research-article

Mystique: Evolving Android Malware for Auditing Anti-Malware Tools

Authors:

Chandramohan Mahinthan,

Annamalai Narayanan,

Tieming ChenAuthors Info & Claims

ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security

Pages 365 - 376

https://doi.org/10.1145/2897845.2897856

Published: 30 May 2016 Publication History

Abstract

In the arms race of attackers and defenders, the defense is usually more challenging than the attack due to the unpredicted vulnerabilities and newly emerging attacks every day. Currently, most of existing malware detection solutions are individually proposed to address certain types of attacks or certain evasion techniques. Thus, it is desired to conduct a systematic investigation and evaluation of anti-malware solutions and tools based on different attacks and evasion techniques. In this paper, we first propose a meta model for Android malware to capture the common attack features and evasion features in the malware. Based on this model, we develop a framework, MYSTIQUE, to automatically generate malware covering four attack features and two evasion features, by adopting the software product line engineering approach. With the help of MYSTIQUE, we conduct experiments to 1) understand Android malware and the associated attack features as well as evasion techniques; 2) evaluate and compare the 57 off-the-shelf anti-malware tools, 9 academic solutions and 4 App market vetting processes in terms of accuracy in detecting attack features and capability in addressing evasion. Last but not least, we provide a benchmark of Android malware with proper labeling of contained attack and evasion features.

References

[1]

Activity | Android Developer. http://developer.android.com/reference/android/app/Activity.html#ActivityLifecycle.

[2]

GetJar Developer Zone: Publishing. http://developer.getjar.mobi/.

[3]

Mystique | Evolving Android Malware for Auditing Anti-Malware Tools. https://sites.google.com/site/malwareevolution/.

[4]

SlideME | Android Apps Market: Download Free & Paid Android Applications. http://slideme.org/.

[5]

TorrApk - Alternative Android App Store for Free Applications. https://www.torrapk.com/en.

[6]

VirusShare. http://www.virusshare.com.

[7]

10 Years of Mobile Malware Whitepaper. http://www.fortinet.com/sites/default/files/whitepapers/10-Years-of-Mobile-Malware-Whitepaper.pdf, 2014.

[8]

VirusTotal - Free Online Virus, Malware and URL Scanner. https://www.virustotal.com, 2015.

[9]

Y. Aafer, W. Du, and H. Yin. DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android. In SecureComm, 2013.

[10]

K. Allix, T. F. Bissyandé, J. Klein, and Y. L. Traon. Machine Learning-Based Malware Detection for Android Applications: History Matters! Technical Report 978--2--87971--132--4, 2014.

[11]

M. Arapinis, L. Mancini, E. Ritter, M. Ryan, N. Golde, K. Redon, and R. Borgaonkar. New Privacy Issues in Mobile Telephony: Fix and Verification. In CCS, pages 205--216, 2012.

Digital Library

[12]

D. Arp, M. Spreitzenbarth, M. Hübner, H. Gascon, and K. Rieck. Drebin: Effective and Explainable Detection of Android Malware in Your Pocket. In NDSS, 2014.

[13]

S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel. FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps. In PLDI, pages 259--269, 2014.

Digital Library

[14]

V. Avdiienko, K. Kuznetsov, A. Gorla, and A. Zeller. Mining Apps for Abnormal Usage of Sensitive Data. In ICSE, 2015.

Digital Library

[15]

E. Aydogan and S. Sen. Automatic Generation of Mobile Malwares Using Genetic Programming. In Applications of Evolutionary Computation, volume 9028, 2015.

[16]

E. Barkan, E. Biham, and N. Keller. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. CRYPTO, 21(3):392--429, Mar. 2003.

Digital Library

[17]

I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani. Crowdroid: Behavior-based Malware Detection System for Android. In SPSM, pages 15--26, 2011.

Digital Library

[18]

A. Cani, M. Gaudesi, E. Sanchez, G. Squillero, and A. Tonda. Towards Automated Malware Creation: Code Generation and Code Integration. In SAC, pages 157--160, 2014.

Digital Library

[19]

K. Chen, P. Liu, and Y. Zhang. Achieving Accuracy and Scalability Simultaneously in Detecting Application Clones on Android Markets. In ICSE, pages 175--186, 2014.

