Unraveling Reflection Induced Sensitive Leaks in Android Apps

Reflection is a programming language feature that permits analysis and transformation of the behavior of classes at runtime, in programs in general and in apps in particular. Reflection facilitates features such as dynamic class loading, method invocation, and attribute usage at runtime. These language features allow the development of apps that may obtain and exchange information that is unavailable at compile time. Unfortunately, malware authors leverage reflection to subvert malware detection by static analyzers, because reflection can hinder the taint analysis that static analyzers use to find sensitive leaks. Even the latest, and probably the best-performing, static analyzers are not able to detect information leaks in malware via reflection. In this paper, we propose EspyDroid, a system that combines dynamic analysis with code instrumentation for more precise detection of leaks via reflection with code obfuscation in malicious apps. The evaluation of EspyDroid on benchmark, VirusShare, and Playstore apps shows substantial improvement in the detection of sensitive leaks via reflection.
