DOI: 10.1145/3238147.3238221
research-article

Dual-force: understanding WebView malware via cross-language forced execution

Published: 03 September 2018

ABSTRACT

Modern Android malware tends to use advanced techniques to conceal its malicious behaviors. Such malware usually features multi-staged, condition-guarded and environment-specific payloads. An increasing number of samples utilize WebView, particularly the two-way communication between Java and JavaScript, to evade detection and analysis by existing techniques. We propose Dual-Force, a forced execution technique that simultaneously forces both the Java and JavaScript code of WebView applications to execute along various paths, without requiring any environment setup or manually provided inputs. As such, the hidden payloads of WebView malware are forcefully exposed. The technique features a novel execution model that allows forced execution to suppress exceptions and continue execution. Experimental results show that Dual-Force precisely exposes the malicious payload in 119 out of 150 WebView malware samples. Compared to the state of the art, Dual-Force can expose 23% more malicious behaviors.


Published in

ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering
September 2018
955 pages
ISBN: 9781450359375
DOI: 10.1145/3238147

Copyright © 2018 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
