ABSTRACT
While many test input generation techniques have been proposed to improve the code coverage of dynamic analysis, they are still inefficient in triggering hidden malicious behaviors protected by anti-analysis techniques. In this work, we design and implement Droid-AntiRM, a new approach seeking to tame anti-analysis automatically and improve automated dynamic analysis. Our approach leverages three key observations: 1) Logic-bomb based anti-analysis techniques control the execution of certain malicious behaviors; 2) Anti-analysis techniques are normally implemented through condition statements; 3) Anti-analysis techniques normally have no dependence on program inputs. Based on these observations, Droid-AntiRM uses various techniques to detect anti-analysis in malware samples, and rewrite the condition statements in anti-analysis cases through bytecode instrumentation, thus forcing the hidden behavior to be executed at runtime. Through a study of 3187 malware samples, we find that 32.50% of them employ various anti-analysis techniques. Our experiments demonstrate that Droid-AntiRM can identify anti-analysis instances from 30 malware samples with a true positive rate of 89.15% and zero false negative. By taming the identified anti-analysis, Droid-AntiRM can greatly improve the automated dynamic analysis, successfully triggering 44 additional hidden malicious behaviors from the 30 samples. Further performance evaluation shows that Droid-AntiRM has good efficiency to perform large-scale analysis.
- American Mathematical Society 2015. Decompiler. American Mathematical Society. http://www.javadecompilers.com.Google Scholar
- Saswat Anand, Mayur Naik, Mary Jean Harrold, and Hongseok Yang. 2012. Automated concolic testing of smartphone apps. In Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering. ACM, 59. Google ScholarDigital Library
- Daniel Arp, Michael Spreitzenbarth, Malte Hubner, Hugo Gascon, Konrad Rieck, and CERT Siemens. 2014. DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. In NDSS.Google Scholar
- Steven Arzt, Siegfried Rasthofer, and Eric Bodden. 2013. Instrumenting android and java applications as easy as abc. In International Conference on Runtime Verification. Springer, 364--381.Google ScholarCross Ref
- Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. Flowdroid: Precise context, flow, field, object-sensitive and life cycle-aware taint analysis for android apps. Acm Sigplan Notices 49, 6 (2014), 259--269. Google ScholarDigital Library
- Kathy Wain Yee Au, Yi Fan Zhou, Zhen Huang, and David Lie. 2012. Pscout: analyzing the android permission specification. In Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 217--228. Google ScholarDigital Library
- Yinzhi Cao, Yanick Fratantonio, Antonio Bianchi, Manuel Egele, Christopher Kruegel, Giovanni Vigna, and Yan Chen. 2015. EdgeMiner: Automatically Detecting Implicit Control Flow Transitions through the Android Framework. In NDSS.Google Scholar
- Julian Dolby, Stephen J Fink, and Manu Sridharan. 2015. TJ Watson libraries for analysis (WALA). American Mathematical Society. http://wala.sf.net.Google Scholar
- Ken Dunham, Shane Hartman, Manu Quintans, Jose Andre Morales, and Tim Strazzere. 2014. Android Malware and Analysis. CRC Press. Google ScholarDigital Library
- William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N Sheth. 2014. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (TOCS) 32, 2 (2014), 5. Google ScholarDigital Library
- Yanick Fratantonio, Antonio Bianchi, William Robertson, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. 2016. Triggerscope: Towards detecting logic bombs in android applications. In Security and Privacy (SP), 2016 IEEE Symposium on. IEEE, 377--396.Google ScholarCross Ref
- Patrice Godefroid, Nils Klarlund, and Koushik Sen. 2005. DART: directed automated random testing. In ACM Sigplan Notices, Vol. 40. ACM, 213--223. Google ScholarDigital Library
- Michael I Gordon, Deokhwan Kim, Jeff H Perkins, Limei Gilham, Nguyen Nguyen, and Martin C Rinard. 2015. Information Flow Analysis of Android Applications in DroidSafe. In NDSS. Citeseer.Google Scholar
