Similar literature
 Found 20 similar documents; search took 31 ms
1.
Users leverage mobile devices for their daily Internet needs by running various mobile applications (apps) such as social networking, e-mailing, news-reading, and video/audio streaming. Mobile devices have become major targets for malicious apps due to their heavy network activity, which is a research challenge in the current era. The majority of the research reported in the literature is focused on host-based systems rather than network-based ones, and is thus unable to detect malicious activities occurring on mobile devices through the Internet. This paper presents a detection app model for classification of apps. We investigate the accuracy of various machine learning models, in the context of known and unknown apps, benign and normal apps, with or without encrypted message-based app, and operating system version independence of classification. The best resulting machine learning (ML)-based model is embedded into the detection app for efficient and effective detection. We collect a dataset of network activities of 18 different malware families-based apps and 14 genuine apps and use it to develop ML-based detectors. We show that it is possible to detect malicious apps using network traces with traditional ML techniques, and the results revealed an accuracy of 95–99.9 % in detection of apps in different scenarios. The proposed model proved efficient and suitable for mobile devices. Due to the widespread penetration of Android OS into the market, it has become the main target for attackers. Hence, the proposed system is deployed in an Android environment.

2.
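Given the repackaging behavior present in apps on current third-party Android app markets, 150 official apps in China were randomly selected, together with 572 copies of the same apps from third-party app markets for comparison, and a security detection system for repackaged Android apps was designed. The system first performs similarity computation to identify repackaged apps at fine granularity, then obtains their resource files through reverse engineering, analyzes over-privilege behavior based on the mapping between system APIs and permissions, and analyzes permission-abuse behavior based on the constructed method control-flow graphs. Using parallel processing, the system detected that 33.17% of the apps in third-party app markets were repackaged, of which 19.58% had modified permissions. Among the apps with modified permissions, 45.95% exhibited over-privilege behavior and 27.03% exhibited permission abuse.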

3.
王浩宇  郭耀  马子昂  陈向群 《软件学报》2017,28(6):1373-1388
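Third-party libraries are widely used in mobile apps to aid development and enhance app functionality. Much research on mobile app analysis and access control needs to detect, filter, or functionally classify third-party libraries before analysis. Most current research uses whitelists to detect third-party libraries or to classify their functionality. However, whitelist-based detection of third-party libraries is incomplete and inaccurate, for reasons including: (1) the variety and number of third-party libraries are very large; (2) common techniques such as code obfuscation or third-party library disguise prevent whitelist methods from accurately identifying third-party libraries. This paper proposes an automatic method for detecting and classifying third-party libraries, which accurately identifies third-party libraries using multi-level clustering and accurately classifies their functionality using machine learning. Experiments analyzing more than 130,000 Android apps validate the effectiveness of the proposed method. In total, 4,916 distinct third-party libraries were detected. On a manually labeled dataset, ten-fold cross-validation yields a third-party library classification accuracy of 84.28%. When the trained classifier is applied to all 4,916 detected third-party libraries, manual sampling verification gives an accuracy of 75%.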

4.
Program plagiarism detection is a task of detecting plagiarized code pairs among a set of source codes. In this paper, we propose a code plagiarism detection system that uses a parse tree kernel. Our parse tree kernel calculates a similarity value between two source codes in terms of their parse tree similarity. Since parse trees contain the essential syntactic structure of source codes, the system effectively handles structural information. The contributions of this paper are two-fold. First, we propose a parse tree kernel that is optimized for program source code. The evaluation shows that our system based on this kernel outperforms well-known baseline systems. Second, we collected a large number of real-world Java source codes from a university programming class. This test set was manually analyzed and tagged by two independent human annotators to mark plagiarized codes. It can be used to evaluate the performance of various detection systems in real-world environments. The experiments with the test set show that the performance of our plagiarism detection system reaches the 93% level of human annotators.

5.
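Security vetting at the app-market level needs to be both accurate and scalable. However, current vetting mechanisms are usually inefficient and struggle to cope with new threats. Our research finds that malware authors repackage several legitimate apps, placing the same piece of malicious code in different apps for distribution. As a result, malicious code usually appears in the extra code of several apps of common origin and in the common code of unrelated apps. Based on this finding, we developed a large-scale app detection system, MassVet. It can quickly detect malicious code without knowing its code signatures or behavioral characteristics. Whereas existing detection mechanisms usually rely on complex program analysis, our method only needs to compare an uploaded app against the apps already on the market, focusing in particular on the differing code among apps with the same view structure and on the common parts among unrelated apps. Once common libraries and legitimately reused code fragments are removed, these common or differing code parts become highly suspicious. We map an app's view structure or a function's control-flow graph to a single value and perform DiffCom analysis on that basis. We designed a pipeline-based analysis engine and carried out a large-scale analysis of 1.2 million apps from 33 app markets. Experiments show that our method can vet an app within 10 seconds with a low false-positive rate. In addition, in detection coverage MassVet outperformed the 54 scanners in VirusTotal (including NOD32, Symantec and McAfee), finding nearly 100,000 malicious apps, more than 20 of which were zero-day malware, with more than a million downloads. These apps also reveal many interesting phenomena, for example the ongoing contest between Google's vetting strategy and malware authors' detection-evasion strategies, which leads to some apps removed from Google Play reappearing.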

6.
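Given that third-party libraries in Android apps currently enlarge the attack surface of applications, 305 apps were randomly selected from five well-known official markets in China for security analysis, and a security analysis system for Android third-party libraries was designed. The system first detects third-party libraries, identifying the third-party libraries in Android apps at fine granularity, then statically analyzes the apk file using reverse engineering, while installing and running the apk in an Android emulator and monitoring its behavior, thereby detecting the security threats introduced by third-party libraries. The analysis results show that, whereas current mobile vulnerability scanning platforms cannot adequately check third-party libraries for security, the system can effectively detect vulnerabilities in third-party libraries within apps and has a certain practicality.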

7.
To devise efficient approaches and tools for detecting malicious packages in the Android ecosystem, researchers are increasingly required to have a deep understanding of malware. There is thus a need to provide a framework for dissecting malware and locating malicious program fragments within app code in order to build a comprehensive dataset of malicious samples. Towards addressing this need, we propose in this work a tool-based approach called HookRanker, which provides ranked lists of potentially malicious packages based on the way malware behaviour code is triggered. With experiments on a ground truth of piggybacked apps, we are able to automatically locate the malicious packages from piggybacked Android apps with an accuracy@5 of 83.6% for such packages that are triggered through method invocations and an accuracy@5 of 82.2% for such packages that are triggered independently.

8.
In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now common that a mobile app serves millions of users across the globe. By examining the code of these apps, reverse engineers can learn various knowledge about the design and implementation of the apps. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses. One of the most viable mitigations against malicious reverse engineering is to obfuscate the apps. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. We especially focus on factors that are unique to mobile software development that may affect the design and deployment of obfuscation techniques. We report the outcome of our obfuscation with empirical experiments. We additionally elaborate on the follow-up case studies about how our obfuscation affected the app publication process and how we responded to the negative impacts. This experience report can benefit mobile developers, security service providers, and Apple as the administrator of the iOS ecosystem.

9.
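Among software homology detection methods, comparison based on abstract syntax trees can effectively detect plagiarism techniques such as verbatim copying of code, renaming variables, and reordering code, and is widely used in plagiarism detection tools. However, comparison based on abstract syntax trees is helpless against plagiarism techniques that change variable types or add meaningless variables. To address this, an improved approach based on abstract syntax trees is proposed. It prunes the leaf nodes of the syntax tree that interfere with the judgment in order to recover and detect plagiarism of the original, and can thereby effectively detect plagiarism that changes variable types or adds meaningless variables.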

10.
The number of mobile applications (apps) and mobile devices has increased considerably over the past few years. Online app markets, such as the Google Play Store, use a star-rating mechanism to quantify the user-perceived quality of mobile apps. Users may rate apps on a five point (star) scale where a five star-rating is the highest rating. Having considered the importance of a high star-rating to the success of an app, recent studies continue to explore the relationship between the app attributes, such as User Interface (UI) complexity, and the user-perceived quality. However, the user-perceived quality reflects the users’ experience using an app on a particular mobile device. Hence, the user-perceived quality of an app is not solely determined by app attributes. In this paper, we study the relation of both device attributes and app attributes with the user-perceived quality of Android apps from the Google Play Store. We study 20 device attributes, such as the CPU and the display size, and 13 app attributes, such as code size and UI complexity. Our study is based on data from 30 types of Android mobile devices and 280 Android apps. We use linear mixed effect models to identify the device attributes and app attributes with the strongest relationship with the user-perceived quality. We find that the code size has the strongest relationship with the user-perceived quality. However, some device attributes, such as the CPU, have stronger relationships with the user-perceived quality than some app attributes, such as the number of UI inputs and outputs of an app. Our work helps both device manufacturers and app developers. Manufacturers can focus on the attributes that have significant relationships with the user-perceived quality. Moreover, app developers should be careful about the devices for which they make their apps available because the device attributes have a strong relationship with the ratings that users give to apps.

11.
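A code similarity detection method based on a BP neural network   Total citations: 1, self-citations: 1, citations by others: 0
How to effectively detect plagiarism in programming course assignments is an important problem. Traditional plagiarism detection methods mainly use attribute or structural information of code to measure the similarity between programs. A code plagiarism detection method based on a multilayer feed-forward neural network with error back-propagation (the BP algorithm) is presented. Seven comparison features between programs are extracted as the input of the neural network; the network computes a similarity value for the programs, and this value is compared with a plagiarism decision threshold to determine the set of programs exhibiting plagiarism. Experimental results show that the method achieves very good detection performance.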

12.
Today’s Android-powered smartphones have various embedded sensors that measure the acceleration, orientation, light and other environmental conditions. Many functions in the third-party applications (apps) need to use these sensors. However, embedded sensors may lead to security issues, as the third-party apps can read data from these sensors without claiming any permissions. It has been proven that embedded sensors can be exploited by well designed malicious apps, resulting in leaking users’ privacy. In this work, we are motivated to provide an overview of sensor usage patterns in current apps by investigating what, why and how embedded sensors are used in the apps collected from both a Chinese app market called “AppChina” and the official market called “Google Play”. To fulfill this goal, we develop a tool called “SDFDroid” to identify the used sensors’ types and to generate the sensor data propagation graphs in each app. We then cluster the apps to find out their sensor usage patterns based on their sensor data propagation graphs. We apply our method on 22,010 apps collected from AppChina and 7,601 apps from Google Play. Extensive experiments are conducted and the experimental results show that most apps implement their sensor related functions by using the third-party libraries. We further study the sensor usage behaviors in the third-party libraries. Our results show that the accelerometer is the most frequently used sensor. Though many third-party libraries use no more than four types of sensors, there are still some third-party libraries registering all the types of sensors recklessly. These results call for more attention on better regulating the sensor usage in Android apps.

13.
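To address the problem that traditional system call dependence graphs (SCDGs) cannot effectively eliminate API feature obfuscation such as API noise and API reordering, a malicious code similarity analysis method based on API dependence relations is proposed. It adopts an SCDG description of program behavior composed of API control dependences and four types of data dependences, and eliminates API noise and API reordering in the SCDG through data dependence analysis and control dependence normalization. Experimental results show that, compared with API-sequence similarity analysis, the method improves the accuracy of malicious code similarity analysis.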

14.
王持恒  陈晶  苏涵  何琨  杜瑞颖 《软件学报》2018,29(5):1392-1409
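Mobile advertising, as an important means of marketing, is increasingly favored by app developers, and its market is growing steadily. However, in pursuit of precise ad targeting and other illicit gains, mobile advertising also poses serious threats to users' privacy and property. At present, many researchers focus on the security risks of ad platforms, advertisers and mobile apps, and no case of an attack launched directly within the ad network has yet appeared. This paper proposes a host-permission-based vulnerability attack method for mobile advertising, which can inject attack code into the traffic when a mobile app fetches ad content. By intercepting ad traffic, the identifier of the host app and client-related information are extracted, from which the host app's permission list and the WebView vulnerabilities of the current device are indirectly obtained. In addition, this paper proposes a language for describing attacker capabilities, which can automatically generate customized attack payloads. Experiments show that the proposed attack method can affect a large number of apps containing mobile ads, and the analysis of several attack instances also demonstrates the feasibility of automatically generating attack payloads. Finally, this paper proposes several protection methods and security enhancements, including app identifier obfuscation, integrity checking, and man-in-the-middle attack protection.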

15.
Xu  Yanan  Zhu  Yanmin  Shen  Yanyan  Yu  Jiadi 《World Wide Web》2019,22(6):2721-2745

The large volume and variety of apps pose a great challenge for people to choose appropriate apps. As a consequence, app recommendation is becoming increasingly important. Recently, app usage data which record the sequence of apps being used by a user have become increasingly available. Such data record the usage context of each instance of app use, i.e., the app instances being used together with this app (within a short time window). Our empirical data analysis shows that a user has a pattern of app usage contexts. More importantly, the similarity in the two users’ preferences over mobile apps is correlated with the similarity in their app usage context patterns. Inspired by these important observations, this paper tries to leverage the predictive power of app usage context patterns for effective app recommendation. To this end, we propose a novel neural approach which learns the embeddings of both users and apps and then predicts a user’s preference for a given app. Our neural network structure models both a user’s preference over apps and the user’s app usage context pattern in a unified way. To address the issue of unbalanced training data, we introduce several sampling methods to sample user-app interactions and app usage contexts effectively. We conduct extensive experiments using a large real app usage data. Comparative results demonstrate that our approach achieves higher precision and recall, compared with the state-of-the-art recommendation methods.


16.
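With the widespread use of mobile applications (apps), security incidents involving mobile apps occur frequently. Accurately identifying potential security risks among hundreds of millions of mobile apps has become one of the important challenges in information security. As the number of mobile apps has grown by orders of magnitude, massive amounts of app security data have also been produced. These data make security analytics of mobile apps possible. This paper presents the current results of mobile app security analytics from five aspects: user interface analysis, repackaged app detection, consistency checking between app functionality and security behavior, context-based malicious behavior detection, and analysis of end users' app management and usage behavior. Based on these results, future research directions are outlined and the challenges they face are discussed.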

17.
The web services used on desktop can be accessed through a smartphone due to the development of smart devices. As the usage of smartphones increases, the importance of personal information security inside the smartphone is emphasized. The openness features of the Android platform make it a lot easier to develop an application, and deploying malicious code into an application is also an easy task for hackers. The security practices are also growing rapidly as the number of malicious codes increases exponentially. According to these circumstances, new methods for detecting and protecting the behavior of leaked personal information are needed to manage the personal information within a smartphone. In this paper, we study the permission access category in order to detect the malicious code, which discloses the personal information on Android environment such as equipment and location information, address book and messages, and solve the problem related to Resource access of Random Access Control method in conventional Android file system to detect the new malware or malicious code via the context ontology reasoning of permission access and API resource information which the personal information are leaked through. Then we propose an inference-based access control model, which can be enabled to access the proactive security. There is more improvement accuracy than existing malicious detecting techniques and effectiveness of access control model is verified through the proposal of inference-based access control model.

18.
The sharing of malicious code libraries and techniques over the Internet has vastly increased the release of new malware variants at an unprecedented rate. Malware variants share similar behaviors yet they have different syntactic structure due to the incorporation of many obfuscation and code change techniques such as polymorphism and metamorphism. The different structure of malware variants poses a serious problem to signature-based detection techniques, yet their similar exhibited behaviors and actions can be a remarkable feature to detect them by behavior-based techniques. Malware instances also largely depend on API calls provided by the operating system to achieve their malicious tasks. Therefore, behavior-based detection techniques that utilize API calls are promising for the detection of malware variants. In this paper, we propose a behavior-based features model that describes malicious actions exhibited by a malware instance. To extract the proposed model, we first perform dynamic analysis on a relatively recent malware dataset inside a controlled virtual environment and capture traces of API calls invoked by malware instances. The traces are then generalized into high-level features we refer to as actions. We assessed the viability of actions by various classification algorithms such as decision tree, random forests, and support vector machine. The experimental results demonstrate that the classifiers attain high accuracy and satisfactory results in the detection of malware variants.

19.
Jiaojiao Fu  Yangfan Zhou  Xin Wang 《Software》2019,49(9):1402-1418
Most Android applications include third-party libraries (3PLs) to make revenues, to facilitate their development, and to track user behaviors. 3PLs generally require specific permissions to realize their functionalities. Current Android systems manage permissions in app (process) granularity. As a result, the permission sets of apps with 3PLs (3PL-apps) may be augmented, introducing overprivilege risks. In this paper, we firstly study how severe the problem is by analyzing the permission sets of 27 718 real-world Android apps with and without 3PLs downloaded in both 2016 and 2017. We find that the usage of 3PLs and the permissions required by 3PL-apps have increased over time. As a result, the possibility of overprivilege risks increases. We then propose Perman, a fine-grained permission management mechanism for Android. Perman isolates the permissions of the host app and those of the 3PLs through dynamic code instrumentation. It allows users to manage permission requests of different modules of 3PL-apps during app runtime. Unlike existing tools, Perman does not need to redesign Android apps and systems. Therefore, it can be applied to millions of existing apps and various Android devices. We conduct experiments to evaluate the effectiveness and efficiency of Perman. The experimental results verify that Perman is capable of managing permission requests of the host app and those of the 3PLs. We also confirm that the overhead introduced by Perman is comparable to that by existing commercial permission management tools.

20.
Input validation vulnerabilities are common in Android apps, especially in inter-component communications. Malicious attacks can exploit this kind of vulnerability to bypass Android security mechanism and compromise the integrity, confidentiality and availability of Android devices. However, so far there is not a sound approach at the source code level for app developers aiming to detect input validation vulnerabilities in Android apps. In this paper, we propose a novel approach for detecting input validation flaws in Android apps and we implement a prototype named EasyIVD, which provides practical static analysis of Java source code. EasyIVD leverages backward program slicing to extract transaction and constraint slices from Java source code. Then EasyIVD validates these slices with predefined security rules to detect vulnerabilities in a known pattern. To detect vulnerabilities in an unknown pattern, EasyIVD extracts implicit security specifications as frequent patterns from the duplicated slices and verifies them. Then EasyIVD semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate EasyIVD on four versions of original Android apps spanning from version 2.2 to 5.0. It detects 58 vulnerabilities including confused deputy attacks and denial of service attacks. Our results prove that EasyIVD can provide a practical defensive solution for app developers.
