49 research outputs found
A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks
Android platform security is an active area of research where malware detection techniques continuously evolve to identify novel malware and improve the timely and accurate detection of existing malware. Adversaries are constantly in charge of employing innovative techniques to avoid or prolong malware detection effectively. Past studies have shown that malware detection systems are susceptible to evasion attacks where adversaries can successfully bypass the existing security defenses and deliver the malware to the target system without being detected. The evolution of escape-resistant systems is an open research problem. This paper presents a detailed taxonomy and evaluation of Android-based malware evasion techniques deployed to circumvent malware detection. The study characterizes such evasion techniques into two broad categories, polymorphism and metamorphism, and analyses techniques used for stealth malware detection based on the malware’s unique characteristics. Furthermore, the article also presents a qualitative and systematic comparison of evasion detection frameworks and their detection methodologies for Android-based malware. Finally, the survey discusses open-ended questions and potential future directions for continued research in mobile malware detection
Understanding Android Obfuscation Techniques: A Large-Scale Investigation in the Wild
In this paper, we seek to better understand Android obfuscation and depict a
holistic view of the usage of obfuscation through a large-scale investigation
in the wild. In particular, we focus on four popular obfuscation approaches:
identifier renaming, string encryption, Java reflection, and packing. To obtain
the meaningful statistical results, we designed efficient and lightweight
detection models for each obfuscation technique and applied them to our massive
APK datasets (collected from Google Play, multiple third-party markets, and
malware databases). We have learned several interesting facts from the result.
For example, malware authors use string encryption more frequently, and more
apps on third-party markets than Google Play are packed. We are also interested
in the explanation of each finding. Therefore we carry out in-depth code
analysis on some Android apps after sampling. We believe our study will help
developers select the most suitable obfuscation approach, and in the meantime
help researchers improve code analysis systems in the right direction
Analysing the Security of Google's implementation of OpenID Connect
Many millions of users routinely use their Google accounts to log in to
relying party (RP) websites supporting the Google OpenID Connect service.
OpenID Connect, a newly standardised single-sign-on protocol, builds an
identity layer on top of the OAuth 2.0 protocol, which has itself been widely
adopted to support identity management services. It adds identity management
functionality to the OAuth 2.0 system and allows an RP to obtain assurances
regarding the authenticity of an end user. A number of authors have analysed
the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in
practice remains an open question. We report on a large-scale practical study
of Google's implementation of OpenID Connect, involving forensic examination of
103 RP websites which support its use for sign-in. Our study reveals serious
vulnerabilities of a number of types, all of which allow an attacker to log in
to an RP website as a victim user. Further examination suggests that these
vulnerabilities are caused by a combination of Google's design of its OpenID
Connect service and RP developers making design decisions which sacrifice
security for simplicity of implementation. We also give practical
recommendations for both RPs and OPs to help improve the security of real world
OpenID Connect systems
Privacy Leaks through Data Hijacking Attack on Mobile Systems
To persistently eavesdrop on the mobile devices, attackers may obtain the elevated privilege and inject malicious modules into the user devices. Unfortunately, the attackers may not be able to obtain the privilege for a long period of time since the exploitable vulnerabilities may be fixed or the malware may be removed. In this paper, we propose a new data hijacking attack for the mobile apps. By employing the proposed method, the attackers are only required to obtain the root privilege of the user devices once, and they can persistently eavesdrop without any change to the original device. Specifically, we design a new approach to construct a shadow system by hijacking user data files. In the shadow system, attackers possess the identical abilities to the victims. For instance, if a victim has logged into the email app, the attacker can also access the email server in the shadow system without authentication in a long period of time. Without reauthentication of the app, it is difficult for victims to notice the intrusion since the whole eavesdropping is performed on other devices (rather than the user devices). In our experiments, we evaluate the effectiveness of the proposed attack and the result demonstrates that even the Android apps released by the top developers cannot resist this attack. Finally, we discuss some approaches to defend the proposed attack