91 research outputs found

    I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis

    Android applications may leak privacy data carelessly or maliciously. In this work we perform inter-component data-flow analysis to detect privacy leaks between components of Android applications. Unlike all current approaches, our tool, called IccTA, propagates the context between the components, which improves the precision of the analysis. IccTA outperforms all other available tools by reaching a precision of 95.0% and a recall of 82.6% on DroidBench. Our approach detects 147 inter-component-based privacy leaks in 14 applications in a set of 3000 real-world applications with a precision of 88.4%. With the help of ApkCombiner, our approach is able to detect inter-app-based privacy leaks.

    Picking on the family: disrupting android malware triage by forcing misclassification

    Machine learning classification algorithms are widely applied to different malware analysis problems because of their proven abilities to learn from examples and perform relatively well with little human input. Use cases include the labelling of malicious samples according to families during triage of suspected malware. However, automated algorithms are vulnerable to attacks. An attacker could carefully manipulate the sample to force the algorithm to produce a particular output. In this paper we discuss one such attack on Android malware classifiers. We design and implement a prototype tool, called IagoDroid, that takes as input a malware sample and a target family, and modifies the sample to cause it to be classified as belonging to this family while preserving its original semantics. Our technique relies on a search process that generates variants of the original sample without modifying their semantics. We tested IagoDroid against RevealDroid, a recent, open-source Android malware classifier based on a variety of static features. IagoDroid successfully forces misclassification for 28 of the 29 representative malware families present in the DREBIN dataset. Remarkably, it does so by modifying just a single feature of the original malware. On average, it finds the first evasive sample in the first search iteration, and converges to a 100% evasive population within 4 iterations. Finally, we introduce RevealDroid*, a more robust classifier that implements several techniques proposed in other adversarial learning domains. Our experiments suggest that RevealDroid* can correctly detect up to 99% of the variants generated by IagoDroid.

    Comparison of plantar pressure distribution with the x-ray morphology of the foot skeleton

    Background: Metatarsalgia is a very heterogeneous clinical picture with diverse causes. The underlying pathomechanism is assumed to be excessive plantar pressure loading in the region of the metatarsal heads, or overloading of individual metatarsal heads in the presence of altered forefoot alignment. Surgical techniques aim to equalize pressure by means of corresponding shortening or realignment osteotomies and deliver varied, partly contradictory results in this regard. This study aims to clarify to what extent the loading conditions in the forefoot region can be inferred from the radiographic morphology of the foot skeleton. Overall, this topic has so far rarely been investigated and is insufficiently understood. Methods: First, the subjects were divided into a patient group of 46 feet with metatarsalgia and a comparison group of 40 asymptomatic feet. On weight-bearing dorsoplantar radiographs, the metatarsal index (plus-minus index and Maestro index) and the intermetatarsal 1/2 angle were measured, and subgroups were formed accordingly for comparison. Plantar pressure distribution was determined by dynamic measurements during walking using the Emed-x/R system by Novel and compared with the radiographic morphology with respect to peak pressure, pressure-time integral, maximum force and force-time integral under the metatarsal heads. Results: A clear relationship was found between the length of MT2 relative to MT1 and the plantar pressure distribution, in the sense of increased loading under MH2 when metatarsal 2 was elongated. The remaining metatarsal lengths appeared to have little effect on plantar pressure conditions. Furthermore, a large intermetatarsal angle tended to produce increased loading under MH2 and reduced loading under MH1. Overall, healthy feet showed less pronounced relationships.
Compared with healthy feet, feet with metatarsalgia showed markedly increased loading in the central forefoot region, an enlarged intermetatarsal angle and, unexpectedly, a first metatarsal longer than the second. Discussion: The results consistently showed that the individual structure of the foot skeleton, or a deviation in the sense of a conspicuous metatarsal index with excess length of individual metatarsals or a large intermetatarsal angle, only partially explains the development of metatarsalgia. It represents merely one component in the interplay of soft tissue, ball architecture, capsule-ligament structures and muscular interactions. The forces arising from biomechanical leverage in malalignments of the foot skeleton gain influence only in a previously damaged foot. A healthy foot appears to be able to compensate for peculiarities of the foot skeleton. A large inter-individual variability of plantar pressure distribution suggests a wide range of physiological pressure values, with the difficulty of defining the boundary to the pathological.

