ABSTRACT
Static analysis of Android applications can be hindered by popular dynamic code update techniques: dynamic class loading and reflection. Recent Android malware samples use these mechanisms to conceal their malicious behavior from static analyzers. These techniques defeat even the most recent static analyzers, which usually operate under the "closed world" assumption (the targets of reflective calls can be resolved at analysis time; only classes reachable from the class path at analysis time are used at runtime). Our proposed solution allows existing static analyzers to drop this assumption. It does so by combining static and dynamic analysis of applications to reveal the hidden or updated behavior and to extend the static analysis results with this information. This paper presents the design, implementation and preliminary evaluation results of our solution, called StaDynA.
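The example below is an added illustration, not StaDynA's own code and not taken from the paper. It shows what dropping the closed-world assumption means for a call graph: reflective and class-loading call sites that dead-end in the static graph are extended with targets observed at runtime. The app, method names, event format and `payload.dex` are constructed assumptions.

```python
from collections import deque

# Constructed sample: static call graph of a hypothetical app (caller -> callees).
# Reflective and class-loading calls end at the framework API; the real target is unknown.
STATIC_GRAPH = {
    "Lapp/Main;->onCreate": {"Lapp/Updater;->run"},
    "Lapp/Updater;->run": {
        "Ldalvik/system/DexClassLoader;-><init>",
        "Ljava/lang/reflect/Method;->invoke",
    },
}

# Constructed sample: events observed while the app runs on an instrumented device.
# "dcl" = a code file was loaded, "invoke" = a reflective call reached a concrete method.
DYNAMIC_EVENTS = [
    {"kind": "dcl", "caller": "Lapp/Updater;->run", "file": "payload.dex"},
    {"kind": "invoke", "caller": "Lapp/Updater;->run", "target": "Lpayload/Job;->start"},
]

# Constructed sample: call graphs obtained by statically analysing each loaded file.
LOADED_CODE_GRAPHS = {
    "payload.dex": {"Lpayload/Job;->start": {"Landroid/telephony/SmsManager;->sendTextMessage"}},
}


def extend_graph(static_graph, events, loaded_graphs):
    """Return a copy of the static graph with dynamically observed edges merged in."""
    graph = {caller: set(callees) for caller, callees in static_graph.items()}
    for event in events:
        if event["kind"] == "invoke":
            # Resolve the reflective call site to the method actually invoked.
            graph.setdefault(event["caller"], set()).add(event["target"])
        elif event["kind"] == "dcl":
            # Code outside the original class path joins the analysis scope.
            for caller, callees in loaded_graphs.get(event["file"], {}).items():
                graph.setdefault(caller, set()).update(callees)
    return graph


def reachable(graph, entry):
    """Breadth-first search over call edges starting from an entry point."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen
```

On the static graph alone the SMS API is unreachable from `onCreate`; after merging the runtime observations it becomes reachable, which is the kind of hidden behavior a closed-world analysis misses.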