Large-Scale Analysis of Remote Code Injection Attacks in Android Apps

It is well known that insecure code-update procedures in Android apps allow remote code injection attacks. However, code is not the only thing an app updates over the network: temporary files, images, databases, and configuration files (XML and JSON) are also fetched and replaced at run time, and the security of the update procedures for these resources is largely unknown. This paper investigates the general conditions under which updating such resources exposes an app to remote code injection. Based on these conditions, we design and implement a static detection tool that automatically identifies apps that meet them. We apply the tool to a dataset of 9,054 apps drawn from three sources: an official market, third-party markets, and preinstalled apps. As a result, 97 apps were found to be potentially vulnerable, and 53 of them were confirmed to be vulnerable to remote code injection attacks.
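The insecure update procedure the abstract refers to, shown as an added illustration rather than code from the paper or from any of the apps it analysed: a download-and-load routine with no integrity check, beside a hardened version that verifies a detached signature against a key pinned in the app before anything is written or loaded. The update URLs, the file name and the public-key placeholder are hypothetical; the Android API calls (DexClassLoader, Context.getFilesDir, android.util.Base64) are real.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

import android.content.Context;
import android.util.Base64;
import dalvik.system.DexClassLoader;

/** Added illustration: insecure vs. hardened remote update of a loadable resource. */
public final class PluginUpdater {

    // Hypothetical update server; not taken from the paper.
    private static final String PLAIN_URL = "http://updates.example.com/plugin.dex";
    private static final String TLS_URL   = "https://updates.example.com/plugin.dex";
    private static final String SIG_URL   = "https://updates.example.com/plugin.dex.sig";

    // Hypothetical placeholder for the vendor's RSA public key (X.509 SubjectPublicKeyInfo,
    // base64). The matching private key stays on the vendor's build/signing machine.
    private static final String PINNED_PUBKEY_B64 = "REPLACE-WITH-VENDOR-PUBLIC-KEY";

    /** Vulnerable: plaintext transport, no integrity check, and the result is executed as code. */
    public static ClassLoader vulnerableUpdate(Context ctx) throws Exception {
        File dex = new File(ctx.getFilesDir(), "plugin.dex");
        // Anyone on the network path (rogue AP, MITM proxy) can swap the response body;
        // the app then loads attacker-supplied classes under its own UID and permissions.
        try (InputStream in = new URL(PLAIN_URL).openStream();
             OutputStream out = new FileOutputStream(dex)) {
            copy(in, out);
        }
        return load(ctx, dex);
    }

    /** Hardened: TLS on the wire plus an end-to-end signature verified before anything is loaded. */
    public static ClassLoader hardenedUpdate(Context ctx) throws Exception {
        byte[] payload = fetch(TLS_URL);
        byte[] sig = fetch(SIG_URL);
        if (!verify(payload, sig)) {
            throw new SecurityException("plugin signature invalid; refusing to load");
        }
        // Write only after verification, and only into app-private storage, so no other
        // app on the device can replace the file between the check and the load.
        File dex = new File(ctx.getFilesDir(), "plugin.dex");
        try (OutputStream out = new FileOutputStream(dex)) {
            out.write(payload);
        }
        dex.setReadOnly();
        return load(ctx, dex);
    }

    /** Signature check against the key pinned in the app; the server alone is not trusted. */
    static boolean verify(byte[] data, byte[] sig) throws Exception {
        byte[] spki = Base64.decode(PINNED_PUBKEY_B64, Base64.DEFAULT);
        PublicKey pk = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(spki));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pk);
        s.update(data);
        return s.verify(sig);
    }

    private static ClassLoader load(Context ctx, File dex) {
        // optimizedDirectory is ignored from API 26 on; on older releases it must be app-private too.
        File odex = ctx.getDir("odex", Context.MODE_PRIVATE);
        return new DexClassLoader(dex.getAbsolutePath(), odex.getAbsolutePath(), null, ctx.getClassLoader());
    }

    private static byte[] fetch(String url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        try (InputStream in = c.getInputStream();
             ByteArrayOutputStream buf = new ByteArrayOutputStream()) {
            copy(in, buf);
            return buf.toByteArray();
        } finally {
            c.disconnect();
        }
    }

    private static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] b = new byte[8192];
        for (int n; (n = in.read(b)) > 0; ) {
            out.write(b, 0, n);
        }
    }
}
```

The same shape applies to the non-code resources the abstract lists: a JSON or XML configuration that feeds a WebView URL, a database that is later queried, or an image path that is passed to a native decoder should go through the verify-then-write-to-private-storage step before the app uses it. Switching the URL to HTTPS on its own is not sufficient, since apps that install a permissive TrustManager or hostname verifier lose that protection; the pinned-key signature check is the control that still holds when the TLS setup is broken, and writing to external storage instead of getFilesDir() reopens the door to a local attacker replacing the file.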