Digital Library

[20]

K. Z. Chen, N. M. Johnson, V. D'Silva, S. Dai, K. MacNamara, T. R. Magrino, E. X. Wu, M. Rinard, and D. X. Song. Contextual Policy Enforcement in Android Applications with Permission Event Graphs. In NDSS, 2013.

[21]

Q. A. Chen, Z. Qian, and Z. M. Mao. Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks. In USENIX Security, pages 1037--1052, 2014.

Digital Library

[22]

Y. Choi, T. Kim, S. Choi, and C. Lee. Automatic Detection for JavaScript Obfuscation Attacks in Web Pages through String Pattern Analysis. In FGIT, pages 160--172, 2009.

Digital Library

[23]

M. Christodorescu and S. Jha. Testing Malware Detectors. In ISSTA, pages 34--44, 2004.

Digital Library

[24]

P. Clements and L. Northrop. Software Product Lines: Practices and Patterns. Addison-Wesley Professional, 3rd edition, Aug. 2001.

[25]

J. Crussell, C. Gibler, and H. Chen. Attack of the Clones: Detecting Cloned Applications on Android Markets. In ESORICS, volume 7459, pages 37--54. 2012.

[26]

K. Czarnecki and U. W. Eisenecker. Generative programming - methods, tools and applications. Addison-Wesley, 2000.

Digital Library

[27]

S. Dai, A. Tongaonkar, X. Wang, A. Nucci, and D. Song. Network Profiler: Towards Automatic Fingerprinting of Android Apps. In IEEE INFOCOM, pages 809--817, 2013.

[28]

W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones. In OSDI, pages 1--6, 2010.

Digital Library

[29]

W. Enck, M. Ongtang, and P. D. McDaniel. On Lightweight Mobile Phone Application Certification. In CCS, pages 235--245, 2009.

Digital Library

[30]

Essam Al Daoud and Iqbal H. Jebril and Belal Zaqaibeh. Computer Virus Strategies and Detection Methods. 1(2), 2008.

[31]

A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission Re-Delegation: Attacks and Defenses. In USENIX Security, 2011.

Digital Library

[32]

Y. Feng, S. Anand, I. Dillig, and A. Aiken. Apposcopy: Semantics-based Detection of Android Malware Through Static Analysis. In FSE, pages 576--587, 2014.

Digital Library

[33]

A. P. Fuchs, A. Chaudhuri, and J. S. Foster. Checking Interation-Based Declassification Policies for Android Using Symbolic Execution. Technical report, 2009.

[34]

J. Garcia, M. Hammad, B. Pedrood, A. Bagheri-Khaligh, and S. Malek. Obfuscation-Resilient, Efficient, and Accurate Detection and Family Identification of Android Malware. Technical Report GMU-CS-TR-2015--10, 2015.

[35]

H. Gascon, F. Yamaguchi, D. Arp, and K. Rieck. Structural Detection of Android Malware Using Embedded Call Graphs. In AISec, pages 45--54, 2013.

Digital Library

[36]

M. I. Gordon, D. Kim, J. H. Perkins, L. Gilham, N. Nguyen, and M. C. Rinard. Information Flow Analysis of Android Applications in DroidSafe. In NDSS, 2015.

[37]

H. Gunadi and A. Tiu. Efficient Runtime Monitoring with Metric Temporal Logic: A Case Study in the Android Operating System. CoRR, abs/1311.2362, 2013.

[38]

H. Huang, K. Chen, C. Ren, P. Liu, S. Zhu, and D. Wu. Towards Discovering and Understanding Unexpected Hazards in Tailoring Antivirus Software for Android. In AsiaCCS, pages 7--18, 2015.

Digital Library

[39]

H. Ishibuchi, N. Tsukamoto, and Y. Nojima. Evolutionary Many-Objective Optimization: A Short Review. In CEC, pages 2419--2426, 2008.

[40]

K. C. Kang, S. G. Cohen, J. A. Hess, W. E. Novak, and A. S. Peterson. Feature-Oriented Domain Analysis (FODA) Feasibility Study. Technical report, Nov 1990.

[41]

E. Kim. Creating Better User Experiences on Google Play. http://android-developers.blogspot.ro/2015/03/creating-better-user-experiences-on.html, 2015.

