DOCSLIB.ORG

Tackling Runtime-Based Obfuscation in Android with TIRO

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Tackling Runtime-Based Obfuscation in Android with TIRO Tackling runtime-based obfuscation in Android with TIRO Michelle Y. Wong and David Lie University of Toronto Abstract analysis as well for efficiency and greater code cover- age [1,2, 12]. As a result, malware authors have increas- Obfuscation is used in malware to hide malicious activ- ingly turned to obfuscation to hide their actions and con- ity from manual or automatic program analysis. On the fuse both static and dynamic analysis tools. The presence Android platform, malware has had a history of using ob- of obfuscation does not indicate malicious intent in and fuscation techniques such as Java reflection, code pack- of itself, as many legitimate applications employ code ing and value encryption. However, more recent mal- obfuscation to protect intellectual property. However, be- ware has turned to employing obfuscation that subverts cause of its prevalence among malware, it is crucial that the integrity of the Android runtime (ART or Dalvik), a malware analyzers have the ability to deobfuscate An- technique we call runtime-based obfuscation. Once sub- droid applications in order to determine if an application verted, the runtime no longer follows the normally ex- is indeed malicious or not. pected rules of code execution and method invocation, There exist a variety of obfuscation techniques on the raising the difficulty of deobfuscating and analyzing mal- Android platform. Many common techniques, such as ware that use these techniques. Java reflection, value encryption, dynamically decrypt- In this work, we propose TIRO, a deobfuscation ing and loading code, and calling native methods have framework for Android using an approach of Target- been identified and discussed in the literature [11,22,26]. Instrument-Run-Observe. TIRO provides a unified These techniques have a common property in that they framework that can deobfuscate malware that use a com- exploit facilities provided by the Java programming lan- bination of traditional obfuscation and newer runtime- guage, which is the main development language for An- based obfuscation techniques. We evaluate and use droid applications, and thus we call these language- TIRO on a dataset of modern Android malware samples based obfuscation techniques. In contrast, malware au- and find that TIRO can automatically detect and reverse thors may eschew Java and execute entirely in native language-based and runtime-based obfuscation. We also code, obfuscating with techniques seen in x86 mal- evaluate TIRO on a corpus of 2000 malware samples ware [3,8, 17, 20, 24]. We call this technique full-native from VirusTotal and find that runtime-based obfuscation code obfuscation. techniques are present in 80% of the samples, demon- strating that runtime-based obfuscation is a significant In this paper, we identify a third option—obfuscation tool employed by Android malware authors today. techniques that subvert ART, the Android RunTime, which we call runtime-based obfuscation techniques. These techniques subtly alter the way method invoca- 1 Introduction tions are resolved and code is executed. Runtime-based obfuscation has advantages over both language-based There are currently an estimated 2.8 million applica- and full-native code obfuscation. While language-based tions on the Google Play store, with thousands being obfuscation techniques have to occur immediately before added and many more existing applications being up- the obfuscated code is called, runtime-based obfuscation dated daily. A large market with many users naturally techniques can occur in one place and alter code exe- draws attackers who create and distribute malicious ap- cution in a seemingly unrelated part of the application. plications (i.e. malware) for fun and profit. While dy- This significantly raises the difficulty of deobfuscating namic analyses [10, 27, 28, 34] can be used to detect code, as code execution no longer follows expected con- and analyze malware, anti-malware tools often use static ventions and analysis can no longer be performed piece- 1 meal on an application, but must examine the entire ap- 2. We present the design and implementation of TIRO, plication as a whole. Compared to full-native code ob- a framework for Android-based deobfuscation that fuscation, runtime-based obfuscation allows a malware can handle both language-based and runtime-based developer to still use the convenient Java-based API li- obfuscation techniques. braries provided by the framework. Malware that use na- 3. We evaluate TIRO on a corpus of 34 modern mal- tive code obfuscation will either have to use language- or ware samples provided by the Android Malware runtime-based obfuscation to hide its Android API use, team at Google. We also run TIRO on 2000 obfus- or risk compatibility loss if it tries to access APIs directly. cated malware samples downloaded from VirusTo- Our study of obfuscated malware suggests that authors tal to measure the prevalence of various runtime- almost universally employ language- and runtime-based based obfuscation techniques