ABSTRACT
A huge number of Android applications are bundled with relatively independent modules, either during development or through intentional repackaging. Undesirable behaviors such as stealthily acquiring and distributing users' private information are frequently discovered in some bundled third-party modules, i.e., advertising libraries or malicious code (we call such a module a tumor payload in this work), which sabotage the integrity of the original app and pose a threat to both the security of the mobile system and the user's privacy.
In this paper, we discuss how to purify an Android APK by resecting the tumor payload. Our work is based on two observations: 1) the tumor payload has its own characteristics, so it could be spotted through program analysis, and 2) the tumor payload is a relatively independent module so it can be resected without affecting the original app's function.
We propose APKLancet, an automatic Android application diagnosis and purification system, to detect and resect the tumor payload. Relying on features extracted from ad libraries, analytics plugins and approximately 8,000 malware samples, APKLancet is capable of diagnosing an APK and discovering unwelcome code fragments. It then uses each code fragment as an index for fine-grained program analysis and detaches the entire tumor payload. More precisely, it conducts an automatic app patching process that preserves the original normal functions while resecting the tumor payload. We test APKLancet on Android apps bundled with representative tumor payloads from an online sandbox system. The results show that the purification process can feasibly resect the tumor payload and repair the apps. Moreover, none of the above requires any Android system modification, and the purified app does not introduce any performance latency.
Index Terms
- APKLancet: tumor payload diagnosis and purification for android applications