Results 1 - 10 of 31
Apposcopy: Semantics-Based Detection of Android Malware through Static Analysis
Cited by 14 (4 self)
Abstract: We present Apposcopy, a new semantics-based approach for identifying a prevalent class of Android malware that steals private user information. Apposcopy incorporates (i) a high-level language for specifying signatures that describe semantic characteristics of malware families and (ii) a static analysis for deciding if a given application matches a malware signature. The signature matching algorithm of Apposcopy uses a combination of static taint analysis and a new form of program representation called Inter-Component Call Graph to efficiently detect Android applications that have certain control- and data-flow properties. We have evaluated Apposcopy on a corpus of real-world Android applications and show that it can effectively and reliably pinpoint malicious applications that belong to certain malware families.
Android Taint Flow Analysis for App Sets
Cited by 12 (1 self)
Abstract: One approach to defending against malicious Android applications has been to analyze them to detect potential information leaks. This paper describes a new static taint analysis for Android that combines and augments the FlowDroid and Epicc analyses to precisely track both inter-component and intra-component data flow in a set of Android applications. The analysis takes place in two phases: given a set of applications, we first determine the data flows enabled individually by each application, and the conditions under which these are possible; we then build on these results to enumerate the potentially dangerous data flows enabled by the set of applications as a whole. This paper describes our analysis method, implementation, and experimental results.
AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications
In Proceedings of the 21st Annual Network and Distributed System Security Symposium (NDSS’14), 2014
Cited by 9 (2 self)
Abstract: Component hijacking is a class of vulnerabilities commonly appearing in Android applications. When these vulnerabilities are triggered by attackers, the vulnerable apps can exfiltrate sensitive information and compromise the data integrity on Android devices, on behalf of the attackers. It is often unrealistic to purely rely on developers to fix these vulnerabilities for two reasons: 1) it is a time-consuming process for the developers to confirm each vulnerability and release a patch for it; and 2) the developers may not be experienced enough to properly fix the problem. In this paper, we propose a technique for automatic patch generation. Given a vulnerable Android app (without source code) and a discovered component hijacking vulnerability, we automatically generate a patch to disable this vulnerability. We have implemented a prototype called AppSealer and evaluated its efficacy on apps with component hijacking vulnerabilities. Our evaluation on 16 real-world vulnerable Android apps demonstrates that the generated patches can effectively track and mitigate component hijacking vulnerabilities. Moreover, after going through a series of optimizations, the patch code only represents a small portion (15.9% on average) of the entire program. The runtime overhead introduced by AppSealer is also minimal, merely 2% on average.
AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction
In Proceedings of the IEEE/ACM International Conference on Software Engineering (ICSE), 2014
Cited by 9 (1 self)
Abstract: Android smartphones are becoming increasingly popular. The open nature of Android allows users to install miscellaneous applications, including the malicious ones, from third-party marketplaces without rigorous sanity checks. A large portion of existing malwares perform stealthy operations such as sending short messages, making phone calls and HTTP connections, and installing additional malicious components. In this paper, we propose a novel technique to detect such stealthy behavior. We model stealthy behavior as the program behavior that mismatches with user interface, which denotes the user’s expectation of program behavior. We use static program analysis to attribute a top level function that is usually a user interaction function with the behavior it performs. Then we analyze the text extracted from the user interface component associated with the top level function. Semantic mismatch of the two indicates stealthy behavior. To evaluate AsDroid, we download a pool of 182 apps that are potentially problematic by looking at their permissions. Among the 182 apps, AsDroid reports stealthy behaviors in 113 apps, with 28 false positives and 11 false negatives.
Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps
In CCS. ACM
Cited by 7 (1 self)
Abstract: We propose a new approach to conduct static analysis for security vetting of Android apps, and built a general framework, called Amandroid, for determining points-to information for all objects in an Android app in a flow and context-sensitive way across Android apps components. We show that: (a) this type of comprehensive analysis is completely feasible in terms of computing resources needed with modern hardware, (b) one can easily leverage the results from this general analysis to build various types of specialized security analyses – in many cases the amount of additional coding needed is around 100 lines of code, and (c) the result of those specialized analyses leveraging Amandroid is at least on par and often exceeds prior works designed for the specific problems, which we demonstrate by comparing Amandroid’s results with those of prior works whenever we can obtain the executable of those tools. Since Amandroid’s analysis directly handles inter-component control and data flows, it can be used to address security problems that result from interactions among multiple components from either the same or different apps. Amandroid’s analysis is sound in that it can provide assurance of the absence of the specified security problems in an app with well-specified and reasonable assumptions on Android runtime system and its library.
