Android Hooking Revisited

Android malware is continuously growing in number and evolving in its evasion techniques as well as in the scope and methods it uses to penetrate devices. To address these threats, many approaches have been proposed, leading to an arms race between malware authors and analysts. Dissecting a malware sample is by no means an easy task, as benign code is coupled with malicious code, which in turn may be obfuscated. All of the above clearly hinders analysis; therefore, dynamic analysis often comes to the rescue. Nonetheless, since malware often manages to detect the analysis environment, it stops its activity and thereby prevents its analysis. To break this loop, hooking methods can be used, yet the majority of them either depend on modified environments or provide little functionality to the analyst. In this work we introduce Ronin, which facilitates app analysis by allowing the analyst to easily create hooks in apps on stock Android devices. This way, the underlying mechanisms can be more easily understood and modified in order to analyse an app in more depth.
