Detection of Repackaged Android Malware with Code-Heterogeneity Features

During repackaging, malware writers statically inject malcode and modify the control flow to ensure its execution. Repackaged malware is difficult to detect with existing classification techniques, partly because of its behavioral similarity to benign apps. By examining the different behaviors found within a single app, we propose a new Android repackaged malware detection technique based on code heterogeneity analysis. Our solution strategically partitions the code structure of an app into multiple dependence-based regions (subsets of the code). Each region is independently classified on its behavioral features. We point out the security challenges and design choices for partitioning code structures at the class-level and method-level graphs, and present a solution based on multiple dependence relations. We have performed experimental evaluation with over 7,542 Android apps. For repackaged malware, our partition-based detection reduces false negatives (i.e., missed detections) by 30-fold when compared to the non-partition-based approach. Overall, our approach achieves a false negative rate of 0.35 percent and a false positive rate of 2.97 percent.
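The following is an added illustration of the partition-based idea, not code from the paper: an app's method-level dependence graph is split into regions, each region is scored on its own behavioral features, and the app is flagged if any region is. The sample call graph, the sensitive-API list and the density-threshold "classifier" are all constructed assumptions standing in for the paper's real analysis and trained model.

```python
from collections import defaultdict

# Constructed sample app: method -> callees. Edges to "api:" nodes are framework
# API calls; edges between app methods are the dependence relations we partition on.
# "host.*" is the original app, "inj.*" is a constructed injected region.
SAMPLE_APP = {
    "host.Main.onCreate": ["host.Ui.render", "host.Net.fetch"],
    "host.Ui.render": ["host.Ui.draw"],
    "host.Ui.draw": ["api:Canvas.drawText"],
    "host.Net.fetch": ["host.Net.parse", "api:HttpURLConnection.connect"],
    "host.Net.parse": ["api:JSONObject.getString"],
    "host.Data.load": ["host.Ui.render", "api:SharedPreferences.getString"],
    "inj.Rcv.onReceive": ["inj.Leak.run"],
    "inj.Leak.run": ["api:TelephonyManager.getDeviceId",
                     "api:SmsManager.sendTextMessage"],
}
# Assumed feature definition: the APIs a region is scored on (not the paper's list).
SENSITIVE_APIS = {"api:TelephonyManager.getDeviceId", "api:SmsManager.sendTextMessage"}

def partition_regions(app):
    """Dependence-based regions: connected components of the app-internal call graph."""
    parent = {m: m for m in app}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for caller, callees in app.items():
        for c in callees:
            if c in app:                       # only app-to-app dependence edges
                parent[find(caller)] = find(c)
    groups = defaultdict(set)
    for m in app:
        groups[find(m)].add(m)
    return sorted(groups.values(), key=lambda r: min(r))

def region_features(app, region):
    """Behavioral feature of one region: sensitive API calls per method."""
    calls = [c for m in region for c in app[m] if c.startswith("api:")]
    sensitive = sum(1 for c in calls if c in SENSITIVE_APIS)
    return {"methods": len(region), "sensitive_calls": sensitive,
            "sensitive_density": sensitive / len(region)}

def is_malicious(features, threshold=0.5):
    """Assumed stand-in for a trained classifier: a simple density threshold."""
    return features["sensitive_density"] >= threshold

def classify_app(app, threshold=0.5):
    """Returns (whole-app verdict, partition-based verdict) to show the dilution effect."""
    whole = is_malicious(region_features(app, set(app)), threshold)
    partitioned = any(is_malicious(region_features(app, r), threshold)
                      for r in partition_regions(app))
    return whole, partitioned
```

On the constructed app the whole-app feature is diluted by the benign host code (density 0.25) and is missed, while the injected region scores 1.0 on its own and is flagged.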
