260 research outputs found
Eight years of rider measurement in the Android malware ecosystem: evolution and lessons learned
Despite the growing threat posed by Android malware,
the research community is still lacking a comprehensive
view of common behaviors and trends exposed by malware families
active on the platform. Without such view, the researchers
incur the risk of developing systems that only detect outdated
threats, missing the most recent ones. In this paper, we conduct
the largest measurement of Android malware behavior to date,
analyzing over 1.2 million malware samples that belong to 1.2K
families over a period of eight years (from 2010 to 2017). We
aim at understanding how the behavior of Android malware
has evolved over time, focusing on repackaging malware. In
this type of threats different innocuous apps are piggybacked
with a malicious payload (rider), allowing inexpensive malware
manufacturing.
One of the main challenges posed when studying repackaged
malware is slicing the app to split benign components apart from
the malicious ones. To address this problem, we use differential
analysis to isolate software components that are irrelevant to the
campaign and study the behavior of malicious riders alone. Our
analysis framework relies on collective repositories and recent
advances on the systematization of intelligence extracted from
multiple anti-virus vendors. We find that since its infancy in
2010, the Android malware ecosystem has changed significantly,
both in the type of malicious activity performed by the malicious
samples and in the level of obfuscation used by malware to avoid
detection. We then show that our framework can aid analysts
who attempt to study unknown malware families. Finally, we
discuss what our findings mean for Android malware detection
research, highlighting areas that need further attention by the
research community.Accepted manuscrip
Understanding Android Obfuscation Techniques: A Large-Scale Investigation in the Wild
In this paper, we seek to better understand Android obfuscation and depict a
holistic view of the usage of obfuscation through a large-scale investigation
in the wild. In particular, we focus on four popular obfuscation approaches:
identifier renaming, string encryption, Java reflection, and packing. To obtain
the meaningful statistical results, we designed efficient and lightweight
detection models for each obfuscation technique and applied them to our massive
APK datasets (collected from Google Play, multiple third-party markets, and
malware databases). We have learned several interesting facts from the result.
For example, malware authors use string encryption more frequently, and more
apps on third-party markets than Google Play are packed. We are also interested
in the explanation of each finding. Therefore we carry out in-depth code
analysis on some Android apps after sampling. We believe our study will help
developers select the most suitable obfuscation approach, and in the meantime
help researchers improve code analysis systems in the right direction
Detecting Repackaged Android Applications Using Perceptual Hashing
The last decade has shown a steady rate of Android device dominance in market share and the emergence of hundreds of thousands of apps available to the public. Because of the ease of reverse engineering Android applications, repackaged malicious apps that clone existing code have become a severe problem in the marketplace. This research proposes a novel repackaged detection system based on perceptual hashes of vetted Android apps and their associated dynamic user interface (UI) behavior. Results show that an average hash approach produces 88% accuracy (indicating low false negative and false positive rates) in a sample set of 4878 Android apps, including 2151 repackaged apps. The approach is the first dynamic method proposed in the research community using image-based hashing techniques with reasonable performance to other known dynamic approaches and the possibility for practical implementation at scale for new applications entering the Android market
Is Your Smartphone Really Safe? A Wake-up Call on Android Antivirus Software Effectiveness
A decade ago, researchers raised severe concerns about Android smartphones’ security by extensively assessing and recognising the limitations of Android antivirus software. Considering the significant increase in the economic role of smartphones in recent years, we would expect that security measures are significantly improved by now. To test this assumption, we conducted a relatively extensive study to evaluate the effectiveness of off-the-shelf antivirus software in detecting malicious applications injected into legitimate Android applications.
We specifically repackaged seven widely used Android applications with 100 obfuscated malware instances. We submitted the 700 samples to the VirusTotal web portal, testing the effectiveness of the over 70 free and commercial antiviruses available in detecting them.
For the obfuscation part, we intentionally employed publicly available tools that could be used by “just” a tech-savvy adversary. We used a combination of well-known and novel (but still simple) obfuscation techniques. Surprisingly (or perhaps unsurprisingly?), our findings indicate that almost 76% of the samples went utterly undetected. Even when our samples were detected, this occurred for a handful (never more than 4) of Android antivirus software available on VirusTotal. This lack of awareness of the effectiveness of Android antivirus is critical because the false sense of security given by antivirus software could prompt users to install applications from untrusted sources, allowing attackers to install a persistent threat within another application easily
DroidSieve:Fast and Accurate Classification of Obfuscated Android Malware
With more than two million applications, Android marketplaces require automatic and scalable methods to efficiently vet apps for the absence of malicious threats. Recent techniques have successfully relied on the extraction of lightweight syntactic features suitable for machine learning classification, but despite their promising results, the very nature of such features suggest they would unlikely-on their own-be suitable for detecting obfuscated Android malware. To address this challenge, we propose DroidSieve, an Android malware classifier based on static analysis that is fast, accurate, and resilient to obfuscation. For a given app, DroidSieve first decides whether the app is malicious and, if so, classifies it as belonging to a family of related malware. DroidSieve exploits obfuscation-invariant features and artifacts introduced by obfuscation mechanisms used in malware. At the same time, these purely static features are designed for processing at scale and can be extracted quickly. For malware detection, we achieve up to 99.82% accuracy with zero false positives; for family identification of obfuscated malware, we achieve 99.26% accuracy at a fraction of the computational cost of state-of-The-Art techniques
A fog computing solution for context-based privacy leakage detection for android healthcare devices
Intelligent medical service system integrates wireless internet of things (WIoT), including medical sensors, wireless communications, and middleware techniques, so as to collect and analyze patients' data to examine their physical conditions by many personal health devices (PHDs) in real time. However, large amount of malicious codes on the Android system can compromise consumers' privacy, and further threat the hospital management or even the patients' health. Furthermore, this sensor-rich system keeps generating large amounts of data and saturates the middleware system. To address these challenges, we propose a fog computing security and privacy protection solution. Specifically, first, we design the security and privacy protection framework based on the fog computing to improve tele-health and tele-medicine infrastructure. Then, we propose a context-based privacy leakage detection method based on the combination of dynamic and static information. Experimental results show that the proposed method can achieve higher detection accuracy and lower energy consumption compared with other state-of-art methods.This work was supported by the National Natural Science Foundation of China (General Program) under Grant No.61572253, the 13th Five-Year Plan Equipment Pre-Research Projects Fund under Grant No.61402420101HK02001, and the Aviation Science Fund under Grant No. 2016ZC52030
- …