Droid-AntiRM: Taming Control Flow Anti-analysis to Support Automated Dynamic Analysis of Android Malware

While many test-input generation techniques have been proposed to improve the code coverage of dynamic analysis, they remain inefficient at triggering hidden malicious behaviors protected by anti-analysis techniques. In this work, we design and implement Droid-AntiRM, a new approach that tames anti-analysis automatically and thereby improves automated dynamic analysis. Our approach rests on three key observations: 1) logic-bomb based anti-analysis controls whether certain malicious behaviors execute; 2) anti-analysis is normally implemented through condition statements; 3) anti-analysis normally has no dependence on program inputs. Based on these observations, Droid-AntiRM uses several techniques to detect anti-analysis in malware samples and rewrites the detected condition statements through bytecode instrumentation, forcing the hidden behavior to execute at runtime. In a study of 3187 malware samples, we find that 32.50% of them employ some form of anti-analysis. Our experiments show that Droid-AntiRM identifies anti-analysis instances in 30 malware samples with a true positive rate of 89.15% and zero false negatives. By taming the identified anti-analysis, Droid-AntiRM greatly improves automated dynamic analysis, successfully triggering 44 additional hidden malicious behaviors in the 30 samples. A further performance evaluation shows that Droid-AntiRM is efficient enough for large-scale analysis.
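The three observations above can be turned into a small analysis directly: trace where the operands of each conditional branch come from, keep the branches that depend on an anti-analysis source (emulator fingerprint, wall-clock time) but on no program input, and rewrite those branches so the guarded path runs. The Python block below is an added illustration written for this page, not the Droid-AntiRM implementation, and it works on a smali-like text listing rather than on real DEX bytecode. The watch-lists of framework members, the sample method, and the choice to negate the predicate (rather than whatever rewriting rule the tool applies) are all assumptions of this example.

```python
"""Constructed model of taming input-independent anti-analysis branches in smali."""
import re
from typing import Dict, List, Set, Tuple

# Constructed watch-lists for this example; a real tool needs curated ones.
ANTI_ANALYSIS_MEMBERS = {          # read by emulator checks and time bombs
    "Landroid/os/Build;->FINGERPRINT",
    "Landroid/telephony/TelephonyManager;->getDeviceId",
    "Ljava/lang/System;->currentTimeMillis",
}
INPUT_MEMBERS = {                  # return genuine program input
    "Landroid/content/Intent;->getAction",
}
# Predicate switching table: each Dalvik conditional branch and its negation.
NEGATE = {"if-eqz": "if-nez", "if-ltz": "if-gez", "if-gtz": "if-lez",
          "if-eq": "if-ne", "if-lt": "if-ge", "if-gt": "if-le"}
NEGATE.update({v: k for k, v in list(NEGATE.items())})

REG = re.compile(r"\b[vp]\d+\b")            # v0, v1, ..., p0, p1, ...
MEMBER = re.compile(r"L[\w/$]+;->\w+")      # Lpkg/Class;->member

def classify_branches(smali: str) -> List[Tuple[int, str, Set[str]]]:
    """Forward def-use pass over a straight-line method body. Returns, for every
    if-* instruction, (line index, opcode, origins), origins within {"anti","input"}."""
    origin: Dict[str, Set[str]] = {}   # register -> where its current value came from
    pending: Set[str] = set()          # origin of the last invoke's return value
    branches: List[Tuple[int, str, Set[str]]] = []

    def src(reg: str) -> Set[str]:
        # Parameters p1.. carry program input; p0 is `this`; unknown vN is clean.
        if reg in origin:
            return origin[reg]
        return {"input"} if reg.startswith("p") and reg != "p0" else set()

    for idx, raw in enumerate(smali.splitlines()):
        line = raw.strip()
        if not line or line[0] in ":.#":          # labels, directives, comments
            continue
        op, _, rest = line.partition(" ")
        regs = REG.findall(rest)
        m = MEMBER.search(rest)
        member = m.group(0) if m else ""
        if op.startswith("const"):                # literal: no dependence at all
            origin[regs[0]] = set()
        elif op.startswith(("sget", "iget")):     # field read
            tag = {"anti"} if member in ANTI_ANALYSIS_MEMBERS else set()
            origin[regs[0]] = tag | set().union(*[src(r) for r in regs[1:]])
        elif op.startswith("invoke"):             # result becomes visible via move-result
            pending = set().union(*[src(r) for r in regs])
            if member in ANTI_ANALYSIS_MEMBERS:
                pending |= {"anti"}
            if member in INPUT_MEMBERS:
                pending |= {"input"}
        elif op.startswith("move-result"):
            origin[regs[0]] = pending
        elif op.startswith("if-"):
            branches.append((idx, op, set().union(*[src(r) for r in regs])))
        elif regs:                                # move, cmp-long, add-int, ...
            origin[regs[0]] = set().union(*[src(r) for r in regs[1:]])
    return branches

def tame(smali: str) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Negate every branch that depends on an anti-analysis source and on no
    program input. Returns the rewritten listing and (line, old, new) opcodes."""
    lines = smali.splitlines()
    changes: List[Tuple[int, str, str]] = []
    for idx, op, deps in classify_branches(smali):
        if "anti" in deps and "input" not in deps and op in NEGATE:
            lines[idx] = lines[idx].replace(op, NEGATE[op], 1)
            changes.append((idx, op, NEGATE[op]))
    return "\n".join(lines) + "\n", changes

# Constructed method: an emulator check and a time bomb guard the payload,
# followed by an ordinary command check on the incoming Intent.
SAMPLE_METHOD = """\
.method private run(Landroid/content/Intent;)V
    sget-object v0, Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;
    const-string v1, "generic"
    invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
    move-result v2
    if-nez v2, :benign
    invoke-static {}, Ljava/lang/System;->currentTimeMillis()J
    move-result-wide v3
    const-wide v5, 0x17a2c1d0000L
    cmp-long v7, v3, v5
    if-ltz v7, :benign
    invoke-virtual {p1}, Landroid/content/Intent;->getAction()Ljava/lang/String;
    move-result-object v8
    const-string v9, "com.example.SEND"
    invoke-virtual {v8, v9}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v10
    if-eqz v10, :benign
    invoke-direct {p0}, Lcom/example/Payload;->sendPremiumSms()V
    :benign
    return-void
.end method
"""

if __name__ == "__main__":
    rewritten, changes = tame(SAMPLE_METHOD)
    print(changes, rewritten, sep="\n")
```

Run stand-alone, the script reports two rewrites: the `if-nez v2` emulator check and the `if-ltz v7` time bomb are negated, so an analysis sandbox with a "generic" fingerprint and a clock before the hard-coded date now falls through to the payload. The `if-eqz v10` branch is left alone because its operand derives from the Intent parameter `p1`, i.e. from program input; that is the third observation at work, and it is what keeps the rewriting from breaking ordinary app logic. The pass is deliberately straight-line (no merging of origins across labels), which is enough for the typical guard-then-payload shape but would need a proper control-flow graph for loops and joins.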
