
    Obfuscapk: An open-source black-box obfuscation tool for Android apps

    Obfuscapk is an open-source automatic obfuscation tool for Android apps that works in a black-box fashion (i.e., it does not need the app source code). Obfuscapk supports advanced obfuscation features and has a modular architecture that could be straightforwardly extended to support new obfuscation techniques. This paper introduces the architecture, the main obfuscation techniques implemented in Obfuscapk, as well as the basics of the Obfuscapk CLI. Finally, the paper discusses an actual use-case for Obfuscapk, and an empirical assessment of the reliability of the tool on a set of 1000 "most downloaded" APKs from the Google Play Store.

    State of the art using systematic mapping for Android malware analysis techniques

    Malware attacks targeting Android are a global problem; to prevent attacks on mobile devices, techniques have been proposed to study the various types of malicious programs. In this research, a state of the art was formulated through systematic mapping, in order to extract the most relevant journals and conferences from 2017 to 2021. The systematic literature review analyzed Android malware techniques in order to build a classification scheme and place them within the structure of static, dynamic and hybrid analysis. The taxonomy revealed the most used methods, tools and learning systems, so that the improvements and limitations of each of the analysis techniques were found. The quantitative data shown by the accuracy metric, with which an average was identified with respect to the results, were: static analysis = 95.36%, dynamic analysis = 92.44% and hybrid analysis = 96.81%. Therefore, these results show that hybrid analysis has advantages over static or dynamic analysis techniques, reducing their limitations and improving the detection of malware on Android. Finally, the best option for analyzing malware is supervised learning to classify new generations of malware from two features: their families and their frequency of use.

    Novel Attacks and Defenses in the Userland of Android

    In the last decade, mobile devices have spread rapidly, becoming more and more part of our everyday lives; this is due to their feature-richness, mobility, and affordable price. At the time of writing, Android is the leader of the market among operating systems, with a share of 76% and two and a half billion active Android devices around the world. Given that such small devices contain a massive amount of our private and sensitive information, the economic interests in the mobile ecosystem skyrocketed. For this reason, not only have legitimate apps running on mobile environments increased dramatically, but malicious apps have also been on a steady rise. On the one hand, developers of mobile operating systems learned from security mistakes of the past, and they made significant strides in blocking those threats right from the start. On the other hand, these high security levels did not deter attackers. In this thesis, I present my research contribution about the most meaningful attack and defense scenarios in the userland of the modern Android operating system. I have emphasized "userland" because the attack and defense solutions presented in this thesis execute in the userspace of the operating system, due to the fact that Android is slightly different from traditional operating systems. After the necessary technical background, I show my solution, RmPerm, in order to enable Android users to better protect their privacy by selectively removing permissions from any app on any Android version. This operation does not require any modification to the underlying operating system because we repack the original application. Then, again using repackaging, I have developed Obfuscapk; it is a black-box obfuscation tool that can work with every Android app and offers a free solution with advanced state-of-the-art obfuscation techniques -- especially the ones used by malware authors. Subsequently, I present a machine learning-based technique that focuses on the identification of malware in resource-constrained devices such as Android smartphones. This technique has a very low resource footprint and does not rely on resources outside the protected device. Afterward, I show how it is possible to mount a phishing attack -- the historically preferred attack vector -- by exploiting two recent Android features, initially introduced in the name of convenience. Although a technical solution to this problem certainly exists, it is not solvable by a single entity, and there is the need for a push from the entire community. But sometimes, even though there exists a solution to a well-known vulnerability, developers do not take proper precautions. In the end, I discuss the Frame Confusion vulnerability; it is often present in hybrid apps, and it was discovered some years ago, but I show how it is still widespread. I proposed a methodology, implemented in the FCDroid tool, for systematically detecting the Frame Confusion vulnerability in hybrid Android apps. The results of an extensive analysis carried out through FCDroid on a set of the most downloaded apps from the Google Play Store prove that 6.63% (i.e., 1637/24675) of hybrid apps are potentially vulnerable to Frame Confusion. The impact of such results on the Android users' community is estimated at 250,000,000 installations of vulnerable apps.

    Low-Resource Footprint, Data-Driven Malware Detection on Android

    Resource-constrained systems are becoming more and more common as users migrate from PCs to mobile devices and as IoT systems enter the mainstream. At the same time, it is not acceptable to reduce the level of security; hence it is necessary to accommodate the required security within the system-imposed resource constraints. This paper introduces BAdDroIds, a mobile application leveraging machine learning for detecting malware on resource-constrained devices. BAdDroIds executes in the background and transparently analyzes applications as soon as they are installed, i.e., before they infect the device. BAdDroIds relies on static analysis techniques and features provided by the Android OS to build up sound and complete models of Android apps in terms of permissions and API invocations. It uses ad-hoc supervised classification techniques to allow resource-efficient malware detection. By exploiting the intrinsic nature of the data, it has been possible to implement a state-of-the-art data-driven model which provides deep insights into the detection problem and can be efficiently executed on the device itself, as it requires very limited computational effort. Besides its limited resource footprint, BAdDroIds is extremely effective: an extensive experimental evaluation shows that BAdDroIds outperforms the currently available solutions in terms of accuracy, which is around 99%.

    Authors: S. Aonzo, A. Merlo, M. Migliardi, L. Oneto, F. Palmieri

    Malware detection dedicated to mobile devices

    The design of an effective malware detection method dedicated to mobile devices takes place in the context of a multi-service architecture centered on mobile payment called ATISCOM. This architecture is developed by the Laboratoire de recherche en réseautique et informatique mobile (LARIM) of Polytechnique Montréal in collaboration with Flexgroups and funded by the CRSNG. Several issues in this project are dedicated to the security of the platform, which is very sensitive since it must handle private and financial information and operate over a network and on mobile devices. The most significant threat to smartphones is malware, or malicious software, and this thesis proposes to address it. We established a literature review of the field of malware detection on Android, the platform chosen for this project. It shows the significant presence of malicious software in mobile environments, the threat it represents and its evolution. It then describes the main areas of static and dynamic analysis, on the server and on the mobile device. It also shows the growing presence of machine learning, and the better balance between precision and performance achieved by hybrid systems. After analyzing the most promising methods based on dynamic (and static) analysis on mobile devices, we identify their shortcomings (and also record their figures for performance and precision for future comparison) and decide to build a hybrid client-server architecture using machine learning to overcome them. The task will prove too large for a single master's thesis, and we will concentrate our efforts on a lightweight static analysis method that can offer sufficient precision and run on a mobile device. This will be the first stone in building the hybrid method of the ideal architecture.