According to the Symantec and F-Secure threat reports, mobile malware development in 2013 and 2014 has continued to focus almost exclusively (roughly 99%) on the Android platform. Malware writers are applying stealthy mutations (obfuscations) to create malware variants, thwarting detection by signature-based detectors. In addition, the plethora of more sophisticated detectors that make use of static analysis techniques to detect such variants operate only at the bytecode level, meaning that malware embedded in native code goes undetected. A recent study shows that 86% of the most popular Android applications contain native code, making native-code malware a plausible threat vector. This paper proposes DroidNative, an Android malware detector that uses specific control-flow patterns to reduce the effect of obfuscations and provides automation. As far as we know, DroidNative is the first system that builds cross-platform (x86 and ARM) semantics-based signatures at the Android native-code level, allowing the system to detect malware embedded in either bytecode or native code. When tested with a dataset of 5490 samples, DroidNative achieves a detection rate (DR) of 93.57% and a false positive rate of 2.7%. When tested with traditional malware variants, it achieves a DR of 99.48%, compared to the DRs of academic and commercial tools, which range from 8.33% to 93.22%. (C) 2016 Elsevier Ltd. All rights reserved.
From a little research experiment to an essential component of military arsenals, malicious software has constantly been growing and evolving for more than three decades. On the other hand, from a negligible market share, the Android operating system is nowadays the most widely used mobile operating system, becoming a desirable target for large-scale malware distribution. While the scientific literature has followed this trend, one aspect has been understudied: the role of native code in malicious Android apps. Android apps are written in high-level languages, but thanks to the Java Native Interface (JNI), Android also supports calling native (C/C++) library functions. While allowing native code in Android apps has a strong positive impact from a performance perspective, it dramatically complicates their analysis because bytecode and native code need different abstractions and analysis algorithms, and they thus pose different challenges and limitations. Consequently, these difficulties are often (ab)used to hide malicious payloads. In this work, we propose a novel methodology for reverse engineering Android apps focusing on suspicious patterns related to native components, i.e., surreptitious code that requires further inspection. We implemented a static analysis tool based on such methodology, which can bridge the "Java" and the native worlds and perform an in-depth analysis to tag code blocks responsible for suspicious behavior. These tags benefit the human facing the reverse engineering task: they clearly indicate which part of the code to focus on to find malicious code. Then, we performed a longitudinal analysis of Android malware over the past 10 years and compared the recent malicious samples with actual top apps on the Google Play Store. Our work depicts typical behaviors of modern malware, its evolution, and how it abuses the native layer to complicate the analysis, especially with dynamic code loading and novel anti-analysis techniques. Finally, we show a use cas
The need to account for native code in Android apps is becoming urgent as the usage of native code is growing in both benign and malicious apps. However, most current state-of-the-art analysis tools cannot effectively analyze the data-flow behavior of native code. On the one hand, existing native dynamic analysis tools are primarily based on test input generation tools to analyze Android apps and are therefore unable to locate native code quickly. On the other hand, existing native static analysis tools are based on symbolic execution to analyze native code and are therefore limited by path and state explosion issues. In order to effectively analyze the behavior of sensitive data in native code, we first propose JNFuzz, a fuzzing module for Android native libraries based on a client/server architecture. Then, building on it, we propose JNFuzz-Droid, a lightweight automated fuzzing and taint analysis framework for Android native code. JNFuzz-Droid first locates the Android native code to which sensitive data is passed and then uses JNFuzz to fuzz the native code to improve code coverage while analyzing the data flow in native code with a dynamic binary instrumentation tool. Experimental results on benchmarks and real-world apps show that JNFuzz-Droid can effectively detect the leakage or transfer of sensitive data in app native code and outperforms the state-of-the-art native analysis tools.
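The "bridge" between the Java and native worlds that the second abstract describes, and the "locate the native code to which sensitive data is passed" step of the third, both start from the same mapping: a method declared `native` in classes.dex is bound to an exported symbol whose name is derived from the class, method and (for overloads) argument descriptor by JNI name mangling, unless the library registers it at runtime through `RegisterNatives`, in which case no such export exists and the binding has to be recovered from `JNI_OnLoad` or later code. The Python script below is an added example written for this page, not code from DroidNative, the tagging tool, or JNFuzz-Droid; the native declarations and the export list are constructed samples, and the class names are hypothetical.

```python
"""Map Java `native` declarations to the JNI export names a .so must provide,
and flag declarations that have no matching export (dynamic registration).

All sample inputs are constructed for illustration; they are not taken from
any real app or from the tools described in the abstracts above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NativeMethod:
    class_name: str   # Java class, dotted or slashed, e.g. "com.example.Foo"
    name: str         # method name as declared in the DEX
    descriptor: str   # JVM method descriptor, e.g. "(Ljava/lang/String;I)V"


def mangle(s: str) -> str:
    """JNI name mangling (JNI spec, 'Resolving Native Method Names'):
    '_' -> '_1', ';' -> '_2', '[' -> '_3', '/' or '.' -> '_',
    any other non-ASCII-alphanumeric character -> '_0xxxx' (lowercase hex)."""
    out = []
    for ch in s:
        if ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch in "/.":
            out.append("_")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("_0%04x" % ord(ch))
    return "".join(out)


def jni_symbols(m: NativeMethod) -> tuple[str, str]:
    """Return (short, long) export names. The VM tries the short name first and
    falls back to the long one, which appends '__' + the mangled argument types
    so that overloaded natives can be told apart."""
    base = "Java_" + mangle(m.class_name) + "_" + mangle(m.name)
    args = m.descriptor[1:m.descriptor.index(")")]
    return base, base + "__" + mangle(args)


def resolve(methods, exported_symbols):
    """For each declared native, find the export the runtime would bind to it.
    A method without an export is not unimplemented: it is normally bound at
    runtime via RegisterNatives (often from JNI_OnLoad) or by code that is
    decrypted or loaded later, so it is exactly the block a reverser should tag."""
    exports = set(exported_symbols)
    result = {}
    for m in methods:
        short, long_ = jni_symbols(m)
        if short in exports:
            result[m] = ("resolved", short)
        elif long_ in exports:
            result[m] = ("resolved", long_)
        else:
            result[m] = ("unresolved", None)
    return result


def summarize(methods, exported_symbols):
    """Unresolved natives plus whether the library exports JNI_OnLoad, the usual
    place where RegisterNatives is called (it can also be called from any
    already-bound native, so the flag is a hint, not a proof)."""
    res = resolve(methods, exported_symbols)
    return {
        "unresolved": [m for m, (state, _) in res.items() if state == "unresolved"],
        "jni_onload": "JNI_OnLoad" in set(exported_symbols),
    }


# Constructed sample: native declarations as they would be read from classes.dex
SAMPLE_METHODS = [
    NativeMethod("com.example.crypto.Native", "encrypt", "([B[B)[B"),
    NativeMethod("com.example.crypto.Native", "encrypt",
                 "(Ljava/lang/String;)Ljava/lang/String;"),
    NativeMethod("com.example.my_loader.Loader", "run", "(I)V"),
    NativeMethod("com.example.Hidden", "exec", "(Ljava/lang/String;)I"),
]
# Constructed sample: dynamic symbol table of a bundled libnative.so
SAMPLE_EXPORTS = [
    "JNI_OnLoad",
    "Java_com_example_crypto_Native_encrypt___3B_3B",
    "Java_com_example_crypto_Native_encrypt__Ljava_lang_String_2",
    "Java_com_example_my_1loader_Loader_run",
]

if __name__ == "__main__":
    for m, (state, sym) in resolve(SAMPLE_METHODS, SAMPLE_EXPORTS).items():
        print(f"{m.class_name}.{m.name}{m.descriptor}: {state} {sym or ''}")
    print(summarize(SAMPLE_METHODS, SAMPLE_EXPORTS))
```

In practice the declaration list comes from a DEX parser and the export list from `readelf --dyn-syms` or `nm -D` on each `lib/<abi>/*.so`; the script only needs those two lists. The `com.example.Hidden.exec` entry is the interesting output: it is declared `native`, the library exports `JNI_OnLoad`, and no mangled export matches, so its implementation is bound at runtime and will not be found by symbol name. That is the case both later abstracts single out: the static tagging tool has to follow `RegisterNatives` out of `JNI_OnLoad`, and a fuzzer has to discover the target function address rather than read it from the export table.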