Abstract
Cryptography makes it possible to guarantee secure communications, conceal critical data from reverse engineering, and protect mobile users’ privacy. Android malware developers have extensively leveraged cryptographic libraries to obfuscate and hide malicious behavior. Various system-based and third-party libraries provide cryptographic functionality for Android, and their use and misuse by application developers have already been documented. This paper analyzes the use of cryptographic APIs in Android malware by comparing it to that in benign Android applications. In particular, Android applications released between 2012 and 2020 have been analyzed, and more than 1 million cryptographic API expressions have been gathered. We created a processing pipeline that produces a report revealing trends and insights on how and why cryptography is employed in Android malware. Results showed that the usage of cryptographic APIs in malware differs from that in benign applications. The different patterns in the use of cryptographic APIs in malware and benign applications have been further analyzed through the explanations of machine-learning-based Android malware detectors, showing how crypto-related features can improve detection performance. We observed that the transition to more robust cryptographic techniques is slower in Android malware than in benign applications.
Notes
1. The code is accessible from github.com/adamjanovsky/AndroidMalwareCrypto.
2. AES-256 in CBC or GCM mode, SHA-2 for hash functions, SHA-2 HMAC for MACs and SHA-2 ECDSA for signatures as of early 2020 [14].
3. Android Application Package, an archive that encapsulates the whole Android application.
4. Since LibRadar requires a large Redis database to run (preventing parallelization), we actually leveraged its lightweight version LiteRadar. Before doing so, we compared the output of both tools on a small subset and found that this decision has a negligible effect on the number of detected libraries.
5. The tuples were sampled in advance to avoid repetition.
6. While our pipeline has the capability to capture such a diverse landscape, in Sect. 6 we present results only for 220 constructor variants from 8 classes, since the rest are used very rarely. No conclusions can be drawn from such rare events.
7. virustotal.com. The number of VirusTotal positive flags is already contained in the Androzoo dataset.
8. Kindly provided by Avast, available at http://apklab.io.
9. Remember that our goal was not to build a better classifier but to show that it is possible to distinguish between malicious and benign Android applications by resorting to their cryptographic API usage only.
10.
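As an added illustration of the kind of processing stage the abstract describes (this is not code from the paper or from the AndroidMalwareCrypto repository), the following Python sketch extracts JCA `getInstance()` expressions from decompiled source lines and classifies each call site against the baseline of note 2. The sample source lines are constructed for the example; the regex, the `CryptoCall` record and the baseline sets are assumptions made here.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines as they might appear in Java decompiled from an APK.
# They are illustrative only and do not come from any dataset used in the paper.
SAMPLE_SOURCE = """
Cipher c1 = Cipher.getInstance("AES/CBC/PKCS5Padding");
Cipher c2 = Cipher.getInstance("DES/ECB/PKCS5Padding");
Cipher c3 = Cipher.getInstance("AES/GCM/NoPadding");
MessageDigest md = MessageDigest.getInstance("MD5");
MessageDigest sha = MessageDigest.getInstance("SHA-256");
Mac mac = Mac.getInstance("HmacSHA1");
Signature sig = Signature.getInstance("SHA256withECDSA");
"""

# JCA factory classes whose getInstance() argument names the algorithm (literal args only).
CALL_RE = re.compile(r'\b(Cipher|MessageDigest|Mac|Signature)\.getInstance\("([^"]+)"\)')

@dataclass(frozen=True)
class CryptoCall:
    api: str        # JCA class, e.g. "Cipher"
    transform: str  # transformation string, e.g. "AES/CBC/PKCS5Padding"

def extract_calls(source: str) -> list[CryptoCall]:
    """Collect every JCA getInstance() expression with a string-literal argument."""
    return [CryptoCall(api, t) for api, t in CALL_RE.findall(source)]

def meets_baseline(call: CryptoCall) -> bool:
    """Baseline from note 2: AES in CBC/GCM, SHA-2 digests, SHA-2 HMACs, SHA-2 ECDSA.
    The AES key size is not part of the transformation string, so it is not checked."""
    parts = call.transform.upper().split("/")
    algo = parts[0]
    if call.api == "Cipher":
        # Assumption: a bare "AES" falls back to the provider default, usually ECB.
        mode = parts[1] if len(parts) > 1 else "ECB"
        return algo == "AES" and mode in {"CBC", "GCM"}
    if call.api == "MessageDigest":
        return algo in {"SHA-224", "SHA-256", "SHA-384", "SHA-512"}
    if call.api == "Mac":
        return algo in {"HMACSHA224", "HMACSHA256", "HMACSHA384", "HMACSHA512"}
    if call.api == "Signature":
        digest, _, scheme = algo.partition("WITH")
        return scheme == "ECDSA" and digest in {"SHA224", "SHA256", "SHA384", "SHA512"}
    return False

def summarize(source: str) -> dict[str, int]:
    """Count call sites that meet the baseline versus legacy ones."""
    counts = {"baseline": 0, "legacy": 0}
    for call in extract_calls(source):
        counts["baseline" if meets_baseline(call) else "legacy"] += 1
    return counts
```

Running `summarize(SAMPLE_SOURCE)` on the constructed lines separates the four baseline-conforming call sites from the three legacy ones (DES, MD5, HMAC-SHA1); aggregating such counts per application, and normalizing by dataset size as the appendix does, is what makes malware and benign usage comparable.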
References
Allix, K., Bissyandé, T.F., Klein, J., Le Traon, Y.: AndroZoo: collecting millions of Android apps for the research community. In: Proceedings of MSR ’16, pp. 468–471. ACM (2016)
Ami, A.S., Cooper, N., Kafle, K., Moran, K., Poshyvanyk, D., Nadkarni, A.: Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques. arXiv:2107.07065 [cs], August 2021
Anthony, D., Geoffroy, G.: Androguard (2012). https://github.com/androguard/androguard. Accessed 4 Aug 2019
Backes, M., Bugiel, S., Derr, E.: Reliable third-party library detection in android and its security applications. In: Proceedings of CCS ’16, pp. 356–367. ACM (2016)
Bauer, V.: Android Arsenal (2014). https://android-arsenal.com. Accessed 5 June 2020
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)
BusinessOfApps: Android statistics (2022). http://businessofapps.com/data/android-statistics
Chatzikonstantinou, A., Ntantogian, C., Karopoulos, G., Xenakis, C.: Evaluation of Cryptography Usage in Android Applications. In: Proceedings of EAI BCT ’16, pp. 83–90. ACM (2016)
Chen, S., Xue, M., Tang, Z., Xu, L., Zhu, H.: Stormdroid: a streaminglized machine learning-based system for detecting android malware. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2016, pp. 377–388. ACM, New York (2016)
Daniel, A., Michael, S., Malte, H., Hugo, G., Rieck, K.: Drebin: efficient and explainable detection of android malware in your pocket. In: Proceedings 2014 Network and Distributed System Security Symposium, pp. 23–26. The Internet Society, San Diego (2014)
Egele, M., Brumley, D., Fratantonio, Y., Kruegel, C.: An empirical study of cryptographic misuse in android applications. In: Proceedings of CCS’13, pp. 73–84. ACM (2013)
Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgärtner, L., Freisleben, B.: Why eve and mallory love android: An analysis of android SSL (in)security. In: Proceedings of CCS ’12, pp. 50–61. ACM (2012)
Gao, J., Kong, P., Li, L., Bissyande, T.F., Klein, J.: Negative results on mining crypto-API usage rules in android apps. In: Proceedings of MSR ’19, pp. 388–398. IEEE (2019)
Google: Android Cryptography API Guide (2020). https://developer.android.com/guide/topics/security/cryptography. Accessed 4 Mar 2020
Google Inc.: Conscrypt - a Java security provider (2013). https://github.com/google/conscrypt. Accessed 5 June 2020
Hoffmann, J., Rytilahti, T., Maiorca, D., Winandy, M., Giacinto, G., Holz, T.: Evaluating analysis tools for android apps: status quo and robustness against obfuscation. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 139–141. Association for Computing Machinery, New York (2016)
Isode Limited, OpenLDAP Foundation: RFC 4422 - Simple Authentication and Security Layer (SASL) (2006). http://tools.ietf.org/html/rfc4422. Accessed 2 Mar 2022
Janovsky, A., Maiorca, D., Macko, D., Matyas, V., Giacinto, G.: A longitudinal study of cryptographic API: a decade of Android malware. In: Proceedings of the 19th International Conference on Security and Cryptography - SECRYPT, pp. 121–133. INSTICC, SciTePress (2022). https://doi.org/10.5220/0011265300003283
Krüger, S., Späth, J., Ali, K., Bodden, E., Mezini, M.: CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs. In: Proceedings of ECOOP 2018, pp. 10:1–10:27. LIPIcs, vol. 109, LZI (2018)
Kursa, M.B., Rudnicki, W.R., et al.: Feature selection with the boruta package. J. Stat. Softw. 36(11), 1–13 (2010)
Legion of the Bouncy Castle Inc.: The Legion of the Bouncy Castle (2020). https://www.bouncycastle.org/java.html. Accessed 6 Apr 2020
Lundberg, S.M., Lee, S.I.: A unified approach to interpreting model predictions. In: Proceedings of NIPS 2017, pp. 4765–4774. Curran Associates, Inc. (2017). http://papers.nips.cc/paper/7062-a-unified-approach-to-interpreting-model-predictions.pdf
Ma, S., Lo, D., Li, T., Deng, R.H.: CDRep: automatic repair of cryptographic misuses in android applications. In: Proceedings of ASIACCS 2016, pp. 711–722. ACM, Xi’an, China (2016)
Ma, Z., Wang, H., Guo, Y., Chen, X.: LibRadar: fast and accurate detection of third-party libraries in Android apps. In: Proceedings of ICSE 2016, pp. 653–656. ACM, Austin, Texas (2016)
Maiorca, D., Ariu, D., Corona, I., Aresu, M., Giacinto, G.: Stealth attacks: an extended insight into the obfuscation effects on android malware. Comput. Secur. 51(C), 16–31 (2015)
Maiorca, D., Mercaldo, F., Giacinto, G., Visaggio, C.A., Martinelli, F.: R-PackDroid: API package-based characterization and detection of mobile ransomware. In: Proceedings of SAC 2017, pp. 1718–1723. ACM (2017)
McAfee Labs: McAfee Labs threats report, August 2019 (2019). http://mcafee.com/enterprise/en-us/threat-center/mcafee-labs/reports.html. Accessed 7 Mar 2022
Melis, M., Maiorca, D., Biggio, B., Giacinto, G., Roli, F.: Explaining black-box android malware detection. In: 26th European Signal Processing Conference. EUSIPCO 2018, pp. 524–528. IEEE, Rome, Italy (2018)
Melis, M., Scalas, M., Demontis, A., Maiorca, D., Biggio, B., Giacinto, G., Roli, F.: Do gradient-based explanations tell anything about adversarial robustness to android malware? Int. J. Mach. Learn. Cybern. 13(1), 217–232 (2022). https://doi.org/10.1007/s13042-021-01393-7
Menezes, A.J., Katz, J., Van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied cryptography. CRC Press (1996)
Muslukhov, I., Boshmaf, Y., Beznosov, K.: Source attribution of cryptographic API misuse in android applications. In: Proceedings of ASIACCS 2018, pp. 133–146. ACM (2018)
Oltrogge, M., Huaman, N., Amft, S., Acar, Y., Backes, M., Fahl, S.: Why eve and mallory still love android: Revisiting TLS (In)Security in android applications. In: Proceedings of USENIX ’21, pp. 4347–4364. USENIX (2021)
Paletov, R., Tsankov, P., Raychev, V., Vechev, M.: Inferring crypto API rules from code changes. In: Proceedings of PLDI 2018, pp. 450–464. ACM (2018)
Piccolboni, L., Guglielmo, G.D., Carloni, L.P., Sethumadhavan, S.: CRYLOGGER: detecting crypto misuses dynamically. In: Proceedings of IEEE SP 2021, pp. 1972–1989. IEEE (2021)
Platform, J.: Java Cryptography Architecture (JCA) Reference Guide (2017). https://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html. Accessed 4 Mar 2020
Rahaman, S., et al.: CryptoGuard: high precision detection of cryptographic vulnerabilities in massive-sized java projects. In: Proceedings of CCS 2019, pp. 2455–2472. ACM (2019)
Salem, A.: Towards accurate labeling of Android apps for reliable malware detection. arXiv preprint arXiv:2007.00464 (2020)
Shapley, L.: A value for n-person games. In: Contributions to the Theory of Games. Annals of Mathematics Studies (2) (1953)
Shuai, S., Guowei, D., Tao, G., Tianchang, Y., Chenjie, S.: Modelling analysis and auto-detection of cryptographic misuse in android applications. In: Proceedings of DASC 2014, pp. 75–80. IEEE (2014)
skylot: Jadx decompiler (2020). https://github.com/skylot/jadx. Accessed 15 Dec 2019
Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_19
Wang, H., Guo, Y., Ma, Z., Chen, X.: WuKong: a scalable and accurate two-phase approach to Android app clone detection. In: Proceedings of ISSTA 2015, pp. 71–82. ACM (2015)
Wang, X., Yu, H.: How to Break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_2
Zhan, X., et al.: Automated third-party library detection for Android applications: are we there yet? In: Proceedings of ASE 2020, pp. 919–930. ACM, December 2020
Zhang, X., Zhang, Y., Li, J., Hu, Y., Li, H., Gu, D.: Embroidery: patching vulnerable binary code of fragmentized android devices. In: Proceedings of ICSME 2017, pp. 47–57. IEEE (2017)
Acknowledgements.
Davide Maiorca was supported by the project PON AIM Research and Innovation 2014–2020 - Attraction and International Mobility, funded by the Italian Ministry of Education, University and Research; and by the European cybersecurity pilot CyberSec4Europe. Giorgio Giacinto was supported by Fondazione di Sardegna under the project “TrustML: Towards Machine Learning that Humans Can Trust”, CUP: F73C22001320007. Vashek Matyas was supported by Czech Science Foundation project GA20-03426S. Adam Janovsky was supported by Invasys company. We are grateful to Jonas Konecny who ran the initial machine-learning experiments. We also thank Avast for providing the dynamic-analysis tool apklab.io.
A Detailed Comparison of Symmetric Ciphers Between Androzoo-M12 and CryptoLint-B12
Table 6 displays an in-depth comparison between symmetric encryption schemes in the datasets CryptoLint-B12 and Androzoo-M12. It should be stressed that even though the absolute number of call sites in CryptoLint-B12 is higher (15,598) than in Androzoo-M12 (9,729), this comparison is severely skewed by the overall distribution characteristics of CryptoLint-B12 vs. Androzoo-M12. In other words, it takes 145 thousand benign applications (where only every fifth call originates from the user-defined codebase) to obtain 15 thousand calls, whereas 34 thousand malicious applications would provide a similar number of symmetric encryption API call sites.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Janovsky, A., Maiorca, D., Macko, D., Matyas, V., Giacinto, G. (2023). Explaining the Use of Cryptographic API in Android Malware. In: Van Sinderen, M., Wijnhoven, F., Hammoudi, S., Samarati, P., Vimercati, S.D.C.d. (eds) E-Business and Telecommunications. ICSBT SECRYPT 2022 2022. Communications in Computer and Information Science, vol 1849. Springer, Cham. https://doi.org/10.1007/978-3-031-45137-9_4
DOI: https://doi.org/10.1007/978-3-031-45137-9_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-45136-2
Online ISBN: 978-3-031-45137-9
eBook Packages: Computer Science (R0)