Deep Ground Truth Analysis of Current Android Malware

Wei, Fengguo; Li, Yuping; Roy, Subhadeep; Ou, Xinming; Zhou, Wu

doi:10.1007/978-3-319-60876-1_12

Cited by 310 publications

(260 citation statements)

References 13 publications

Supporting

Mentioning

255

Contrasting

Unclassified

Order By: Relevance

“…Let us use an example to demonstrate how Ripple can help in detecting malicious program behaviors in the presence of reflection and code obfuscation. Code obfuscation via reflection is a commonly used anti‐analysis technique . Ripple can be applied to infer the hidden targets accessed at reflective calls by exploiting the type information around so that the hidden malicious behaviors can be exposed.…”

Section: Discussionmentioning

confidence: 99%

“…35 Ripple can be applied to infer the hidden targets accessed at reflective calls by exploiting the type information around so that the hidden malicious behaviors can be exposed. Figure 12 illustrates a code snippet adapted from an example discussed in, 35 which is taken from an Android malware, called Obad. 36 In the code shown, each "..." stands for some encrypted string generated by an obfuscation tool.…”

Section: Discussionmentioning

confidence: 99%

“…Reflection is responsible for a number of security exploits in Android apps. 35 In general, a malicious app retrieves class and method names as strings externally and invokes methods in payload classes via reflection to perform malicious activities, which are thus disguised from some signature-based anti-virus software. For example, Obad 36 and FakeInstaller 37 represent the 2 most sophisticated malware families, 38 as they combine reflection and code obfuscation to hide their malicious behaviors.…”

Section: Reflection-related Security Issuesmentioning

confidence: 99%

“…Reflection is responsible for a number of security exploits in Android apps . In general, a malicious app retrieves class and method names as strings externally and invokes methods in payload classes via reflection to perform malicious activities, which are thus disguised from some signature‐based anti‐virus software.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Ripple: Reflection analysis for Android apps in incomplete information environments

Zhang

Tan

et al. 2018

Softw Pract Exp

View full text Add to dashboard Cite

Summary Reflection poses grave problems for static security analysis, despite its widespread use in Android apps. In general, string inference has been mainly used to handle reflection, resulting in significantly missed security vulnerabilities. In this work, we bring forward the ubiquity of incomplete information environments (IIEs) for Android apps, where some critical dataflows are missing during static analysis and the need for resolving reflective calls under IIEs. We present Ripple, the first IIE‐aware static reflection analysis for Android apps that resolves reflective calls more soundly than string inference. Validation with 17 popular Android apps from Google Play demonstrates the effectiveness of Ripple in discovering reflective targets with a low false positive rate (due to its trade‐off made among soundness, precision, and scalability). As a result, Ripple enables FlowDroid, a taint analysis for Android apps, to find hundreds of sensitive data leakages that would otherwise be missed. As a fundamental analysis, Ripple will be valuable for many security analysis clients, since more program behaviors can now be analyzed under IIEs.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Section: Reflection-related Security Issuesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Ripple: Reflection analysis for Android apps in incomplete information environments

Zhang

Tan

et al. 2018

Softw Pract Exp

View full text Add to dashboard Cite

show abstract

“…In order to investigate the presence of malicious and undesirable apps in our dataset, we uploaded all the apps to VirusTotal [31], an online analysis service that aggregates more than 60 anti-virus engines, which is widely adopted by the research community. Previous studies [40,96] have suggested that some anti-virus engines may not always report reliable results. In order to deal with such potential false positives, we analyzed the results grouped by how many engines (AV-rank) flag a sample as malware.…”

Section: Malware Prevalencementioning

confidence: 98%

Beyond Google Play

Wang

Liu

Liang

et al. 2018

Proceedings of the Internet Measurement Conference 2018

View full text Add to dashboard Cite

China is one of the largest Android markets in the world. As Chinese users cannot access Google Play to buy and install Android apps, a number of independent app stores have emerged and compete in the Chinese app market. Some of the Chinese app stores are pre-installed vendor-specific app markets (e.g., Huawei, Xiaomi and OPPO), whereas others are maintained by large tech companies (e.g., Baidu, Qihoo 360 and Tencent). The nature of these app stores and the content available through them vary greatly, including their trustworthiness and security guarantees.As of today, the research community has not studied the Chinese Android ecosystem in depth. To fill this gap, we present the first large-scale comparative study that covers more than 6 million Android apps downloaded from 16 Chinese app markets and Google Play. We focus our study on catalog similarity across app stores, their features, publishing dynamics, and the prevalence of various forms of misbehavior (including the presence of fake, cloned and malicious apps). Our findings also suggest heterogeneous developer behavior across app stores, in terms of code maintenance, use of third-party services, and so forth. Overall, Chinese app markets perform substantially worse when taking active measures to protect mobile users and legit developers from deceptive and abusive actors, showing a significantly higher prevalence of malware, fake, and cloned apps than Google Play. CCS CONCEPTS• Information systems → Web mining; • Security and privacy → Mobile and wireless security; • Networks → Mobile networks;

show abstract

Detection of malware applications from centrality measures of syscall graph

Surendran¹,

Thomas²

2022

Concurrency and Computation

View full text Add to dashboard Cite

These days it is found that malware authors tend to create new variants of existing Android malware by using various kinds of obfuscation techniques. These kinds of obfuscated malware applications can bypass all the current antimalware products which rely on static analysis techniques to detect the malicious behavior. Hence, it is essential to develop innovative dynamic analysis mechanisms for Android malware detection. It is known that, the malicious behavior of statically obfuscated malware applications can get reflected in the system call (syscall) trace generated by them. Most of the existing syscall based mechanisms depend only on the features derived from the syscall counts for malware detection. These syscall count related features are inadequate to capture many other useful characteristics related to the syscalls in a sequence.In order to overcome this limitation, we modeled the syscall trace of an application as an ordered graph which enabled to infer various kinds of features in the form of centrality measures related to that syscall trace of the application. Then, these centrality measures are fed to an ML model to predict the malicious behavior. From the implementation results, we found that our mechanism can detect malware apps with an accuracy of 0.99.

show abstract

Deep Ground Truth Analysis of Current Android Malware

Cited by 310 publications

References 13 publications

Ripple: Reflection analysis for Android apps in incomplete information environments

Ripple: Reflection analysis for Android apps in incomplete information environments

Beyond Google Play

Detection of malware applications from centrality measures of syscall graph

Contact Info

Product

Resources

About