I Know What Leaked in Your Pocket: Uncovering Privacy Leaks on Android Apps with Static Taint Analysis
ApkCombiner: Combining Multiple Android Apps to Support Inter-App Analysis
Cited by 3 (2 self)
Abstract: Android apps are made of components which can leak information between one another using the ICC mechanism. With the growing momentum of Android, a number of research contributions have led to tools for the intra-app analysis of Android apps. Unfortunately, these state-of-the-art approaches, and the associated tools, have long left out the security flaws that arise across the boundaries of single apps, in the interaction between several apps. In this paper, we present a tool called ApkCombiner which aims at reducing an inter-app communication problem to an intra-app inter-component communication problem. In practice, ApkCombiner combines different apps into a single apk on which existing tools can indirectly perform inter-app analysis. We have evaluated ApkCombiner on a dataset of 3,000 real-world Android apps, to demonstrate its capability to support static context-aware inter-app analysis scenarios.
Information Flows as a Permission Mechanism
In Proceedings of the ACM/IEEE International Conference on Automated Software Engineering (ASE’14), 2014
Cited by 3 (0 self)
Abstract: This paper proposes Flow Permissions, an extension to the Android permission mechanism. Unlike the existing permission mechanism, our permission mechanism contains semantic information based on information flows. Flow Permissions allow users to examine and grant per-app information flows within an application (e.g., a permission for reading the phone number and sending it over the network) as well as cross-app information flows across multiple applications (e.g., a permission for reading the phone number and sending it to another application already installed on the user's phone). Our goal with Flow Permissions is to provide visibility into the holistic behavior of the applications installed on a user's phone. In order to support Flow Permissions on Android, we have developed a static analysis engine that detects flows within an Android application. We have also modified Android's existing permission mechanism and installation procedure to support Flow Permissions. We evaluate our prototype with 2,992 popular applications and 1,047 malicious applications and show that our design is practical and effective in deriving Flow Permissions. We validate our cross-app flow generation and installation procedure on a Galaxy Nexus smartphone.
Semantics-Aware Android Malware Classification Using Weighted Contextual API Dependency Graphs
In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’14. ACM
Cited by 2 (0 self)
Abstract: The drastic increase of Android malware has led to a strong interest in developing methods to automate the malware analysis process. Existing automated Android malware detection and classification methods fall into two general categories: 1) signature-based and 2) machine learning-based. Signature-based approaches can be easily evaded by bytecode-level transformation attacks. Prior learning-based works extract features from application syntax, rather than program semantics, and are also subject to evasion. In this paper, we propose a novel semantic-based approach that classifies Android malware via dependency graphs. To battle transformation attacks, we extract a weighted contextual API dependency graph as program semantics to construct feature sets. To fight against malware variants and zero-day malware, we introduce graph similarity metrics to uncover homogeneous application behaviors while tolerating minor implementation differences. We implement a prototype system, DroidSIFT, in 23 thousand lines of Java code. We evaluate our system using 2200 malware samples and 13500 benign samples. Experiments show that our signature detection can correctly label 93% of malware instances; our anomaly detector is capable of detecting zero-day malware with a low false negative rate (2%) and an acceptable false positive rate (5.15%) for a vetting purpose.
On the Need of Precise Inter-App ICC Classification for Detecting Android Malware Collusions
Cited by 2 (0 self)
Abstract: Malware collusion is a new threat against Android application security. It refers to the scenario where two or more applications interact with each other to perform malicious tasks. Most existing solutions assume the attack model of a stand-alone malicious application, and thus cannot detect collusion. The objective of this position paper is to point out the need for practical solutions for detecting malware collusion. We show experimental evidence on the technical challenges associated with classifying benign Android inter-component communication (ICC) flows from colluding ones. We statically construct ICC Maps to capture pairwise communicating ICC channels of 2,644 real benign apps. We find that existing permission-based collusion-detection policies trigger a large number of false alerts in benign app pairs.