Dark hazard: Large-scale discovery of unknown hidden sensitive operations in Android apps

Hidden sensitive operations (HSO) such as stealing privacy user data upon receiving an SMS message are increasingly utilized by mobile malware and other potentially-harmful apps (PHAs) to evade detection. Identification of such behaviors is hard, due to the challenge in triggering them during an app...

Bibliographic Details
Main Authors: PAN, Xiaorui, WANG, Xueqiang, DUAN, Yue, WANG, Xiaofeng, YIN, Heng
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2017
Subjects: Databases and Information Systems; OS and Networks
Online Access: https://ink.library.smu.edu.sg/sis_research/8173
Full text (PDF): https://ink.library.smu.edu.sg/context/sis_research/article/9176/viewcontent/ndss2017_05A_1_Pan_paper__2_.pdf
Institution: Singapore Management University
Full description

Hidden sensitive operations (HSO) such as stealing privacy user data upon receiving an SMS message are increasingly utilized by mobile malware and other potentially-harmful apps (PHAs) to evade detection. Identification of such behaviors is hard, due to the challenge in triggering them during an app's runtime. Current static approaches rely on the trigger conditions or hidden behaviors known beforehand and therefore cannot capture previously unknown HSO activities. Also, these techniques tend to be computationally intensive and therefore less suitable for analyzing a large number of apps. As a result, our understanding of real-world HSO today is still limited, not to mention effective means to mitigate this threat. In this paper, we present HSOMINER, an innovative machine-learning based program analysis technique that enables a large-scale discovery of unknown HSO activities. Our approach leverages a set of program features that characterize an HSO branch and can be relatively easy to extract from an app. These features summarize a set of unique observations about an HSO condition, its paths and the relations between them, and are designed to be general for finding hidden suspicious behaviors. Particularly, we found that a trigger condition is less likely to relate to the path of its branch through data flows or shared resources, compared with a legitimate branch. Also, the behaviors exhibited by the two paths of an HSO branch tend to be conspicuously different (innocent on one side and sinister on the other). Most importantly, even though these individual features are not sufficiently accurate for capturing HSO on their own, collectively they are shown to be highly effective in identifying such behaviors.

This differentiating power is harnessed by HSOMINER to classify Android apps, which achieves a high precision (>98%) and coverage (>94%), and is also efficient as discovered in our experiments. The new tool was further used in a measurement study involving 338,354 real-world apps, the largest one ever conducted on suspicious hidden operations. Our research brought to light the pervasiveness of HSO activities, which are present in 18.7% of the apps we analyzed, surprising trigger conditions (e.g., click on a certain region of a view) and behaviors (e.g., hiding operations in a dynamically generated receiver), which help better understand the problem and contribute to more effective defense against this new threat to the mobile platform.

Publication date: 2017-03-01
Format: text (application/pdf)
DOI: 10.14722/ndss.2017.23265
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems, Institutional Knowledge at Singapore Management University
Subjects: Databases and Information Systems; OS and Networks