Abstract
Software repackaging is a common approach for creating malware. Malware authors often use software repackaging to obfuscate code containing malicious payloads. This forces analysts to spend a large amount of time filtering out benign obfuscated methods in order to locate potentially malicious methods for further analysis. If an effective mechanism for filtering out benign obfuscated methods were available, the number of methods that analysts must consider could be reduced, allowing them to be more productive. In this paper, we present Semeo, an obfuscation-resilient approach for semantic equivalence analysis of Android apps. Semeo automatically and with high accuracy determines whether a repackaged and obfuscated version of a method is semantically equivalent to an original version thereof. Semeo further handles widely-used and complicated types of obfuscations, as well as the scenarios where multiple obfuscation types are applied in tandem. Our empirical evaluation corroborates that Semeo significantly outperforms the state-of-the-art, achieving 100% precision in identifying semantically equivalent methods across almost all apps under analysis. Semeo consistently provides over 80% recall when one or two types of obfuscation are used and 73% recall when five different types of obfuscation are compositely applied.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
In general, the problem of determining the semantic equivalence of two programs is undecidable [18], so our approach is necessarily a heuristic.
- 2.
Available from https://github.com/techexpertize/SignApk.
References
Ponomarenko, A.: A tool for checking backward API/ABI compatibility of a Java library (2013). https://github.com/lvc/japi-compliance-checker
Android. Dalvik bytecode (2015). https://source.android.com/devices/tech/dalvik/dalvik-bytecode.html
Fenton, C.: A pattern based Dalvik deobfuscator which uses limited execution to improve semantic analysis (2015). https://github.com/CalebFenton/dex-oracle
Fenton, C.: Generic Android Deobfuscator (2015). https://github.com/CalebFenton/simplify
Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceedings of the 12th Conference on USENIX Security Symposium - Volume 12, SSYM’03, Washington, DC, pp. 12 (2003)
Collberg, C., Myles, G., Huntwork, A.: Sandmark-a tool for software protection research. IEEE Secur. Priv. 1(4), 40–49 (2003)
Collberg, C., Nagra, J.: Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection, 1st edn. Addison-Wesley Professional, Boston (2009)
Contagio Mini Dump: Pokemon GO with Droidjack - Android sample (2016). http://contagiominidump.blogspot.com
Crussell, J., Gibler, C., Chen, H.: Attack of the clones: detecting cloned applications on android markets. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 37–54. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33167-1_3
Crussell, J., Gibler, C., Chen, H.: AnDarwin: scalable detection of semantically similar android applications. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 182–199. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40203-6_11
Goodin, D.: Fake Pokémon Go app on Google Play infects phones with screenlocker (2016). http://arstechnica.com/security/2016/07/fake-pokemon-go-app-on-google-play-infects-phones-with-screenlocker/
DARPA: Automated Program Analysis for Cybersecurity (APAC) (2012). http://www.darpa.mil/program/automated-program-analysis-for-cybersecurity
Desnos, A.: AndroGuard, May 2013. http://androguard.blogspot.com/
Duan, Y., et al.: Things you may not know about android (un) packers: a systematic study based on whole-system emulation. In: 25th Annual Network and Distributed System Security Symposium, NDSS, San Diego, CA, pp. 18–21 (2018)
Feng, Y., Anand, S., Dillig, I., Aiken, A.: Apposcopy: semantics-based detection of android malware through static analysis. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, FSE 2014, pp. 576–587. ACM, New York (2014)
Guan, Q., Huang, H., Luo, W., Zhu, S.: Semantics-based repackaging detection for mobile apps. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 89–105. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30806-7_6
I. IDC Research: Smartphone OS Market Share, 2015 Q2. IDC Research Report (2015)
Jones, N.D.: Computability and Complexity: From a Programming Perspective. MIT Press, Cambridge (1997)
Sullivan, J.: Pokémon Go bundles with malicious remote administration tool DroidJack (2016). http://blog.trustlook.com/2016/09/02/pokemon-go-bundles-with-malicious-remote-administration-tool-droidjack/
Cannell, J.: Obfuscation: malware’s best friend (2013). https://blog.malwarebytes.com/threat-analysis/2013/03/obfuscation-malwares-best-friend/
