Research article (Public Access). DOI: 10.1145/3134600.3134601

Droid-AntiRM: Taming Control Flow Anti-analysis to Support Automated Dynamic Analysis of Android Malware

Published: 04 December 2017

Abstract

While many test input generation techniques have been proposed to improve the code coverage of dynamic analysis, they are still inefficient at triggering hidden malicious behaviors protected by anti-analysis techniques. In this work, we design and implement Droid-AntiRM, a new approach that seeks to tame anti-analysis automatically and thereby improve automated dynamic analysis. Our approach leverages three key observations: 1) logic-bomb based anti-analysis techniques control the execution of certain malicious behaviors; 2) anti-analysis techniques are normally implemented through condition statements; 3) anti-analysis techniques normally have no dependence on program inputs. Based on these observations, Droid-AntiRM uses various techniques to detect anti-analysis in malware samples and rewrites the condition statements of the detected anti-analysis cases through bytecode instrumentation, thus forcing the hidden behavior to execute at runtime. Through a study of 3187 malware samples, we find that 32.50% of them employ various anti-analysis techniques. Our experiments demonstrate that Droid-AntiRM can identify anti-analysis instances in 30 malware samples with a true positive rate of 89.15% and zero false negatives. By taming the identified anti-analysis, Droid-AntiRM greatly improves automated dynamic analysis, successfully triggering 44 additional hidden malicious behaviors in the 30 samples. Further performance evaluation shows that Droid-AntiRM is efficient enough for large-scale analysis.
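The abstract's three observations translate directly into a detect-and-rewrite loop over Dalvik bytecode: find a conditional branch, check whether its operands derive from environment probes (device fingerprint, IMEI, wall-clock time) rather than from program inputs, and if so rewrite the branch so the guarded code runs. The following is an added example written for this page, not the Droid-AntiRM tool or any code from the paper. It works on smali text for one method and makes several simplifying assumptions that are labelled in the code: the lists of "anti-analysis sources" and "input sources" are hand-picked, dependence is computed with a forward intra-procedural register taint instead of the paper's symbolic data-flow analysis, and the rewrite is plain predicate inversion (swapping `if-nez` for `if-eqz` and so on) rather than whatever instrumentation the paper applies. The sample method is constructed for the example.

```python
"""Toy model of Droid-AntiRM-style taming of control-flow anti-analysis.

Added example, not the paper's tool. For one method given as smali text:
  1. find conditional branches (if-*) whose operands derive from APIs that
     commonly feed emulator/sandbox checks or time bombs (observation 2),
  2. and not from program inputs such as Intent extras (observation 3),
  3. and invert those branches so the hidden path executes (observation 1).
Assumed: the source lists below, a forward intra-procedural register taint
(the paper uses symbolic data-flow analysis), and predicate inversion as the
rewrite strategy (the paper's instrumentation may differ).
"""
import re

# Assumed anti-analysis sources: fields/methods typically used to detect
# emulators and sandboxes or to implement time-based logic bombs.
ANTI_ANALYSIS_SOURCES = {
    "Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;",
    "Landroid/os/Build;->MODEL:Ljava/lang/String;",
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "Ljava/lang/System;->currentTimeMillis()J",
}
# Assumed program-input sources: branches depending on these are ordinary
# input handling and must be left alone.
INPUT_SOURCES = {
    "Landroid/content/Intent;->getStringExtra(Ljava/lang/String;)Ljava/lang/String;",
    "Landroid/widget/EditText;->getText()Landroid/text/Editable;",
}
# Predicate switching table: each Dalvik conditional branch and its inverse.
INVERT = {
    "if-eqz": "if-nez", "if-nez": "if-eqz", "if-eq": "if-ne", "if-ne": "if-eq",
    "if-lt": "if-ge", "if-ge": "if-lt", "if-gt": "if-le", "if-le": "if-gt",
    "if-ltz": "if-gez", "if-gez": "if-ltz", "if-gtz": "if-lez", "if-lez": "if-gtz",
}
INVOKE_RE = re.compile(r"^invoke-\w+(?:/range)?\s+\{([^}]*)\},\s+(\S+)$")
REG_RE = re.compile(r"^[vp]\d+$")


def _regs(spec):
    """Expand a '{v0, v1}' or '{v0 .. v3}' register list."""
    spec = spec.strip()
    if not spec:
        return []
    if ".." in spec:
        lo, hi = (r.strip() for r in spec.split(".."))
        return [f"{lo[0]}{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1)]
    return [r.strip() for r in spec.split(",")]


def tame(smali_lines):
    """Return (rewritten lines, findings). A finding records the index of a
    rewritten branch, its old/new opcode and the source signatures it depends
    on. taint maps a register to the set of source signatures it derives from."""
    taint, pending, out, findings = {}, set(), [], []
    for idx, raw in enumerate(smali_lines):
        line = raw.strip()
        toks = line.replace(",", " ").split()
        m = INVOKE_RE.match(line)
        if m:
            args, method = _regs(m.group(1)), m.group(2)
            # the result inherits every argument's taint plus the method itself
            # if it is a known source; consumed by the following move-result*
            pending = set().union(*[taint.get(r, set()) for r in args])
            if method in ANTI_ANALYSIS_SOURCES or method in INPUT_SOURCES:
                pending.add(method)
        elif line.startswith("move-result"):
            taint[toks[1]], pending = pending, set()
        elif toks and toks[0] in INVERT:
            regs = [t for t in toks[1:] if REG_RE.match(t)]
            deps = set().union(*[taint.get(r, set()) for r in regs])
            anti = any(s in ANTI_ANALYSIS_SOURCES for s in deps)
            user = any(s in INPUT_SOURCES for s in deps)
            if anti and not user:  # environment-driven, input-independent
                new_op = INVERT[toks[0]]
                findings.append({"index": idx, "from": toks[0], "to": new_op,
                                 "sources": sorted(deps)})
                out.append(raw.replace(toks[0], new_op, 1))
                continue
        elif toks and toks[0].startswith("sget"):
            taint[toks[1]] = {toks[2]} if toks[2] in ANTI_ANALYSIS_SOURCES else set()
        elif toks and toks[0].startswith("const"):
            taint[toks[1]] = set()  # constants carry no dependence
        elif len(toks) >= 3 and all(REG_RE.match(t) for t in toks[1:]):
            # move/arith/cmp: destination inherits the union of its operands
            taint[toks[1]] = set().union(*[taint.get(r, set()) for r in toks[2:]])
        # labels, directives, iget etc. leave taint untouched (a simplification)
        out.append(raw)
    return out, findings


# Constructed sample: an emulator check guarding a payload, followed by a
# legitimate input-dependent branch that must survive untouched.
SAMPLE = """\
.method private onCommand(Landroid/content/Intent;)V
    .registers 5
    sget-object v0, Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;
    const-string v1, "generic"
    invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
    move-result v2
    if-nez v2, :cond_bail
    invoke-direct {p0}, Lcom/example/Payload;->sendPremiumSms()V
    :cond_bail
    const-string v1, "cmd"
    invoke-virtual {p1, v1}, Landroid/content/Intent;->getStringExtra(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v3
    if-eqz v3, :cond_done
    invoke-direct {p0, v3}, Lcom/example/Payload;->run(Ljava/lang/String;)V
    :cond_done
    return-void
.end method""".splitlines()

if __name__ == "__main__":
    rewritten, found = tame(SAMPLE)
    for f in found:
        print(f"line {f['index']}: {f['from']} -> {f['to']} via {f['sources']}")
    print("\n".join(rewritten))
```

Run against the sample, the `if-nez v2` branch after the `Build.FINGERPRINT.contains("generic")` test is inverted so `sendPremiumSms` is reached on an emulator, while the `if-eqz v3` branch fed by `Intent.getStringExtra` is left alone because it depends on program input. In practice you would reassemble the patched smali, re-run the app under your dynamic analysis, and expect a share of false positives: an environment-derived value is not always an evasion check, which is why the paper reports a true positive rate rather than perfect precision.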



Published In

ACSAC '17: Proceedings of the 33rd Annual Computer Security Applications Conference
December 2017, 618 pages
ISBN: 9781450353458
DOI: 10.1145/3134600
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

1. Android Malware
2. Anti-Analysis
3. Dynamic Analysis
4. Symbolic Data Flow Analysis

Qualifiers

• Research-article
• Research
• Refereed limited

Conference: ACSAC 2017

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

• Downloads (last 12 months): 119
• Downloads (last 6 weeks): 10
Reflects downloads up to 01 Feb 2025

Cited By

  • (2025) Game Theoretic Approach Toward Detection of Input-Driven Evasive Malware in the IoT. Security and Privacy 8(1). DOI: 10.1002/spy2.467. Online publication date: 12 Jan 2025
  • (2024) Detecting Novel Malware Classes with a Foundational Multi-Modality Data Analysis Model. Data Intelligence. DOI: 10.3724/2096-7004.di.2024.0056. Online publication date: 17 Oct 2024
  • (2024) Machine Learning Based Approaches For Android Malware Detection using Hybrid Feature Analysis. 2024 6th International Conference on Computing and Informatics (ICCI), 158-165. DOI: 10.1109/ICCI61671.2024.10485163. Online publication date: 6 Mar 2024
  • (2024) Dynamic Adversarial Method in Android Malware. Android Malware Detection and Adversarial Methods, 129-150. DOI: 10.1007/978-981-97-1459-9_6. Online publication date: 4 Mar 2024
  • (2023) Demystifying Hidden Sensitive Operations in Android Apps. ACM Transactions on Software Engineering and Methodology 32(2), 1-30. DOI: 10.1145/3574158. Online publication date: 29 Mar 2023
  • (2023) A Systematic Review and Future Perspective of Android Malware Detection Based Machine Learning Techniques. 2023 IEEE International Conference on ICT in Business Industry & Government (ICTBIG), 1-17. DOI: 10.1109/ICTBIG59752.2023.10456033. Online publication date: 8 Dec 2023
  • (2022) A Two-Layered Machine Learning Approach for Anti-Malware Sustainability. 2022 9th International Conference on Computing for Sustainable Global Development (INDIACom), 7-11. DOI: 10.23919/INDIACom54597.2022.9763123. Online publication date: 23 Mar 2022
  • (2022) CamoDroid. Journal of Systems Architecture: the EUROMICRO Journal 125(C). DOI: 10.1016/j.sysarc.2022.102452. Online publication date: 1 Apr 2022
  • (2022) Malware analysis: Reverse engineering tools using santuko linux. Materials Today: Proceedings 60, 1367-1378. DOI: 10.1016/j.matpr.2021.10.243. Online publication date: 2022
  • (2022) Reach Me if You Can: On Native Vulnerability Reachability in Android Apps. Computer Security – ESORICS 2022, 701-722. DOI: 10.1007/978-3-031-17143-7_34. Online publication date: 24 Sep 2022
