AndroDialysis: Analysis of Android Intent Effectiveness in Malware Detection

© 2016 Elsevier Ltd The wide popularity of Android systems has been accompanied by increase in the number of malware targeting these systems. This is largely due to the open nature of the Android framework that facilitates the incorporation of third-party applications running on top of any Android device. Inter-process communication is one of the most notable features of the Android framework as it allows the reuse of components across process boundaries. This mechanism is used as gateway to access different sensitive services in the Android framework. In the Android platform, this communication system is usually driven by a late runtime binding messaging object known as Intent. In this paper, we evaluate the effectiveness of Android Intents (explicit and implicit) as a distinguishing feature for identifying malicious applications. We show that Intents are semantically rich features that are able to encode the intentions of malware when compared to other well-studied features such as permissions. We also argue that this type of feature is not the ultimate solution. It should be used in conjunction with other known features. We conducted experiments using a dataset containing 7406 applications that comprise 1846 clean and 5560 infected applications. The results show detection rate of 91% using Android Intent against 83% using Android permission. Additionally, experiment on combination of both features results in detection rate of 95.5%

The influence of mobile ad fraud on intercompany relationships : the case of Hang My Ads

Mestrado em MarketingDesde o seu início, a indústria da publicidade mobile tem vindo a enfrentar problemas de fraude associados a grandes perdas financeiras e danos na forma como as empresas se relacionam. O presente estudo explora os efeitos dos problemas de fraude nas relações entre empresas da indústria; abordando o ecosistema da publicidade das aplicações mobile, o contexto focal da Hang My Ads e os processos de adaptação necessários para lidar com os efeitos da fraude. O ecosistema da publicidade de aplicações mobile revela organizar-se em advertisers, intermediários, publishers e empresas de tecnologia, e é marcado por desafios como a fraude, a falta de transparência e a falta de regulamentação. Advertisers e publishers parecem adaptar-se de formas semelhantes, embora diferenças sejam detetadas nos processos de planeamento e agendamento do serviço, produção, e ?outro? ? onde advertisers adaptam mais e investem mais recursos; mas também ao nível de estrutura organizacional ? onde as adaptações parecem estar relacionadas com a dimensão da empresa. Além disto, a investigação confirma a ocorrência de adaptações ao nível da díade, que se propagam para a rede de empresas mais alargada. Além de perdas financeiras e baixo ROI, a realocação de orçamentos de acordo com a competência do publisher para lidar com fraude é confirmada; o estudo revela ainda como efeitos da fraude danos aos níveis da experiência do utilizador, da reputação da indústria e da eficiência das empresas. Um esquema visual do mapeamento do ecosistema e um modelo de análise modificado são propostos.Since its emergence, the mobile advertising industry has been struggling with fraud issues that cause great financial losses and damage how companies relate to one another. The present study exlores the effects of fraud issues taking place in the mobile advertising industry on intercompany relationships; particularly, it looks at the mobile app advertising ecosystem, the focal context of Hang My Ads and the adaptation processes undertaken by advertisers and publishers to tackle the effects of fraud. The mobile app advertising ecosystem is found to be organized in advertisers, intermediates, publishers and technology companies, and characterized by marking challenges such as fraud, lack of transparency and lack of regulation. Advertisers and publishers seem to adapt in similar ways to one another, but differences are found at the processes of service planning and scheduling, production, and "other" - where advertisers adapt more and seem to invest more resources; and at the level of organization structure - where adaptations appear to be related with company size. Furthermore, the case confirms the occurrence of adaptations taking place in the dyad and propagating to the broader network. In addition to financial losses and poor ROI, the reallocation of budgets according to a publisher's competence to handle fraud is confirmed; moreover, it is found that damages at the levels of user experience, industry's reputation and companies' efficiency are caused by fraud. A visual scheme of the ecosystem's mapping and a modified framework of analysis are proposed.info:eu-repo/semantics/publishedVersio