[42]

P. Kocher, J. Jaffe, and B. Jun. Differential Power Analysis. In CRYPTO, pages 388--397, Aug. 1999.

Digital Library

[43]

L. Li, A. Bartel, T. F. Bissyandé, J. Klein, Y. L. Traon, S. Arzt, S. Rasthofer, E. Bodden, D. Octeau, and P. McDaniel. IccTA: Detecting Inter-Component Privacy Leaks in Android Apps. In ICSE, 2015.

Digital Library

[44]

H. Lockheimer. Android and Security - Official Google Mobile Blog. http://googlemobile.blogspot.sg/2012/02/android-and-security.html, 2012.

[45]

F. Maggi, A. Valdi, and S. Zanero. AndroTotal: A Flexible, Scalable Toolbox and Service for Testing Mobile Malware Detectors. In SPSM, pages 49--54, 2013.

Digital Library

[46]

D. Maier, T. Müller, and M. Protsenko. Divide-and-Conquer: Why Android Malware cannot be stopped. In ARES.

Digital Library

[47]

K. Micinski, J. Fetter-Degges, J. Jeon, J. S. Foster, and M. R. Clarkson. Checking Interation-Based Declassification Policies for Android Using Symbolic Execution. Technical Report arXiv:1504.03711v2, 2015.

[48]

D. A. Mundie and D. M. McIntire. An Ontology for Malware Analysis. In ARES, pages 556--558, 2013.

Digital Library

[49]

D. Octeau, P. McDaniel, S. Jha, A. Bartel, E. Bodden, J. Klein, and Y. Le Traon. Effective Inter-Component Communication Mapping in Android with Epicc: An Essential Step Towards Holistic Security Analysis. In USENIX Security, pages 543--558, 2013.

Digital Library

[50]

N. Peiravian and X. Zhu. Machine Learning for Android Malware Detection Using Permission and API Calls. In ICTAI, pages 300--305, 2013.

Digital Library

[51]

T. Petsas, G. Voyatzis, E. Athanasopoulos, M. Polychronakis, and S. Ioannidis. Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. In EuroSec, pages 5:1--5:6, 2014.

Digital Library

[52]

Z. Qian, Z. M. Mao, and Y. Xie. Collaborative TCP Sequence Number Inference Attack: How to Crack Sequence Number Under a Second. In CCS, pages 593--604, 2012.

Digital Library

[53]

S. Rasthofer, S. Arzt, and E. Bodden. A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks. In NDSS, 2014.

[54]

V. Rastogi, Y. Chen, and X. Jiang. DroidChameleon: Evaluating Android Anti-malware Against Transformation Attacks. In AsiaCCS, pages 329--334, 2013.

Digital Library

[55]

V. Rastogi, Y. Chen, and X. Jiang. Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks. IEEE Transactions on Information Forensics and Security, 9(1):99--108, 2014.

Digital Library

[56]

J. Reed, A. J. Aviv, D. Wagner, A. Haeberlen, B. C. Pierce, and J. M. Smith. Differential Privacy for Collaborative Security. In EUROSEC, pages 1--7, 2010.

Digital Library

[57]

J. Sahs and L. Khan. A Machine Learning Approach to Android Malware Detection. In EISIC, pages 141--147, 2012.

Digital Library

[58]

A. S. Sayyad, T. Menzies, and H. Ammar. On the Value of User Preferences in Search-based Software Engineering: A Case Study in Software Product Lines. In ICSE, pages 492--501, 2013.

Digital Library

[59]

R. Schlegel, K. Zhang, X. yong Zhou, M. Intwala, A. Kapadia, and X. Wang. Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones. In NDSS, Feb. 2011.

[60]

R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia, and X. Wang. Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones. In NDSS, 2011.

[61]

A.-D. Schmidt, R. Bye, H.-G. Schmidt, J. Clausen, O. Kiraz, K. A. Yüksel, S. A. Camtepe, and S. Albayrak. Static Analysis of Executables for Collaborative Malware Detection on Android. In ICC, pages 631--635, 2009.

Digital Library

[62]

S. She, R. Lotufo, T. Berger, A. Wasowski, and K. Czarnecki. Reverse engineering feature models. In ICSE, pages 461--470, 2011.

