
Empirical Analysis on the Use of Dynamic Code Updates in Android and Its Security Implications

  • Conference paper
  • Secure IT Systems (NordSec 2016)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10014)


Abstract

Dynamic code update techniques, such as reflection and dynamic class loading (DCL), enable an application (app) to change its behavior at runtime. These techniques are heavily used in Android apps for extensibility. However, malware developers misuse them to conceal malicious functionality, bypass static analysis tools, and expose the malicious functionality only when the app is installed and run on a user's device. Although the use of these techniques alone may not be sufficient to bypass analysis tools, it is the use of reflection/DCL APIs with obfuscated parameters that makes state-of-the-art static analysis tools for Android unable to infer the correct behavior of the app. To understand the current trends in real apps, it is important to study the sources of the parameters used in reflection/DCL APIs. In this paper, we describe how malicious apps bypass analysis tools using reflection/DCL with parameters provided by sources such as the network, files, and encrypted strings, which are hard to analyze statically. We further develop a tool to analyze a dataset of 3,645 real-world malware samples and 16,528 benign apps in order to investigate the sources of the parameters used in reflection/DCL APIs. The results of our analysis indicate the presence of such programming practices in both legitimate and malicious apps. However, malicious apps tend to obfuscate the parameters of reflection/DCL APIs more often. The use of crypto-related APIs as sources of the parameters of reflection/DCL APIs is significantly higher in malicious apps, which supports the conclusion that malicious apps try to thwart static analysis tools.
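The abstract describes classifying reflection/DCL call sites by where their parameters come from (constants, network, files, crypto APIs). The following is an added example, not the paper's tool: a backward def-use walk over a constructed, smali-like instruction list that labels each `Class.forName` / `DexClassLoader` call site with its parameter source; the instruction tuple format, the sink and source-pattern tables and the sample method are all assumptions made for this illustration.

```python
"""Added example (not the paper's tool): classify where the parameter of each
reflection/DCL call comes from, via a backward def-use walk over a constructed,
smali-like instruction list: (opcode, dest_reg, source_regs, operand)."""
import re
# Reflection/DCL sinks and the index of the argument that names the code.
SINKS = {"Ljava/lang/Class;->forName": 0,
         "Ldalvik/system/DexClassLoader;-><init>": 1}
# Parameter-source categories; a crypto-derived parameter is the evasion signal.
SOURCE_PATTERNS = [("crypto", r"^Ljavax/crypto/|^Ljava/security/"),
                   ("network", r"^Ljava/net/|^Lorg/apache/http/"),
                   ("file", r"^Ljava/io/|^Landroid/content/res/AssetManager")]

def classify_source(instrs, idx, reg):
    """Walk back from instrs[idx] to the instruction that last wrote `reg`."""
    for i in range(idx - 1, -1, -1):
        op, dest, srcs, operand = instrs[i]
        if op == "invoke-direct" and "<init>" in operand and srcs[:1] == [reg]:
            # Constructor call: the object is built from its remaining argument.
            return classify_source(instrs, i, srcs[1])
        if dest != reg:
            continue
        if op == "const-string":
            return "constant"
        if op == "move-result-object":        # value of the preceding invoke
            callee = instrs[i - 1][3]
            return next((n for n, p in SOURCE_PATTERNS if re.search(p, callee)),
                        "other-call")
        if op == "move-object":
            return classify_source(instrs, i, srcs[0])
        return "unknown"
    return "parameter-or-field"

def classify_sinks(instrs):
    """Return [(sink, source_category)] for every reflection/DCL call site."""
    out = []
    for idx, (op, _d, srcs, operand) in enumerate(instrs):
        sink = next((s for s in SINKS if operand.startswith(s)), None)
        if op.startswith("invoke") and sink is not None:
            out.append((sink, classify_source(instrs, idx, srcs[SINKS[sink]])))
    return out

# Constructed sample method: a plaintext class name, then one decrypted at runtime.
SAMPLE = [
    ("const-string", "v0", [], "com.example.Plugin"),
    ("invoke-static", None, ["v0"], "Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;"),
    ("invoke-virtual", None, ["v2", "v3"], "Ljavax/crypto/Cipher;->doFinal([B)[B"),
    ("move-result-object", "v4", [], ""),
    ("new-instance", "v5", [], "Ljava/lang/String;"),
    ("invoke-direct", None, ["v5", "v4"], "Ljava/lang/String;-><init>([B)V"),
    ("invoke-static", None, ["v5"], "Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;"),
]
```

Running `classify_sinks(SAMPLE)` labels the first `forName` as `constant` and the second as `crypto`, which is the pattern the abstract reports as far more common in malware.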



Corresponding author

Correspondence to Maqsood Ahmad .


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Ahmad, M., Crispo, B., Gebremichael, T. (2016). Empirical Analysis on the Use of Dynamic Code Updates in Android and Its Security Implications. In: Brumley, B., Röning, J. (eds) Secure IT Systems. NordSec 2016. Lecture Notes in Computer Science, vol 10014. Springer, Cham. https://doi.org/10.1007/978-3-319-47560-8_8

  • DOI: https://doi.org/10.1007/978-3-319-47560-8_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47559-2

  • Online ISBN: 978-3-319-47560-8

  • eBook Packages: Computer Science (R0)