    Improving Mobile-Malware Investigations with Static and Dynamic Code Analysis Techniques

    Similar to the PC world, the abundance of mobile malware has become a serious threat to smartphone users. Thousands of new apps or app versions are uploaded to popular app stores every day. All of them need to be analyzed against violations of the app store's content policy. In particular, one wishes to detect whether an application contains malicious behavior. Similarly, antivirus companies check thousands of apps every day to determine whether or not they are malicious. Both app store operators and antivirus vendors face the same problem: it is generally challenging to tell apart malware from benign applications. This is because malware developers aim to hide their applications' malicious behavior from detection for as long as possible by applying different obfuscation techniques. The rising sophistication with which such measures are implemented poses a serious problem not just to automated malware detection approaches but also to the manual analysis of potential malware by human experts. In this dissertation, we propose a novel reverse engineering framework that includes different approaches for automatically extracting insights into the behavior of an Android application. In particular, we propose a novel approach, based on machine learning, to automatically identify sensitive source and sink API methods. Furthermore, we propose an approach to automatically extract concrete runtime values, such as SMS messages or URLs, at any code location. The approach combines static and dynamic code analysis techniques in such a way that it is resistant against common obfuscation techniques. A further contribution is an approach that extracts concrete environment conditions that need to be fulfilled in order to reach a certain code location. This approach is based on code fuzzing supported by static and dynamic code analysis techniques. 
All these approaches provide different insights into the analyzed application, in particular how and under which circumstances the application communicates with its environment. The reliable extraction of these insights requires novel solutions that address fundamental limitations of current static and dynamic code analysis approaches. We therefore also contribute new code analysis techniques that reduce well-known limitations of code analysis, such as reflective method calls or inter-component communications, which result in incomplete call graphs, or complex path conditions that result in reachability problems. All the insights extracted by our proposed approaches help human experts speed up their malware investigations. Manual malware investigations benefit from the automatic extraction of precise insights into the behavior of an application, which otherwise requires a time-consuming, manual analysis. On the other hand, existing automated code analysis approaches that are used during malware investigations benefit from our new techniques by reducing well-known limitations. This improves the detection rate of these approaches.

    SuSi: A Tool for the Fully Automated Classification and Categorization of Android Sources and Sinks

    Today's smartphone users face a security dilemma: many apps they install operate on privacy-sensitive data, although they might originate from developers whose trustworthiness is hard to judge. Researchers have proposed more and more sophisticated static and dynamic analysis tools as an aid to assess the behavior of such applications. Those tools, however, are only as good as the privacy policies they are configured with. Policies typically refer to a list of sources of sensitive data as well as sinks which might leak data to untrusted observers. Sources and sinks are a moving target: new versions of the mobile operating system regularly introduce new methods, and security tools need to be reconfigured to take them into account. In this work we show that, at least for the case of Android, the API comprises hundreds of sources and sinks. We propose SuSi, a novel and fully automated machine-learning approach for identifying sources and sinks directly from the Android source code. On our training set, SuSi achieves a recall and precision of more than 92%. To provide more fine-grained information, SuSi further categorizes the sources (e.g., unique identifier, location information, etc.) and sinks (e.g., network, file, etc.), with an average precision and recall of about 89%. We also show that many current program analysis tools can be circumvented because they use hand-picked lists of sources and sinks which are largely incomplete, hence allowing many potential data leaks to go unnoticed.

    How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire: Presentation held at Dev Con 2016, 12th October 2016, Plymouth

    Today's evil often comes in the form of ransomware, keyloggers, or spyware, against which antivirus applications are usually an end user's only means of protection. But current security apps not only scan for malware, they also aid end users by detecting malicious URLs, scams or phishing attacks. Generally, security apps appear so self-evidently useful that institutions such as online-banking providers even require users to install antivirus programs. In this talk, however, we show that the installation of security applications, at least in the context of smartphones, can sometimes open the phone to a number of attack vectors, making the system more instead of less vulnerable to attacks. In recent research, we examined Android security apps from renowned vendors such as Kaspersky, McAfee, Androhelm, Eset, Malwarebytes and Avira. When studying the apps' security features (Antivirus and Privacy Protection, Device Protection, Secure Web Browsing, etc.), it came as a shock to us that every inspected application contained critical vulnerabilities, and that in the end none of the promoted security features proved to be sufficiently secure. In a simple case, we would have been able to harm the app vendor's business model by upgrading a trial version into a premium one at no charge. In other instances, attackers would be able to harm the end user by completely disabling the malware-scanning engine remotely. Or how about accessing confidential data by exploiting broken SSL communication, broken self-developed advanced crypto implementations or through SQL injections? Yes, we can. On top, we were able to bypass the secure browsing protection and abuse it for code execution. The most alarming findings, however, were security applications that we were able to actually turn into a remote access trojan (RAT) or into ransomware. 
In light of all those findings, one must seriously question whether the advice to install a security app onto one's smartphone is a wise one. In this talk, we will not only explain our findings in detail but also propose possible security fixes.

    Workshop on Large-Scale Computational Physics LSCP 2017