Abstract
Android malware vendors profit by “piggybacking” on legitimate applications (or simply apps) and inserting malicious code that can steal users’ sensitive data or display unsolicited advertisements. A piggybacked app is a repackaged legitimate app with extra code that can perform malicious acts after installation. Many researchers have put effort into developing signature schemes for malware detection and obfuscation techniques to mitigate the effects of piggybacking. However, little has been done to protect apps after their installation. In particular, the cache, where the app actually runs, is vulnerable to tampering. Cache tampering allows for the same behavioral changes as piggybacking. The cache loading process of the Android Runtime (ART) can be exploited by cache tampering attacks without rebooting the device. In this paper, we introduce an approach to protect apps by maintaining the integrity of their cache. We show that cache tampering is possible and propose a lightweight cache protection mechanism to alert users about a cache tampering attack. We describe the approach in detail and present the results of a real implementation. Our evaluation results on Android 7 (the latest version at the time of this writing) show that our cache protection system can detect the abnormal behavior effectively and efficiently.
Acknowledgments
This project is partially funded by Mitacs Canada and Irdeto Corporation.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Wan, J., Zulkernine, M., Eisen, P., Liem, C. (2017). Defending Application Cache Integrity of Android Runtime. In: Liu, J., Samarati, P. (eds) Information Security Practice and Experience. ISPEC 2017. Lecture Notes in Computer Science, vol 10701. Springer, Cham. https://doi.org/10.1007/978-3-319-72359-4_45
DOI: https://doi.org/10.1007/978-3-319-72359-4_45
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72358-7
Online ISBN: 978-3-319-72359-4
eBook Packages: Computer Science, Computer Science (R0)