Top

Journal of Computer Virology and Hacking Techniques

Published in:

20-08-2016 | Original Paper

Testing android malware detectors against code obfuscation: a systematization of knowledge and unified methodology

Authors: Mila Dalla Preda, Federico Maggi

Published in: Journal of Computer Virology and Hacking Techniques | Issue 3/2017

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The authors of mobile-malware have started to leverage program protection techniques to circumvent anti-viruses, or simply hinder reverse engineering. In response to the diffusion of anti-virus applications, several researches have proposed a plethora of analyses and approaches to highlight their limitations when malware authors employ program-protection techniques. An important contribution of this work is a systematization of the state of the art of anti-virus apps, comparing the existing approaches and providing a detailed analysis of their pros and cons. As a result of our systematization, we notice the lack of openness and reproducibility that, in our opinion, are crucial for any analysis methodology. Following this observation, the second contribution of this work is an open, reproducible, rigorous methodology to assess the effectiveness of mobile anti-virus tools against code-transformation attacks. Our unified workflow, released in the form of an open-source prototype, comprises a comprehensive set of obfuscation operators. It is intended to be used by anti-virus developers and vendors to test the resilience of their products against a large dataset of malware samples and obfuscations, and to obtain insights on how to improve their products with respect to particular classes of code-transformation attacks.

previous article Impeding behavior-based malware analysis via replacement attacks to malware specifications

next article Experimental analysis of hidden Markov model based secure misuse intrusion trace classification and hacking detection

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

Antiy. http://www.antiy.net. Accessed 15 July 2016

Dalvik bytecode verifier notes. http://www.netmite.com/android/mydroid/dalvik/docs/verifier.html. Accessed 15 July 2016

Contagio mobile e mobile malware mini dump. http://contagiominidump.blogspot.com/. Accessed 15 July 2016

Dexguard. http://www.saikoa.com/dexguard. Accessed 15 July 2016

Virustotal. https://www.virustotal.com. Accessed 15 July 2016

Smartphone os market share, q2 2015, 2015. http://www.idc.com/prodserv/smartphone-os-market-share.jsp. Accessed 15 July 2016

Apvrille, A., Nigam, R.: Obfuscation in android malware, and how to fight back. In: Virus, Bulletin, pp. 1–10 (2014)

Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., and Yang, K.: On the (im)possibility of obfuscating programs. In: CRYPTO ’01: Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, pp. 1–18. Springer, Berlin (2001) (ISBN 3-540-42456-3)

Christodorescu, M., Jha, S.: Testing malware detectors. In: Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA ’04), pp. 34–44 (2004)

10.

Collberg, C., and Nagra, J.: Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Addison-Wesley Professional, Menlo Park (2009) (ISBN 0321549252)

11.

Collberg, C., Thomborson, C.D., Low, D.: Manufacturing cheap, resilient, and stealthy opaque constructs. In: Proceedings of Conference Record of the 25st ACM Symp. on Principles of Programming Languages (POPL ’98), pp. 184–196. ACM Press, New york (1998)

12.

Preda, Mila Dalla, Giacobazzi, Roberto: Semantics-based code obfuscation by abstract interpretation. J. Comput. Secur. 17(6), 855–908 (2009)CrossRef

13.

Preda, M.D., Mastroeni, I., Giacobazzi, R.: A formal framework for property-driven obfuscation strategies. In: Fundamentals of computation theory—19th International Symposium, FCT 2013, Liverpool, UK, August 19-21, 2013. Proceedings, vol. 8070 of Lecture Notes in Computer Science, pp. 133–144. Springer, Berlin (2013)

14.

F-Secure. H2 2013 threat report. Technical report (2014)

15.

Freiling, F.C., Protsenko, M., Zhuang, Y.: An empirical evaluation of software obfuscation techniques applied to android apks. In: International Conference on Security and Privacy in Communication Networks—10th International ICST Conference, SecureComm 2014, Beijing, China, 24–26 Sept 2014, Revised Selected Papers, Part II, vol. 153 of Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, pp. 315–328. Springer, Berlin (2014)

16.

Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, 26–29 Oct 2013, Berkeley, CA, USA, pp. 40–49. IEEE Computer Society (2013)

17.