Remedying Security Concerns at an Internet Scale

The state of security across the Internet is poor, and it has been so since the advent of the modern Internet. While the research community has made tremendous progress over the years in learning how to design and build secure computer systems, network protocols, and algorithms, we are far from a world where we can truly trust the security of deployed Internet systems. In reality, we may never reach such a world. Security concerns continue to be identified at scale through-out the software ecosystem, with thousands of vulnerabilities discovered each year. Meanwhile, attacks have become ever more frequent and consequential.As Internet systems will continue to be inevitably affected by newly found security concerns, the research community must develop more effective ways to remedy these issues. To that end, in this dissertation, we conduct extensive empirical measurements to understand how remediation occurs in practice for Internet systems, and explore methods for spurring improved remediation behavior. This dissertation provides a treatment of the complete remediation life cycle, investigating the creation, dissemination, and deployment of remedies. We start by focusing on security patches that address vulnerabilities, and analyze at scale their creation process, characteristics of the resulting fixes, and how these impact vulnerability remediation. We then investigate and systematize how administrators of Internet systems deploy software updates which patch vulnerabilities across the many machines they manage on behalf of organizations. Finally, we conduct the first systematic exploration of Internet-scale outreach efforts to disseminate information about security concerns and their remedies to system administrators, with an aim of driving their remediation decisions. Our results show that such outreach campaigns can effectively galvanize positive reactions.Improving remediation, particularly at scale, is challenging, as the problem space exhibits many dimensions beyond traditional computer technical considerations, including human, social, organizational, economic, and policy facets. To make meaningful progress, this work uses a diversity of empirical methods, from software data mining to user studies to Internet-wide network measurements, to systematically collect and evaluate large-scale datasets. Ultimately, this dissertation establishes broad empirical grounding on security remediation in practice today, as well as new approaches for improved remediation at an Internet scale

The Dilemma of Security Smells and How to Escape It

A single mobile app can now be more complex than entire operating systems ten years ago, thus security becomes a major concern for mobile apps. Unfortunately, previous studies focused rather on particular aspects of mobile application security and did not provide a holistic overview of security issues. Therefore, they could not accurately understand the fundamental flaws to propose effective solutions to common security problems. In order to understand these fundamental flaws, we followed a hybrid strategy, i.e., we collected reported issues from existing work, and we actively identified security-related code patterns that violate best practices in software development. We further introduced the term ``security smell,'' i.e., a security issue that could potentially lead to a vulnerability. As a result, we were able to establish comprehensive security smell catalogues for Android apps and related components, i.e., inter-component communication, web communication, app servers, and HTTP clients. Furthermore, we could identify a dilemma of security smells, because most security smells require unique fixes that increase the code complexity, which in return increases the risk of introducing more security smells. With this knowledge, we investigate the interaction of our security smells with the 192 Mitre CAPEC attack mechanism categories of which the majority could be mitigated with just a few additional security measures. These measures, a String class with behavior and the more thorough use of secure default values and paradigms, would simplify the application logic and at the same time largely increase security if implemented appropriately. We conclude that application security has to focus on the String class, which has not largely changed over the last years, and secure default values and paradigms since they are the smallest common denominator for a strong foundation to build resilient applications. Moreover, we provide an initial implementation for a String class with behavior, however the further exploration remains future work. Finally, the term ``security smell'' is now widely used in academia and eases the communication among security researchers

The Viability and Potential Consequences of IoT-Based Ransomware

With the increased threat of ransomware and the substantial growth of the Internet of Things (IoT) market, there is significant motivation for attackers to carry out IoT-based ransomware campaigns. In this thesis, the viability of such malware is tested. As part of this work, various techniques that could be used by ransomware developers to attack commercial IoT devices were explored. First, methods that attackers could use to communicate with the victim were examined, such that a ransom note was able to be reliably sent to a victim. Next, the viability of using "bricking" as a method of ransom was evaluated, such that devices could be remotely disabled unless the victim makes a payment to the attacker. Research was then performed to ascertain whether it was possible to remotely gain persistence on IoT devices, which would improve the efficacy of existing ransomware methods, and provide opportunities for more advanced ransomware to be created. Finally, after successfully identifying a number of persistence techniques, the viability of privacy-invasion based ransomware was analysed. For each assessed technique, proofs of concept were developed. A range of devices -- with various intended purposes, such as routers, cameras and phones -- were used to test the viability of these proofs of concept. To test communication hijacking, devices' "channels of communication" -- such as web services and embedded screens -- were identified, then hijacked to display custom ransom notes. During the analysis of bricking-based ransomware, a working proof of concept was created, which was then able to remotely brick five IoT devices. After analysing the storage design of an assortment of IoT devices, six different persistence techniques were identified, which were then successfully tested on four devices, such that malicious filesystem modifications would be retained after the device was rebooted. When researching privacy-invasion based ransomware, several methods were created to extract information from data sources that can be commonly found on IoT devices, such as nearby WiFi signals, images from cameras, or audio from microphones. These were successfully implemented in a test environment such that ransomable data could be extracted, processed, and stored for later use to blackmail the victim. Overall, IoT-based ransomware has not only been shown to be viable but also highly damaging to both IoT devices and their users. While the use of IoT-ransomware is still very uncommon "in the wild", the techniques demonstrated within this work highlight an urgent need to improve the security of IoT devices to avoid the risk of IoT-based ransomware causing havoc in our society. Finally, during the development of these proofs of concept, a number of potential countermeasures were identified, which can be used to limit the effectiveness of the attacking techniques discovered in this PhD research

