Chapter Three - Effectiveness of state-of-the-art dynamic analysis techniques in identifying diverse Android malware and future enhancements

Abstract Since it was unveiled in 2007, Google's open source mobile operating system Android has become the most prominent OS for smartphones. The availability of about 3 million apps on the official repository, Google Play Store, and a comparatively loosely controlled environment for app developers have added to the popularity of Android and to the growth of Android devices. This, however, has also given malware writers an opportunity to reach Android devices through malicious apps on app stores, including Google Play. Such apps may access and leak sensitive information such as call records, SMS messages, emails, pictures, contacts, location data and passwords. Loss of this personal data may lead to fraud, financial loss or extortion. Various solutions based on static, dynamic or hybrid analysis have been proposed over the last decade. However, malware writers have also come up with ingenious ways of circumventing detection tools. Recent malware employs techniques such as code obfuscation and encryption, dynamic code loading and reflection, which defeat static analysis approaches that work on the application's bytecode, because the code or the API that is actually executed is not visible until runtime. Dynamic analysis is more robust against these evasion methods because it executes the application in a controlled environment and observes its actual behaviour, although it can only report the code paths that are actually exercised during the analysis run. In this chapter, we review dynamic analysis techniques for Android and evaluate them experimentally. We discuss various anti-detection methods used by recent Android malware (for example, recognising that it is running in an emulator or sandbox) to circumvent even dynamic analysis. We compare the effectiveness of various state-of-the-art dynamic analysis techniques against these anti-detection techniques. With this chapter, we aim to highlight issues and challenges in Android malware analysis that require the attention of the research community in order to protect end users.
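
As an added illustration (not part of the original chapter or its evaluation), the following Python program models the problem the abstract describes. A toy static scanner over a function's bytecode names and string constants finds a direct call to a sensitive API but misses the same call made through reflection with a method name that is only decoded at runtime; a dynamic analyser that hooks the API at runtime sees both. A third, evasive sample probes for emulator-like device properties and stays benign under analysis, so the sandbox only observes the leak when it presents a realistic device profile. Python bytecode stands in for Dalvik bytecode and `getattr` for `Class.forName(...).getMethod(...).invoke(...)`; the `SmsGateway` and `Device` classes, the XOR-obfuscated method name and the emulator fingerprints are all constructed for this example.

```python
"""Python analogue of reflection-based evasion of static analysis, runtime
API hooking, and sandbox detection (constructed example, not from the chapter)."""

SENSITIVE_API = "send_sms"  # the API an analyst wants to see being called


class SmsGateway:
    """Stand-in for a sensitive platform API such as SmsManager.sendTextMessage."""

    def __init__(self):
        self.sent = []

    def send_sms(self, number, text):
        self.sent.append((number, text))
        return True


class Device:
    """Stand-in for android.os.Build / TelephonyManager properties a sample may probe."""

    def __init__(self, build_model, has_sim):
        self.build_model = build_model
        self.has_sim = has_sim


def direct_leak(gw):
    # The API name is a literal attribute reference in the bytecode, so a
    # static scan of the function's referenced names finds it.
    return gw.send_sms("1900", "premium")


# "send_sms" XOR 0x5A, precomputed so the plaintext never appears as a constant.
_OBF_NAME = bytes([0x29, 0x3F, 0x34, 0x3E, 0x05, 0x29, 0x37, 0x29])


def _decode(blob, key):
    # Trivial XOR "decryption"; real samples use stronger schemes, same effect.
    return bytes(b ^ key for b in blob).decode()


def reflective_leak(gw):
    # The method name exists only at runtime and is resolved via getattr, the
    # analogue of Class.forName(...).getMethod(...).invoke(...) on Android.
    return getattr(gw, _decode(_OBF_NAME, 0x5A))("1900", "premium")


EMULATOR_MODELS = ("sdk", "google_sdk", "Android SDK built for x86")  # constructed list


def evasive_leak(gw, device):
    # Sandbox check: stay benign when the device looks like an emulator, so a
    # dynamic analyser on a stock emulator never observes the sensitive call.
    if device.build_model in EMULATOR_MODELS or not device.has_sim:
        return False
    return reflective_leak(gw)


def static_scan(func):
    """Toy static analyser: inspect the compiled function's referenced names
    and string constants (what a bytecode scanner sees) for the sensitive API."""
    code = func.__code__
    strings = set(code.co_names) | {c for c in code.co_consts if isinstance(c, str)}
    return SENSITIVE_API in strings


def dynamic_trace(run):
    """Toy dynamic analyser: hook the sensitive API on the class (like an
    Xposed/Frida hook on a framework method), execute the sample, and return
    the calls observed, regardless of how the sample reached the API."""
    log = []
    original = getattr(SmsGateway, SENSITIVE_API)

    def hooked(self, *args, **kwargs):
        log.append((SENSITIVE_API, args))
        return original(self, *args, **kwargs)

    setattr(SmsGateway, SENSITIVE_API, hooked)
    try:
        run()
    finally:
        setattr(SmsGateway, SENSITIVE_API, original)  # always unhook
    return log


if __name__ == "__main__":
    print("static scan, direct call:    ", static_scan(direct_leak))      # True
    print("static scan, reflective call:", static_scan(reflective_leak))  # False
    print("dynamic, reflective call:    ", dynamic_trace(lambda: reflective_leak(SmsGateway())))
    emulator = Device("google_sdk", has_sim=False)
    phone = Device("Pixel 3", has_sim=True)
    print("dynamic, evasive on emulator:", dynamic_trace(lambda: evasive_leak(SmsGateway(), emulator)))
    print("dynamic, evasive on phone:   ", dynamic_trace(lambda: evasive_leak(SmsGateway(), phone)))
```

The hook-based tracer is the point of the example: it records the call whether the sample reached the API directly or reflectively, which is exactly what the static scan cannot do. The evasive variant shows the flip side discussed in the abstract: runtime observation is only as good as the environment the sample agrees to misbehave in, so an analysis system has to spoof or hide the properties that sandbox-detection code checks.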