Digital Library

[63]

D. J. J. T. SUFATRIO, T.-W. CHUA, and V. L. L. THING. Securing Android: A Survey, Taxonomy, and Challenges, May 2015.

[64]

T. H. Tan, Y. Xue, M. Chen, J. Sun, Y. Liu, and J. S. Dong. Optimizing selection of competing features via feedback-directed evolutionary algorithms. In ISSTA, pages 246--256, 2015.

Digital Library

[65]

W. Yang, X. Xiao, B. Andow, S. Li, T. Xie, and W. Enck. AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts. In ICSE, 2014.

Digital Library

[66]

Z. Yang, M. Yang, Y. Zhang, G. Gu, P. Ning, and X. S. Wang. AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection. In CCS, pages 1043--1054, 2013.

Digital Library

[67]

M. Zhang, Y. Duan, H. Yin, and Z. Zhao. Semantics-Aware Android Malware Classification Using Weighted Contextual API Dependency Graphs. In CCS, 2014.

Digital Library

[68]

M. Zheng, P. P. C. Lee, and J. C. S. Lui. ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-virus Systems. In DIMVA, pages 82--101, 2013.

Digital Library

[69]

W. Zhou, Y. Zhou, M. Grace, X. Jiang, and S. Zou. Fast, Scalable Detection of "Piggybacked" Mobile Applications. In Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy, pages 185--196, 2013.

Digital Library

[70]

Y. Zhou and X. Jiang. Dissecting Android Malware: Characterization and Evolution. In IEEE S&P, pages 95--109, 2012.

Digital Library

Cited By

Li YYuan DZhang TCai HLo DGao CLuo XJiang H(2024)Meta-Learning for Multi-Family Android Malware ClassificationACM Transactions on Software Engineering and Methodology10.1145/366480633:7(1-27)Online publication date: 26-Aug-2024
https://dl.acm.org/doi/10.1145/3664806
Ruggia ANisi DDambra SMerlo ABalzarotti DAonzo SQuek TGao DZhou JCardenas A(2024)Unmasking the Veiled: A Comprehensive Analysis of Android Evasive MalwareProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3637658(383-398)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3637658
Sun TAllix KKim KZhou XKim DLo DBissyandé TKlein J(2023)DexBERT: Effective, Task-Agnostic and Fine-Grained Representation Learning of Android BytecodeIEEE Transactions on Software Engineering10.1109/TSE.2023.331087449:10(4691-4706)Online publication date: 1-Oct-2023
https://doi.org/10.1109/TSE.2023.3310874
Show More Cited By

Index Terms

Mystique: Evolving Android Malware for Auditing Anti-Malware Tools
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
    1. Malware and its mitigation
  2. Systems security
    1. Operating systems security
      1. Mobile platform security
2. Software and its engineering
  1. Software creation and management
    1. Software development techniques
      1. Reusability
        Software product lines

Recommendations

Adapting novelty towards generating antigens for antivirus systems
GECCO '22: Proceedings of the Genetic and Evolutionary Computation Conference

It is well known that anti-malware scanners depend on malware signatures to identify malware. However, even minor modifications to malware code structure results in a change in the malware signature thus enabling the variant to evade detection by ...
FUMVar: a practical framework for generating Fully-working and Unseen Malware Variants
SAC '21: Proceedings of the 36th Annual ACM Symposium on Applied Computing

It is crucial to understand how malware variants are generated to bypass malware detection systems and understand their characteristics to improve the detectors' performances. To achieve this goal, we propose an evolutionary-based framework named FUMVar ...
An Evolutionary based Generative Adversarial Network Inspired Approach to Defeating Metamorphic Malware
GECCO '23 Companion: Proceedings of the Companion Conference on Genetic and Evolutionary Computation

Defeating dangerous families of malware like polymorphic and metamorphic malware have become well studied due to their increased attacks on computer systems and network. Traditional Machine Learning (ML) models have been used in detecting this malware,...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security

May 2016

958 pages

ISBN:9781450342339

DOI:10.1145/2897845

General Chair:
Xiaofeng Chen
Xidian University, China
,
Program Chairs:
XiaoFeng Wang
Indiana University at Bloomington, USA
,
Xinyi Huang
Fujian Normal University, China