The Dilemma of Security Smells and How to Escape It

A single mobile app can now be more complex than entire operating systems ten years ago, thus security becomes a major concern for mobile apps. Unfortunately, previous studies focused rather on particular aspects of mobile application security and did not provide a holistic overview of security issues. Therefore, they could not accurately understand the fundamental flaws to propose effective solutions to common security problems. In order to understand these fundamental flaws, we followed a hybrid strategy, i.e., we collected reported issues from existing work, and we actively identified security-related code patterns that violate best-practices in software development. Based on these findings, we compiled a list of security smells, i.e., security issues that could potentially lead to a vulnerability. As a result, we were able to establish comprehensive security smell catalogues for Android apps and related components, i.e., inter-component communication, web communication, app servers, and HTTP clients. Furthermore, we could identify a dilemma of security smells, because most security smells require unique fixes that increase the code complexity, which in return increases the risk of introducing more security smells. With this knowledge, we investigate the interaction of our security smells with the 192 Mitre CAPEC attack mechanism categories of which the majority could be mitigated with just a few additional security measures. These measures, a String class with behavior and the more thorough use of secure default values and paradigms, would simplify the application logic and at the same time largely increase security if implemented appropriately. We conclude that application security has to focus on the String class, which has not largely changed over the last years, and secure default values and paradigms since they are the smallest common denominator for a strong foundation to build resilient applications. Moreover, we provide an initial implementation for a String class with behavior, however the further exploration remains future work. Finally, the term "security smell" is now widely used in academia and eases the communication among security researchers

Towards Detecting Compromised Accounts on Social Networks

Compromising social network accounts has become a profitable course of action for cybercriminals. By hijacking control of a popular media or business account, attackers can distribute their malicious messages or disseminate fake information to a large user base. The impacts of these incidents range from a tarnished reputation to multi-billion dollar monetary losses on financial markets. In our previous work, we demonstrated how we can detect large-scale compromises (i.e., so-called campaigns) of regular online social network users. In this work, we show how we can use similar techniques to identify compromises of individual high-profile accounts. High-profile accounts frequently have one characteristic that makes this detection reliable -- they show consistent behavior over time. We show that our system, were it deployed, would have been able to detect and prevent three real-world attacks against popular companies and news agencies. Furthermore, our system, in contrast to popular media, would not have fallen for a staged compromise instigated by a US restaurant chain for publicity reasons