in the wild and find methods to hide their use of Android APIs in Java. that 80% use a form of runtime-based obfuscation. To study both language- and runtime-based obfusca- tion in Android malware, we propose TIRO, a tool that We begin by providing background on the Android can handle both types of obfuscation techniques within runtime and classical language-based obfuscation tech- a single deobfuscation framework. TIRO is an acronym niques in Section2. We then introduce and explain for the automated approach taken to defeat obfuscation runtime-based obfuscation techniques in Section3. We — Target-Instrument-Run-Observe. TIRO first analyzes present TIRO, a deobfuscation framework that can han- the application code to target locations where obfusca- dle both language- and runtime-based obfuscation in tion may occur, and applies instrumentation either in the Section4 and provide implementation details in Sec- application or runtime to monitor for obfuscation and tion5. We present an analysis of obfuscated Android collect run-time information. TIRO then runs the ap- malware in Section6 and show how T IRO can deobfus- plication with specially generated inputs that will trig- cate these applications. We analyze our findings and our ger the instrumentation. Finally, TIRO observes the re- limitations in Section7. Related work is discussed in sults of running the instrumented application to deter- Section8. Finally, we conclude in Section9. mine whether obfuscation occurred and if so, produce the deobfuscated code. TIRO performs these steps itera- 2 Background tively until it can no longer detect any new obfuscation. This iterative mechanism enables it to work on a variety Android applications are implemented in Java, compiled of obfuscated applications and techniques. into DEX bytecode, and executed in either the Dalvik TIRO’s hybrid static-dynamic design is rooted in an Virtual Machine or the Android Runtime (ART).1 The integration with IntelliDroid [31], which implements tar- Dalvik VM, used in Android versions prior to 4.4, inter- geted dynamic execution for Android applications. TIRO prets the DEX bytecode and uses just-in-time (JIT) com- uses this targeting to drive its dynamic analysis to lo- pilation for frequently executed code segments. ART, a cations of obfuscation, saving it from having to execute separate runtime introduced in Android 4.4 and set as the unrelated parts of the application. However, IntelliDroid default in Android 5.0, adds ahead-of-time (AOT) com- uses static analysis and is susceptible to language-based pilation (using the dex2oat tool) to a DEX interpreter. and runtime-based obfuscation, which can make its anal- Starting in Android 7.0, ART also includes profile-based ysis incomplete. By using an iterative design that feeds smart compilation that uses a mixture of interpretation, dynamic information back into static analysis for de- JIT, and AOT compilation to boost application perfor- obfuscation, TIRO can incrementally increase the com- mance. pleteness of this targeting, which further improves its de- We briefly discuss traditional language-based obfusca- obfuscation capabilities. In this synergistic combination, tion and full-native code obfuscation techniques: IntelliDroid improves TIRO’s efficiency by targeting its Reflection. Java provides the ability to dynamically in- dynamic analysis toward obfuscation code and TIRO im- stantiate and invoke methods using reflection. Because proves IntelliDroid’s completeness by incorporating de- the target of reflected method invocations is only known obfuscated information back into its targeting. Succes- at run-time, this frustrates static analysis and can make sive iterations allow each to refine the results of the other. the targets of these calls unresolvable (e.g. by using We make three main contributions in this paper: an encrypted string), thus hiding call edges and data ac- cesses. 1. We identify and describe a family of runtime-based obfuscation techniques in ART, including DEX file Value encryption. Key values and strings in an applica- hooking, class modification, ArtMethod hooking, tion can be encrypted so they are not visible to static anal- method entry-point hooking and instruction hook- ysis. When executed, code in the application decrypts ing/overwriting. 1https://source.android.com/devices/tech/dalvik/ 2 the values, allowing the application to use the plain text Java code. As a result, applications that use native code at run-time. Value encryption is often combined with re- obfuscation still need obfuscation for Java code if they flection to hide the names of classes or methods targeted want to be able to make Android API calls reliably. by reflected calls. Dynamic loading. Code located outside the main ap- 3 Runtime-based obfuscation plication package (APK) can be executed through dy- namic code loading. This is often used in packed ap- Before we describe runtime-based obfuscation, we first plications, where the hidden code is stored as an en- describe how code is loaded and executed in the ART crypted binary file within the APK package and de- runtime. Figure1 illustrates three major steps in loading crypted when the application is launched.
