A game of Droid and Mouse: The threat of split-personality malware on Android

In the work at hand, we first demonstrate that Android malware can bypass current automated analysis systems, including AV solutions, mobile sandboxes, and the Google Bouncer. A tool called Sand-Finger allowed us to fingerprint Android-based analysis systems. By analyzing the fingerprints of ten unique analysis environments from different vendors, we were able to find characteristics in which all tested environments differ from actual hardware. Depending on whether it detects an analysis system, malware can either behave benignly or load malicious code dynamically at runtime. We also investigated the prevalence of dynamic code loading among benign and malicious apps, and found that malicious apps use this technique more often: about one third of the 14,885 malware samples we analyzed were found to dynamically load and execute code. To hide malicious code from analysis, it can be loaded from encrypted assets or via network connections. As we show, however, even dynamic scripts that only call existing functions enable an attacker to execute arbitrary code. To demonstrate the effectiveness of both dynamic code and script loading, we create proof-of-concept malware that evades up-to-date malware scanners for Android, and we show that known samples can enter the Google Play Store after only slight modification.
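The abstract reports that roughly a third of the malware corpus uses dynamic code loading; a triage step an analyst can run before dynamic analysis is to pull the string table out of a classes.dex and flag references to the loader classes involved. The following is an added example, not code from the paper or from Sand-Finger: it parses the dex header and string_ids section directly (no third-party library) and matches a small, constructed watch-list of loader-related strings. The sample dex is constructed inline and contains only a string table, which is all this scanner reads.

```python
import struct

# Constructed watch-list of strings whose presence in a dex string table
# suggests dynamic code, native code or script loading. This is a triage
# heuristic: a hit means "inspect the call sites", not "malicious".
INDICATORS = {
    "Ldalvik/system/DexClassLoader;": "loads a dex/jar/apk from an arbitrary path",
    "Ldalvik/system/PathClassLoader;": "loads classes from a path at runtime",
    "Ldalvik/system/InMemoryDexClassLoader;": "loads a dex from a memory buffer",
    "loadLibrary": "loads native code (System.loadLibrary)",
    "Landroid/webkit/WebView;": "may execute remotely supplied script",
}

def read_uleb128(data, off):
    """Decode one ULEB128 value; return (value, offset after it)."""
    result = shift = 0
    while True:
        b = data[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7

def dex_strings(dex):
    """Return every entry of a dex file's string table, in string_ids order."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    # string_ids_size is at header offset 0x38, string_ids_off at 0x3C.
    size, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(size):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, p = read_uleb128(dex, data_off)   # prefix is utf16 length
        end = dex.index(b"\x00", p)                    # MUTF-8 data, NUL-terminated
        out.append(dex[p:end].decode("utf-8", "replace"))  # MUTF-8 == UTF-8 for ASCII
    return out

def scan_dex(dex):
    """Map each string-table entry that matches an indicator to the reason."""
    return {s: why for s in dex_strings(dex)
            for needle, why in INDICATORS.items() if needle in s}

def build_sample_dex(strings):
    """Constructed minimal dex: a 0x70-byte header plus only a string table."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    ids_off = 0x70
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:                      # sample strings are < 128 chars,
        offsets.append(data_off + len(data))  # so one ULEB128 byte suffices
        data += bytes([len(s)]) + s.encode() + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header) + b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)

SAMPLE_STRINGS = ["Lcom/example/MainActivity;", "onCreate",
                  "Ldalvik/system/DexClassLoader;", "loadLibrary"]
```

Running `scan_dex(build_sample_dex(SAMPLE_STRINGS))` flags the DexClassLoader descriptor and `loadLibrary` while leaving the ordinary activity strings alone.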
