Sensitive behavior analysis of android applications on unrooted devices in the wild

Bibliographic Details
Main Author: TANG, Xiaoxiao
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2019
Subjects: Sensitive behaviour; dynamic analysis; unrooted device; Android; Software Engineering; Systems Architecture
Online Access: https://ink.library.smu.edu.sg/etd_coll/222
https://ink.library.smu.edu.sg/cgi/viewcontent.cgi?article=1222&context=etd_coll
Institution: Singapore Management University
Description:
Dynamic analysis is widely used in malware detection, taint analysis, vulnerability detection, and other areas for enhancing the security of Android. Compared to static analysis, dynamic analysis is immune to common code obfuscation techniques and dynamic code loading. Existing dynamic analysis techniques rely on an in-lab running environment (e.g., modified systems, rooted devices, or emulators) and require automatic input generators to execute the target app. However, these techniques can be bypassed by anti-analysis techniques that allow apps to hide sensitive behavior when an in-lab environment is detected through predefined heuristics (e.g., the IMEI number of the device is invalid). Meanwhile, current input generators are still not intelligent enough to invoke adequate app behavior and provide sufficient code coverage. Therefore, it is an important research direction to investigate dynamic analysis techniques that enable a more complete execution under real running environments. This thesis focuses on dynamically analyzing app behavior by using public APIs and side-channel information, such that the techniques can be deployed on unrooted devices used by public users. We first propose an advanced code obfuscation technique to hide small pieces of sensitive code with a code-reuse technique. This technique can hinder existing static analysis as well as dynamic analysis based on code-level events, such as API calls or Dalvik instructions. We implement a semi-automatic tool named AndroidCubo and show that it protects both Java and native code at a small runtime overhead. Since relying on code-level event monitoring to reveal underlying app behavior can be bypassed by obfuscation and anti-analysis techniques, we propose a novel technique to dynamically monitor apps by observing changes to public resources on the device.
We propose to observe the resources through public APIs and virtual file interfaces to monitor sensitive behavior, and then use machine learning techniques to identify the app that initiated the behavior. We implement a system named UpDroid, which consists of a monitor published on Google Play and a server-side analyzer. UpDroid can be easily deployed on devices used by the public and successfully monitors sensitive behavior of the app being analyzed. This work is a successful investigation of dynamic analysis on unrooted devices. To conduct more fine-grained analysis of apps, we propose to use GPU interrupt timing information to infer the launched app and concrete behavior within a running app, such as layout switching. We obtain GPU interrupt timing information from a side channel, /proc/interrupts. We sample the number of raised GPU interrupts to obtain a timing series while an activity occurs on the device, and use it to generate a feature vector for that activity. Then, we use machine learning techniques to train classification models for the activities. With the models, we are able to identify different types of app activities, e.g., identify the launched app or distinguish the activities within an app. This work further demonstrates the effectiveness of dynamic analysis on unrooted devices. Finally, we conduct a simulation study to dynamically analyze the factors that affect malware spreading on unrooted devices. In this work, we recruit participants to spread messages to their friends, simulating the malware-spreading messages sent from infected mobile devices. Each message contains a malicious-looking link to simulate a malware download link. While the participants spread the messages, we use dynamic analysis to monitor the status of their devices and record the infection rate.
By analyzing the infection rates under different device statuses and the differences among the spreading messages, the results show that spreading method, relationship, and contact frequency significantly affect the spread of malware.
Date: 2019-07-01T07:00:00Z
File Format: application/pdf
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Dissertations and Theses Collection (Open Access)