Malton: Towards On-Device Non-Invasive Mobile Malware Analysis for ART

Understanding malware’s behaviors is an essential step toward developing effective countermeasures. Although a number of systems have been proposed to analyze Android malware, they are limited by an incomplete view that inspects only a single layer. Worse, various new techniques (e.g., packing and anti-emulator checks) employed by the latest malware samples further render these systems ineffective. In this paper, we propose Malton, a novel on-device, non-invasive analysis platform for the new Android runtime (i.e., the ART runtime). As a dynamic analysis tool, Malton runs on real mobile devices and provides a comprehensive view of malware’s behaviors by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have carefully evaluated Malton using real-world malware samples. The experimental results show that Malton is more effective than existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of their malicious behaviors.