- Wenjun Hu and Z Xiao. 2014. Guess where i am-android: detection and prevention of emulator evading on android. HitCon.Google Scholar
- Yiming Jing, Ziming Zhao, Gail-Joon Ahn, and Hongxin Hu. 2014. Morpheus: automatically generating heuristics to detect Android emulators. In Proceedings of the 30th Annual Computer Security Applications Conference. ACM, 216--225. Google ScholarDigital Library
- Nicolas Kiss, Jean-François Lalande, Mourad Leslous, and Valérie Viet Triem Tong. 2016. Kharon dataset: Android malware under a microscope. In The Learning from Authoritative Security Experiment Results (LASER) workshop. The USENIX Association.Google Scholar
- Guan Le, Jia Shijie, Chen Bo, Zhang Fengwei, Luo Bo, Lin Jingqiang, Liu Peng, Xing Xinyu, and Xia Luning. 2017. Supporting Transparent Snapshot for Bare-metal Malware Analysis on Mobile Devices. In Proceedings of the 33rd Annual Computer Security Applications Conference. ACM. Google ScholarDigital Library
- Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, and Guofei Jiang. 2012. Chex: statically vetting android apps for component hijacking vulnerabilities. In Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 229--240. Google ScholarDigital Library
- Aravind Machiry, Rohan Tahiliani, and Mayur Naik. 2013. Dynodroid: An input generation system for android apps. In Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering. ACM, 224--234. Google ScholarDigital Library
- Andreas Moser, Christopher Kruegel, and Engin Kirda. 2007. Exploring multiple execution paths for malware analysis. In Security and Privacy, 2007. SP'07. IEEE Symposium on. IEEE, 231--245. Google ScholarDigital Library
- Simone Mutti, Yanick Fratantonio, Antonio Bianchi, Luca Invernizzi, Jacopo Corbetta, Dhilung Kirat, Christopher Kruegel, and Giovanni Vigna. 2015. BareDroid: Large-scale analysis of Android apps on real devices. In Proceedings of the 31st Annual Computer Security Applications Conference. ACM, 71--80. Google ScholarDigital Library
- Zhenyu Ning and Fengwei Zhang. 2017. Ninja: Towards Transparent Tracing and Debugging on ARM. In In 26th USENIX Security Symposium (USENIX Security 17). ACM.Google Scholar
- Damien Octeau, Daniel Luchaup, Matthew Dering, Somesh Jha, and Patrick McDaniel. 2015. Composite constant propagation: Application to android inter-component communication analysis. In Proceedings of the 37th International Conference on Software Engineering-Volume 1. IEEE Press, 77--88. Google ScholarDigital Library
- Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. 2013. Effective inter-component communication mapping in android with epicc: An essential step towards holistic security analysis. In Proceedings of the 22nd USENIX security symposium. 543--558. Google ScholarDigital Library
- MilaParkour. 2011. Contagio malware dump. blog sobre compartición de malware, recurso en línea disponible en: http://contagiodump.blogspot.com/, consultado el 8 (2011).Google Scholar
- Fei Peng, Zhui Deng, Xiangyu Zhang, Dongyan Xu, Zhiqiang Lin, and Zhendong Su. 2014. X-Force: Force-Executing Binary Programs for Security Applications. In USENIX Security Symposium. 829--844. Google ScholarDigital Library
- Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, and Sotiris Ioannidis. 2014. Rage against the virtual machine: hindering dynamic analysis of android malware. In Proceedings of the Seventh European Workshop on System Security. ACM, 5. Google ScholarDigital Library
- Siegfried Rasthofer, Steven Arzt, and Eric Bodden. 2014. A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks. In NDSS.Google Scholar
- Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, and Eric Bodden. 2016. Harvesting runtime values in android applications that feature anti-analysis techniques. In Proceedings of the Annual Symposium on Network and Distributed System Security (NDSS).Google ScholarCross Ref
- Siegfried Rasthofer, Irfan Asrar, Stephan Huber, and Eric Bodden. 2015. How current android malware seeks to evade automated code analysis. In IFIP International Conference on Information Security Theory and Practice. Springer, 187--202. Google ScholarDigital Library
