MoonlightBox: Mining Android API Histories for Uncovering Release-Time Inconsistencies

Li, Li; Bissyandé, Tegawendé F.; Klein, Jacques

doi:10.1109/issre.2018.00031

Cited by 23 publications

(14 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A more realistic setting would be to limit the testing samples to not include duplicated versions of the apps in the training set. An ideal approach could be to take app release time into consideration when preparing the training/testing set, e.g., testing apps are all released after the testing set, which is an ideal situation since the malware detector cannot learn from future samples, as suggested by Li et al [40]. Nevertheless, this is also not the main focus of this paper, we leave it as future work.…”

Section: Threats To Validitymentioning

confidence: 99%

On the Impact of Sample Duplication in Machine-Learning-Based Android Malware Detection

Zhao

Wang

et al. 2021

ACM Trans. Softw. Eng. Methodol.

Self Cite

View full text Add to dashboard Cite

Malware detection at scale in the Android realm is often carried out using machine learning techniques. State-of-the-art approaches such as DREBIN and MaMaDroid are reported to yield high detection rates when assessed against well-known datasets. Unfortunately, such datasets may include a large portion of duplicated samples, which may bias recorded experimental results and insights. In this article, we perform extensive experiments to measure the performance gap that occurs when datasets are de-duplicated. Our experimental results reveal that duplication in published datasets has a limited impact on supervised malware classification models. This observation contrasts with the finding of Allamanis on the general case of machine learning bias for big code. Our experiments, however, show that sample duplication more substantially affects unsupervised learning models (e.g., malware family clustering). Nevertheless, we argue that our fellow researchers and practitioners should always take sample duplication into consideration when performing machine-learning-based (via either supervised or unsupervised learning) Android malware detections, no matter how significant the impact might be.

show abstract

Section: Threats To Validitymentioning

confidence: 99%

On the Impact of Sample Duplication in Machine-Learning-Based Android Malware Detection

Zhao

Wang

et al. 2021

ACM Trans. Softw. Eng. Methodol.

Self Cite

View full text Add to dashboard Cite

show abstract

“…The release date we leveraged to select apps is based on the last modification date of the app, which, unfortunately, is known to be not reliable. Indeed, as shown in our previous work [43], according to the last modification date, some apps may access APIs that do not yet exist at that time i.e., such APIs are introduced posterior to the last modification date. Nonetheless, the time information is not critical to our approach, and hence we believe its impact on our results is limited.…”

Section: Discussion and Limitationsmentioning

confidence: 86%

Taming Reflection

Sun

Bissyandé

et al. 2021

ACM Trans. Softw. Eng. Methodol.

Self Cite

View full text Add to dashboard Cite

Android developers heavily use reflection in their apps for legitimate reasons. However, reflection is also significantly used for hiding malicious actions. Unfortunately, current state-of-the-art static analysis tools for Android are challenged by the presence of reflective calls, which they usually ignore. Thus, the results of their security analysis, e.g., for private data leaks, are incomplete, given the measures taken by malware writers to elude static detection. We propose a new instrumentation-based approach to address this issue in a non-invasive way. Specifically, we introduce to the community a prototype tool called DroidRA, which reduces the resolution of reflective calls to a composite constant propagation problem and then leverages the COAL solver to infer the values of reflection targets. After that, it automatically instruments the app to replace reflective calls with their corresponding Java calls in a traditional paradigm. Our approach augments an app so that it can be more effectively statically analyzable, including by such static analyzers that are not reflection-aware. We evaluate DroidRA on benchmark apps as well as on real-world apps, and we demonstrate that it can indeed infer the target values of reflective calls and subsequently allow state-of-the-art tools to provide more sound and complete analysis results.

show abstract

“…Furthermore, we leverage the app assembly time to build app lineages in this work. The app assembly time, as experimentally revealed by Li et al [40], may not be accurate to represent the app release time. Hence, the app lineages we leverage to study the evolution of DICI usages may not be reliable as well.…”

Section: Limitationsmentioning

confidence: 96%

Borrowing your enemy’s arrows: the case of code reuse in Android via direct inter-app code invocation

Gao

Kong

et al. 2020

Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

Self Cite

View full text Add to dashboard Cite

The Android ecosystem offers different facilities to enable communication among app components and across apps to ensure that rich services can be composed through functionality reuse. At the heart of this system is the Inter-component communication (ICC) scheme, which has been largely studied in the literature. Less known in the community is another powerful mechanism that allows for direct inter-app code invocation which opens up for different reuse scenarios, both legitimate or malicious. This paper exposes the general workflow for this mechanism, which beyond ICCs, enables app developers to access and invoke functionalities (either entire Java classes, methods or object fields) implemented in other apps using official Android APIs. We experimentally showcase how this reuse mechanism can be leveraged to łplagiarize" supposedly-protected functionalities. Typically, we were able to leverage this mechanism to bypass security guards that a popular video broadcaster has placed for preventing access to its video database from outside its provided app. We further contribute with a static analysis toolkit, named DICIDer, for detecting direct inter-app code invocations in apps. An empirical analysis of the usage prevalence of this reuse mechanism is then conducted. Finally, we discuss the usage contexts as well as the implications of this studied reuse mechanism. CCS CONCEPTS • Security and privacy → Software security engineering.

show abstract

MoonlightBox: Mining Android API Histories for Uncovering Release-Time Inconsistencies

Cited by 23 publications

References 34 publications

On the Impact of Sample Duplication in Machine-Learning-Based Android Malware Detection

On the Impact of Sample Duplication in Machine-Learning-Based Android Malware Detection

Taming Reflection

Borrowing your enemy’s arrows: the case of code reuse in Android via direct inter-app code invocation

Contact Info

Product

Resources

About