Stegomalware: Playing Hide and Seek with Malicious Components in Smartphone Apps

Part of the Lecture Notes in Computer Science book series (LNSC, volume 8957)

Abstract

We discuss a class of smartphone malware that uses steganographic techniques to hide malicious executable components within their assets, such as documents, databases, or multimedia files. In contrast with existing obfuscation techniques, many existing information hiding algorithms are demonstrably secure, which would make such stegomalware virtually undetectable by static analysis techniques. We introduce various types of stegomalware attending to the location of the hidden payload and the components required to extract it. We demonstrate its feasibility with a prototype implementation of a stegomalware app that has remained undetected in Google Play so far. We also address the question of whether steganographic capabilities are already being used for malicious purposes. To do this, we introduce a detection system for stegomalware and use it to analyze around 55 K apps retrieved from both malware sources and alternative app markets. Our preliminary results are not conclusive, but reveal that many apps do incorporate steganographic code and that there is a substantial amount of hidden content embedded in app assets.

Keywords

  • Smartphone security
  • Malware
  • Steganography
  • Obfuscation

Chapter
  • DOI: 10.1007/978-3-319-16745-9_27
  • Chapter length: 20 pages

Notes

  1. This definition can be naturally extended to public-key stegosystems [3].

  2. https://code.google.com/p/f5-steganography.

  3. https://play.google.com/store/apps/details?id=es.uc3m.cosec.likeimage.

  4. http://www.aptoide.com/.

  5. http://www.virusshare.com/.

  6. http://commons.apache.org/proper/commons-imaging/.

References

  1. Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., Rieck, K.: Drebin: effective and explainable detection of android malware in your pocket. In: Proceedings of Network and Distributed System Security Symposium (NDSS), February 2014

  2. Bastien, F.: Sss - simple steganalysis suite (Visited 2014). https://code.google.com/p/simple-steganalysis-suite/

  3. Cachin, C.: Digital steganography. In: van Tilborg, H.C.A. (ed.) Encyclopedia of Cryptography and Security, pp. 159–164. Springer, US (2005)

  4. Cheddad, A., Condell, J., Curran, K., Mc Kevitt, P.: Digital image steganography: survey and analysis of current methods. Signal Process. 90(3), 727–752 (2010)

  5. Desnos, A., et al.: Androguard: Reverse engineering, malware and goodware analysis of android applications (Visited December 2013), https://code.google.com/p/androguard

  6. Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comp. Surv. 44(2), 1–42 (2012)

  7. Farid, H., Siwei, L.: Detecting hidden messages using higher-order statistics and support vector machines. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 340–354. Springer, Heidelberg (2002)

  8. Forczmanski, P., Wegrzyn, M.: Open virtual steganographic laboratory. In: International Conference on Advanced Computer Systems (ACS-AISBIS) (2009). http://vsl.sourceforge.net/

  9. Fridrich, J.: Feature-based steganalysis for JPEG images and its implications for future design of steganographic schemes. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 67–81. Springer, Heidelberg (2004)

  10. Fridrich, J., Goljan, M., Hogea, D.: New methodology for breaking steganographic techniques for JPEGs. In: International Society for Optics and Photonics Electronic Imaging 2003, pp. 143–155 (2003)

  11. Gao, J., Bai, X., Tsai, W.T., Uehara, T.: Mobile application testing: a tutorial. Computer 47(2), 46–55 (2014)

  12. Huang, H., Zhu, S., Liu, P., Wu, D.: A framework for evaluating mobile app repackaging detection algorithms. In: Huth, M., Asokan, N., Čapkun, S., Flechais, I., Coles-Kemp, L. (eds.) TRUST 2013. LNCS, vol. 7904, pp. 169–186. Springer, Heidelberg (2013)

  13. Johnson, N.F., Jajodia, S.: Exploring steganography: seeing the unseen. Computer 31(2), 26–34 (1998)

  14. Khalind, O.S., Hernandez-Castro, J.C., Aziz, B.: A study on the false positive rate of Stegdetect. Digit. Invest. 9(3), 235–245 (2013)

  15. Oberheide, J., Miller, C.: Dissecting the android bouncer. In: SummerCon (2012)

  16. O’Kane, P., Sezer, S., McLaughlin, K.: Obfuscation: the hidden malware. IEEE Secur. Priv. 9(5), 41–47 (2011)

  17. Petitcolas, F.A., Anderson, R.J., Kuhn, M.G.: Information hiding-a survey. Proc. IEEE 87(7), 1062–1078 (1999)

  18. Pfitzmann, B.: Information hiding terminology. In: Anderson, R. (ed.) IH 1996. LNCS, vol. 1174, pp. 347–350. Springer, Heidelberg (1996)

  19. Provos, N., Honeyman, P.: Hide and seek: an introduction to steganography. IEEE Secur. Priv. 1(3), 32–44 (2003)

  20. Provos, N., Honeyman, P.: Detecting steganographic content on the internet. Technical report, Center for Information Technology Integration University of Michigan (2001)

  21. Rastogi, V., Chen, Y., Enck, W.: AppsPlayground: automatic security analysis of smartphone applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy CODASPY ’13, pp. 209–220. ACM, New York (2013)

  22. Rastogi, V., Chen, Y., Jiang, X.: Droidchameleon: evaluating android anti-malware against transformation attacks. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security ASIA CCS ’13, pp. 329–334. ACM, New York (2013)

  23. Shabtai, A., Tenenboim-Chekina, L., Mimran, D., Rokach, L., Shapira, B., Elovici, Y.: Mobile malware detection through analysis of deviations in application network behavior. Comput. Secur. 43, 1–18 (2014)

  24. Suarez-Tangil, G., Tapiador, J.E., Lombardi, F., Pietro, R.D.: Thwarting Obfuscated malware via differential fault analysis. IEEE Comput. 47(6), 24–31 (2014)

  25. Suarez-Tangil, G., Tapiador, J.E., Peris, P., Ribagorda, A.: Evolution, detection and analysis of malware for smart devices. IEEE Commun. Surv. Tutorials 16(2), 961–987 (2014)

  26. Suarez-Tangil, G., Tapiador, J.E., Peris-Lopez, P., Blasco, J.: Dendroid: a text mining approach to analyzing and classifying code structures in android malware families. Expert Syst. Appl. 41(1), 1104–1117 (2014)

  27. Upham, D.: Jsteg (1997). http://www.tiac.net/users/korejwa/jsteg.htm

  28. Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: a content anomaly detector resistant to mimicry attack. In: Advances in Intrusion Detection. pp. 226–248 (2006)

  29. Westfeld, A.: F5-A steganographic algorithm. In: Moskowitz, I.S. (ed.) IH 2001. LNCS, vol. 2137, p. 289. Springer, Heidelberg (2001)

  30. Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: IEEE Symposium on Security and Privacy. pp. 95–109 (2012)


Acknowledgements

We are very grateful to the anonymous reviewers for constructive feedback and insightful suggestions that helped to improve the quality of the original manuscript. This work was supported by the MINECO grant TIN2013-46469-R (SPINY: Security and Privacy in the Internet of You).

Author information

Corresponding author

Correspondence to Guillermo Suarez-Tangil.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Suarez-Tangil, G., Tapiador, J.E., Peris-Lopez, P. (2015). Stegomalware: Playing Hide and Seek with Malicious Components in Smartphone Apps. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science, vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_27

  • DOI: https://doi.org/10.1007/978-3-319-16745-9_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16744-2

  • Online ISBN: 978-3-319-16745-9

  • eBook Packages: Computer Science (R0)