- Julian Schütte, Rafael Fedler, and Dennis Titze. 2015. Condroid: Targeted dynamic analysis of android applications. In Advanced Information Networking and Applications (AINA), 2015 IEEE 29th International Conference on. IEEE, 571--578.Google ScholarCross Ref
- Kimberly Tam, Salahuddin J Khan, Aristide Fattori, and Lorenzo Cavallaro. 2015. CopperDroid: Automatic Reconstruction of Android Malware Behaviors. In NDSS.Google Scholar
- Virus Total. 2012. VirusTotal-Free online virus, malware and URL scanner. Online: https://www.virustotal.com/en (2012).Google Scholar
- Timothy Vidas and Nicolas Christin. 2014. Evading android runtime analysis via sandbox detection. In Proceedings of the 9th ACM symposium on Information, computer and communications security. ACM, 447--458. Google ScholarDigital Library
- Xiaolei Wang, Yuexiang Yang, Chuan Tang, Yingzhi Zeng, and Jie He. 2016. DroidContext: Identifying Malicious Mobile Privacy Leak Using Context. In Trustcom/BigDataSE/ISPA, 2016 IEEE. IEEE, 807--814.Google ScholarCross Ref
- Xiaolei Wang, Yuexiang Yang, and Yingzhi Zeng. 2015. Accurate mobile malware detection and classification in the cloud. SpringerPlus 4, 1 (2015), 583.Google ScholarCross Ref
- Fengguo Wei, Sankardas Roy, Xinming Ou, and others. 2014. Amandroid: A precise and general inter-component data flow analysis framework for security vetting of android apps. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1329--1341. Google ScholarDigital Library
- Michelle Y Wong and David Lie. 2016. Intellidroid: A targeted input generator for the dynamic analysis of android malware. In Proceedings of the Annual Symposium on Network and Distributed System Security (NDSS).Google ScholarCross Ref
- Lei Xue, Yajin Zhou, Ting Chen, Xiapu Luo, and Guofei Gu. 2017. Malton: Towards On-Device Non-Invasive Mobile Malware Analysis for ART. In In 26th USENIX Security Symposium (USENIX Security 17). ACM.Google Scholar
- Lok-Kwong Yan and Heng Yin. 2012. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In USENIX security symposium. 569--584. Google ScholarDigital Library
- Hui Ye, Shaoyin Cheng, Lanbo Zhang, and Fan Jiang. 2013. Droidfuzzer: Fuzzing the android apps with intent-filter tag. In Proceedings of International Conference on Advances in Mobile Computing & Multimedia. ACM, 68. Google ScholarDigital Library
- Xiangyu Zhang, Neelam Gupta, and Rajiv Gupta. 2006. Locating faults through automated predicate switching. In Proceedings of the 28th international conference on Software engineering. ACM, 272--281. Google ScholarDigital Library
- Yuan Zhang, Min Yang, Bingquan Xu, Zhemin Yang, Guofei Gu, Peng Ning, X Sean Wang, and Binyu Zang. 2013. Vetting undesirable behaviors in android apps with permission use analysis. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 611--622. Google ScholarDigital Library
- Yajin Zhou and Xuxian Jiang. 2012. Android malware genome project. Disponibile a http://www.malgenomeproject.org (2012).Google Scholar
Index Terms
- Droid-AntiRM: Taming Control Flow Anti-analysis to Support Automated Dynamic Analysis of Android Malware
Recommendations
A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web
ROOTS: Proceedings of the 1st Reversing and Offensive-oriented Trends SymposiumAutomated dynamic malware analysis systems are important in combating the proliferation of modern malware. Unfortunately, malware can often easily detect and evade these systems. Competition between malware authors and analysis system developers has ...
Droid Analytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware
TRUSTCOM '13: Proceedings of the 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and CommunicationsSmartphones and mobile devices are rapidly becoming indispensable devices for many users. Unfortunately, they also become fertile grounds for hackers to deploy malware. There is an urgent need to have a "security analytic & forensic system" which can ...
Maaker: A framework for detecting and defeating evasion techniques in Android malware
AbstarctDynamic analysis is a prominent approach for understanding the real-behavior of Android malware. Malware mainly use evasions to underperform dynamic analysis. Although different approaches have been proposed to tackle evasive malware, they suffer ...
Comments