
Defining and Detecting Environment Discrimination in Android Apps

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2017)

Abstract

Environment discrimination—a program behaving differently on different platforms—is used in many contexts. For example, malware can use environment discrimination to thwart detection attempts: because malware detectors employ automated dynamic analysis that runs the potentially malicious program in a virtualized environment, the malware author can make the program aware of the virtual environment so that it turns off its nefarious behavior whenever it is running in one. An approach for detecting environment discrimination can therefore help security researchers and practitioners better understand the behavior of, and consequently counter, such malware. In this paper we formally define environment discrimination, and propose an approach based on abstract traces and symbolic execution to detect discrimination in Android apps. Furthermore, our approach discovers which API calls expose the environment information to malware, which is a valuable reference for virtualization developers seeking to improve their products. We also apply our approach to real malware and to benchmark apps designed by third-party researchers. The results show that the algorithm and framework we propose achieve 97% accuracy.
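The abstract's core idea, an app whose abstract trace (its sequence of observable actions) depends on environment-revealing API results, can be made concrete with a small model. The following is an added illustration, not the paper's code or its exact technique: an app is written in a tiny IR of environment queries, branches and actions; every feasible path is enumerated symbolically together with its path condition; two environments are "discriminated" when they drive the app down paths with different traces, and the APIs constrained on those paths whose values differ between the environments are reported as the ones exposing environment information. The IR, the sample apps and the environment values (including the fingerprint and device-id strings) are all constructed for the example.

```python
"""Toy detector for environment discrimination (constructed illustration;
not the paper's code or its exact method).

An app is a tiny program that queries environment APIs, branches on the
answers and performs observable actions. Symbolic enumeration yields every
feasible path with its path condition and its abstract trace; the app
discriminates between two environments when they reach paths with
different traces, and the APIs constrained on those paths whose values
differ between the environments are the ones leaking environment info.
"""
from dataclasses import dataclass

# Mini-IR statements (constructed for this example):
#   ("query", api, var)                    var := result of an environment API call
#   ("if", var, value, then_ss, else_ss)   branch on an earlier query result
#   ("act", name)                          observable action = abstract trace event


@dataclass
class Path:
    condition: list   # [(api, "==" | "!=", value)] constraints on API results
    trace: list       # observable actions performed along this path


def feasible(cond):
    """Reject paths whose constraints on a single API contradict each other."""
    for api, op, val in cond:
        for api2, op2, val2 in cond:
            if api != api2:
                continue
            if op == "==" and op2 == "==" and val != val2:
                return False
            if op == "==" and op2 == "!=" and val == val2:
                return False
    return True


def enumerate_paths(stmts, cond=(), var_api=None, trace=()):
    """Fork at every branch, carrying the path condition and trace along."""
    cond, trace, var_api = list(cond), list(trace), dict(var_api or {})
    for i, stmt in enumerate(stmts):
        if stmt[0] == "query":
            var_api[stmt[2]] = stmt[1]          # remember which API fed this variable
        elif stmt[0] == "act":
            trace.append(stmt[1])
        else:                                    # "if": explore both sides
            _, var, value, then_ss, else_ss = stmt
            rest = list(stmts[i + 1:])
            paths = []
            for op, block in (("==", then_ss), ("!=", else_ss)):
                branch_cond = cond + [(var_api[var], op, value)]
                if feasible(branch_cond):
                    paths += enumerate_paths(block + rest, branch_cond, var_api, trace)
            return paths
    return [Path(cond, trace)]


def satisfied(cond, env):
    """Does a concrete environment (api -> returned value) meet a path condition?"""
    return all((env[api] == val) == (op == "==") for api, op, val in cond)


def path_for(paths, env):
    """The paths form a disjoint cover of the input space, so exactly one matches."""
    matches = [p for p in paths if satisfied(p.condition, env)]
    assert len(matches) == 1
    return matches[0]


def detect(stmts, env_a, env_b):
    """Return (discriminates?, sorted APIs whose differing values explain it)."""
    paths = enumerate_paths(stmts)
    pa, pb = path_for(paths, env_a), path_for(paths, env_b)
    if pa.trace == pb.trace:
        return False, []
    exposing = {api for api, _, _ in pa.condition + pb.condition
                if env_a[api] != env_b[api]}
    return True, sorted(exposing)


# Constructed sample app: withholds its payload when the device looks emulated.
EVASIVE_APP = [
    ("query", "Build.FINGERPRINT", "fp"),
    ("query", "TelephonyManager.getDeviceId", "imei"),
    ("act", "show_ui"),
    ("if", "fp", "generic",
        [("act", "exit")],
        [("if", "imei", "000000000000000",
            [("act", "exit")],
            [("act", "read_contacts"), ("act", "upload_contacts")])]),
]
# Constructed control app: queries the environment but never acts on it.
HONEST_APP = [
    ("query", "Build.FINGERPRINT", "fp"),
    ("act", "show_ui"),
    ("act", "upload_contacts"),
]
# Constructed environments; all values are illustrative only.
REAL_DEVICE = {"Build.FINGERPRINT": "vendor/phone:8.0/release-keys",
               "TelephonyManager.getDeviceId": "356938035643809"}
EMULATOR = {"Build.FINGERPRINT": "generic",
            "TelephonyManager.getDeviceId": "000000000000000"}
# Emulator given a device-like IMEI: only the fingerprint still leaks.
PATCHED_EMULATOR = {**EMULATOR, "TelephonyManager.getDeviceId": "356938035643809"}

if __name__ == "__main__":
    print(detect(EVASIVE_APP, REAL_DEVICE, EMULATOR))
    print(detect(EVASIVE_APP, REAL_DEVICE, PATCHED_EMULATOR))
    print(detect(HONEST_APP, REAL_DEVICE, EMULATOR))
```

Two design points carry over from the abstract. First, querying an environment API is not by itself discrimination: `HONEST_APP` reads the fingerprint and is reported clean because its trace is the same everywhere; only a behavioral divergence counts. Second, comparing the path conditions of the two executions narrows the blame to specific APIs, which is the information a sandbox or emulator maintainer needs: with `PATCHED_EMULATOR` the device-id query drops out of the report and only the fingerprint remains.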



Acknowledgement

The effort described in this article was partially sponsored by the U.S. Army Research Laboratory Cyber Security Collaborative Research Alliance under Contract Number W911NF-13-2-0045. The views and conclusions contained in this document are those of the authors, and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.

Corresponding author

Correspondence to Yunfeng Hong.


Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Hong, Y. et al. (2018). Defining and Detecting Environment Discrimination in Android Apps. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_26

  • DOI: https://doi.org/10.1007/978-3-319-78813-5_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78812-8

  • Online ISBN: 978-3-319-78813-5

  • eBook Packages: Computer Science (R0)