It is generally challenging to tell malware apart from benign applications. To make this decision, human analysts are frequently interested in runtime values: targets of reflective method calls, URLs to which data is sent, target telephone numbers of SMS messages, and many more. However, obfuscation and string encryption, used by malware as well as goodware, often render not only human inspection but also static analyses ineffective. In addition, malware frequently tricks dynamic analyses by detecting the execution environment emulated by the analysis tool and then refraining from malicious behavior. In this work we therefore present HARVESTER, an approach to fully automatically extract runtime values from Android applications. HARVESTER is designed to extract values even from highly obfuscated state-of-the-art malware samples that obfuscate method calls using reflection, hide sensitive values in native code, load code dynamically and apply anti-analysis techniques. The approach combines program slicing with code generation and dynamic execution. Experiments on 16,799 current malware samples show that HARVESTER fully automatically extracts many sensitive values, with perfect precision. The process usually takes less than three minutes and does not require human interaction; in particular, it does not require simulating UI inputs. Two case studies further show that by integrating the extracted values back into the app, HARVESTER can increase the recall of existing static and dynamic analysis tools such as FlowDroid and TaintDroid.

Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.
Dynamic analysis is an important tool for assessing software quality during testing. It not only helps analysts identify performance bottlenecks and functional errors, but also provides a means for finding security vulnerabilities. For example, analysts can determine the servers to which a mobile app connects, which sensitive data it transfers, and which cryptographic protocols it uses for the transfer. While many approaches for monitoring a running Android app exist, most work silently assumes that a suitable execution environment is available. When analyzing hundreds of apps at the same time, however, a single phone on the analyst's desk is not enough. Emulators are not always an alternative, as we show, because apps can behave differently on real hardware. In this paper, we discuss the challenges of providing a large-scale testing environment with real Android devices on physical hardware. We further present DFarm, a software and hardware system to configure and control hundreds of Android phones in a private testing cloud. We discuss electrical wiring, USB and WiFi connectivity, automatic configuration, and load balancing. We evaluate DFarm on setups ranging from 1 to more than 70 devices. We show that it provides near-linear scaling for dynamic app analysis when adding new devices, while retaining the original device's computation and network performance.

CCS CONCEPTS: Software and its engineering → Software verification and validation; Security and privacy → Software and application security.