Tackling Android's Native Library Malware with Robust, Efficient and Accurate Similarity Measures

Published: 27 August 2018

Abstract

Code similarity measures produce a comparison metric showing to what degree two code samples have the same functionality, e.g., to statically detect the use of known libraries in binary code. They are an indispensable part of automated malware analysis and also help to detect plagiarism (IP protection) and the illegal use of open-source libraries in commercial apps. The centroid similarity metric extracts control-flow features from binary code and encodes them as geometric structures before comparing them. In this paper, we propose novel improvements to the centroid approach and apply it to the ARM architecture for the first time. We implement our approach as a plug-in for the IDA Pro disassembler and evaluate its efficiency, accuracy and robustness on Android. Based on a dataset of 508,745 APKs, collected from 18 third-party app markets, we achieve a detection rate of 89% for the use of native code libraries, with an FPR of 10.8%. To test the robustness of our approach against the compiler version, optimization level, and other code transformations, we obfuscate and recompile known open-source libraries to evaluate which code transformations it resists. Based on our results, we discuss how code re-use can be hidden by obfuscation and conclude with possible improvements.
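The centroid idea sketched in the abstract, worked through on toy control-flow graphs as an added example (this is not the paper's plug-in code): the per-block coordinate scheme (DFS index, out-degree, loop depth) and the maximum per-axis relative gap follow the centroid approach of Chen et al. (ICSE 2014) as I understand it, and the toy CFGs are constructed here.

```python
"""Centroid-style CFG similarity on constructed toy CFGs (added example).

Assumed scheme, after Chen et al. (ICSE 2014): each basic block is a 3-D point
(DFS index, out-degree, loop depth); the CFG centroid averages the endpoint sums
of all edges; two CFGs are compared by their largest per-axis relative gap.
Assumes every block is reachable from entry block 0 and the CFG is reducible.
"""

def dfs_order_and_loops(cfg):
    """Return (block -> DFS index, list of natural-loop bodies); cfg: block -> successors."""
    preds = {n: [] for n in cfg}
    for u, succs in cfg.items():
        for v in succs:
            preds[v].append(u)
    order, on_stack, back_edges = {}, set(), []
    def dfs(n):
        order[n] = len(order)
        on_stack.add(n)
        for s in cfg[n]:
            if s in on_stack:              # edge back to a block still on the DFS stack: a loop
                back_edges.append((n, s))
            elif s not in order:
                dfs(s)
        on_stack.discard(n)
    dfs(0)
    loops = []
    for tail, head in back_edges:          # natural loop: head plus all blocks reaching tail
        body, work = {head, tail}, [tail]  # without passing through head
        while work:
            for p in preds[work.pop()]:
                if p not in body:
                    body.add(p)
                    work.append(p)
        loops.append(body)
    return order, loops

def centroid(cfg):
    """3-D centroid: per axis, mean over all edges of (coord[u] + coord[v]) / 2."""
    order, loops = dfs_order_and_loops(cfg)
    coord = {n: (order[n], len(cfg[n]), sum(n in body for body in loops)) for n in cfg}
    edges = [(u, v) for u in cfg for v in cfg[u]]
    sums = [sum(coord[u][i] + coord[v][i] for u, v in edges) for i in range(3)]
    return tuple(s / (2 * len(edges)) for s in sums)

def centroid_difference(c1, c2):
    """Centroid difference degree: largest relative gap over the three axes (0.0 = identical)."""
    return max(abs(a - b) / (a + b) if a + b else 0.0 for a, b in zip(c1, c2))

# Constructed toy CFGs (block -> successor blocks); entry block is 0.
CFG_A = {0: [1], 1: [2, 3], 2: [1], 3: []}          # one loop: 1 -> 2 -> 1
CFG_B = {0: [2], 2: [1, 3], 1: [2], 3: []}          # CFG_A with block labels permuted
CFG_C = {0: [1], 1: [2], 2: [3], 3: []}             # straight-line code, no loop
CFG_D = {0: [1], 1: [2, 4], 2: [3], 3: [1], 4: []}  # CFG_A with one extra block inside the loop
```

Relabelling blocks (CFG_B) leaves the centroid unchanged, inserting a block into the loop (CFG_D) moves it only slightly, while removing the loop altogether (CFG_C) pushes the loop-depth axis to the maximum gap of 1.0.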


Published In

cover image ACM Other conferences
ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security
August 2018
603 pages
ISBN:9781450364485
DOI:10.1145/3230833
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • Universität Hamburg: Universität Hamburg

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Android Static Analysis
  2. Code Similarity
  3. Reverse Engineering

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2018

Acceptance Rates

ARES '18 Paper Acceptance Rate 128 of 260 submissions, 49%;
Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (Last 12 months)19
  • Downloads (Last 6 weeks)3
Reflects downloads up to 10 Nov 2024

Cited By

  • (2024)Faster Software Development Cycles using Graph-based Code Similarity Analysis2024 Stuttgart International Symposium on Automotive and Engine Technology10.1007/978-3-658-45010-6_12(191-201)Online publication date: 30-Jun-2024
  • (2023)A systematic literature review on source code similarity measurement and clone detectionJournal of Systems and Software10.1016/j.jss.2023.111796204:COnline publication date: 1-Oct-2023
  • (2023)Automatic RefactoringSoftware Testing Automation10.1007/978-3-031-22057-9_5(191-245)Online publication date: 25-Mar-2023
  • (2022)Smishing Strategy Dynamics and Evolving Botnet Activities in JapanIEEE Access10.1109/ACCESS.2022.321779510(114869-114884)Online publication date: 2022
  • (2018)How Android's UI Security is Undermined by AccessibilityProceedings of the 2nd Reversing and Offensive-oriented Trends Symposium10.1145/3289595.3289597(1-10)Online publication date: 29-Nov-2018