Load more

Recommended publications
  • Android (Operating System) 1 Android (Operating System)
    Android (operating system) 1 Android (operating system) Android Home screen displayed by Samsung Nexus S with Google running Android 2.3 "Gingerbread" Company / developer Google Inc., Open Handset Alliance [1] Programmed in C (core), C++ (some third-party libraries), Java (UI) Working state Current [2] Source model Free and open source software (3.0 is currently in closed development) Initial release 21 October 2008 Latest stable release Tablets: [3] 3.0.1 (Honeycomb) Phones: [3] 2.3.3 (Gingerbread) / 24 February 2011 [4] Supported platforms ARM, MIPS, Power, x86 Kernel type Monolithic, modified Linux kernel Default user interface Graphical [5] License Apache 2.0, Linux kernel patches are under GPL v2 Official website [www.android.com www.android.com] Android is a software stack for mobile devices that includes an operating system, middleware and key applications.[6] [7] Google Inc. purchased the initial developer of the software, Android Inc., in 2005.[8] Android's mobile operating system is based on a modified version of the Linux kernel. Google and other members of the Open Handset Alliance collaborated on Android's development and release.[9] [10] The Android Open Source Project (AOSP) is tasked with the maintenance and further development of Android.[11] The Android operating system is the world's best-selling Smartphone platform.[12] [13] Android has a large community of developers writing applications ("apps") that extend the functionality of the devices. There are currently over 150,000 apps available for Android.[14] [15] Android Market is the online app store run by Google, though apps can also be downloaded from third-party sites.
    [Show full text]
  • Android Operating System
    Software Engineering ISSN: 2229-4007 & ISSN: 2229-4015, Volume 3, Issue 1, 2012, pp.-10-13. Available online at http://www.bioinfo.in/contents.php?id=76 ANDROID OPERATING SYSTEM NIMODIA C. AND DESHMUKH H.R. Babasaheb Naik College of Engineering, Pusad, MS, India. *Corresponding Author: Email- [email protected], [email protected] Received: February 21, 2012; Accepted: March 15, 2012 Abstract- Android is a software stack for mobile devices that includes an operating system, middleware and key applications. Android, an open source mobile device platform based on the Linux operating system. It has application Framework,enhanced graphics, integrated web browser, relational database, media support, LibWebCore web browser, wide variety of connectivity and much more applications. Android relies on Linux version 2.6 for core system services such as security, memory management, process management, network stack, and driver model. Architecture of Android consist of Applications. Linux kernel, libraries, application framework, Android Runtime. All applications are written using the Java programming language. Android mobile phone platform is going to be more secure than Apple’s iPhone or any other device in the long run. Keywords- 3G, Dalvik Virtual Machine, EGPRS, LiMo, Open Handset Alliance, SQLite, WCDMA/HSUPA Citation: Nimodia C. and Deshmukh H.R. (2012) Android Operating System. Software Engineering, ISSN: 2229-4007 & ISSN: 2229-4015, Volume 3, Issue 1, pp.-10-13. Copyright: Copyright©2012 Nimodia C. and Deshmukh H.R. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
    [Show full text]
  • History and Evolution of the Android OS
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Springer - Publisher Connector CHAPTER 1 History and Evolution of the Android OS I’m going to destroy Android, because it’s a stolen product. I’m willing to go thermonuclear war on this. —Steve Jobs, Apple Inc. Android, Inc. started with a clear mission by its creators. According to Andy Rubin, one of Android’s founders, Android Inc. was to develop “smarter mobile devices that are more aware of its owner’s location and preferences.” Rubin further stated, “If people are smart, that information starts getting aggregated into consumer products.” The year was 2003 and the location was Palo Alto, California. This was the year Android was born. While Android, Inc. started operations secretly, today the entire world knows about Android. It is no secret that Android is an operating system (OS) for modern day smartphones, tablets, and soon-to-be laptops, but what exactly does that mean? What did Android used to look like? How has it gotten where it is today? All of these questions and more will be answered in this brief chapter. Origins Android first appeared on the technology radar in 2005 when Google, the multibillion- dollar technology company, purchased Android, Inc. At the time, not much was known about Android and what Google intended on doing with it. Information was sparse until 2007, when Google announced the world’s first truly open platform for mobile devices. The First Distribution of Android On November 5, 2007, a press release from the Open Handset Alliance set the stage for the future of the Android platform.
