Effective Real-Time Android Application Auditing

Xia, Mingyuan; Gong, Li-Hua; Lyu, Yuanhao; Qi, Zhengwei; Li, Xue

doi:10.1109/sp.2015.60

Cited by 93 publications

(54 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many previous efforts were made to pursue in-depth analysis of application behaviors. Ded [22], DroidSIFT [41], CHEX [28], PEG [18], FlowDroid [15], DroidSafe [24] and AppAudit [38] practiced static dataflow analysis to identify specific code (e.g. malicious code or heavy computation code [20]) in Android apps.…”

Section: Question Set 4: Android Unpackersmentioning

confidence: 99%

Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation

Duan

Zhang

Bhaskar

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-The prevalent usage of runtime packers has complicated Android malware analysis, as both legitimate and malicious apps are leveraging packing mechanisms to protect themselves against reverse engineer. Although recent efforts have been made to analyze particular packing techniques, little has been done to study the unique characteristics of Android packers. In this paper, we report the first systematic study on mainstream Android packers, in an attempt to understand their security implications. For this purpose, we developed DROIDUNPACK, a whole-system emulation based Android packing analysis framework, which compared with existing tools, relies on intrinsic characteristics of Android runtime (rather than heuristics), and further enables virtual machine inspection to precisely recover hidden code and reveal packing behaviors. Running our tool on 6 major commercial packers, 93,910 Android malware samples and 3 existing state-of-the-art unpackers, we found that not only are commercial packing services abused to encrypt malicious or plagiarized contents, they themselves also introduce securitycritical vulnerabilities to the apps being packed. Our study further reveals the prevalence and rapid evolution of custom packers used by malware authors, which cannot be defended against using existing techniques, due to their design weaknesses.

show abstract

Section: Question Set 4: Android Unpackersmentioning

confidence: 99%

Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation

Duan

Zhang

Bhaskar

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…The work most closely related to IntelliDroid are hybrid static/dynamic analyses such as AppAudit [42], ContentScope [28], AppIntent [45], SmartDroid [48], SmvHunter [37] and Brahmastra [9]. The main difference between IntelliDroid and these systems is the level of fidelity of the injected inputs.…”

Section: Related Workmentioning

confidence: 99%

IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware

Wong¹,

Lie²

2016

Proceedings 2016 Network and Distributed System Security Symposium

151

View full text Add to dashboard Cite

Abstract-While dynamic malware analysis methods generally provide better precision than purely static methods, they have the key drawback that they can only detect malicious behavior if it is executed during analysis. This requires inputs that trigger the malicious behavior to be applied during execution. All current methods, such as hard-coded tests, random fuzzing and concolic testing, can provide good coverage but are inefficient because they are unaware of the specific capabilities of the dynamic analysis tool. In this work, we introduce IntelliDroid, a generic Android input generator that can be configured to produce inputs specific to a dynamic analysis tool, for the analysis of any Android application. Furthermore, IntelliDroid is capable of determining the precise order that the inputs must be injected, and injects them at what we call the device-framework interface such that system fidelity is preserved. This enables it to be paired with full-system dynamic analysis tools such as TaintDroid. Our experiments demonstrate that IntelliDroid requires an average of 72 inputs and only needs to execute an average of 5% of the application to detect malicious behavior. When evaluated on 75 instances of malicious behavior, IntelliDroid successfully identifies the behavior, extracts path constraints, and executes the malicious code in all but 5 cases. On average, IntelliDroid performs these tasks in 138.4 seconds per application.

show abstract

“…Current approaches involve static and dynamic analysis, used in combination. A recent paper [4] described how to combine the two, and presented impressive results. The students examined the work described in the paper, and especially the limitations.…”

Section: Agile Research In Academiamentioning

confidence: 99%

Agile Research for Cybersecurity: Creating Authoritative, Actionable Knowledge When Speed Matters

Linger

Goldrich

Bishop

et al. 2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

show abstract

Effective Real-Time Android Application Auditing

Cited by 93 publications

References 19 publications

Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation

Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation

IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware

Agile Research for Cybersecurity: Creating Authoritative, Actionable Knowledge When Speed Matters

Contact Info

Product

Resources

About