Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation

Duan, Yue; Zhang, Mu; Bhaskar, Abhishek Vasisht; Yin, Heng; Pan, Xiaorui; Li, Tongxin; Wang, Xueqiang; Wang, Xiaofeng

doi:10.14722/ndss.2018.23296

Cited by 63 publications

(34 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, as to be evaluated in Sec. III-C3, our crowdsourcing is much more effective in terms of port discovery than typical Android static analysis, which cannot handle dynamic code loading [65], [67], complex implicit flows [43], [66], and advanced code obfuscation [46], [78].…”

Section: Discovery Via Crowdsourcingmentioning

confidence: 99%

“…They identified potential open ports in 6.8% of the top 24,000 Android apps, among which around 400 apps were likely vulnerable and 57 were manually confirmed. Nevertheless, OPAnalyzer still suffers from the inherent limitation of static analysis (i.e., the code detected might not execute) and the incapability of typical Android static analysis to handle dynamic code loading [65], [67], complex implicit flows [43], [66], and advanced code obfuscation [46], [78]. Moreover, the focus of OPAnalyzer is about detecting permission-misuserelated vulnerabilities in TCP open ports (via pre-selected sink APIs), while the entire picture of open ports in the Android ecosystem is still largely unexplored.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Wu¹,

Gao²,

Chang³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Open TCP/UDP ports are traditionally used by servers to provide application services, but they are also found in many Android apps. In this paper, we present the first openport analysis pipeline, covering the discovery, diagnosis, and security assessment, to systematically understand open ports in Android apps and their threats. We design and deploy a novel ondevice crowdsourcing app and its server-side analytic engine to continuously monitor open ports in the wild. Over a period of ten months, we have collected over 40 million port monitoring records from 3,293 users in 136 countries worldwide, which allow us to observe the actual execution of open ports in 925 popular apps and 725 built-in system apps. The crowdsourcing also provides us a more accurate view of the pervasiveness of open ports in Android apps at 15.3%, much higher than the previous estimation of 6.8%. We also develop a new static diagnostic tool to reveal that 61.8% of the open-port apps are solely due to embedded SDKs, and 20.7% suffer from insecure API usages. Finally, we perform three security assessments of open ports: (i) vulnerability analysis revealing five vulnerability patterns in open ports of popular apps, e.g., Instagram, Samsung Gear, Skype, and the widely-embedded Facebook SDK, (ii) inter-device connectivity measurement in 224 cellular networks and 2,181 WiFi networks through crowdsourced network scans, and (iii) experimental demonstration of effective denial-of-service attacks against mobile open ports.

show abstract

Section: Discovery Via Crowdsourcingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Wu¹,

Gao²,

Chang³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…These tools may operate at different levels, e.g., Java code level, Dex bytecode level and native code level. Native code level protection is much stronger than Java-level protection, thus state-of-the-art commercial packers utilize native code obfuscation to increase the complexity of reverse engineering [33]. As a side effect, Android malware also take advantage of native code obfuscation to evade detection.…”

Section: Android App Obfuscationmentioning

confidence: 99%

Deobfuscating Android Native Binary Code

Kan

Wang

et al. 2019

2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion)

View full text Add to dashboard Cite

With the popularity of Android apps, different techniques have been proposed to enhance app protection. As an effective approach to prevent reverse engineering, obfuscation can be used to serve both benign and malicious purposes. In recent years, more and more sensitive logic or data have been implemented as obfuscated native code because of the limitations of Java bytecode. As a result, native code obfuscation becomes a great obstacle for security analysis to understand the complicated logic. In this paper, we propose DiANa, an automated system to facilitate the deobfuscation of native binary code in Android apps. Specifically, given a binary obfuscated by Obfuscator-LLVM (the most popular native code obfuscator), DiANa is capable of recovering the original Control Flow Graph. To the best of our knowledge, DiANa is the first system that aims to tackle the problem of Android native binary deobfuscation. We have applied DiANa in different scenarios, and the experimental results demonstrate the effectiveness of DiANa based on generic similarity comparison metrics.

show abstract

“…Nevertheless, five years after Aafer et al's publication, the mentioned evasion techniques, reflection, native code, encryption, dynamic loading are widely used by malware. Even benign applications now use packers that use these techniques to protect their code [6].…”

Section: Designing An Experimentsmentioning

confidence: 99%

Android Malware Analysis: From Technical Difficulties to Scientific Challenges

Lalande

2019

Innovative Security Solutions for Information Technology and Communications

View full text Add to dashboard Cite

Ten years ago, Google released the first version of its new operating system: Android. With an open market for third party applications, attackers started to develop malicious applications. Researchers started new works too. Inspired by previous techniques for Windows or GNU/Linux malware, a lot of papers introduced new ways of detecting, classifying, defeating Android malware. In this paper, we propose to explore the technical difficulties of experimenting with Android malware. These difficulties are encountered by researchers, each time they want to publish a solid experiment validating their approach. How to choose malware samples? How to process a large amount of malware? What happens if the experiment needs to execute dynamically a sample? The end of the paper presents the upcoming scientific challenges of the community interested in malware analysis.

show abstract

Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation

Cited by 63 publications

References 20 publications

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Deobfuscating Android Native Binary Code

Android Malware Analysis: From Technical Difficulties to Scientific Challenges

Contact Info

Product

Resources

About