Sensitive behavior analysis of android applications on unrooted devices in the wild
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University, 2019
Online Access: https://ink.library.smu.edu.sg/etd_coll/222 and https://ink.library.smu.edu.sg/cgi/viewcontent.cgi?article=1222&context=etd_coll
Institution: Singapore Management University
Summary:
Dynamic analysis is widely used in malware detection, taint analysis, vulnerability detection, and other areas for enhancing the security of Android. Compared to static analysis, dynamic analysis is immune to common code obfuscation techniques and dynamic code loading. Existing dynamic analysis techniques rely on an in-lab running environment (e.g., modified systems, rooted devices, or emulators) and require automatic input generators to execute the target app. However, these techniques can be bypassed by anti-analysis techniques that allow apps to hide sensitive behavior when an in-lab environment is detected through predefined heuristics (e.g., the IMEI number of the device is invalid). Meanwhile, current input generators are still not intelligent enough to invoke adequate app behavior and provide sufficient code coverage. Therefore, it is an important research direction to investigate dynamic analysis techniques that enable a more complete execution under real running environments. This thesis focuses on dynamically analyzing app behavior by using public APIs and side-channel information, such that the techniques can be deployed on unrooted devices used by public users.
We first propose an advanced code obfuscation technique to hide small pieces of sensitive code with a code-reuse technique. This technique can hinder existing static analysis as well as dynamic analysis based on code-level events, such as API calls or Dalvik instructions. We implement a semi-automatic tool named AndroidCubo and show that it protects both Java and native code at a small runtime overhead.
Since relying on code-level event monitoring to reveal underlying app behavior can be bypassed by obfuscation and anti-analysis techniques, we propose a novel technique to dynamically monitor apps by observing changes to public resources on the device. We propose to observe the resources through public APIs and virtual file interfaces to monitor sensitive behavior, and then use machine learning techniques to identify the app that initiated the behavior. We implement a system named UpDroid, which consists of a monitor published on Google Play and a server-side analyzer. UpDroid can be easily deployed on devices used by the public and successfully monitors sensitive behavior of the app being analyzed. This work is a successful investigation of dynamic analysis on unrooted devices.
To conduct more fine-grained analysis of apps, we propose to use GPU interrupt timing information to infer the launched app and concrete behavior within a running app, such as layout switching. We obtain GPU interrupt timing information from a side channel, /proc/interrupts. We sample the number of raised GPU interrupts and obtain the timing series while an activity occurs on the device, which yields a feature vector for that activity. Then, we use machine learning techniques to train classification models for the activities. With the models, we are able to identify different types of app activities, e.g., identify the launched app or distinguish the activities within an app. This work further demonstrates the effectiveness of dynamic analysis on unrooted devices.
Finally, we conduct a simulation study for dynamically analyzing the factors that affect malware spreading on unrooted devices. In this work, we recruit participants to spread messages to their friends, simulating the malware-spreading messages sent from infected mobile devices. Each message contains a malicious-looking link to simulate a malware download link. When the participants spread the messages, we use dynamic analysis to monitor the status of their devices and record the infection rate. By analyzing the infection rates across different device statuses and across the different spreading messages, the results show that the spreading method, the relationship between sender and recipient, and the contact frequency significantly affect the spreading of malware.