Studying JavaScript Security Through Static Analysis

Mit dem stetigen Wachstum des Internets wächst auch das Interesse von Angreifern. Ursprünglich sollte das Internet Menschen verbinden; gleichzeitig benutzen aber Angreifer diese Vernetzung, um Schadprogramme wirksam zu verbreiten. Insbesondere JavaScript ist zu einem beliebten Angriffsvektor geworden, da es Angreifer ermöglicht Bugs und weitere Sicherheitslücken auszunutzen, und somit die Sicherheit und Privatsphäre der Internetnutzern zu gefährden. In dieser Dissertation fokussieren wir uns auf die Erkennung solcher Bedrohungen, indem wir JavaScript Code statisch und effizient analysieren. Zunächst beschreiben wir unsere zwei Detektoren, welche Methoden des maschinellen Lernens mit statischen Features aus Syntax, Kontroll- und Datenflüssen kombinieren zur Erkennung bösartiger JavaScript Dateien. Wir evaluieren daraufhin die Verlässlichkeit solcher statischen Systeme, indem wir bösartige JavaScript Dokumente umschreiben, damit sie die syntaktische Struktur von bestehenden gutartigen Skripten reproduzieren. Zuletzt studieren wir die Sicherheit von Browser Extensions. Zu diesem Zweck modellieren wir Extensions mit einem Graph, welcher Kontroll-, Daten-, und Nachrichtenflüsse mit Pointer Analysen kombiniert, wodurch wir externe Flüsse aus und zu kritischen Extension-Funktionen erkennen können. Insgesamt wiesen wir 184 verwundbare Chrome Extensions nach, welche die Angreifer ausnutzen könnten, um beispielsweise beliebigen Code im Browser eines Opfers auszuführen.As the Internet keeps on growing, so does the interest of malicious actors. While the Internet has become widespread and popular to interconnect billions of people, this interconnectivity also simplifies the spread of malicious software. Specifically, JavaScript has become a popular attack vector, as it enables to stealthily exploit bugs and further vulnerabilities to compromise the security and privacy of Internet users. In this thesis, we approach these issues by proposing several systems to statically analyze real-world JavaScript code at scale. First, we focus on the detection of malicious JavaScript samples. To this end, we propose two learning-based pipelines, which leverage syntactic, control and data-flow based features to distinguish benign from malicious inputs. Subsequently, we evaluate the robustness of such static malicious JavaScript detectors in an adversarial setting. For this purpose, we introduce a generic camouflage attack, which consists in rewriting malicious samples to reproduce existing benign syntactic structures. Finally, we consider vulnerable browser extensions. In particular, we abstract an extension source code at a semantic level, including control, data, and message flows, and pointer analysis, to detect suspicious data flows from and toward an extension privileged context. Overall, we report on 184 Chrome extensions that attackers could exploit to, e.g., execute arbitrary code in a victim's browser

Understanding and assessing security on Android via static code analysis

Smart devices have become a rich source of sensitive information including personal data (contacts and account data) and context information like GPS data that is continuously aggregated by onboard sensors. As a consequence, mobile platforms have become a prime target for malicious and over-curious applications. The growing complexity and the quickly rising number of mobile apps have further reinforced the demand for comprehensive application security vetting. This dissertation presents a line of work that advances security testing on Android via static code analysis. In the first part of this dissertation, we build an analysis framework that statically models the complex runtime behavior of apps and Android’s application framework (on which apps are built upon) to extract privacy and security-relevant data-flows. We provide the first classification of Android’s protected resources within the framework and generate precise API-to-permission mappings that excel over prior work. We then propose a third-party library detector for apps that is resilient against common code obfuscations to measure the outdatedness of libraries in apps and to attribute vulnerabilities to the correct software component. Based on these results, we identify root causes of app developers not updating their dependencies and propose actionable items to remedy the current status quo. Finally, we measure to which extent libraries can be updated automatically without modifying the application code.Smart Devices haben sich zu Quellen persönlicher Daten (z.B. Kontaktdaten) und Kontextinformationen (z.B. GPS Daten), die kontinuierlich über Sensoren gesammelt werden, entwickelt. Aufgrund dessen sind mobile Platformen ein attraktives Ziel für Schadsoftware geworden. Die stetig steigende App Komplexität und Anzahl verfügbarer Apps haben zusätzlich ein Bedürfnis für gründliche Sicherheitsüberprüfungen von Applikationen geschaffen. Diese Dissertation präsentiert eine Reihe von Forschungsarbeiten, die Sicherheitsbewertungen auf Android durch statische Code Analyse ermöglicht. Zunächst wurde ein Analyseframework gebaut, dass das komplexe Laufzeitverhalten von Apps und Android’s Applikationsframework (dessen Funktionalität Apps nutzen) statisch modelliert, um sicherheitsrelevante Datenflüsse zu extrahieren. Zudem ermöglicht diese Arbeit eine Klassifizierung geschützter Framework Funktionalität und das Generieren präziser Mappings von APIs-auf-Berechtigungen. Eine Folgearbeit stellt eine obfuskierungs-resistente Technik zur Erkennung von Softwarekomponenten innerhalb der App vor, um die Aktualität der Komponenten und, im Falle von Sicherheitlücken, den Urheber zu identifizieren. Darauf aufbauend wurde Ursachenforschung betrieben, um herauszufinden wieso App Entwickler Komponenten nicht aktualisieren und wie man diese Situation verbessern könnte. Abschließend wurde untersucht bis zu welchem Grad man veraltete Komponenten innerhalb der App automatisch aktualisieren kann