"Jekyll and Hyde" is Risky: Shared-Everything Threat Mitigation in Dual-Instance Apps

Recently developed application-level virtualization brings a groundbreaking capability to the Android ecosystem: a host app can load and launch arbitrary guest APK files without installing them. Powered by this technology, so-called "dual-instance apps" are becoming increasingly popular because they run two copies of the same app on a single device (e.g., logging in to Facebook with two different accounts at the same time). Given the large demand from smartphone users, it is imperative to understand how secure dual-instance apps are, yet little work has investigated their security risks. Worse, new Android malware variants have been found abusing application-level virtualization: they piggyback on legitimate virtualization engines to launch phishing attacks or even to thwart static detection. We first demonstrate that the current design of dual-instance apps introduces serious "shared-everything" threats to users: because the host and every guest it launches share one process identity, one permission set and one private storage area, severe attacks such as permission escalation and privacy leakage become tremendously easier. Unfortunately, we find that most critical apps cannot distinguish the host app from the Android system itself, and traditional fingerprinting features that target Android sandboxes are futile here as well. To inform users that an app is running in an untrusted environment, we study the inherent characteristics of the dual-instance environment and propose six robust fingerprinting features that detect whether an app has been launched by a host app. We test our approach, called DiPrint, on a set of dual-instance apps collected from popular app stores, on stock Android systems, and on virtualization-based malware. Our evaluation shows that DiPrint accurately identifies dual-instance environments with negligible overhead.
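The abstract does not list DiPrint's six fingerprinting features, so the following is an added illustration and not the paper's method: a hypothetical Android helper class, `HostedEnvironmentCheck`, that shows the kind of "host versus system" inconsistency a guest app can look for. It relies on one property of app-level virtualization that the abstract's "shared-everything" wording refers to: guest code executes inside the host app's process, so the Linux UID, the kernel-side process name and the private data directory all belong to the host, while the framework still reports the guest's own package name.

```java
import android.content.Context;
import android.os.Process;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical example (not DiPrint): cross-checks the identity the framework
 * reports for this app against what the OS actually assigned to the process.
 * On a normally installed app all three checks agree; inside a virtualization
 * host the UID, process name and data directory belong to the host app.
 */
public final class HostedEnvironmentCheck {

    private HostedEnvironmentCheck() {}

    /** Returns human-readable inconsistencies; an empty list means none were found. */
    public static List<String> findInconsistencies(Context ctx) {
        List<String> findings = new ArrayList<>();
        String self = ctx.getPackageName();

        // 1. The system attributes our UID to the packages installed under it (normally
        //    just us, or apps sharing our sharedUserId). If our own package is missing,
        //    we are running under somebody else's identity, e.g. the host's.
        String[] uidPkgs = ctx.getPackageManager().getPackagesForUid(Process.myUid());
        if (uidPkgs == null || !Arrays.asList(uidPkgs).contains(self)) {
            findings.add("UID " + Process.myUid() + " is attributed to "
                    + Arrays.toString(uidPkgs) + ", not to " + self);
        }

        // 2. A normally installed app's private directory is /data/user/<n>/<pkg>
        //    (or /data/data/<pkg>). A virtualized guest is handed a directory nested
        //    inside the host's sandbox instead.
        String dataDir = ctx.getApplicationInfo().dataDir;
        if (dataDir == null || !dataDir.endsWith("/" + self)) {
            findings.add("data directory " + dataDir + " does not belong to " + self);
        }

        // 3. The kernel-side process name is set by the app that owns the process
        //    (its package name, optionally followed by ":<android:process>").
        String procName = readCmdline();
        if (procName != null && !procName.equals(self) && !procName.startsWith(self + ":")) {
            findings.add("process name " + procName + " does not match package " + self);
        }
        return findings;
    }

    /** Reads argv[0] of the current process from /proc/self/cmdline (NUL-terminated). */
    static String readCmdline() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/cmdline"))) {
            String line = r.readLine();
            if (line == null) {
                return null;
            }
            int nul = line.indexOf('\0');
            return (nul >= 0 ? line.substring(0, nul) : line).trim();
        } catch (IOException e) {
            return null; // an unreadable /proc is itself worth recording in production
        }
    }
}
```

Call `HostedEnvironmentCheck.findInconsistencies(getApplicationContext())` early in `Application.onCreate()` and treat a non-empty result as "running in an untrusted environment". The caveat matches the abstract's warning: a host engine that hooks `PackageManager`, `ApplicationInfo` or file access can forge every one of these answers, which is exactly why the paper argues that sandbox-style fingerprints are insufficient on their own; the checks above only illustrate the shared-identity problem, they are not a substitute for the paper's features.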