    [Show full text]
  • Tutorial: Setup for Android Development
    Tutorial: Setup for Android Development Adam C. Champion, Ph.D. CSE 5236: Mobile Application Development Autumn 2019 Based on material from C. Horstmann [1], J. Bloch [2], C. Collins et al. [4], M.L. Sichitiu (NCSU), V. Janjic (Imperial College London), CSE 2221 (OSU), and other sources 1 Outline • Getting Started • Android Programming 2 Getting Started (1) • Need to install Java Development Kit (JDK) (not Java Runtime Environment (JRE)) to write Android programs • Download JDK for your OS: https://adoptopenjdk.net/ * • Alternatively, for OS X, Linux: – OS X: Install Homebrew (http://brew.sh) via Terminal, – Linux: • Debian/Ubuntu: sudo apt install openjdk-8-jdk • Fedora/CentOS: yum install java-1.8.0-openjdk-devel * Why OpenJDK 8? Oracle changed Java licensing (commercial use costs $$$); Android SDK tools require version 8. 3 Getting Started (2) • After installing JDK, download Android SDK from http://developer.android.com • Simplest: download and install Android Studio bundle (including Android SDK) for your OS • Alternative: brew cask install android- studio (Mac/Homebrew) • We’ll use Android Studio with SDK included (easiest) 4 Install! 5 Getting Started (3) • Install Android Studio directly (Windows, Mac); unzip to directory android-studio, then run ./android-studio/bin/studio64.sh (Linux) 6 Getting Started (4) • Strongly recommend testing Android Studio menu → Preferences… or with real Android device File → Settings… – Android emulator: slow – Faster emulator: Genymotion [14], [15] – Install USB drivers for your Android device! • Bring up Android SDK Manager – Install Android 5.x–8.x APIs, Google support repository, Google Play services – Don’t worry about non-x86 Now you’re ready for Android development! system images 7 Outline • Getting Started • Android Programming 8 Introduction to Android • Popular mobile device Mobile OS Market Share OS: 73% of worldwide Worldwide (Jul.
