Abstract
Dynamic code update techniques, such as reflection and dynamic class loading (DCL), enable an application (app) to change its behavior at runtime. These techniques are heavily used in Android apps for extensibility. However, malware developers misuse them to conceal malicious functionality, bypass static analysis tools and expose the malicious functionality only when the app is installed and run on a user's device. Although the use of these techniques alone may not be sufficient to bypass analysis tools, it is the use of reflection/DCL APIs with obfuscated parameters that makes state-of-the-art static analysis tools for Android unable to infer the correct behavior of the app. To understand the current trends in real apps, it is important to study the sources of the parameters used in reflection/DCL APIs. In this paper, we describe how malicious apps bypass analysis tools using reflection/DCL with parameters provided by sources that are hard to analyze statically, such as the network, files and encrypted strings. We further develop a tool to analyze a dataset of 3,645 real-world malware samples and 16,528 benign apps in order to investigate the sources of the parameters used in reflection/DCL APIs. The results of our analysis indicate the presence of such programming practices in both legitimate and malicious apps. However, malicious apps tend to obfuscate the parameters of reflection/DCL APIs more often. The use of crypto-related APIs as sources of the parameters of reflection/DCL APIs is significantly higher in malicious apps, which supports the claim that malicious apps try to thwart static analysis tools.
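The parameter-source analysis the abstract describes, reduced to a runnable illustration in Python. This is an added example and not the authors' tool: it performs a simplified intra-method backward slice over smali, starting from the register passed to a reflection or DCL sink (`Class.forName`, `DexClassLoader.<init>`) and classifying whatever last defined that register as a string literal, the result of a crypto, network or file API, a generic framework call, or an app-defined method (where a custom string decoder would hide). The smali listing, the `Lcom/example/...` classes and the paths in it are constructed for the example; `trace_source` follows plain register copies and `new String(byte[])` construction but not inter-procedural or field flows.

```python
import re
from collections import Counter

# Reflection/DCL sinks (smali method-reference prefixes) -> (short name, index in the invoke's
# register list of the parameter to trace; register 0 of an instance method is `this`).
SINKS = {
    "Ljava/lang/Class;->forName(": ("Class.forName", 0),
    "Ldalvik/system/DexClassLoader;-><init>(": ("DexClassLoader.<init>", 1),
}
# Framework APIs whose results a static tool cannot resolve when they feed a sink.
SOURCE_KINDS = [("Ljavax/crypto/", "crypto"), ("Ljava/net/", "network"), ("Ljava/io/", "file")]

INVOKE_RE = re.compile(r"^\s*invoke-[a-z]+(?:/range)?\s+\{([^}]*)\},\s*(\S+)")
CONST_STR_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+(\w+),\s*"')
MOVE_RESULT_RE = re.compile(r"^\s*move-result(?:-object|-wide)?\s+(\w+)")
MOVE_RE = re.compile(r"^\s*move(?:-object|-wide)?(?:/from16|/16)?\s+(\w+),\s*(\w+)")

def regs_of(spec):
    """Register list of an invoke: "v5, v4" -> ["v5", "v4"] (the range form is not expanded)."""
    return [r.strip() for r in spec.split(",") if r.strip()]

def kind_of(target):
    """Classify the call that produced a value by the class declaring it."""
    for prefix, kind in SOURCE_KINDS:
        if target.startswith(prefix):
            return kind
    if target.startswith(("Ljava/", "Landroid/", "Ldalvik/")):
        return "framework"
    return "app-defined"  # the app's own code, e.g. a home-grown string decoder

def preceding_invoke(lines, idx):
    """Method reference of the nearest invoke above line idx (the call a move-result consumes)."""
    for j in range(idx - 1, -1, -1):
        if m := INVOKE_RE.match(lines[j]):
            return m.group(2)
    return None

def trace_source(lines, start, reg):
    """Walk backwards from the sink at index `start` to whatever last defined `reg`."""
    for i in range(start - 1, -1, -1):
        line = lines[i]
        if (m := CONST_STR_RE.match(line)) and m.group(1) == reg:
            return "literal"
        if (m := MOVE_RESULT_RE.match(line)) and m.group(1) == reg:
            call = preceding_invoke(lines, i)
            return kind_of(call) if call else "unknown"
        if (m := MOVE_RE.match(line)) and m.group(1) == reg:
            reg = m.group(2)  # plain register copy: keep following the original value
        elif (m := INVOKE_RE.match(line)) and m.group(2).startswith("Ljava/lang/String;-><init>("):
            regs = regs_of(m.group(1))  # `new String(bytes)`: regs[0] is built from regs[1]
            if len(regs) > 1 and regs[0] == reg:
                reg = regs[1]
    return "unknown"

def find_sinks(smali):
    """(line number, sink, parameter source) for every reflection/DCL call in a smali listing."""
    lines, findings = smali.splitlines(), []
    for i, line in enumerate(lines):
        if not (m := INVOKE_RE.match(line)):
            continue
        regs, target = regs_of(m.group(1)), m.group(2)
        for prefix, (name, arg_index) in SINKS.items():
            if target.startswith(prefix) and len(regs) > arg_index:
                findings.append((i + 1, name, trace_source(lines, i, regs[arg_index])))
    return findings

def summarize(smali):
    """Sinks per parameter-source kind, the per-dataset statistic the paper reports."""
    return dict(Counter(src for _, _, src in find_sinks(smali)))

# Constructed smali for this example; the Lcom/example/... classes and paths are hypothetical.
SAMPLE_SMALI = """\
.method private loadPlugins(Ljava/lang/ClassLoader;)V
    .locals 6
    # 1. literal class name: statically resolvable
    const-string v0, "com.example.plugin.Loader"
    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    # 2. class name is the output of a Cipher: known only at run time
    iget-object v2, p0, Lcom/example/App;->cipher:Ljavax/crypto/Cipher;
    iget-object v3, p0, Lcom/example/App;->blob:[B
    invoke-virtual {v2, v3}, Ljavax/crypto/Cipher;->doFinal([B)[B
    move-result-object v4
    new-instance v5, Ljava/lang/String;
    invoke-direct {v5, v4}, Ljava/lang/String;-><init>([B)V
    invoke-static {v5}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    # 3. class name returned by the app's own helper (possibly a custom decoder)
    invoke-static {}, Lcom/example/Obf;->resolveName()Ljava/lang/String;
    move-result-object v0
    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    # 4. DCL whose dex path is read from a File object
    iget-object v2, p0, Lcom/example/App;->payload:Ljava/io/File;
    invoke-virtual {v2}, Ljava/io/File;->getAbsolutePath()Ljava/lang/String;
    move-result-object v3
    const-string v4, "/data/data/com.example/cache"
    const/4 v5, 0x0
    new-instance v1, Ldalvik/system/DexClassLoader;
    invoke-direct {v1, v3, v4, v5, p1}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    return-void
.end method
"""
```

Running `find_sinks(SAMPLE_SMALI)` reports the four sinks with sources `literal`, `crypto`, `app-defined` and `file`; only the first is resolvable by a purely static tool, which is the distinction the paper's measurement rests on. A real triage pass would run this over every method of a disassembled APK and aggregate with `summarize`, treating `crypto` and `app-defined` sources as the cases that deserve dynamic analysis.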
© 2016 Springer International Publishing AG
Cite this paper
Ahmad, M., Crispo, B., Gebremichael, T. (2016). Empirical Analysis on the Use of Dynamic Code Updates in Android and Its Security Implications. In: Brumley, B., Röning, J. (eds) Secure IT Systems. NordSec 2016. Lecture Notes in Computer Science(), vol 10014. Springer, Cham. https://doi.org/10.1007/978-3-319-47560-8_8
DOI: https://doi.org/10.1007/978-3-319-47560-8_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47559-2
Online ISBN: 978-3-319-47560-8
eBook Packages: Computer Science, Computer Science (R0)