Toward a more dependable hybrid analysis of Android malware using aspect-oriented programming

Abstract

The growing threat to user privacy from Android applications (apps) has greatly increased the need for more reliable and accessible analysis techniques. This paper presents AspectDroid, an offline app-level hybrid analysis system designed to investigate Android applications for possible unwanted activities. It leverages static bytecode instrumentation to weave analysis routines into an existing application, providing efficient dataflow analysis, detection of resource abuse, and analytics of suspicious behaviors, all of which are then monitored dynamically at runtime. Unlike approaches that depend on the operating system or framework, AspectDroid does not require porting from one Android version to another, nor does it depend on a particular Android runtime, which makes it more adaptable and easier to use. We evaluate the strength of our dataflow algorithm on 105 apps from the DroidBench corpus, with experimental results demonstrating that AspectDroid detects tagged data with 94.68% accuracy. Furthermore, we compare and contrast the behavioral patterns of 100 malware samples from the Drebin dataset (Arp et al., 2014) and 100 apps downloaded from Google Play. Our results show more traces of sensitive data exfiltration, abuse of resources, and suspicious use of programming concepts such as reflection, native code, and dynamic classes in the malware set than in the Google Play apps. In terms of runtime overhead, our experiments indicate that AspectDroid can comprehensively log relevant security concerns with an approximate overhead of 1 MB of memory and a 5.9% average increase in CPU usage.
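As an added illustration (not the paper's own code), the AspectJ aspect below sketches how analysis routines can be woven into an app's bytecode to tag data at a sensitive source, carry the tag through a common transformation, and report it when it reaches a sink, with a further hook that logs reflective calls as a suspicious-behavior analytic. The aspect name, log tag, and the chosen source and sink APIs are assumptions; AspectDroid's actual pointcuts and tagging scheme are not described in the abstract.

```java
// Added example (not AspectDroid's code): an AspectJ aspect that tags data at a
// source, propagates the tag through String.getBytes(), and reports it at a sink.
// Aspect name, log tag, and the chosen source/sink APIs are assumptions.
package example.monitor;

import java.util.Collections;
import java.util.Set;
import java.util.WeakHashMap;
import org.aspectj.lang.JoinPoint;

public aspect TaintMonitor {
    // Objects currently carrying a "sensitive" tag; weak keys so the set
    // does not keep app objects alive longer than the app itself would.
    private final Set<Object> tagged =
        Collections.newSetFromMap(new WeakHashMap<Object, Boolean>());

    // Source: any call in the app to TelephonyManager.getDeviceId().
    pointcut deviceIdSource():
        call(String android.telephony.TelephonyManager.getDeviceId());

    // Sink: a byte array written to any OutputStream (sockets, HTTP bodies, files).
    pointcut streamSink(byte[] data):
        call(void java.io.OutputStream+.write(byte[])) && args(data);

    // Tag whatever the source returned.
    after() returning(String id): deviceIdSource() {
        if (id != null) {
            tagged.add(id);
            log("SOURCE", thisJoinPoint, "device id tagged");
        }
    }

    // Propagate the tag across the String -> byte[] conversion apps typically
    // perform just before writing to a stream.
    after(String s) returning(byte[] out):
            call(byte[] String.getBytes(..)) && target(s) {
        if (tagged.contains(s)) {
            tagged.add(out);
        }
    }

    // Report, but do not block, when tagged bytes reach the sink.
    before(byte[] data): streamSink(data) {
        if (tagged.contains(data)) {
            log("SINK", thisJoinPoint, "tagged data written to stream");
        }
    }

    // Reflective invocations are logged as a suspicious-behavior analytic.
    before(): call(Object java.lang.reflect.Method.invoke(..)) {
        log("REFLECT", thisJoinPoint, "reflective invocation");
    }

    private static void log(String kind, JoinPoint jp, String msg) {
        android.util.Log.w("TaintMonitor", kind + " at " + jp.getSourceLocation() + ": " + msg);
    }
}
```

The aspect is woven into the app's classes ahead of time, so the log lines are produced by the app itself at runtime without any change to the Android framework or runtime.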

[1] Sahin Albayrak et al. An Android Application Sandbox system for suspicious software detection. 2010 5th International Conference on Malicious and Unwanted Software, 2010.

[2] Aristide Fattori et al. CopperDroid: Automatic Reconstruction of Android Malware Behaviors. NDSS, 2015.

[3] Yliès Falcone et al. Runtime Verification and Enforcement for Android Applications with RV-Droid. RV, 2012.

[4] Isil Dillig et al. Apposcopy: semantics-based detection of Android malware through static analysis. SIGSOFT FSE, 2014.

[5] Christopher Krügel et al. BareDroid: Large-Scale Analysis of Android Apps on Real Devices. ACSAC, 2015.

[6] Konrad Rieck et al. DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. NDSS, 2014.

[7] Jeffrey K. Hollingsworth et al. An API for Runtime Code Patching. Int. J. High Perform. Comput. Appl., 2000.

[8] Mu Zhang et al. Efficient, context-aware privacy leakage confinement for android applications without firmware modding. AsiaCCS, 2014.

[9] Todd D. Millstein et al. Dr. Android and Mr. Hide: fine-grained permissions in android applications. SPSM '12, 2012.

[10] Yanick Fratantonio et al. Andrubis: Android Malware Under the Magnifying Glass. 2014.

[11] Hao Chen et al. AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. TRUST, 2012.

[12] Golden G. Richard et al. AspectDroid: Android App Analysis System. CODASPY, 2016.

[13] Vitor Monte Afonso et al. Identifying Android malware using dynamically obtained features. Journal of Computer Virology and Hacking Techniques, 2014.

[14] Yajin Zhou et al. Dissecting Android Malware: Characterization and Evolution. 2012 IEEE Symposium on Security and Privacy, 2012.

[15] Amit Vasudevan et al. SPiKE: engineering malware analysis tools using unobtrusive binary-instrumentation. ACSC, 2006.

[16] Michael Backes et al. AppGuard - Enforcing User Requirements on Android Apps. TACAS, 2013.

[17] Jacques Klein et al. Improving Privacy on Android Smartphones Through In-Vivo Bytecode Instrumentation. ArXiv, 2012.

[18] Harish Patil et al. Pin: building customized program analysis tools with dynamic instrumentation. PLDI '05, 2005.

[19] Hahn-Ming Lee et al. DroidMat: Android Malware Detection through Manifest and API Calls Tracing. 2012 Seventh Asia Joint Conference on Information Security, 2012.

[20] Heng Yin et al. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. USENIX Security Symposium, 2012.

[21] Yajin Zhou et al. Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. NDSS, 2012.

[22] Byung-Gon Chun et al. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. OSDI, 2010.

[23] Angelos Stavrou et al. Behavioral Analysis of Android Applications Using Automated Instrumentation. 2013 IEEE Seventh International Conference on Software Security and Reliability Companion, 2013.

[24] Qin Zhao et al. Transparent dynamic instrumentation. VEE '12, 2012.

[25] Patrick D. McDaniel et al. On lightweight mobile phone application certification. CCS, 2009.

[26] Steve Hanna et al. Android permissions demystified. CCS '11, 2011.

[27] Christopher Krügel et al. Going Native: Using a Large-Scale Analysis of Android Apps to Create a Practical Native-Code Sandboxing Policy. NDSS, 2016.

[28] William Enck et al. AppsPlayground: automatic security analysis of smartphone applications. CODASPY, 2013.

[29] Gregor Kiczales et al. Aspect-oriented programming. ESEC/FSE-9, 2001.

[30] Mu Zhang et al. AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications. NDSS, 2014.

[31] Cristina V. Lopes et al. Aspect-oriented programming. ECOOP Workshops, 1999.