PANDORA applies non-deterministic obfuscation randomly to Android

Android, a Linux-based operating system, is currently the most popular platform for mobile devices like smartphones and tablets. Recently, two closely related security threats have become a major concern of the research community: software piracy and malware. This paper studies the capabilities of code obfuscation for the purposes of diversifying plagiarized software and malware. Within the scope of this work, the PANDORA (PANDORA Applies Non-Deterministic Obfuscation Randomly to Android) transformation system for Android bytecode was designed and implemented, combining techniques for data and object-oriented design obfuscation. Our evaluation results indicate deficiencies of the malware detection engines currently used in 46 popular antivirus products, which in most cases were not able to detect samples obfuscated with PANDORA. Furthermore, this paper reveals shortcomings of the Androsim tool and potentially other static software similarity algorithms that were recently proposed to address the piracy problem in Android.
