Auditing Anti-Malware Tools by Evolving Android Malware and Dynamic Loading Technique

Although a previous study shows that existing anti-malware tools (AMTs) may achieve a high detection rate, that report is based on existing malware samples and therefore does not imply that AMTs can effectively handle future malware. An alternative way of auditing AMTs is desirable. In our previous paper, we used malware samples from the Android Malware Genome collection to derive a malware meta-model that modularizes common attack behaviors and evasion techniques into reusable features. We then combined these features with an evolutionary algorithm to evolve malware variants. Those results showed that existing AMTs detect only 20%–30% of 10,000 evolved malware variants. In this paper, building on the modularized attack features, we apply dynamic code generation and loading techniques to produce malware, so that AMTs can be audited at runtime. We implement our approach, named Mystique-S, as a service-oriented malware generation system. Mystique-S automatically selects attack features under various user scenarios and delivers the corresponding malicious payloads at runtime. Relying on dynamic code binding (via services) and dynamic code loading (via reflection), Mystique-S executes payloads on user devices at runtime. Experimental results on real-world devices show that existing AMTs are incapable of detecting most of the generated malware. Finally, we propose enhancements for existing AMTs.
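As an added example that is not part of the paper or of the Mystique-S system, the following Python script shows one check in the spirit of the AMT enhancements the abstract alludes to: a static pre-scan of classes.dex for the capabilities Mystique-S relies on (dynamic class loading, reflection, service binding, network fetch), so that an app carrying them is routed to runtime monitoring instead of being cleared by a static verdict. The indicator lists, the verdict thresholds, the `_fake_dex` helper and both sample byte strings are constructed for illustration; the scan is a printable-string heuristic over the DEX bytes, not a DEX parser.

```python
"""
Static pre-check for dynamic code loading capability in an Android DEX.

Added example, not Mystique-S code. Scans the bytes of classes.dex for
strings that indicate the app can fetch, load and invoke code at runtime
(DexClassLoader, reflection, service binding), so an AMT can escalate such
apps to runtime monitoring rather than trusting a static verdict.
"""
import re
from dataclasses import dataclass, field

# Indicator strings as they appear in a DEX string table (JVM-style
# descriptors and method names). Constructed list; extend as needed.
INDICATORS = {
    "dynamic_loading": [
        b"Ldalvik/system/DexClassLoader;",
        b"Ldalvik/system/PathClassLoader;",
        b"Ldalvik/system/InMemoryDexClassLoader;",
    ],
    "reflection": [
        b"Ljava/lang/reflect/Method;",
        b"getDeclaredMethod",
        b"forName",
    ],
    "service_binding": [
        b"bindService",
        b"Landroid/os/IBinder;",
    ],
    "payload_fetch": [
        b"Ljava/net/HttpURLConnection;",
        b"openConnection",
    ],
}

# Runs of 4+ printable ASCII bytes; DEX string_data_items are MUTF-8,
# so class descriptors and method names surface as such runs.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


@dataclass
class DexReport:
    hits: dict = field(default_factory=dict)  # category -> matched indicators
    verdict: str = "static_ok"                # static_ok | review | runtime_monitor


def extract_strings(data: bytes) -> list:
    """Return all printable-ASCII runs in the DEX bytes."""
    return PRINTABLE.findall(data)


def scan_dex(data: bytes) -> DexReport:
    """Flag dynamic-loading capability and decide how the AMT should proceed."""
    if not data.startswith(b"dex\n"):
        raise ValueError("not a DEX file (bad magic)")
    strings = set(extract_strings(data))
    report = DexReport()
    for category, needles in INDICATORS.items():
        matched = sorted({n.decode() for n in needles if any(n in s for s in strings)})
        if matched:
            report.hits[category] = matched
    loads_code = "dynamic_loading" in report.hits
    invokes_hidden = "reflection" in report.hits or "service_binding" in report.hits
    if loads_code and invokes_hidden:
        # Code arrives and is executed after install: static scan cannot see it.
        report.verdict = "runtime_monitor"
    elif loads_code or "payload_fetch" in report.hits:
        report.verdict = "review"
    return report


def _fake_dex(*strings: bytes) -> bytes:
    """Constructed stand-in for classes.dex: real DEX magic followed by
    ULEB128-length-prefixed, NUL-terminated strings as in string_data_item."""
    assert all(len(s) < 128 for s in strings)  # single-byte ULEB128 lengths
    body = b"".join(bytes([len(s)]) + s + b"\x00" for s in strings)
    return b"dex\n035\x00" + body


# Constructed samples: a dropper that binds a service and reflectively
# invokes a downloaded class, and a plain note-taking app.
SAMPLE_LOADER = _fake_dex(
    b"Lcom/example/Dropper;", b"Ldalvik/system/DexClassLoader;", b"loadClass",
    b"Ljava/lang/reflect/Method;", b"invoke", b"bindService",
    b"Landroid/os/IBinder;", b"Ljava/net/HttpURLConnection;",
)
SAMPLE_BENIGN = _fake_dex(
    b"Lcom/example/Notes;", b"Landroid/app/Activity;", b"onCreate",
    b"Landroid/widget/TextView;",
)

if __name__ == "__main__":
    for name, blob in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        r = scan_dex(blob)
        print(f"{name}: verdict={r.verdict} hits={r.hits}")
```

The verdict is deliberately coarse: a "runtime_monitor" result is not a malware verdict, only a statement that the static scan cannot see the code that will actually run, which is exactly the gap the runtime audit in the paper exploits.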