    [Show full text]
  • The Future Going Back in Time to Abuse Android's
    Back To The Future Going Back In Time To Abuse Android’s JIT !1 $ whoami • Benjamin Watson • Director of Security Research @VerSprite Security • Android • @rotlogix !2 Agenda • Inspiration and Overview • Android 4.4.4 JIT Internals & Abuse • Android 7.1.1 JIT Internals & Abuse • Android Oreo • Tools • Future Challenges • Conclusion !3 Back To The Future Going Back In Time To Abuse Android’s JIT !4 Making Android Malware Great The First Time !5 On The Shoulders Of Giants !6 On the Shoulders of Giants @mattifestation @rwincey !7 Shellcode Execution in .NET using MSIL- Based JIT Overwrite • @mattifestation discovered the CPBLK opcode, which is effectively the MSIL equivalent to memcpy • He used to this opcode to overwrite a JIT’ed .NET method with shellcode • https://www.exploit-monday.com/2013/04/ MSILbasedShellcodeExec.html !8 Java Shellcode Execution • @rwincey uses the Unsafe API to overwrite a JIT’ed Java method with shellcode • https://www.slideshare.net/RyanWincey/java- shellcodeoffice !9 On the Shoulders of Giants • After absorbing Matt and Ryan’s research, I was left with one question … “ Is this also possible in Android? “ … !10 Motivation • These techniques discussed today are post-exploitation in nature • We already have installed a malicious application or gain code execution in Java through an arbitrary application • Our goal is to execute shellcode in memory entirely through Java without loading additional shared-libraries, or utilizing JNI !11 Motivation • This means that a simple “application” can have a self- contained solution
    [Show full text]
  • Race Detection for Android Applications
    Race Detection for Android Applications Pallavi Maiya Aditya Kanade Rupak Majumdar Indian Institute of Science Indian Institute of Science MPI-SWS [email protected] [email protected] [email protected] Abstract asynchronous tasks to each other. Asynchronous tasks running on the same thread may themselves be reordered non-deterministically Programming environments for smartphones expose a concur- subject to certain rules. While the model can effectively hide laten- rency model that combines multi-threading and asynchronous event- cies, enabling innovative features, programming is complex and pro- based dispatch. While this enables the development of efficient and grams can have many subtle bugs due to non-determinism. feature-rich applications, unforeseen thread interleavings coupled In this paper, we formalize the concurrency semantics of the An- with non-deterministic reorderings of asynchronous tasks can lead droid programming model. Coming up with this formalization re- to subtle concurrency errors in the applications. quired a thorough study of the Android framework and a careful In this paper, we formalize the concurrency semantics of the An- mapping of execution scenarios in Android to more formal execu- happens-before droid programming model. We further define the tion traces. We view an Android application as comprising multi- relation for Android applications, and develop a dynamic race de- ple asynchronous tasks that are executed on one or more threads. tection technique based on this relation. Our relation generalizes An asynchronous task, once started on a thread, runs to completion the so far independently studied happens-before relations for multi- and can make both synchronous and asynchronous procedure calls.
    [Show full text]
  • A Research on Android Technology with New Version Naugat(7.0,7.1)
    IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661,p-ISSN: 2278-8727, Volume 19, Issue 2, Ver. I (Mar.-Apr. 2017), PP 65-77 www.iosrjournals.org A Research On Android Technology With New Version Naugat(7.0,7.1) Nikhil M. Dongre , Tejas S. Agrawal, Ass.prof. Sagar D. Pande (Dept. CSE, Student of PRPCOE, SantGadge baba Amravati University, [email protected] contact no: 8408895842) (Dept. CSE, Student of PRMCEAM, SantGadge baba Amravati University, [email protected] contact no: 9146951658) (Dept. CSE, Assistant professor of PRPCOE, SantGadge baba Amravati University, [email protected], contact no:9405352824) Abstract: Android “Naugat” (codenamed Android N in development) is the seventh major version of Android Operating System called Android 7.0. It was first released as a Android Beta Program build on March 9 , 2016 with factory images for current Nexus devices, which allows supported devices to be upgraded directly to the Android Nougat beta via over-the-air update. Nougat is introduced as notable changes to the operating system and its development platform also it includes the ability to display multiple apps on-screen at once in a split- screen view with the support for inline replies to notifications, as well as an OpenJDK-based Java environment and support for the Vulkan graphics rendering API, and "seamless" system updates on supported devices. Keywords: jellybean, kitkat, lollipop, marshmallow, naugat I. Introduction This research has been done to give you the best details toward the exciting new frontier of open source mobile development. Android is the newest mobile device operating system, and this is one of the first research to help the average programmer become a fearless Android developer.
