Enriching reverse engineering through visual exploration of Android binaries

The appearance of the Android platform and its popularity have resulted in a sharp rise in the number of reported vulnerabilities and, consequently, in the number of mobile threats. Leveraging the openness of Android app markets and the lack of security testing, malware authors commonly employ a suite of widely available tools to facilitate app development. Analysis of individual apps for malware detection often requires an understanding of the app's functionality and a complex, time-consuming analysis of its behavior. Since tools tend to leave traces in the program structure, we can potentially use visual exploration of these artifacts to enrich the reverse engineering stage of malware analysis. In this paper, we focus on this approach and investigate the internal structure of Android executable files and their characteristics under various tools and development conditions. We show that the majority of obfuscation and optimization tools leave distinct artifacts that can be leveraged in Android binary analysis to trace the origin of a malware sample at hand.
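As an added example (not code from the paper), the following Python parser reads the header of an Android DEX file, checks the two integrity seals (Adler-32 checksum and SHA-1 signature) that a post-build edit leaves stale, and derives the table-size ratios a structural view of the binary would plot. The header layout follows the public dex format; the sample file is constructed for demonstration and is not a real app.

```python
import hashlib
import struct
import zlib

# DEX header layout (0x70 bytes) as laid out in the public dex format spec.
HEADER_FMT = "<8sI20s20I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)
FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(blob: bytes) -> dict:
    """Parse a DEX header and check the seals that an unsealed edit breaks."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("too short to be a DEX file")
    unpacked = struct.unpack_from(HEADER_FMT, blob, 0)
    magic, checksum, signature = unpacked[:3]
    if magic[:4] != b"dex\n" or magic[7:] != b"\0":
        raise ValueError("bad DEX magic")
    hdr = dict(zip(FIELDS, unpacked[3:]))
    hdr["version"] = magic[4:7].decode("ascii")
    # Adler-32 covers everything after the checksum field; SHA-1 covers
    # everything after the signature field. Both fail if bytes were patched.
    hdr["checksum_ok"] = zlib.adler32(blob[12:]) & 0xFFFFFFFF == checksum
    hdr["signature_ok"] = hashlib.sha1(blob[32:]).digest() == signature
    return hdr


def structure_profile(hdr: dict) -> dict:
    """Table counts and ratios a structural view of the binary would plot."""
    classes = max(hdr["class_defs_size"], 1)
    return {
        "classes": hdr["class_defs_size"],
        "methods_per_class": hdr["method_ids_size"] / classes,
        "strings_per_method": hdr["string_ids_size"] / max(hdr["method_ids_size"], 1),
    }


def build_sample_dex(counts: dict) -> bytes:
    """Constructed sample (not a real app): header-only DEX, correctly sealed."""
    body = dict.fromkeys(FIELDS, 0)
    body.update(file_size=HEADER_SIZE, header_size=HEADER_SIZE, endian_tag=0x12345678)
    body.update(counts)
    tail = struct.pack("<20I", *(body[f] for f in FIELDS))
    sig = hashlib.sha1(tail).digest()
    return struct.pack("<8sI", b"dex\n035\0", zlib.adler32(sig + tail)) + sig + tail
```

Run `parse_dex_header` on the `classes.dex` extracted from an APK to get the same profile for a real sample; a failed seal is itself an artifact worth recording, since it indicates the file was modified after the build tool wrote it.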
