Download malware? no, thanks: how formal methods can block update attacks

In mobile malware landscape there are many techniques to inject malicious payload in a trusted application: one of the most common is represented by the so-called update attack. After an apparently innocuous application is installed on the victim's device, the user is asked to update the application, and a malicious behavior is added to the application. In this paper we propose a static method based on model checking able to identify this kind of attack. In addiction, our method is able to localize the malicious payload at method-level. We obtain an accuracy very close to 1 in identifying families implementing update attack using a real Android dataset composed by 2,581 samples.

[1]  Christopher Krügel,et al.  Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications , 2014, NDSS.

[2]  XiaoFeng Wang,et al.  Upgrading Your Android, Elevating My Malware: Privilege Escalation through Mobile OS Updating , 2014, 2014 IEEE Symposium on Security and Privacy.

[3]  Sevil Sen,et al.  "Do You Want to Install an Update of This Application?" A Rigorous Analysis of Updated Android Applications , 2015, 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing.

[4]  Yajin Zhou,et al.  Systematic Detection of Capability Leaks in Stock Android Smartphones , 2012, NDSS.

[5]  Stefan Katzenbeisser,et al.  Detecting Malicious Code by Model Checking , 2005, DIMVA.

[6]  Antonella Santone,et al.  Infer Gene Regulatory Networks from Time Series Data with Probabilistic Model Checking , 2015, 2015 IEEE/ACM 3rd FME Workshop on Formal Methods in Software Engineering.

[7]  Kevin Fu,et al.  Secure Software Updates: Disappointments and New Challenges , 2006, HotSec.

[8]  Antonella Santone,et al.  Incremental construction of systems: An efficient characterization of the lacking sub-system , 2013, Sci. Comput. Program..

[9]  Dan Arp,et al.  Drebin : � Efficient and Explainable Detection of Android Malware in Your Pocket , 2014 .

[10]  Rance Cleaveland,et al.  The NCSU Concurrency Workbench , 1996, CAV.

[11]  Antonella Santone,et al.  Abstract Interpretation and Model Checking for Checking Secure Information Flow in Concurrent Systems , 2003, Fundam. Informaticae.

[12]  Colin Stirling,et al.  An Introduction to Modal and Temporal Logics for CCS , 1991, Concurrency: Theory, Language, And Architecture.

[13]  Yajin Zhou,et al.  RiskRanker: scalable and accurate zero-day android malware detection , 2012, MobiSys '12.

[14]  Giordano Tamburrelli,et al.  Probabilistic Verification at Runtime for Self-Adaptive Systems , 2013, Assurances for Self-Adaptive Systems.

[15]  Gerardo Canfora,et al.  Composition-Malware: Building Android Malware at Run Time , 2015, 2015 10th International Conference on Availability, Reliability and Security.

[16]  Wenke Lee,et al.  Jekyll on iOS: When Benign Apps Become Evil , 2013, USENIX Security Symposium.

[17]  Konrad Rieck,et al.  DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket , 2014, NDSS.

[18]  Tayssir Touili,et al.  PoMMaDe: pushdown model-checking for malware detection , 2013, ESEC/FSE 2013.

[19]  Thomas Schreck,et al.  Mobile-sandbox: having a deeper look into android applications , 2013, SAC '13.

[20]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[21]  Tayssir Touili,et al.  Efficient Malware Detection Using Model-Checking , 2012, FM.

[22]  Antonella Santone,et al.  Application of Equivalence Checking in a Loan Origination Process in Banking Industry , 2013, 2013 Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises.

[23]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[24]  Eric Filiol,et al.  Formalization of Viruses and Malware Through Process Algebras , 2010, 2010 International Conference on Availability, Reliability and Security.

[25]  Gerardo Canfora,et al.  Obfuscation Techniques against Signature-Based Detection: A Case Study , 2015, 2015 Mobile Systems Technologies Workshop (MST).

[26]  Tayssir Touili,et al.  Model-Checking for Android Malware Detection , 2014, APLAS.

[27]  Antonella Santone,et al.  Identification of Android Malware Families with Model Checking , 2016, ICISSP.

[28]  L. Tenenboim-Chekina,et al.  Detecting application update attack on mobile devices through network featur , 2013, 2013 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS).

[29]  Antonella Santone,et al.  Abstract reduction in directed model checking CCS processes , 2012, Acta Informatica.