Copyright © 2016 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 May 2016

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Natural Science Foundation of China
National Science of Foundation of China
National Research Foundation, Prime Minister's Office, Singapore under its National Cybersecurity R&D Program

Conference

ASIA CCS '16

Sponsor:

SIGSAC

ASIA CCS '16: ACM Asia Conference on Computer and Communications Security

May 30 - June 3, 2016

Xi'an, China

Acceptance Rates

ASIA CCS '16 Paper Acceptance Rate 73 of 350 submissions, 21%;

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

42
Total Citations
View Citations
823
Total Downloads

Downloads (Last 12 months)48
Downloads (Last 6 weeks)9

Reflects downloads up to 30 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

Li YYuan DZhang TCai HLo DGao CLuo XJiang H(2024)Meta-Learning for Multi-Family Android Malware ClassificationACM Transactions on Software Engineering and Methodology10.1145/366480633:7(1-27)Online publication date: 26-Aug-2024
https://dl.acm.org/doi/10.1145/3664806
Ruggia ANisi DDambra SMerlo ABalzarotti DAonzo SQuek TGao DZhou JCardenas A(2024)Unmasking the Veiled: A Comprehensive Analysis of Android Evasive MalwareProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3637658(383-398)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3637658
Sun TAllix KKim KZhou XKim DLo DBissyandé TKlein J(2023)DexBERT: Effective, Task-Agnostic and Fine-Grained Representation Learning of Android BytecodeIEEE Transactions on Software Engineering10.1109/TSE.2023.331087449:10(4691-4706)Online publication date: 1-Oct-2023
https://doi.org/10.1109/TSE.2023.3310874
Qiu JHan QLuo WPan LNepal SZhang JXiang Y(2023)Cyber Code Intelligence for Android Malware DetectionIEEE Transactions on Cybernetics10.1109/TCYB.2022.316462553:1(617-627)Online publication date: Jan-2023
https://doi.org/10.1109/TCYB.2022.3164625
Huang WLin CYan QXiang LZhang ZMeng GChen K(2023)FMDiv: Functional Module Division on Binary Malware for Accurate Malicious Code Localization2023 26th International Conference on Computer Supported Cooperative Work in Design (CSCWD)10.1109/CSCWD57460.2023.10151998(947-952)Online publication date: 24-May-2023
https://doi.org/10.1109/CSCWD57460.2023.10151998
Liu ZZhang LTang Y(2023)Enhancing Malware Detection for Android Apps: Detecting Fine-Granularity Malicious Components2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE)10.1109/ASE56229.2023.00074(1212-1224)Online publication date: 11-Sep-2023
https://doi.org/10.1109/ASE56229.2023.00074
Pružinec JNguyen QBaldwin AGriffin JLiu YKiss ÁMarín BSaadatmand M(2022)KUBO: a framework for automated efficacy testing of anti-virus behavioral detection with procedure-based malware emulationProceedings of the 13th International Workshop on Automating Test Case Design, Selection and Evaluation10.1145/3548659.3561307(37-44)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3548659.3561307
Murali RVelayutham CWagner M(2022)Adapting novelty towards generating antigens for antivirus systemsProceedings of the Genetic and Evolutionary Computation Conference10.1145/3512290.3528693(1254-1262)Online publication date: 8-Jul-2022
https://dl.acm.org/doi/10.1145/3512290.3528693
Rafiq HAslam NIssac BRandhawa R(2022)On Impact of Adversarial Evasion Attacks on ML-based Android Malware Classifier Trained on Hybrid Features2022 14th International Conference on Software, Knowledge, Information Management and Applications (SKIMA)10.1109/SKIMA57145.2022.10029504(216-221)Online publication date: 2-Dec-2022
https://doi.org/10.1109/SKIMA57145.2022.10029504
Rafiq HAslam NIssac BRandhawa R(2022)An Investigation on Fragility of Machine Learning Classifiers in Android Malware DetectionIEEE INFOCOM 2022 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)10.1109/INFOCOMWKSHPS54753.2022.9798161(1-6)Online publication date: 2-May-2022
https://doi.org/10.1109/INFOCOMWKSHPS54753.2022.9798161
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents