TriggerScope: Towards Detecting Logic Bombs in Android Applications

Fratantonio, Yanick; Bianchi, Antonio; Robertson, William; Kirda, Engin; Kruegel, Christopher; Vigna, Giovanni

doi:10.1109/sp.2016.30

Cited by 124 publications

(118 citation statements)

References 26 publications

Supporting

Mentioning

115

Contrasting

Unclassified

Order By: Relevance

“…In this example, it is obvious that the infected version of the application is subscribing to a notification service that will be triggered by the Android OS whenever the BOOT_COMPLETED event occurs. In addition, SMS_RECEIVED allows the subscriber to access all incoming SMS messages [14]. While the former action is used by the malware as a form of evasion, the latter is used to steal the Transaction Authorization Code (TAC) [15] [16].…”

Section: Introductionmentioning

confidence: 99%

AndroDialysis: Analysis of Android Intent Effectiveness in Malware Detection

Feizollah

Anuar

Salleh

et al. 2017

Computers & Security

203

View full text Add to dashboard Cite

The wide popularity of Android systems has been accompanied by increase in the number of malware targeting these systems. This is largely due to the open nature of the Android framework that facilitates the incorporation of third-party applications running on top of any Android device. Inter-process communication is one of the most notable features of the Android framework as it allows the reuse of components across process boundaries. This mechanism is used as gateway to access different sensitive services in the Android framework. In the Android platform, this communication system is usually driven by a late runtime binding messaging object known as Intent. In this paper, we evaluate the effectiveness of Android Intents (explicit and implicit) as a distinguishing feature for identifying malicious applications. We show that Intents are semantically rich features that are able to encode the intentions of malware when compared to other well-studied features such as permissions. We also argue that this type of feature is not the ultimate solution. It should be used in conjunction with other known features. We conducted experiments using a dataset containing 7,406 applications that comprise of 1,846 clean and 5,560 infected applications. The results show detection rate of 91% using Android Intent against 83% using Android permission. Additionally, experiment on combination of both features results in detection rate of 95.5%.

show abstract

Section: Introductionmentioning

confidence: 99%

AndroDialysis: Analysis of Android Intent Effectiveness in Malware Detection

Feizollah

Anuar

Salleh

et al. 2017

Computers & Security

203

View full text Add to dashboard Cite

show abstract

“…In past years, symbolic execution has made big progress. Several static approaches (such as Intellidroid [39] and TriggerScope [18]) were proposed to vet Android apps using symbolic execution. However, these static approaches may have both higher false positives and negatives in the context faced in this paper.…”

Section: Eoe Countermeasure Discussionmentioning

confidence: 99%

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

Yang

Huang

2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-Recently more and more Android apps integrate the embedded browser, known as "WebView", to render web pages and run JavaScript code without leaving these apps. WebView provides a powerful feature that allows event handlers defined in the native context (i.e., Java in Android) to handle web events that occur in WebView. However, as shown in prior work, this feature suffers from remote attacks, which we generalize as EventOriented Exploit (EOE) in this paper, such that adversaries may remotely access local critical functionalities through event handlers in WebView without any permission or authentication.In this paper, we propose a novel approach, EOEDroid, which can automatically vet event handlers in a given hybrid app using selective symbolic execution and static analysis. If a vulnerability is found, EOEDroid also automatically generates exploit code to help developers and analysts verify the vulnerability. To support exploit code generation, we also systematically study web events, event handlers and their trigger constraints.We evaluated our approach on 3,652 most popular apps. The result showed that our approach found 97 total vulnerabilities in 58 apps, including 2 cross-frame DOM manipulation, 53 phishing, 30 sensitive information leakage, 1 local resources access, and 11 Intent abuse vulnerabilities. We also found a potential backdoor in a high profile app that could be used to steal users' sensitive information, such as IMEI. Even though developers attempted to close it, EOEDroid found that adversaries were still able to exploit it by triggering two events together and feeding event handlers with well designed input.

show abstract

“…For defeating dynamic tools, malicious applications contain countermeasures for interacting and testing their environment: emulators can be detected because of the lack of hardware components or because emulation side-effects [14]; reconnaissance techniques can recognize known analysis tools; logic bombs may encapsulate the payload and prevent its execution [4]; malicious code may require that the user uses the graphical interface of the application. Thus, any fully automated experiment on a dataset may suffer from these countermeasures and there are little chances to observe the dynamic behavior of a malware sample at runtime.…”

Section: A Lessons Learned From Manual Investigationmentioning

confidence: 99%