Detecting Vulnerable Android Inter-App Communication in Dynamically Loaded Code

Java reflection and dynamic class loading (DCL) are effective features for extending the functionality of Android apps. However, sophisticated malware can abuse these features to bypass detection schemes. Advanced malware can use reflection and DCL in conjunction with Android Inter-App Communication (IAC) to launch collusion attacks that involve two or more apps. Such dynamically revealed malicious behaviors enable a new type of stealthy, collusive attack that bypasses all existing detection mechanisms. In this paper, we present DINA, a novel hybrid analysis approach for identifying malicious IAC behaviors concealed within dynamically loaded code through reflective/DCL calls. DINA continuously appends reflection and DCL invocations to control-flow graphs; it then performs incremental dynamic analysis on these augmented graphs to detect misuse of reflection and DCL that may lead to malicious, yet concealed, IAC activities. Our extensive evaluation on 3,000 real-world Android apps and 14,000 malicious apps corroborates the prevalent usage of reflection and DCL, and reveals previously unknown and potentially harmful hidden IAC behaviors in real-world apps.
