Demystifying Hidden Sensitive Operations in Android apps
XIAOYU SUN, Monash University, Australia
XIAO CHEN, Monash University, Australia
LI LI, Monash University, Australia
HAIPENG CAI, Washington State University, United States
JOHN GRUNDY, Monash University, Australia
JORDAN SAMHI, University of Luxembourg, Luxembourg
TEGAWENDÉ F. BISSYANDÉ, University of Luxembourg, Luxembourg
JACQUES KLEIN, University of Luxembourg, Luxembourg
Security of Android devices is now paramount, given their wide adoption among consumers. As researchers develop tools for statically or dynamically detecting suspicious apps, malware writers regularly update their attack mechanisms to hide the implementation of malicious behavior. This poses two problems for current research techniques: static analysis approaches, given their over-approximations, can report an overwhelming number of false alarms, while dynamic approaches miss behaviors that are hidden through evasion techniques. We propose in this work a static approach specifically targeted at highlighting hidden sensitive operations, mainly sensitive data flows. The prototype version of HiSenDroid has been evaluated on a large-scale dataset of thousands of malware and goodware samples, on which it successfully revealed anti-analysis code snippets aiming at evading detection by dynamic analysis. We further experimentally show, with FlowDroid, that some of the hidden sensitive behaviors would eventually lead to private data leaks. Those leaks would have been hard to spot either manually among the large number of false positives reported by state-of-the-art static analyzers, or by dynamic tools. Overall, by shedding light on hidden sensitive operations, HiSenDroid helps security analysts validate potential sensitive data operations that would otherwise go unnoticed.
CCS Concepts: • Security and privacy → Domain-specific security and privacy architectures.
Additional Key Words and Phrases: Android Application; Privacy Leak; Hidden Sensitive Operations; Program Analysis
ACM Reference Format:
Xiaoyu Sun, Xiao Chen, Li Li, Haipeng Cai, John Grundy, Jordan Samhi, Tegawendé F. Bissyandé, and Jacques Klein. 2022. Demystifying
Hidden Sensitive Operations in Android apps. 1, 1 (October 2022), 30 pages. https://doi.org/10.1145/nnnnnnn.nnnnnnn
Li Li is the corresponding author.
Authors’ addresses: Xiaoyu Sun, xiaoyu.sun@monash.edu, Monash University, Australia, Wellington Rd, Clayton, VIC, 3800; Xiao Chen, Xiao.chen@
monash.edu, Monash University, Australia, Wellington Rd, Clayton, VIC, 3800; Li Li, lilicoding@ieee.org, Monash University, Australia, Wellington
Rd, Clayton, VIC, 3800; Haipeng Cai, haipeng.cai@wsu.edu, Washington State University, United States, Wilson Rd, Pullman, WA, 99164-5910; John
Grundy, john.grundy@monash.edu, Monash University, Australia, Wellington Rd, Clayton, VIC, 3800; Jordan Samhi, jordan.samhi@uni.lu, University
of Luxembourg, Luxembourg, 2 Avenue de l’Universite, 4365 Esch-sur-Alzette, Luxembourg; Tegawendé F. Bissyandé, tegawende.bissyande@uni.lu,
University of Luxembourg, Luxembourg, 2 Avenue de l’Universite, 4365 Esch-sur-Alzette, Luxembourg; Jacques Klein, jacques.klein@uni.lu, University of
Luxembourg, Luxembourg, 2 Avenue de l’Universite, 4365 Esch-sur-Alzette, Luxembourg.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
©2022 Association for Computing Machinery.
Manuscript submitted to ACM
arXiv:2210.10997v1 [cs.CR] 20 Oct 2022
1 INTRODUCTION
Android is the most widely adopted mobile operating system in terms of users, applications and developers [9]. However, its popularity means that legitimate developers must co-exist with malware writers. Reports on many different kinds of attacks are presented in the technology and lay media. For example, security researchers have reported a malicious "clicker trojan"¹ which has been bundled into 34 different Google Play apps that have already been installed more than 100 million times². On a larger scale, antivirus engines have been flagging a large number of apps as potential threats. For example, as of October 2020, the popular AndroZoo dataset [8] has recorded more than 226,000 Android Google Play apps that have been flagged as adware/malware by at least 5 antivirus products, and this number is still growing. Such adware/malware often does not work alone but collaborates with many third parties over the internet. Some representative malicious behaviors include leading users to malicious websites through devious advertisements [22, 23, 46, 71], distributing malicious apps in the mobile network through drive-by downloads [19], and leaking users' sensitive data to web servers through HTTP connections [28, 37, 47, 65].
To protect Android users against the rapid spread of malware, the research and practice communities have implemented a variety of measures and proposed several approaches to detect malware [11, 43, 52, 66, 72, 74]. These include static code analysis-based approaches [39, 41], dynamic testing-based approaches [34], and learning-based approaches [49]. Unfortunately, the emergence of many different malware detection techniques has also stimulated malware authors to become more innovative in hiding malicious behaviour, in order to bypass static code analysis (e.g., via obfuscation) and even dynamic detection (e.g., by sensing sandbox execution). In practice, sophisticated code obfuscation techniques [53] are leveraged by attackers to hide their malicious program behavior, leading to false negatives in most static analyses and thus to imprecise and unsound results. Camouflage techniques are frequently leveraged by attackers to evade dynamic testing approaches [25, 62]. Attackers often introduce a so-called logic bomb or time bomb that sets off malicious functions only after certain conditions are met. For instance, after learning that Google applies a dynamic analysis tool called Bouncer to scan every app submitted to Google Play for five minutes, as revealed by Oberheide et al. [55], a number of malicious apps were created and demonstrated to be capable of penetrating Google's Bouncer vetting system by simply waiting five minutes before triggering their malicious behavior.
To cope with such hidden malicious behaviors, researchers have devised new detection approaches. For example, Fratantonio et al. [27] have proposed an approach called TriggerScope to detect hidden behaviors triggered by predefined circumstances such as events related to location, time, and SMS. However, TriggerScope is not capable of detecting malicious activities hidden behind other trigger types, such as the existence of other services (i.e., other than location, time and SMS). In line with this research, Pan et al. [57] have proposed a machine learning-based approach aiming to discover unknown trigger types. Their approach, however, requires a manually labeled dataset for training, which is known to be resource-intensive and error-prone.
Static analyzers suffer less than dynamic approaches from evasion techniques such as logic bombs or time bombs. In particular, regarding sensitive flow detection (also called privacy leak detection), numerous static analysis tools have been proposed, such as FlowDroid [12] (and its extension IccTA [38]), Amandroid [70], or DroidSafe [30]. Although these tools are able to track sensitive flows (which are often hidden) by bringing key new contributions to the research community, they still face some well-known limitations [60]: their inherent over-approximations inevitably lead to false alarms, which, for some analyzers, occur at a high rate, making them impractical. Consequently, when building on static analysis, manual investigation is often required. Unfortunately, such efforts cannot scale. Dynamic validation then appears as an alternative. Unfortunately, runtime execution often misses hidden sensitive flows due to the evasion techniques implemented by attackers. While some effort (e.g., [27, 57]) has been put into characterizing Hidden Sensitive Operations (HSOs) in Android apps, our community has not yet proposed dedicated approaches to detect and explain such operations, allowing attackers to achieve malicious behaviors while bypassing certain security vetting mechanisms.
¹ Such as the Android.Click.312.origin trojan and its modified variant Android.Click.313.origin. These aim to generate fraudulent click-through and subscription revenues.
² https://www.forbes.com/sites/zakdoffman/2019/08/13/android-warning-100m-users-have-installed-dangerous-new-malware-from-google-play/#1956f51c22a9
We fill this research gap in this work by proposing a new prototype tool, HiSenDroid, which deploys an automated static app analyzer tailored for detecting hidden sensitive operations. HiSenDroid performs a sequence of static analyses, including call graph analysis, forward data-flow analysis, inter-procedural backward data-flow analysis, etc. For exposed HSOs, HiSenDroid further goes one step deeper and records detailed information explaining why these HSOs should be flagged as such.
To summarize, the key contributions of our work include:
• We propose a static analysis approach to discover hidden sensitive operations in Android apps that are not exposed to state-of-the-art static and dynamic analysis tools. To this end, we leverage control-flow and data-flow analyses to identify the unique code-level characteristics of hidden sensitive operations.
• We designed and implemented a prototype tool, HiSenDroid, for analyzing hidden sensitive operations. We release HiSenDroid as an open source project [5] to support security analysts in their analysis needs and to foster further research in this direction.
• We evaluated HiSenDroid on a large-scale dataset that contains 10,000 benign and 10,000 malware samples, and discovered emerging anti-analysis techniques employed by malware samples, such as fulfilling certain restrictions related to time, location, SMS messages, system properties, the package manager, and other logic.
• With the help of FlowDroid [12], a static taint analyzer, we further experimentally show that HSOs have been recurrently leveraged by attackers to leak sensitive user information.
The rest of the paper is organized as follows: Section 2 defines HSOs and presents the motivation of our research, i.e., why there is a strong need to demystify HSOs. Section 3 depicts the design and implementation of the proposed approach. Section 4 and Section 5 respectively describe the characteristics of common and suspicious HSOs detected by our approach on a large-scale dataset. Section 6 presents a practical implication of our approach by characterizing sensitive data leaks triggered by HSOs. Section 7 discusses the limitations of the tool. Section 8 reviews related work, and finally Section 9 concludes this paper.
2 HSO DEFINITION AND MOTIVATION
We conducted an exploratory study to understand the characteristics of Hidden Sensitive Operations (HSOs) in Android apps. We first dumped operations from a set of real-world Android malware. Then, we manually examined those operations to observe the characteristics of operations that could be considered hidden-triggered operations. Based on this manual summarization, we found that (1) the if statement and the notion of branch are key to the definition of an HSO; and (2) the if condition contains a specific operation that triggers the hidden sensitive flows, and this trigger condition is related to an Android API.
Let B denote one of the two branches of an if-then-else statement, or the branch of an if statement whose else branch is considered empty.
Definition 1 [Hidden Sensitive Branch (HSB)]: B is an HSB if it fulfills the following rules:
(1) B contains sensitive Android APIs, and these APIs are different from those contained in the other branch of the if-then-else statement. The rationale behind this condition is that a hidden branch is supposed to achieve some sensitive behaviors that are different from those of the "normal" branch (i.e., the non-HSB), which per se might also access sensitive APIs as part of the app's expected behaviors.
(2) B does not involve any of the variables appearing in the condition expression of the if-then-else statement. The rationale behind this is that the branch is triggered by conditions that are also different from its (sensitive) behaviors.
Less formally, an HSB could be defined as an "if branch" which accesses sensitive APIs and which is fully "independent" of the if condition and of the other branch of the if statement.
Let C denote the condition of an if statement.
Definition 2 [Hidden Sensitive Operation (HSO)]: An HSO is an HSB that is triggered by a condition C containing values obtained via (or directly impacted by) Android system APIs or system properties (i.e., attributes of system classes). Such values may differ when the app is executed under different circumstances, which is what allows the hidden sensitive operation to be triggered selectively.
Listing 1 shows a simplified code snippet illustrating these definitions in practice. Note that Listing 1 presents the typical characteristics of an HSO found in many real-world apps that we have manually analyzed. At line 7, the app first checks whether it is running on one of the popular Android emulators (i.e., Genymotion, BlueStacks, and BigNox). If not, the app reads the device information and sends it to a hard-coded phone number through an SMS. Otherwise, if an emulator environment is detected, it only performs some harmless string operations (elided). In this example, three pieces of private data, namely the device's IMEI, IMSI, and phone number, are retrieved in lines 9-11 and sent to a hard-coded phone number via SMS (line 15). All three leaks are hidden behind the trigger condition !ed.checkPackageName() (line 7). The trigger condition checks the return value of the self-defined method checkPackageName() (line 28), which is determined by several other if-conditions defined in that method (lines 29, 35, 37). Finally, the trigger condition of the HSO is traced back to the system API PackageManager.queryIntentActivities() (line 36) (cf. Definition 2). This trigger condition examines whether popular Android emulator packages (lines 24-26) are available on the device, i.e., whether the app is running on one of these emulators. If the running environment is not one of the hard-coded emulators, the HSO is performed. Otherwise, benign string operations are executed (line 17) (cf. Definition 1).
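To make Definitions 1 and 2 concrete, the following is an added example written for this page; it is not HiSenDroid's code and not from the paper. It models Listing 1 in a toy intermediate representation and applies the two HSB rules to each branch of every if statement, then backward-slices the if-condition inter-procedurally (through the return value of checkPackageName()) to find the system APIs the condition depends on, which is the role of the Trigger Condition Inference step in Section 3 and of the permission-mapped sensitive-API check in Section 3.1. The IR, the variable names, the four-entry PScout-style permission mapping, and the rule that any callee under android.* counts as a system API are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:
    callee: str            # fully qualified method name
    args: tuple = ()       # variables passed as arguments

@dataclass(frozen=True)
class Stmt:
    target: str | None         # variable defined here (None for a void call)
    call: Call | None = None   # None: value comes from a constant, no API involved

@dataclass(frozen=True)
class If:
    cond_vars: frozenset       # variables read by the condition expression
    then: tuple = ()
    els: tuple = ()

@dataclass(frozen=True)
class Method:
    body: tuple
    returns: frozenset = frozenset()   # variables returned to the caller

# Constructed subset of an API -> permission mapping (PScout style); an assumption of this example.
PERMISSION_MAP = {
    "android.telephony.TelephonyManager.getDeviceId": "READ_PHONE_STATE",
    "android.telephony.TelephonyManager.getSubscriberId": "READ_PHONE_STATE",
    "android.telephony.SmsManager.sendDataMessage": "SEND_SMS",
}
SYSTEM_PREFIX = "android."   # assumption: any callee under android.* counts as a system API

def sensitive_apis(branch):
    """Permission-protected APIs called in a branch (the check of Section 3.1)."""
    return {s.call.callee for s in branch if s.call and s.call.callee in PERMISSION_MAP}

def branch_vars(branch):
    """Every variable a branch defines or passes to a call."""
    return {s.target for s in branch if s.target} | {a for s in branch if s.call for a in s.call.args}

def is_hsb(branch, other, cond_vars):
    """Definition 1: calls a sensitive API the other branch does not, and shares no variable with the condition."""
    mine, theirs = sensitive_apis(branch), sensitive_apis(other)
    return bool(mine - theirs) and not (branch_vars(branch) & cond_vars)

def defs_in(method):
    """variable -> defining statement, descending into nested branches."""
    d, work = {}, list(method.body)
    while work:
        s = work.pop()
        if isinstance(s, If):
            work.extend(s.then + s.els)
        elif s.target:
            d[s.target] = s
    return d

def trigger_apis(program, mname, variables, seen=None):
    """Inter-procedural backward slice from `variables`: the system APIs whose results reach them."""
    seen = set() if seen is None else seen
    found, defs, work = set(), defs_in(program[mname]), list(variables)
    while work:
        v = work.pop()
        if (mname, v) in seen:
            continue
        seen.add((mname, v))
        s = defs.get(v)
        if s is None or s.call is None:
            continue                     # parameter or constant: nothing to follow
        if s.call.callee.startswith(SYSTEM_PREFIX):
            found.add(s.call.callee)
        elif s.call.callee in program:   # app-defined callee: follow its return values
            found |= trigger_apis(program, s.call.callee, program[s.call.callee].returns, seen)
        work.extend(s.call.args)         # data dependencies through the call's arguments
    return found

def find_hsos(program):
    """HSBs (Definition 1) whose condition depends on a system API (Definition 2), with the evidence."""
    out = []
    for mname, m in program.items():
        for st in (x for x in m.body if isinstance(x, If)):
            for name, b, other in (("then", st.then, st.els), ("else", st.els, st.then)):
                if is_hsb(b, other, st.cond_vars) and (trig := trigger_apis(program, mname, st.cond_vars)):
                    out.append({"method": mname, "branch": name,
                                "sensitive_apis": sorted(sensitive_apis(b)), "trigger_apis": sorted(trig)})
    return out

# Toy IR of Listing 1 (constructed; variable names are assumptions).
LISTING1 = {
    "MainActivity.onCreate": Method(body=(
        Stmt("sms", Call("android.telephony.SmsManager.getDefault")),
        Stmt("hit", Call("ED.checkPackageName", ("ed",))),   # value tested by if (!ed.checkPackageName())
        If(cond_vars=frozenset({"hit"}),
           then=(Stmt("imei", Call("android.telephony.TelephonyManager.getDeviceId", ("tm",))),
                 Stmt("sub", Call("android.telephony.TelephonyManager.getSubscriberId", ("tm",))),
                 Stmt(None, Call("android.telephony.SmsManager.sendDataMessage", ("sms", "imei", "sub")))),
           els=(Stmt("s", Call("java.lang.String.trim", ("label",))),)),   # benign string operation
    )),
    "ED.checkPackageName": Method(body=(
        Stmt("intent", Call("android.content.pm.PackageManager.getLaunchIntentForPackage", ("pm", "pkg"))),
        Stmt("infos", Call("android.content.pm.PackageManager.queryIntentActivities", ("pm", "intent"))),
        Stmt("hit", Call("java.util.List.isEmpty", ("infos",))),
    ), returns=frozenset({"hit"})),
}

# Constructed counter-example: an HSB whose condition comes from a constant, hence not an HSO.
NOT_HSO = {"Foo.bar": Method(body=(
    Stmt("count"),
    If(cond_vars=frozenset({"count"}),
       then=(Stmt("id", Call("android.telephony.TelephonyManager.getDeviceId", ("tm",))),)),
))}

if __name__ == "__main__":
    print(find_hsos(LISTING1))   # one HSO: the then-branch, triggered via queryIntentActivities
    print(find_hsos(NOT_HSO))    # []
```

Running it reports exactly one HSO for the Listing 1 model: the then-branch, with the three permission-protected calls as its sensitive APIs and getLaunchIntentForPackage/queryIntentActivities as the system APIs behind the condition. The Foo.bar counter-example shows the distinction Definition 2 draws: its then-branch is an HSB (it calls getDeviceId and shares no variable with the condition), but the condition derives from a local constant, so no trigger API is found and nothing is reported. Rule 1 of Definition 1 is implemented as "the branch calls at least one sensitive API that the other branch does not", one reading of the paper's "different from"; a stricter inequality of the two sets would report more branches.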
3 OUR APPROACH
To better help security analysts understand Hidden Sensitive Operations (HSO) placed in Android apps, we designed and
implemented a prototype tool, named HiSenDroid, to automatically locate such operations in Android apps. HiSenDroid
takes as input an Android app and outputs a set of hidden sensitive operations. Fig. 1illustrates the working process of
HiSenDroid. It achieves the aforementioned goal through three main modules, namely: (1) Hidden Sensitive Branch
Location; (2) Trigger Condition Inference; (3) Suspicious HSO Detection and Explanation. We now respectively detail
these three modules.
1  public class MainActivity extends AppCompatActivity {
2      protected void onCreate(Bundle savedInstanceState) {
3          SmsManager smsManager = SmsManager.getDefault();
4          ED ed = new ED(this);
5          StringBuilder message = new StringBuilder();
6
7          if (!ed.checkPackageName()) {   // no known emulator package found: run the hidden branch
8              TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
9              String imei = tm.getDeviceId();
10             String phoneNumber = tm.getLine1Number();
11             String subscriberId = tm.getSubscriberId();
12             message.append(imei);
13             message.append(phoneNumber);
14             message.append(subscriberId);
15             smsManager.sendDataMessage("+115800763861", null, (short) 1001, message.toString().getBytes(), null, null);
16         } else {
17             // benign string operations
18         }}
19 }
20
21 public class ED {   // fields mContext, isCheckPackage and mListPackageName are declared in the app's class (omitted here)
22     public ED(Context pContext) {
23         mContext = pContext;
24         mListPackageName.add("com.google.android...genymotion");
25         mListPackageName.add("com.bluestacks");
26         mListPackageName.add("com.bignox.app");
27     }
28     public boolean checkPackageName() {
29         if (!isCheckPackage || mListPackageName.isEmpty()) {
30             return false;
31         }
32         final PackageManager packageManager = mContext.getPackageManager();
33         for (final String pkgName : mListPackageName) {
34             final Intent tryIntent = packageManager.getLaunchIntentForPackage(pkgName);
35             if (tryIntent != null) {
36                 final List<ResolveInfo> resolveInfos = packageManager.queryIntentActivities(tryIntent, PackageManager.MATCH_DEFAULT_ONLY);
37                 if (!resolveInfos.isEmpty()) {
38                     return true;   // an emulator package is installed and launchable
39                 }
40             }
41         }
42         return false;
43     }
Listing 1. An example of a real-world hidden sensitive data flow.
[Fig. 1: Android app (APK) → HS Branch Location → Trigger Condition Inference → Suspicious HSO Detection & Explanation → Suspicious Hidden Sensitive Operation; a List of Common HSOs is also shown as an intermediate artifact.]
Fig. 1. The working process of HiSenDroid.
3.1 Hidden Sensitive Branch Location
The rst module of HiSenDroid is responsible for locating hidden sensitive branches (HSBs) in Android apps (i.e.,
fullling the rules in Denition 1). Towards locating HSBs, this module rst statically goes through all the methods
that appeared in the DEX le of the input APK. For each method, this module then constructs an intra-procedural
control-ow graph (CFG) and traverses the graph to locate if-then-else statements. Once an if-then-else statement is
located, it further extracts the sensitive APIs accessed by the two branches (hereinafter referred to as if-branch and
else-branch). Sensitive APIs are such methods that are protected by Android permissions, which are classied following
the latest Android API-permission mappings PSCout [
13
], Axplorer [
14
], Arcade [
7
], and NatiDroid [
36
]. Any of the