    [Show full text]
  • Android Operating System Documentation
    Android Operating System Documentation nonjurors!Ingelbert outmove uncomplaisantly. Mixolydian Carter sop, his gillie dances ventured harmlessly. Typical and isocheimenal Husein never solved his The system android Recent applications under the storage, you set to assign an operating system compatibility with a successful upload or in gdnative plugins. Simplify and accelerate secure delivery of open banking compliant APIs. Web application, etc, especially when it comes to notebook PCs. Why is my APK or IPA so big? In this section, apps, the default fallback is rarely used. The BIOS menu should appear. We covered different ways in which we made Android code more expressive and concise, operated and developed by Google, such as the OUYA console. Support for file upload fields in the Browser application. Newline indicates the end of a text line; it need not correspond to an actual single character, then advancing the clock or inserting events as necessary for the test. Send GIFs directly from the default keyboard. SDK that can be easily integrated into your Android build. Custom firmware is also the only way you can install newer versions of Android on devices that are no longer supported by their manufacturers. Core Guidelines and static checker tools for enforcing Guideline rules. New display support functions, which gives us a peek into the ongoing work on bringing the Android OS to yet another form factor. API Level of the latest platform version. It is always a wise idea to check the memory requirements before starting any project. And this will again not work if you use the incognito mode! Views are used to create layouts, lists, so a MIUI version upgrade is an exciting event.
    [Show full text]
  • Artdroid: a Virtual-Method Hooking Framework on Android ART Runtime
    ARTDroid: A Virtual-Method Hooking Framework on Android ART Runtime Valerio Costamagna Cong Zheng Universit`adegli studi di Torino Palo Alto Networks [email protected] Georgia Institute of Technology [email protected] techniques can dynamically launch specific behaviors, which can be only monitored in dynamic analysis en- Abstract vironment instead of static analysis. Besides, in obfus- cated apps, static analysis can only check the API-level Various static and dynamic analysis tech- behaviors of apps rather than the fine-grained behav- niques are developed to detect and analyze iors, such as the URL in network connections and the Android malware. Some advanced Android phone number of sending SMS behavior. malware can use Java reflection and JNI mech- Without above limitations of static analysis, the dy- anisms to conceal their malicious behaviors namic analysis approach is usually used for deeply an- for static analysis. Furthermore, for dynamic alyzing apps [SFE+13]. Currently, dynamic analysis analysis, emulator detection and integrity self- uses hooking techniques for monitoring behaviors of checking are used by Android malware to by- apps. The hooking techniques can be divided into two pass all recent Android sandboxes. In this main types: 1) hooking Android framework APIs by paper, we propose ARTDroid, a framework modifying Android system [ZAG+15][EGH+14], and for hooking virtual-methods calls supporting 2) hooking APIs used in the app process by static in- the latest Android runtime (ART). A virtual- strumentation [BGH+13][DC13]. Both of them have method is called by the ART runtime using a limitations to analyze trick samples.
    [Show full text]
  • Portable Customised Android OS for Different Computing Devices
    International Journal of Research in Engineering, Science and Management 495 Volume-3, Issue-3, March-2020 www.ijresm.com | ISSN (Online): 2581-5792 Portable Customised Android OS for Different Computing Devices Siddhesh Tawade1, Shrunkhal Shringarpure2, Swapnil Waghmare3 1,2Student, Department of Computer Engineering, Pillai HOC College of Engineering and Technology, Kharghar, India 3Assistant Professor, Department of Computer Engineering, Pillai HOC College of Engineering and Technology, Kharghar, India Abstract: Android is a software stack that includes operating Surpassed Apple iPhone shipments in various places of the system, middle ware, applications for the development of devices. world, clearly showing how Android is open for innovation. Android has evolved greatly and user experience in addition to Any smartphone manufacturer which sells an Android consumer level efficiency along with integration of android powered devices also expanded. Because of its promising features smartphone is using the Android Open Source Project. And to and characteristics like open source nature, rich user interface, be honest, virtually anyone making a smartphone today that consistent app API's. Android is being integrated and ported to isn’t an iPhone is leveraging the AOSP code. This includes various computing devices this includes smart phones, tablet, and Samsung, LG, HTC, Huawei, Xiaomi, ZTE, Honor, OnePlus, google pixel book. One major advantage of using android and many others. So it doesn’t matter if it’s Samsung’s version framework beyond the mobile devices is the android applications of Android (which is called Samsung Experience), or Xiaomi’s can talk to the functionality of all these devices powered by android and developers need not to write several applications for version of Android (which is called MIUI), Huawei’s version different computing systems.
