EspyDroid+: Precise reflection analysis of Android apps

Abstract: Malicious smartphone apps use reflection APIs to exfiltrate user data and steal personal information. Such malware combines reflection with parameter obfuscation and encryption to evade detection by static analysis. Dynamic analysis is a possible approach to detecting this run-time malicious behavior. However, dynamic analysis of software usually results in the exploration of a large, potentially exponential, number of program branches. Many of these program paths are not useful for analyzing the reflection APIs and significantly reduce the efficiency of the dynamic analysis. In this paper, we propose a hybrid analysis approach named EspyDroid+ that overcomes the drawbacks of static analysis in analyzing the obfuscated and run-time-dependent parameters of reflection APIs. EspyDroid+ incorporates Reflection Guided Static Slicing (RGSS), an efficient approach that copes with the large number of program paths by pruning irrelevant ones and ensures that the resulting paths are executed during the subsequent dynamic analysis. We observed that EspyDroid+ successfully removed 59.91% of the total paths on a test dataset consisting of 660 apps without any loss of semantics. We conclude that EspyDroid+ is effective, fast, and scalable in uncovering privacy leaks induced by reflection APIs.
