ABSTRACT
Repackaging popular benign apps with a malicious payload used to be the most common way to spread Android malware. Since 2016, however, we have observed an alarming new trend in the Android ecosystem: a growing number of Android malware samples abuse the recent app-virtualization innovation as a new distribution channel. App virtualization lets a user run multiple copies of the same app on a single device, and tens of millions of users enjoy this convenience. Cybercriminals, however, repackage various malicious APK files as plugins of an app-virtualization platform, which can launch arbitrary plugins without the hassle of installation. This new style of repackaging can bypass anti-malware scanners by hiding the grafted malicious payload in plugins, and it also defeats the basic premise of existing repackaged-app detection solutions, which expect the grafted code to live in the repackaged APK itself.
As app-virtualization-based apps are not necessarily malware, in this paper we aim to reach a verdict on them before run time. Our in-depth study yields two key observations: 1) the proxy layer between plugin apps and the Android framework is the core of the app-virtualization mechanism, and its behavior exhibits finite state transitions; 2) malware typically loads plugins stealthily and hides malicious behaviors. These insights motivate a two-layer detection approach, called VAHunt. First, we design a stateful detection model that identifies the presence of an app-virtualization engine in an APK file. Second, we perform data-flow analysis to extract fingerprinting features that differentiate malicious from benign plugin-loading strategies. Since October 2019 we have tested VAHunt at Antiy AVL Mobile Security, a leading mobile security company, on more than 139K app-virtualization-based samples. Against the ground truth, VAHunt achieves a 0.7% false-negative rate and zero false positives. Our automated detection frees security analysts from the burden of manual reverse engineering.
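The two-layer idea in the abstract, as an added example rather than the paper's own code: a toy finite-state model driven by framework-facing API calls decides whether an APK carries an app-virtualization engine, and a few loading-strategy features then separate stealthy from benign plugin loading. The state names, the event names (`reflect.get_service_stub`, `reflect.replace_service_cache`), the `PluginLoad` features and the sample traces are all this example's own assumptions, modelled on how open-source engines such as VirtualApp and DroidPlugin proxy framework services and load plugin APKs; they are not the model or features VAHunt uses.

```python
"""Two-layer verdict on an APK in the spirit of the VAHunt abstract.

Added illustration, not the paper's code. The state names, the API-call
events that drive them and the loading-strategy features are hypothetical,
modelled on how open-source app-virtualization engines (VirtualApp,
DroidPlugin) proxy framework services and load plugin APKs.
"""
from dataclasses import dataclass

# Layer 1: a finite-state model of the proxy layer. Each key is
# (current_state, observed_api_event) and each value is the next state. The
# events stand for what a static pass over the dex code would report.
TRANSITIONS = {
    # obtain a handle to a framework service stub (e.g. IActivityManager) via reflection
    ("INIT", "reflect.get_service_stub"): "STUB_OBTAINED",
    # wrap that stub in a java.lang.reflect.Proxy so every call can be rewritten
    ("STUB_OBTAINED", "java.lang.reflect.Proxy.newProxyInstance"): "PROXY_BUILT",
    # write the proxy back into the framework's cached service reference
    ("PROXY_BUILT", "reflect.replace_service_cache"): "HOOK_INSTALLED",
    # only once the hook is in place does loading a plugin APK make it "run"
    ("HOOK_INSTALLED", "dalvik.system.DexClassLoader.<init>"): "PLUGIN_LOADED",
}
ACCEPT_STATE = "PLUGIN_LOADED"


def run_engine_model(events):
    """Drive the model with an ordered list of API-call events and return the
    final state. Events with no outgoing edge from the current state are
    ignored, which tolerates unrelated calls interleaved with the hooking
    steps but still requires the steps themselves to occur in order."""
    state = "INIT"
    for event in events:
        state = TRANSITIONS.get((state, event), state)
    return state


def has_virtualization_engine(events):
    return run_engine_model(events) == ACCEPT_STATE


# Layer 2: features a data-flow analysis could attach to each plugin-loading
# site. The field meanings are this example's assumptions.
@dataclass
class PluginLoad:
    path_source: str      # where the plugin path flows from: "installed_package"
                          # (user picks an installed app), "bundled_asset" or
                          # "network_download"
    user_triggered: bool  # the load site is reached from a UI handler
    plugin_visible: bool  # the loaded plugin gets an entry the user can see


def stealth_reasons(load):
    """Return the loading traits that look stealthy; empty means benign-looking."""
    reasons = []
    if load.path_source != "installed_package":
        reasons.append(f"plugin path flows from {load.path_source}, not from a user-chosen installed app")
    if not load.user_triggered:
        reasons.append("plugin is loaded from a background component rather than a UI action")
    if not load.plugin_visible:
        reasons.append("loaded plugin is not exposed to the user")
    return reasons


def classify(events, load):
    """Verdict: no engine at all, a benign dual-instance app, or malicious loading."""
    if not has_virtualization_engine(events):
        return "no-engine"
    return "malicious-loading" if stealth_reasons(load) else "benign-dual-instance"


# Constructed sample traces (not real samples): a dual-instance-style app, a
# malware-style app and a plain dynamic-code-loading app without service hooks.
BENIGN_TRACE = [
    "android.content.Context.getSystemService",
    "reflect.get_service_stub",
    "java.lang.reflect.Proxy.newProxyInstance",
    "android.util.Log.d",
    "reflect.replace_service_cache",
    "dalvik.system.DexClassLoader.<init>",
]
BENIGN_LOAD = PluginLoad("installed_package", user_triggered=True, plugin_visible=True)

MALWARE_TRACE = [
    "reflect.get_service_stub",
    "javax.crypto.Cipher.doFinal",  # decrypting a bundled plugin before loading it
    "java.lang.reflect.Proxy.newProxyInstance",
    "reflect.replace_service_cache",
    "dalvik.system.DexClassLoader.<init>",
]
MALWARE_LOAD = PluginLoad("bundled_asset", user_triggered=False, plugin_visible=False)

PLAIN_DCL_TRACE = [
    "dalvik.system.DexClassLoader.<init>",  # dynamic code loading alone is not an engine
    "java.lang.reflect.Proxy.newProxyInstance",
]

if __name__ == "__main__":
    for name, trace, load in [("benign", BENIGN_TRACE, BENIGN_LOAD),
                              ("malware", MALWARE_TRACE, MALWARE_LOAD),
                              ("plain-dcl", PLAIN_DCL_TRACE, BENIGN_LOAD)]:
        print(f"{name}: state={run_engine_model(trace)} verdict={classify(trace, load)}")
```

The ordering in the state model is the point: `DexClassLoader` or `Proxy.newProxyInstance` on their own are common in benign apps (modularized or dynamically updated code), so neither reaches the accept state by itself; only the hook-then-load sequence does. The second layer then asks how the plugin got there, which is where a dual-instance app that loads a user-picked installed package and a dropper that silently loads a bundled or downloaded APK diverge.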
Index Terms
- VAHunt: Warding Off New Repackaged Android Malware in App-Virtualization's Clothing