    [Show full text]
  • 38 Toward Engineering a Secure Android Ecosystem: a Survey of Existing Techniques
    Toward Engineering a Secure Android Ecosystem: A Survey of Existing Techniques MENG XU, CHENGYU SONG, YANG JI, MING-WEI SHIH, KANGJIE LU, CONG ZHENG, RUIAN DUAN, YEONGJIN JANG, BYOUNGYOUNG LEE, CHENXIONG QIAN, SANGHO LEE, and TAESOO KIM, Georgia Institute of Technology The openness and extensibility of Android have made it a popular platform for mobile devices and a strong candidate to drive the Internet-of-Things. Unfortunately, these properties also leave Android vulnerable, attracting attacks for profit or fun. To mitigate these threats, numerous issue-specific solutions have been proposed. With the increasing number and complexity of security problems and solutions, we believe this is the right moment to step back and systematically re-evaluate the Android security architecture and security practices in the ecosystem. We organize the most recent security research on the Android platform into two categories: the software stack and the ecosystem. For each category, we provide a comprehensive narrative of the problem space, highlight the limitations of the proposed solutions, and identify open problems for future research. Based on our collection of knowledge, we envision a blueprint for engineering a secure, next-generationr Android ecosystem. CCS Concepts: Security and privacy → Mobile platform security; Malware and its mitigation;Social aspects of security and privacy Additional Key Words and Phrases: Android, mobile malware, survey, ecosystem ACM Reference Format: Meng Xu, Chengyu Song, Yang Ji, Ming-Wei Shih, Kangjie Lu, Cong Zheng, Ruian Duan, Yeongjin Jang, Byoungyoung Lee, Chenxiong Qian, Sangho Lee, and Taesoo Kim. 2016. Toward engineering a secure android ecosystem: A survey of existing techniques. ACM Comput.
    [Show full text]
  • Measuring User Perception for Detecting Unexpected Access to Sensitive Resource in Mobile Apps
    Measuring User Perception for Detecting Unexpected Access to Sensitive Resource in Mobile Apps Trung Tin Nguyen Duc Cuong Nguyen Michael Schilling CISPA Helmholtz Center for CISPA Helmholtz Center for CISPA Helmholtz Center for Information Security Information Security Information Security [email protected] [email protected] [email protected] Gang Wang Michael Backes University of Illinois at CISPA Helmholtz Center for Urbana-Champaign Information Security [email protected] [email protected] ABSTRACT KEYWORDS Understanding users’ perception of app behaviors is an important Android Security; User Interface; User Privacy; Permission; Unex- step to detect data access that violates user expectations. While pected Sensitive Resource Access; Usable Security existing works have used various proxies to infer user expecta- ACM Reference Format: tions (e.g., by analyzing app descriptions), how real-world users Trung Tin Nguyen, Duc Cuong Nguyen, Michael Schilling, Gang Wang, perceive an app’s data access when they interact with graphical and Michael Backes. 2021. Measuring User Perception for Detecting Un- user interfaces (UI) has not been fully explored. expected Access to Sensitive Resource in Mobile Apps. In Proceedings of In this paper, we aimed to fill this gap by directly measuring the 2021 ACM Asia Conference on Computer and Communications Security how end-users perceive app behaviors based on graphical UI el- (ASIA CCS ’21), June 7–11, 2021, Hong Kong, Hong Kong. ACM, New York, ements via extensive user studies. The results are used to build NY, USA, 15 pages. https://doi.org/10.1145/3433210.3437511 an automated tool - GUIBAT (Graphical User Interface Behavioral Analysis Tool) - that detects sensitive resource accesses that vio- 1 INTRODUCTION late user expectations.
    [Show full text]