Junaid, M., Liu, D., Kung, D.C.: Dexteroid: detecting malicious behaviors in android apps using reverse-engineered life cycle models. CoRR arXiv:1506.05217 (2015)
Komondoor, R., Horwitz, S.: Semantics-preserving procedure extraction. In: Proceedings of the ACM Symposium on Principles of Programming Languages, pp. 155–169 (2000)
Konstantinou, E.: Metamorphic virus: analysis and detection. Technical Report RHUL-MA-2008-02, Royal Holloway, University of London, January 2008
Kruegel, C., Robertson, W., Vigna, G.: Detecting kernel-level rootkits through binary analysis. In: Proceedings of the 20th Annual Computer Security Applications Conference, ACSAC’04, Tucson, AZ, USA, pp. 91–100 (2004)
Li, Z., Sun, J., Yan, Q., Srisa-an, W., Tsutano, Y.: Obfusifier: obfuscation-resistant android malware detection system. In: Chen, S., Choo, K.-K.R., Fu, X., Lou, W., Mohaisen, A. (eds.) SecureComm 2019. LNICST, vol. 304, pp. 214–234. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-37228-6_11
Linux Foundation: JavaAPI Compliance Checker (2015). http://ispras.linuxbase.org/index.php/Java_API_Compliance_Checker
Mr.Trojans. ALAN - Android Malware Evaluating Tools Released (2015). http://seclist.us/alan-android-malware-evaluating-tools-released.html
Myles, G., Collberg, C.: K-gram based software birthmarks. In: Proceedings of the 2005 ACM Symposium on Applied Computing, SAC’05, Santa Fe, New Mexico, pp. 314–318 (2005)
National Cyber Security Center (UK): Code Obfuscation (2014). https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/Code-obfuscation.pdf
Partush, N., Yahav, E.: Abstract semantic differencing via speculative correlation. In: SIGPLAN Not., vol. 49, no. 10, pp. 811–828 (2014)
Person, S., Dwyer, M.B., Elbaum, S., Pǎsǎreanu, C.S.: Differential symbolic execution. In: Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of Software Engineering, SIGSOFT’08/FSE-16, pp. 226–237. ACM, New York (2008)
Pomilia, M.: A study on obfuscation techniques for android malware. Technical Report, Sapienza University of Rome, March 2016. http://midlab.diag.uniroma1.it/articoli/matteo_pomilia_master_thesis.pdf
Preda, M.D., Maggi, F.: Testing android malware detectors against code obfuscation: a systematization of knowledge and unified methodology. J. Comput. Virol. Hacking Tech. 13(3), 209–232 (2016). https://doi.org/10.1007/s11416-016-0282-2
Proofpoint Staff: DroidJack Uses Side-Load...It’s Super Effective! Backdoored Pokemon GO Android App Found (2016). https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app
Rad, B.B., Masrom, M.: Metamorphic virus variants classification using opcode frequency histogram. In: Proceedings of the International Conference on Computers, pp. 147–155 (2010)
Ramos, D.A., Engler, D.R.: Practical, low-effort equivalence verification of real code. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 669–685. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_55
Rastogi, V., Chen, Y., Jiang, X.: DroidChameleon: evaluating android anti-malware against transformation attacks. In: Proceedings of the ACM Symposium on Information, Computer and Communications Security, pp. 329–334 (2013)
Siek, J.G., Lee, L.-Q., Lumsdaine, A.: The Boost Graph Library: User Guide and Reference Manual. Addison-Wesley Longman Publishing Co., Inc., Boston (2002)
Tsutano, Y., Bachala, S., Srisa-an, W., Rothermel, G., Dinh, J.: An efficient, robust, and scalable approach for analyzing interacting android apps. In: Proceedings of the International Conference on Software Engineering, Buenos Aires, Argentina, May 2017
Tsutano, Y., Bachala, S., Srisa-an, W., Rothermel, G., Dinh, J.: JITANA: a modern hybrid program analysis framework for android platforms. J. Comput. Lang. 52, 55–71 (2019)
Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)
Zhauniarovich, Y., Gadyatskaya, O., Crispo, B., La Spina, F., Moser, E.: FSquaDRA: fast detection of repackaged applications. In: Atluri, V., Pernul, G. (eds.) DBSec 2014. LNCS, vol. 8566, pp. 130–145. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43936-4_9
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Hu, Z., Silva, B.V.R.E., Bagheri, H., Srisa-an, W., Rothermel, G., Dinh, J. (2022). SEMEO: A Semantic Equivalence Analysis Framework for Obfuscated Android Applications. In: Hara, T., Yamaguchi, H. (eds) Mobile and Ubiquitous Systems: Computing, Networking and Services. MobiQuitous 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 419. Springer, Cham. https://doi.org/10.1007/978-3-030-94822-1_18
Download citation
DOI: https://doi.org/10.1007/978-3-030-94822-1_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-94821-4
Online ISBN: 978-3-030-94822-1
eBook Packages: Computer ScienceComputer Science (R0)