Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications

@inproceedings{Poeplau2014ExecuteTA,
  title={Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications},
  author={Sebastian Poeplau and Yanick Fratantonio and Antonio Bianchi and Christopher Kr{\"u}gel and Giovanni Vigna},
  booktitle={NDSS},
  year={2014}
}
The design of the Android system allows applications to load additional code from external sources at runtime. On the one hand, malware can use this capability to add malicious functionality after it has been inspected by an application store or anti-virus engine at installation time. On the other hand, developers of benign applications can inadvertently introduce vulnerabilities. In this paper, we systematically analyze the security implications of the ability to load additional code in… 
Empirical Analysis on the Use of Dynamic Code Updates in Android and Its Security Implications
TLDR
This paper describes how malicious apps bypass analysis tools by using reflection/DCL with parameters obtained from sources such as the network, files, or encrypted strings, which are hard to analyze statically.
StaDART: Addressing the problem of dynamic code updates in the security analysis of android applications
TLDR
StaDART is presented, combining static and dynamic analysis of Android apps to reveal the concealed behavior of malware, and is integrated with a triggering solution, DroidBot, to make it more scalable and fully automated.
ConDroid: Targeted Dynamic Analysis of Android Applications
TLDR
This work proposes a tool combining static call path analysis with byte code instrumentation and a heuristic partial symbolic execution, which can systematically locate potentially security-critical code sections and instrument applications such that execution of these sections can be observed in a dynamic analysis.
Analysis of dynamic code updating in Android with security perspective
TLDR
An extensive analysis was carried out on nearly 30,000 applications collected from three different Android markets and two malware datasets in order to monitor malicious activities in such applications, and new malicious applications using updating techniques were discovered in Google Play.
Design and Implementation of API Extraction Method for Android Malicious Code Analysis Using Xposed
TLDR
SDK code hooking module for Android malicious code analysis is designed using Xposed, and intent tracking for code flow, dynamic loading file information, and various API information extraction are implemented, which will contribute to the analysis of obfuscated information and behavior of Android Malware.
DroidNative: Semantic-Based Detection of Android Native Code Malware
TLDR
DroidNative is proposed, an Android malware detector that uses specific control flow patterns to reduce the effect of obfuscations, provides automation and platform independence, and as far as the authors know is the first system that operates at the Android native code level, allowing it to detect malware embedded in both native code and bytecode.
Divide-and-Conquer: Why Android Malware Cannot Be Stopped
TLDR
It is demonstrated that Android malware can bypass all automated analysis systems, including AV solutions, mobile sandboxes, and the Google Bouncer, and a tool is proposed called Sand-Finger for the fingerprinting of Android-based analysis systems that combines fingerprinting and dynamic code loading.
"Do You Want to Install an Update of This Application?" A Rigorous Analysis of Updated Android Applications
A. Aysan, Sevil Sen. 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing, 2015.
TLDR
This work is the first study which monitors updating behaviours of applications during their execution, and this analysis allows us to analyse suspicious applications deeply and to develop better security solutions.
DroidNative: Automating and optimizing detection of Android native code malware variants
TLDR
DroidNative is the first system that builds cross-platform (x86 and ARM) semantic-based signatures at the Android native code level, allowing the system to detect malware embedded in either bytecode or native code.
DyDroid: Measuring Dynamic Code Loading and Its Security Implications in Android Applications
TLDR
DyDroid is designed and implemented, a system which uses both dynamic and static analysis to analyze dynamically loaded code, and determines the distribution, pros/cons, and implications of several common obfuscation methods, including DEX encryption/loading.

References

CHEX: statically vetting Android apps for component hijacking vulnerabilities
TLDR
This paper proposes CHEX, a static analysis method to automatically vet Android apps for component hijacking vulnerabilities, and prototyped CHEX based on Dalysis, a generic static analysis framework that was built to support many types of analysis on Android app bytecode.
I-ARM-Droid : A Rewriting Framework for In-App Reference Monitors for Android Applications
Mobile applications are a major force behind the explosive growth of mobile devices. While they greatly extend the functionality of mobile devices, they also raise security and privacy concerns,
PScout: analyzing the Android permission specification
TLDR
An analysis of the permission system of the Android smartphone OS is performed and it is found that a trade-off exists between enabling least-privilege security with fine-grained permissions and maintaining stability of the permissions specification as the Android OS evolves.
On the effectiveness of API-level access control using bytecode rewriting in Android
TLDR
This work has identified a number of potential attacks targeted at incomplete implementations of bytecode rewriting on Android OS, which can be applied to bypass the access control imposed by the bytecode rewriter.
Why eve and mallory love android: an analysis of android SSL (in)security
TLDR
An analysis of 13,500 popular free apps downloaded from Google's Play Market revealed that 1,074 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks, and MalloDroid is introduced, a tool to detect potential vulnerability against MITM attacks.
Detecting Passive Content Leaks and Pollution in Android Applications
TLDR
The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities.
Security Enhanced (SE) Android: Bringing Flexible MAC to Android
TLDR
The work to bring flexible mandatory access control (MAC) to Android is motivated and described by enabling the effective use of Security Enhanced Linux (SELinux) for kernel-level MAC and by developing a set of middleware MAC extensions to the Android permissions model.
Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets
TLDR
A permission-based behavioral footprinting scheme to detect new samples of known Android malware families and a heuristics-based filtering scheme to identify certain inherent behaviors of unknown malicious families are proposed.
Dissecting Android Malware: Characterization and Evolution
TLDR
Systematizing and characterizing existing Android malware from various aspects, including installation methods, activation mechanisms, and the nature of the carried malicious payloads, reveals that it is evolving rapidly to circumvent detection by existing mobile anti-virus software.
An empirical study of cryptographic misuse in android applications
TLDR
This paper develops program analysis techniques to automatically check programs on the Google Play marketplace, and finds that applications do not use cryptographic APIs in a fashion that maximizes overall security.