usage in Android applications. In: Proceedings of EAI BCT '16, pp. 83–90. ACM (2016)

  9. Chen, S., Xue, M., Tang, Z., Xu, L., Zhu, H.: StormDroid: a streaminglized machine learning-based system for detecting Android malware. In: Proceedings of ASIA CCS 2016, pp. 377–388. ACM (2016)

  10. Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., Rieck, K.: Drebin: effective and explainable detection of Android malware in your pocket. In: Proceedings of NDSS 2014. The Internet Society (2014)

  11. Egele, M., Brumley, D., Fratantonio, Y., Kruegel, C.: An empirical study of cryptographic misuse in Android applications. In: Proceedings of CCS '13, pp. 73–84. ACM (2013)

  12. Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgärtner, L., Freisleben, B.: Why Eve and Mallory love Android: an analysis of Android SSL (in)security. In: Proceedings of CCS '12, pp. 50–61. ACM (2012)

  13. Gao, J., Kong, P., Li, L., Bissyandé, T.F., Klein, J.: Negative results on mining crypto-API usage rules in Android apps. In: Proceedings of MSR '19, pp. 388–398. IEEE (2019)

  14. Google: Android cryptography API guide (2020). https://developer.android.com/guide/topics/security/cryptography. Accessed 4 Mar 2020

  15. Google: Conscrypt, a Java security provider (2013). https://github.com/google/conscrypt. Accessed 5 June 2020

  16. Hoffmann, J., Rytilahti, T., Maiorca, D., Winandy, M., Giacinto, G., Holz, T.: Evaluating analysis tools for Android apps: status quo and robustness against obfuscation. In: Proceedings of CODASPY 2016, pp. 139–141. ACM (2016)

  17. Melnikov, A., Zeilenga, K.: RFC 4422: Simple Authentication and Security Layer (SASL) (2006). https://tools.ietf.org/html/rfc4422. Accessed 2 Mar 2022

  18. Janovsky, A., Maiorca, D., Macko, D., Matyas, V., Giacinto, G.: A longitudinal study of cryptographic API: a decade of Android malware. In: Proceedings of SECRYPT 2022, pp. 121–133. SciTePress (2022). https://doi.org/10.5220/0011265300003283

  19. Krüger, S., Späth, J., Ali, K., Bodden, E., Mezini, M.: CrySL: an extensible approach to validating the correct usage of cryptographic APIs. In: Proceedings of ECOOP 2018, LIPIcs vol. 109, pp. 10:1–10:27. LZI (2018)

  20. Kursa, M.B., Rudnicki, W.R.: Feature selection with the Boruta package. J. Stat. Softw. 36(11), 1–13 (2010)

  21. Legion of the Bouncy Castle Inc.: The Legion of the Bouncy Castle (2020). https://www.bouncycastle.org/java.html. Accessed 6 Apr 2020

  22. Lundberg, S.M., Lee, S.I.: A unified approach to interpreting model predictions. In: Proceedings of NIPS 2017, pp. 4765–4774. Curran Associates (2017). http://papers.nips.cc/paper/7062-a-unified-approach-to-interpreting-model-predictions.pdf

  23. Ma, S., Lo, D., Li, T., Deng, R.H.: CDRep: automatic repair of cryptographic misuses in Android applications. In: Proceedings of ASIA CCS 2016, pp. 711–722. ACM (2016)

  24. Ma, Z., Wang, H., Guo, Y., Chen, X.: LibRadar: fast and accurate detection of third-party libraries in Android apps. In: Proceedings of ICSE 2016, pp. 653–656. ACM (2016)

  25. Maiorca, D., Ariu, D., Corona, I., Aresu, M., Giacinto, G.: Stealth attacks: an extended insight into the obfuscation effects on Android malware. Comput. Secur. 51, 16–31 (2015)

  26. Maiorca, D., Mercaldo, F., Giacinto, G., Visaggio, C.A., Martinelli, F.: R-PackDroid: API package-based characterization and detection of mobile ransomware. In: Proceedings of SAC 2017, pp. 1718–1723. ACM (2017)

  27. McAfee Labs: McAfee Labs threats report, August 2019 (2019). http://mcafee.com/enterprise/en-us/threat-center/mcafee-labs/reports.html. Accessed 7 Mar 2022

  28. Melis, M., Maiorca, D., Biggio, B., Giacinto, G., Roli, F.: Explaining black-box Android malware detection. In: Proceedings of EUSIPCO 2018, pp. 524–528. IEEE (2018)

  29. Melis, M., Scalas, M., Demontis, A., Maiorca, D., Biggio, B., Giacinto, G., Roli, F.: Do gradient-based explanations tell anything about adversarial robustness to Android malware? Int. J. Mach. Learn. Cybern. 13(1), 217–232 (2022). https://doi.org/10.1007/s13042-021-01393-7

  30. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press (1996)

  31. Muslukhov, I., Boshmaf, Y., Beznosov, K.: Source attribution of cryptographic API misuse in Android applications. In: Proceedings of ASIA CCS 2018, pp. 133–146. ACM (2018)

  32. Oltrogge, M., Huaman, N., Amft, S., Acar, Y., Backes, M., Fahl, S.: Why Eve and Mallory still love Android: revisiting TLS (in)security in Android applications. In: Proceedings of USENIX Security 2021, pp. 4347–4364. USENIX (2021)

  33. Paletov, R., Tsankov, P., Raychev, V., Vechev, M.: Inferring crypto API rules from code changes. In: Proceedings of PLDI 2018, pp. 450–464. ACM (2018)

  34. Piccolboni, L., Di Guglielmo, G., Carloni, L.P., Sethumadhavan, S.: CRYLOGGER: detecting crypto misuses dynamically. In: Proceedings of IEEE S&P 2021, pp. 1972–1989. IEEE (2021)

  35. Oracle: Java Cryptography Architecture (JCA) reference guide (2017). https://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html. Accessed 4 Mar 2020

  36. Rahaman, S., et al.: CryptoGuard: high precision detection of cryptographic vulnerabilities in massive-sized Java projects. In: Proceedings of CCS 2019, pp. 2455–2472. ACM (2019)

  37. Salem, A.: Towards accurate labeling of Android apps for reliable malware detection. arXiv:2007.00464 (2020)

  38. Shapley, L.: A value for n-person games. In: Contributions to the Theory of Games, vol. 2, Annals of Mathematics Studies (1953)

  39. Shuai, S., Guowei, D., Tao, G., Tianchang, Y., Chenjie, S.: Modelling analysis and auto-detection of cryptographic misuse in Android applications. In: Proceedings of DASC 2014, pp. 75–80. IEEE (2014)

  40. skylot: jadx decompiler (2020). https://github.com/skylot/jadx. Accessed 15 Dec 2019

  41. Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_19

  42. Wang, H., Guo, Y., Ma, Z., Chen, X.: WuKong: a scalable and accurate two-phase approach to Android app clone detection. In: Proceedings of ISSTA 2015, pp. 71–82. ACM (2015)

  43. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_2

  44. Zhan, X., et al.: Automated third-party library detection for Android applications: are we there yet? In: Proceedings of ASE 2020, pp. 919–930. ACM (2020)

  45. Zhang, X., Zhang, Y., Li, J., Hu, Y., Li, H., Gu, D.: Embroidery: patching vulnerable binary code of fragmentized Android devices. In: Proceedings of ICSME 2017, pp. 47–57. IEEE (2017)


Acknowledgements

Davide Maiorca was supported by the project PON AIM Research and Innovation 2014–2020 (Attraction and International Mobility), funded by the Italian Ministry of Education, University and Research, and by the European cybersecurity pilot CyberSec4Europe. Giorgio Giacinto was supported by Fondazione di Sardegna under the project "TrustML: Towards Machine Learning that Humans Can Trust", CUP: F73C22001320007. Vashek Matyas was supported by Czech Science Foundation project GA20-03426S. Adam Janovsky was supported by the Invasys company. We are grateful to Jonas Konecny, who ran the initial machine-learning experiments. We also thank Avast for providing the dynamic-analysis tool apklab.io.


Correspondence to Adam Janovsky.


A Detailed Comparison of Symmetric Ciphers Between Androzoo-M12 and CryptoLint-B12


Table 6 gives an in-depth comparison of the symmetric encryption schemes found in the CryptoLint-B12 and Androzoo-M12 datasets. It should be stressed that although the absolute number of call sites in CryptoLint-B12 (15,598) is higher than in Androzoo-M12 (9,729), this comparison is heavily skewed by the size and overall distribution characteristics of the two datasets. In other words, it takes 145 thousand benign applications (where only one call in five originates from the user-defined codebase) to obtain roughly 15 thousand symmetric encryption call sites, whereas about 34 thousand malicious applications would yield a similar number.

Table 6. Comparison of the distribution of symmetric encryption schemes in malicious vs. benign applications (Androzoo-M12 and CryptoLint-B12). The frequency of malicious encryption schemes was normalized to the size of the benign dataset. In the benign set, only schemes with frequency > 100 were taken. There is no prevalent malicious scheme (frequency > 100) that does not also appear in the benign dataset. The default schemes marked with * fall back to ECB mode with PKCS7 padding.
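The two steps behind a table like this are extracting the algorithm strings passed to the JCA `getInstance()` factories from decompiled code, and then normalising them before counting, because a bare `Cipher.getInstance("AES")` is not a scheme of its own: the provider fills in the missing mode and padding, and on SunJCE, Conscrypt and Bouncy Castle that default is ECB with PKCS#5/PKCS#7 padding (the asterisked rows above). The script below is an added example, not the paper's pipeline from the AndroidMalwareCrypto repository. It runs over constructed jadx-style Java and smali snippets embedded inline, resolves the defaults, and buckets each call against the recommendations listed in note 2; it cannot see key sizes, so AES-128 and AES-256 are not distinguished (an assumption stated in the code). Regex extraction like this is deliberately simple and is defeated by reflection or string obfuscation, which is precisely why the paper reports such call sites as a lower bound.

```python
"""Extract and classify JCA crypto API call sites from decompiled Android code.

Added example (not the paper's code). Sample inputs below are constructed.
"""
import re
from collections import Counter

# JCA engine classes whose getInstance() argument names the primitive.
ENGINES = ("Cipher", "MessageDigest", "Mac", "Signature", "KeyGenerator",
           "SecretKeyFactory", "KeyPairGenerator")

# Decompiled Java:  Cipher.getInstance("AES/CBC/PKCS5Padding")
JAVA_CALL = re.compile(r"\b(" + "|".join(ENGINES) + r")\.getInstance\(\s*\"([^\"]+)\"")

# smali: a const-string into a register, later passed to L.../Cipher;->getInstance(
SMALI_CONST = re.compile(r"const-string(?:/jumbo)? (v\d+|p\d+), \"([^\"]+)\"")
SMALI_CALL = re.compile(
    r"invoke-static \{(v\d+|p\d+)\}, L(?:javax/crypto|java/security)/(\w+);->getInstance\(")

# Block ciphers whose bare name receives a provider default mode/padding.
BLOCK_CIPHERS = {"AES", "DES", "DESEDE", "BLOWFISH", "RC2"}
# Broken or deprecated primitives, regardless of mode (compare Table 6 and [41], [43]).
WEAK_ALGOS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "MD2", "MD5", "SHA", "SHA1", "SHA-1"}
SHA2 = {"SHA224", "SHA256", "SHA384", "SHA512", "SHA-224", "SHA-256", "SHA-384", "SHA-512"}


def extract_calls(text):
    """Return (engine, algorithm_string) pairs found in Java or smali text."""
    calls = list(JAVA_CALL.findall(text))
    # smali: remember the last string constant loaded into each register and
    # resolve it when that register is the argument of getInstance().
    regs = {}
    for line in text.splitlines():
        m = SMALI_CONST.search(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = SMALI_CALL.search(line)
        if m and m.group(1) in regs:
            calls.append((m.group(2), regs[m.group(1)]))
    return calls


def normalize(engine, alg):
    """Expand provider defaults so a bare "AES" is counted as what it actually runs.

    The JCA reference [35] leaves mode and padding to the provider when only the
    algorithm is given; SunJCE, Conscrypt and Bouncy Castle resolve a bare block
    cipher name to ECB with PKCS5 (PKCS7 for 16-byte blocks) padding.
    """
    parts = alg.upper().split("/")
    if engine == "Cipher" and len(parts) == 1 and parts[0] in BLOCK_CIPHERS:
        return parts[0] + "/ECB/PKCS5PADDING"
    return "/".join(parts)


def classify(engine, alg):
    """Bucket a call against the Android crypto guide list in note 2.

    Returns "weak" (broken primitive or ECB mode), "recommended" or "other".
    Assumption: key size is not visible in the transformation string, so AES-128
    and AES-256 both land in "recommended" when the mode is CBC or GCM.
    """
    parts = normalize(engine, alg).split("/")
    base = parts[0]
    if base in WEAK_ALGOS or (len(parts) > 1 and parts[1] == "ECB"):
        return "weak"
    if engine == "Cipher" and base == "AES" and len(parts) == 3 and parts[1] in ("CBC", "GCM"):
        return "recommended"
    if engine == "MessageDigest" and base in SHA2:
        return "recommended"
    if engine == "Mac" and base.startswith("HMAC") and base[4:] in SHA2:
        return "recommended"
    if engine == "Signature" and base.endswith("WITHECDSA") and base[:-9] in SHA2:
        return "recommended"
    return "other"


def summarize(text):
    """Frequency table of normalised calls plus per-bucket counts, as in Table 6."""
    calls = extract_calls(text)
    freq = Counter((eng, normalize(eng, alg)) for eng, alg in calls)
    buckets = Counter(classify(eng, alg) for eng, alg in calls)
    return freq, buckets


# Constructed sample: jadx-style Java followed by baksmali-style smali.
SAMPLE = '''
Cipher c = Cipher.getInstance("AES");
Cipher d = Cipher.getInstance("AES/CBC/PKCS5Padding");
MessageDigest md = MessageDigest.getInstance("MD5");
Mac mac = Mac.getInstance("HmacSHA256");
Signature s = Signature.getInstance("SHA256withECDSA");
    const-string v0, "DES/ECB/NoPadding"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    const-string v1, "SHA-256"
    invoke-static {v1}, Ljava/security/MessageDigest;->getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;
'''

if __name__ == "__main__":
    freq, buckets = summarize(SAMPLE)
    for (eng, alg), n in freq.most_common():
        print(f"{n:3d}  {eng}.getInstance({alg!r})  [{classify(eng, alg)}]")
    print(dict(buckets))
```

On the constructed sample the bare `"AES"` call is reported as `AES/ECB/PKCS5PADDING` and lands in the weak bucket together with MD5 and DES, while the explicit CBC call, HMAC-SHA256, SHA256withECDSA and SHA-256 are recommended. Real pipelines run this over the output of Androguard or jadx for every DEX in the APK and, as the paper does, separate user code from third-party libraries before counting.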


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Janovsky, A., Maiorca, D., Macko, D., Matyas, V., Giacinto, G. (2023). Explaining the Use of Cryptographic API in Android Malware. In: Van Sinderen, M., Wijnhoven, F., Hammoudi, S., Samarati, P., Vimercati, S.D.C.d. (eds) E-Business and Telecommunications. ICSBT 2022, SECRYPT 2022. Communications in Computer and Information Science, vol 1849. Springer, Cham. https://doi.org/10.1007/978-3-031-45137-9_4


  • DOI: https://doi.org/10.1007/978-3-031-45137-9_4


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-45136-2

  • Online ISBN: 978-3-031-45137-9
