DyDroid: Measuring Dynamic Code Loading and Its Security Implications in Android Applications

Qu, Zhengyang; Alam, Shahid; Chen, Yan; Zhou, Xiaoyong; Hong, Wangjun; Riley, Ryan

doi:10.1109/dsn.2017.14

Cited by 25 publications

(15 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, as to be evaluated in Sec. III-C3, our crowdsourcing is much more effective in terms of port discovery than typical Android static analysis, which cannot handle dynamic code loading [65], [67], complex implicit flows [43], [66], and advanced code obfuscation [46], [78].…”

Section: Discovery Via Crowdsourcingmentioning

confidence: 99%

“…In particular, 25.1% of them use dynamic code loading [65] or advanced code obfuscation [78]. They are therefore not possibly detected by a pure static analysis [46], [67]. This indicates that crowdsourcing is much more effective than Android static analysis in the context of open port discovery.…”

Section: ) Open Ports In Popular Appsmentioning

confidence: 99%

“…They identified potential open ports in 6.8% of the top 24,000 Android apps, among which around 400 apps were likely vulnerable and 57 were manually confirmed. Nevertheless, OPAnalyzer still suffers from the inherent limitation of static analysis (i.e., the code detected might not execute) and the incapability of typical Android static analysis to handle dynamic code loading [65], [67], complex implicit flows [43], [66], and advanced code obfuscation [46], [78]. Moreover, the focus of OPAnalyzer is about detecting permission-misuserelated vulnerabilities in TCP open ports (via pre-selected sink APIs), while the entire picture of open ports in the Android ecosystem is still largely unexplored.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Wu¹,

Gao²,

Chang³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Open TCP/UDP ports are traditionally used by servers to provide application services, but they are also found in many Android apps. In this paper, we present the first openport analysis pipeline, covering the discovery, diagnosis, and security assessment, to systematically understand open ports in Android apps and their threats. We design and deploy a novel ondevice crowdsourcing app and its server-side analytic engine to continuously monitor open ports in the wild. Over a period of ten months, we have collected over 40 million port monitoring records from 3,293 users in 136 countries worldwide, which allow us to observe the actual execution of open ports in 925 popular apps and 725 built-in system apps. The crowdsourcing also provides us a more accurate view of the pervasiveness of open ports in Android apps at 15.3%, much higher than the previous estimation of 6.8%. We also develop a new static diagnostic tool to reveal that 61.8% of the open-port apps are solely due to embedded SDKs, and 20.7% suffer from insecure API usages. Finally, we perform three security assessments of open ports: (i) vulnerability analysis revealing five vulnerability patterns in open ports of popular apps, e.g., Instagram, Samsung Gear, Skype, and the widely-embedded Facebook SDK, (ii) inter-device connectivity measurement in 224 cellular networks and 2,181 WiFi networks through crowdsourced network scans, and (iii) experimental demonstration of effective denial-of-service attacks against mobile open ports.

show abstract

Section: Discovery Via Crowdsourcingmentioning

confidence: 99%

Section: ) Open Ports In Popular Appsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Wu¹,

Gao²,

Chang³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Because ClickScanner cannot fetch the content of the code, it is impossible to know whether this code is used to perform click fraud. Hence, one future direction of this research is to support context-based static analysis to infer the purpose of the loaded code or instruction and analyze the dynamically loaded code using tools like DyDroid [37]. Limitation 2: Other types of ad views.…”

Section: Case 3 Humanoid Attack Through Infected Ad Sdksmentioning

confidence: 99%

Dissecting Click Fraud Autonomy in the Wild

Zhu

Meng

et al. 2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Although the use of pay-per-click mechanisms stimulates the prosperity of the mobile advertisement network, fraudulent ad clicks result in huge financial losses for advertisers. Extensive studies identify click fraud according to click/traffic patterns based on dynamic analysis. However, in this study, we identify a novel click fraud, named humanoid attack, which can circumvent existing detection schemes by generating fraudulent clicks with similar patterns to normal clicks. We implement the first tool ClickScanner to detect humanoid attacks on Android apps based on static analysis and variational AutoEncoders (VAEs) with limited knowledge of fraudulent examples. We define novel features to characterize the patterns of humanoid attacks in the apps' bytecode level. ClickScanner builds a data dependency graph (DDG) based on static analysis to extract these key features and form a feature vector. We then propose a classification model only trained on benign datasets to overcome the limited knowledge of humanoid attacks.We leverage ClickScanner to conduct the first large-scale measurement on app markets (i.e., 120,000 apps from Google Play and Huawei AppGallery) and reveal several unprecedented phenomena. First, even for the top-rated 20,000 apps, ClickScanner still identifies 157 apps as fraudulent, which shows the prevalence of humanoid attacks. Second, it is observed that the ad SDK-based attack (i.e., the fraudulent codes are in the third-party ad SDKs) is now a dominant attack approach. Third, the manner of attack is notably different across apps of various categories and popularities. Finally, we notice there are several existing variants of the humanoid attack. Additionally, our measurements demonstrate the proposed ClickScanner is accurate and time-efficient (i.e., the detection overhead is only 15.35% of those of existing schemes).

show abstract

“…Dynamic loading: Android supports applications to load additional binaries at run time by dynamic loading. In order to evade static detection, malicious application developers separate the core functionality of the application into independent libraries and load them dynamically [27]. erefore, malicious applications always employ dynamic loading to hide malicious behavior.…”

Section: The Features Of Malicious Applicationsmentioning

confidence: 99%

Android Malware Detection Using Fine-Grained Features

Mao

Guan

et al. 2020

Scientific Programming

View full text Add to dashboard Cite

Nowadays, Android applications declare as many permissions as possible to provide more function for the users, which also poses severe security threat to them. Although many Android malware detection methods based on permissions have been developed, they are ineffective when malicious applications declare few dangerous permissions or when the dangerous permissions declared by malicious applications are similar with those declared by benign applications. This limitation is attributed to the use of too few information for classification. We propose a new method named fine-grained dangerous permission (FDP) method for detecting Android malicious applications, which gathers features that better represent the difference between malicious applications and benign applications. Among these features, the fine-grained feature of dangerous permissions applied in components is proposed for the first time. We evaluate 1700 benign applications and 1600 malicious applications and demonstrate that FDP achieves a TP rate of 94.5%. Furthermore, compared with other related detection approaches, FDP can detect more malware families and only requires 15.205 s to analyze one application on average, which demonstrates its applicability for practical implementation.

show abstract

DyDroid: Measuring Dynamic Code Loading and Its Security Implications in Android Applications

Cited by 25 publications

References 27 publications

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Dissecting Click Fraud Autonomy in the Wild

Android Malware Detection Using Fine-Grained Features

Contact Info

Product

Resources

About