Fedler, R., Schette, J., Kulicke, M.: On the effectiveness of malware protection on android: an evaluation of android antivirus app. Technical report (2013)

18.

Sridhara, S.M., Stamp, M.: Metamorphic worm that carries its own morphing engine. J. Comput. Virol. 9(2), 49–58 (2013)

19.

Maggi, F., Valdi, A., Zanero, S.: AndroTotal: a flexible, scalable toolbox and service for testing mobile malware detectors. In: Proceedings of the Third ACM Workshop on Security and Privacy in Smartphones & Mobile Devices, SPSM ’13, pp. 49–54. ACM. ISBN 978-1-4503-2491-5. doi:10.1145/2516760.2516768. http://doi.acm.org/10.1145/2516760.2516768. Accessed 15 July 2016

20.

Maiorca, Davide, Ariu, Davide, Corona, Igino, Aresu, Marco, Giacinto, Giorgio: Stealth attacks: an extended insight into the obfuscation effects on android malware. Comput. & Secur. 51, 16–31 (2015)CrossRef

21.

Musale, Mangesh, Austin, Thomas H., Stamp, Mark: Hunting for metamorphic javascript malware. J. Comput. Virol. Hacking Tech. 11(2), 89–102 (2015). doi:10.1007/s11416-014-0225-8 CrossRef

22.

Pellegatta, F., Maggi, F., Preda, M.D.: Aamo: another android malware obfuscator (source code). https://github.com/necst/aamo. Accessed 15 July 2016

23.

Protsenko, M., Müller, T.: PANDORA applies non-deterministic obfuscation randomly to android. In: 8th International Conference on Malicious and Unwanted Software: “The Americas”’, MALWARE 2013, Fajardo, PR, USA, Oct 22–24, 2013, pp. 59–67. IEEE Computer Society (2013)

24.

Rastogi, V., Chen, Y., Jiang, X.: Droidchameleon: evaluating android anti-malware against transformation attacks. In: 8th ACM Symposium on Information, Computer and Communications Security, ASIA CCS ’13, Hangzhou, China, ACM, May 08-10, 2013, pp. 329–334 (2013)

25.

Strazzere, T., Sawyer, J.: Android hacker protection level 0. Defcon 22, Las Vegas (2014)

26.

Symantec Corporation. Internet security threat report: 20 April 2015

27.

Unuchek, R., Chebyshev, V.: Mobile malware evolution: 2013. https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/. Feb 2014

28.

Zheng, M., Lee, P.P.C., Lui, J.C.S.: Adam: an automatic and extensible platform to stress test android anti-virus systems (source code). http://ansrlab.cse.cuhk.edu.hk/software/adam/. Accessed 15 July 2016

29.

Zheng, M., Lee, P.P.C., Lui, J.C.S.: ADAM: an automatic and extensible platform to stress test android anti-virus systems. In: Detection of Intrusions and Malware, and Vulnerability Assessment—9th International Conference, DIMVA 2012, Heraklion, Crete, Greece, July 26–27, 2012, Revised Selected Papers, volume 7591 of Lecture Notes in Computer Science, pp. 82–101. Springer, Berlin (2012)

30.

Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: Proceedings of the 33rd IEEE Symposium on Security and Privacy. http://www.malgenomeproject.org/. Accessed 15 July 2016

Title: Testing android malware detectors against code obfuscation: a systematization of knowledge and unified methodology
Authors: Mila Dalla Preda
Federico Maggi
Publication date: 20-08-2016
Publisher: Springer Paris
Published in: Journal of Computer Virology and Hacking Techniques / Issue 3/2017
Electronic ISSN: 2263-8733
DOI: https://doi.org/10.1007/s11416-016-0282-2

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 3/2017

A completely covert audio channel in Android

Impeding behavior-based malware analysis via replacement attacks to malware specifications

Evolution and characterization of point-of-sale RAM scraping malware

Experimental analysis of hidden Markov model based secure misuse intrusion trace classification and hacking detection

Graph embedding as a new approach for unknown malware detection

MalwareHunt: semantics-based malware diffing speedup by normalized basic block memoization

Premium Partner