DroidNative: Automating and optimizing detection of Android native code malware variants

Alam, Shahid; Qu, Zhengyang; Riley, Ryan; Chen, Yan; Rastogi, Vaibhav

doi:10.1016/j.cose.2016.11.011

Cited by 95 publications

(71 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is the case of APIs that load dynamic code, use reflection or use of cryptography. These are specially relevant to malware detection as they enable the execution of dynamic code [34] and allow the deobfuscation of encrypted code [3]: i) JAVA NATIVE: This API category captures libraries that are used to bridge the Java runtime environment with the Android native environment. The most relevant API in this category is java.lang.System.loadLibrary(), which can load ELF executables prior to their interaction through the Java Native Interface (JNI).…”

Section: A Behaviorsmentioning

confidence: 99%

See 1 more Smart Citation

Eight Years of Rider Measurement in the Android Malware Ecosystem

Suárez-Tangil

Stringhini

2022

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Despite the growing threat posed by Android malware, the research community is still lacking a comprehensive view of common behaviors and trends exposed by malware families active on the platform. Without such view, the researchers incur the risk of developing systems that only detect outdated threats, missing the most recent ones. In this paper, we conduct the largest measurement of Android malware behavior to date, analyzing over 1.2 million malware samples that belong to 1.2K families over a period of eight years (from 2010 to 2017). We aim at understanding how the behavior of Android malware has evolved over time, focusing on repackaging malware. In this type of threats different innocuous apps are piggybacked with a malicious payload (rider), allowing inexpensive malware manufacturing.One of the main challenges posed when studying repackaged malware is slicing the app to split benign components apart from the malicious ones. To address this problem, we use differential analysis to isolate software components that are irrelevant to the campaign and study the behavior of malicious riders alone. Our analysis framework relies on collective repositories and recent advances on the systematization of intelligence extracted from multiple anti-virus vendors. We find that since its infancy in 2010, the Android malware ecosystem has changed significantly, both in the type of malicious activity performed by the malicious samples and in the level of obfuscation used by malware to avoid detection. We then show that our framework can aid analysts who attempt to study unknown malware families. Finally, we discuss what our findings mean for Android malware detection research, highlighting areas that need further attention by the research community.

show abstract

Section: A Behaviorsmentioning

confidence: 99%

“…We refer the reader to Appendix A 2 Other Dalvik executables and APKs embedded into the main app (see Section II-B). 3 Such as the busybox toolbox. for an illustrative example of the type of text executables embedded within the resources of an app.…”

Section: B Text Executablesmentioning

confidence: 99%

Eight Years of Rider Measurement in the Android Malware Ecosystem

Suárez-Tangil

Stringhini

2022

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

show abstract

“…In [84], the same concept of control flow graph was used to build API calls' graphs and construct semantic signatures to detect unknown malware variants. Also, in [85], the control flow graphs have been built based on native code for constructing semantic signatures that can be used to detect malicious behaviour in both bytecode or native code. • Data dependency graph DDG is a common program analysis structure which represents inter-procedural flows of data through a program [86].…”

Section: Semantic Featuresmentioning

confidence: 99%

“…In [105], a Program Dependence Graphs (PDG) has been used to construct semantic code-based signatures to detect the code similarity between apps. Also, in [85], semantic-based signatures have been generated based on the Annotated Control Flow Graph (ACFG) to detect suspicious behaviour in app's native code. The analysed applications have been broken up into a set of ACFGs to construct its signature, and if the constructed signature matches a malware pattern within a given threshold, the app is labelled as malware.…”

Section: Detection Phasementioning

confidence: 99%

The Android malware detection systems between hope and reality

2019

View full text Add to dashboard Cite

The widespread use of Android-based smartphones made it an important target for malicious applications' developers. So, a large number of frameworks have been proposed to tackle the huge number of daily published malwares. Despite there are many review papers that have been conducted in order to shed light on the works that achieved in Android malware analysing domain, the number of conducted review papers do not fit with the importance of this research field and with the volume of achieved works. Also, there is no comprehensive taxonomy for all research trends in the field of analysing malicious applications targeting the Android system. Furthermore, none of the existing review papers contains a schematic model that makes it easy for the reader to know the methods and methodologies used in a particular field of research without much effort. This paper aims at proposing a comprehensive taxonomy and suggesting a new schematic review approach. To this end, a review of a large number of works that achieved between 2009 and 2019 has been conducted. The achieved study includes more than 200 papers that have different goals such as apps' behaviour analysis, automatic user interface triggers or packer/unpacker frameworks development. Also, a comprehensive taxonomy has been proposed so that most of the previous works can be classified under it. To the best of our knowledge, the suggested taxonomy is the widest and the most comprehensive in terms of the covered research trends. Moreover, we have proposed a detailed schematic model (called Schematic Review Model) illustrates the process of detecting the malignant applications of an Android in the light of the studied works and the proposed taxonomy. To our knowledge, this is the first time that the Android malware detection methods have been explained in this way with this amount of detail. Furthermore, the studied researches have been analysed according to multiple criteria such as used analysing method, used features, used detection method, and used dataset. Also, the features used in the studied works were discussed in detail by dividing it into multiple classes. Moreover, the challenges facing Android's malware analysing methods were discussed in detail. Finally, it has been concluded that there are gaps between the size and the goal of the conducted works and the number of malicious apps published every day, so some future works areas have been proposed and discussed.

show abstract

“…Recent work suggested that native code had been widely used [21,22,47] in Android apps, which severely complicates the process of static analysis. As Java bytecode can be easily decompiled, malware developers usually hide the malicious payload and core functionalities in the native code to evade detection [6,7,18,21].…”

Section: Introductionmentioning

confidence: 99%

Deobfuscating Android Native Binary Code

Kan

Wang

et al. 2019

2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion)

View full text Add to dashboard Cite

With the popularity of Android apps, different techniques have been proposed to enhance app protection. As an effective approach to prevent reverse engineering, obfuscation can be used to serve both benign and malicious purposes. In recent years, more and more sensitive logic or data have been implemented as obfuscated native code because of the limitations of Java bytecode. As a result, native code obfuscation becomes a great obstacle for security analysis to understand the complicated logic. In this paper, we propose DiANa, an automated system to facilitate the deobfuscation of native binary code in Android apps. Specifically, given a binary obfuscated by Obfuscator-LLVM (the most popular native code obfuscator), DiANa is capable of recovering the original Control Flow Graph. To the best of our knowledge, DiANa is the first system that aims to tackle the problem of Android native binary deobfuscation. We have applied DiANa in different scenarios, and the experimental results demonstrate the effectiveness of DiANa based on generic similarity comparison metrics.

show abstract

DroidNative: Automating and optimizing detection of Android native code malware variants

Cited by 95 publications

References 34 publications

Eight Years of Rider Measurement in the Android Malware Ecosystem

Eight Years of Rider Measurement in the Android Malware Ecosystem

The Android malware detection systems between hope and reality

Deobfuscating Android Native Binary Code

Contact Info

Product

Resources

About