DOI: 10.1145/3238147.3238221
Research article

Dual-Force: understanding WebView malware via cross-language forced execution
Z. Tang, J. Zhai, M. Pan, Y. Aafer, S. Ma, X. Zhang, J. Zhao
ASE '18, September 3–7, 2018, Montpellier, France

Published: 03 September 2018

Abstract

Modern Android malware tends to use advanced techniques to hide its malicious behavior. Such samples usually feature multi-staged, condition-guarded and environment-specific payloads. An increasing number of them use WebView, in particular the two-way communication between Java and JavaScript, to evade detection and analysis by existing techniques. We propose Dual-Force, a forced execution technique that simultaneously forces both the Java and the JavaScript code of a WebView application to execute along various paths, without requiring any environment setup or manually provided inputs. As a result, the hidden payloads of WebView malware are forcibly exposed. The technique features a novel execution model that allows forced execution to suppress exceptions and continue execution. Experimental results show that Dual-Force precisely exposes the malicious payload in 119 out of 150 WebView malware samples. Compared to the state of the art, Dual-Force exposes 23% more malicious behaviors.
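The following is an added example, not code from the Dual-Force paper or its authors, showing what forced execution does to the JavaScript half of a WebView app: every `if` predicate is instrumented so that the driver can dictate its outcome, and the Java bridge object that `addJavascriptInterface` would normally expose is replaced by a recording stub, so calls into a Java side that is absent or not itself forced return default values instead of throwing. The sample payload, the bridge name `Android`, its method names and the user agent string are all constructed for this example. The harness does not reproduce the paper's exception-suppressing execution model (a path that still throws is recorded, not resumed) and does not bound loops.

```javascript
// Added example (not Dual-Force's code): a toy forced-execution harness for
// the JavaScript half of a WebView page. Branch predicates are instrumented
// and driven along every outcome combination; the Java side is replaced by a
// recording stub, so bridge calls never crash the page and every bridge
// method a forced path reaches is logged.
'use strict';

// Constructed sample payload. `Android` is assumed to be the object the Java
// side registered via WebView.addJavascriptInterface(obj, "Android").
// In a plain run it only fires on an Android UA with a ko_KR locale and a
// long-enough device id; on a desktop or an emulator it looks benign.
const SAMPLE_JS = `
  if (navigator.userAgent.indexOf("Android") >= 0 && window.Android) {
    if (window.Android.getLocale() === "ko_KR") {
      var devId = window.Android.getDeviceId();
      if (devId.length > 10) {
        window.Android.sendSms("15551234", "ID:" + devId);
      }
    }
  } else {
    document.title = "benign";
  }
`;

// Rewrite every `if (pred)` into `if (__force(n, (pred)))`. A paren-depth
// scanner suffices for this demo; it ignores parens inside string literals
// and does not touch `while`/`for` conditions (forced loops need a bound).
function instrument(src) {
  const re = /\bif\s*\(/g;
  let out = '', last = 0, id = 0, m;
  while ((m = re.exec(src)) !== null) {
    const open = m.index + m[0].length - 1;            // index of '('
    let depth = 0, i = open;
    for (; i < src.length; i++) {
      if (src[i] === '(') depth++;
      else if (src[i] === ')' && --depth === 0) break; // matching ')'
    }
    out += src.slice(last, open + 1) + '__force(' + id + ', (' + src.slice(open + 1, i) + '))';
    last = i;                                          // keep the original ')'
    re.lastIndex = i;
    id++;
  }
  return out + src.slice(last);
}

// Stand-in for a Java bridge object: any property is another stub, any call
// is logged and returns a stub, and coercion to a primitive yields "". This
// keeps a missing or un-forced Java side from throwing a TypeError.
function makeStub(name, log) {
  return new Proxy(() => {}, {
    get(_, prop) {
      if (prop === Symbol.toPrimitive) return () => '';
      if (typeof prop === 'symbol') return undefined;
      return makeStub(name + '.' + String(prop), log);
    },
    apply(_, __, args) {
      log.push({ call: name, args: args.map(String) });
      return makeStub(name + '()', log);
    },
  });
}

// X-Force style linear path search: run once, then for every predicate
// outcome that was not already forced, enqueue a prefix with that outcome
// flipped. Outcomes are indexed by dynamic occurrence order, not by site id.
function forceExecute(src, maxRuns = 64) {
  const run = new Function('window', 'navigator', 'document', '__force', instrument(src));
  const navigator = { userAgent: 'Mozilla/5.0 (Linux; Android 9) Chrome/70 Mobile' }; // constructed
  const worklist = [[]], seen = new Set(), results = [];
  while (worklist.length && results.length < maxRuns) {
    const prefix = worklist.shift();
    const key = JSON.stringify(prefix);
    if (seen.has(key)) continue;
    seen.add(key);
    const trace = [], bridgeLog = [];
    const force = (id, actual) => {
      const k = trace.length;
      const v = k < prefix.length ? prefix[k] : Boolean(actual);
      trace.push(v);
      return v;
    };
    let error = null;
    try {
      run({ Android: makeStub('Android', bridgeLog) }, navigator, { title: '' }, force);
    } catch (e) {
      error = String(e); // a path that still throws is recorded, not resumed
    }
    results.push({ prefix, trace, bridgeLog, error });
    for (let i = prefix.length; i < trace.length; i++) {
      worklist.push(trace.slice(0, i).concat(!trace[i]));
    }
  }
  return results;
}

// Report which sensitive bridge methods any forced path reached.
function exposeSinks(src, sinks) {
  const runs = forceExecute(src);
  const reached = new Set();
  for (const r of runs) for (const c of r.bridgeLog) if (sinks.includes(c.call)) reached.add(c.call);
  return { runs: runs.length, sinks: [...reached].sort() };
}

console.log(JSON.stringify(exposeSinks(SAMPLE_JS, ['Android.sendSms'])));
```

Running it prints the number of explored paths and the sensitive bridge methods reached. With no forcing (`forceExecute(SAMPLE_JS, 1)`) the sample only calls `Android.getLocale`, because the stub never equals `"ko_KR"`; the full search drives the path on which `Android.sendSms` fires even though neither the locale check nor the device-id length check ever really passes, which is the point of exposing condition-guarded payloads without setting up the environment they expect.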

References

[1]
2015. 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, February 8-11, 2015. The Internet Society. https://www.ndss-symposium.org/ndss2015/
[2]
2016. 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21-24, 2016. The Internet Society. https://www.ndss-symposium.org/ndss2016/
[3]
A. Abraham, Radoniaina Andriatsimandefitra, A. Brunelat, Jean-François Lalande, and Valérie Viet Triem Tong. 2015. GroddDroid: a gorilla for triggering malicious behaviors. In 10th International Conference on Malicious and Unwanted Software, MALWARE 2015, Fajardo, PR, USA, October 20-22, 2015. IEEE Computer Society, 119–127.
[4]
Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick D. McDaniel. 2014. FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '14, Edinburgh, United Kingdom, June 09-11, 2014, Michael F. P. O'Boyle and Keshav Pingali (Eds.). ACM, 259–269.
[5]
Zhui Deng, Brendan Saltaformaggio, Xiangyu Zhang, and Dongyan Xu. 2015. iRiS: Vetting Private API Abuse in iOS Applications. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-16, 2015, Indrajit Ray, Ninghui Li, and Christopher Kruegel (Eds.). ACM, 44–56.
[6]
Clint Gibler, Jonathan Crussell, Jeremy Erickson, and Hao Chen. 2012. AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. In Trust and Trustworthy Computing - 5th International Conference, TRUST 2012, Vienna, Austria, June 13-15, 2012. Proceedings (Lecture Notes in Computer Science), Stefan Katzenbeisser, Edgar R. Weippl, L. Jean Camp, Melanie Volkamer, Mike K. Reiter, and Xinwen Zhang (Eds.), Vol. 7344. Springer, 291–307.
[7]
Google. 2018. Android application fundamentals. Retrieved July 23, 2018 from https://developer.android.com/guide/components/fundamentals
[8]
Google. 2018. Building web apps in WebView. Retrieved July 23, 2018 from https://developer.android.com/guide/webapps/webview
[9]
Google. 2018. Chromium build instructions for Android WebView. Retrieved July 23, 2018 from https://www.chromium.org/developers/how-tos/build-instructions-android-webview
[10]
Google. 2018. Intents. Retrieved July 23, 2018 from https://developer.android.com/guide/components/intents-filters
[11]
Google. 2018. Starting activity in Android. Retrieved July 23, 2018 from https://developer.android.com/training/basics/firstapp/starting-activity
[12]
Google. 2018. WebView documentation. Retrieved July 23, 2018 from https://developer.android.com/reference/android/webkit/WebView
[13]
Google. 2018. WebView for Android. Retrieved July 23, 2018 from https://developer.chrome.com/multidevice/webview/overview
[14]
Michael I. Gordon, Deokhwan Kim, Jeff H. Perkins, Limei Gilham, Nguyen Nguyen, and Martin C. Rinard. 2015. Information Flow Analysis of Android Applications in DroidSafe. See [1]. https://www.ndss-symposium.org/ndss2015/information-flow-analysis-android-applications-droidsafe
[15]
Xunchao Hu, Yao Cheng, Yue Duan, Andrew Henderson, and Heng Yin. 2017. JSForce: A Forced Execution Engine for Malicious JavaScript Detection. In Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22-25, 2017, Proceedings (Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering), Xiaodong Lin, Ali Ghorbani, Kui Ren, Sencun Zhu, and Aiqing Zhang (Eds.), Vol. 238. Springer, 704–720. https://doi.org/10.1007/978-3-319-78813-5_37
[16]
Casper Svenning Jensen, Mukul R. Prasad, and Anders Møller. 2013. Automated testing with targeted event sequence generation. In International Symposium on Software Testing and Analysis, ISSTA '13, Lugano, Switzerland, July 15-20, 2013, Mauro Pezzè and Mark Harman (Eds.). ACM, 67–77. https://doi.org/10.1145/2483760.2483777
[17]
Mohammad Karami, Mohamed Elsabagh, Parnian Najafiborazjani, and Angelos Stavrou. 2013. Behavioral Analysis of Android Applications Using Automated Instrumentation. In Seventh International Conference on Software Security and Reliability, SERE 2013, Gaithersburg, Maryland, USA, 18-20 June 2013 - Companion Volume. IEEE, 182–187.
[18]
Kyungtae Kim, I Luk Kim, Chung Hwan Kim, Yonghwi Kwon, Yunhui Zheng, Xiangyu Zhang, and Dongyan Xu. 2017. J-Force: Forced Execution on JavaScript. In Proceedings of the 26th International Conference on World Wide Web, WWW 2017, Perth, Australia, April 3-7, 2017, Rick Barrett, Rick Cummings, Eugene Agichtein, and Evgeniy Gabrilovich (Eds.). ACM, 897–906.
[19]
Koodous.com. 2018. Koodous. Retrieved July 23, 2018 from https://koodous.com
[20]
P. Lantz, A. Desnos, and K. Yang. 2017. DroidBox: Android application sandbox. Retrieved July 23, 2018 from https://github.com/pjlantz/droidbox
[21]
Sungho Lee, Julian Dolby, and Sukyoung Ryu. 2016. HybriDroid: static analysis framework for Android hybrid applications. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering, ASE 2016, Singapore, September 3-7, 2016, David Lo, Sven Apel, and Sarfraz Khurshid (Eds.). ACM, 250–261.
[22]
Li Li, Alexandre Bartel, Tegawendé F. Bissyandé, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick D. McDaniel. 2015. IccTA: Detecting Inter-Component Privacy Leaks in Android Apps. In 37th IEEE/ACM International Conference on Software Engineering, ICSE 2015, Florence, Italy, May 16-24, 2015, Volume 1, Antonia Bertolino, Gerardo Canfora, and Sebastian G. Elbaum (Eds.). IEEE Computer Society, 280–291.
[23]
You Li, Zhendong Su, Linzhang Wang, and Xuandong Li. 2013. Steering symbolic execution to less traveled paths. In Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages & Applications, OOPSLA 2013, part of SPLASH 2013, Indianapolis, IN, USA, October 26-31, 2013, Antony L. Hosking, Patrick Th. Eugster, and Cristina V. Lopes (Eds.). ACM, 19–32.
[24]
Aravind Machiry, Rohan Tahiliani, and Mayur Naik. 2013. Dynodroid: an input generation system for Android apps. In Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE '13, Saint Petersburg, Russian Federation, August 18-26, 2013, Bertrand Meyer, Luciano Baresi, and Mira Mezini (Eds.). ACM, 224–234.
[25]
Riyadh Mahmood, Nariman Mirzaei, and Sam Malek. 2014. EvoDroid: segmented evolutionary testing of Android apps. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, FSE-22, Hong Kong, China, November 16-22, 2014, Shing-Chi Cheung, Alessandro Orso, and Margaret-Anne D. Storey (Eds.). ACM, 599–609. https://doi.org/10.1145/2635868.2635896
[26]
Nariman Mirzaei, Sam Malek, Corina S. Pasareanu, Naeem Esfahani, and Riyadh Mahmood. 2012. Testing android apps through symbolic execution. ACM SIGSOFT Software Engineering Notes 37, 6 (2012), 1–5. https://doi.org/10.1145/2382756.2382798
[27]
Damien Octeau, Patrick D. McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. 2013. Effective Inter-Component Communication Mapping in Android: An Essential Step Towards Holistic Security Analysis. In Proceedings of the 22nd USENIX Security Symposium, Washington, DC, USA, August 14-16, 2013, Samuel T. King (Ed.). USENIX Association, 543–558. https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/octeau
[28]
Mila Parkour. 2018. Contagio minidump. Retrieved July 23, 2018 from http://contagiominidump.blogspot.com
[29]
Fei Peng, Zhui Deng, Xiangyu Zhang, Dongyan Xu, Zhiqiang Lin, and Zhendong Su. 2014. X-Force: Force-Executing Binary Programs for Security Applications. In Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20-22, 2014, Kevin Fu and Jaeyeon Jung (Eds.). USENIX Association, 829–844. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/peng
[30]
Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, and Eric Bodden. 2016. Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques. See [2]. http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/harvesting-runtime-values-android-applications-feature-anti-analysis-techniques.pdf
[31]
Siegfried Rasthofer, Steven Arzt, Stefan Triller, and Michael Pradel. 2017. Making Malory behave maliciously: targeted fuzzing of Android execution environments. In Proceedings of the 39th International Conference on Software Engineering, ICSE 2017, Buenos Aires, Argentina, May 20-28, 2017, Sebastián Uchitel, Alessandro Orso, and Martin P. Robillard (Eds.). IEEE / ACM, 300–311. https://doi.org/10.1109/ICSE.2017.35
[32]
Siegfried Rasthofer, Irfan Asrar, Stephan Huber, and Eric Bodden. 2015. How Current Android Malware Seeks to Evade Automated Code Analysis. In Information Security Theory and Practice - 9th IFIP WG 11.2 International Conference, WISTP 2015, Heraklion, Crete, Greece, August 24-25, 2015, Proceedings (Lecture Notes in Computer Science), Raja Naeem Akram and Sushil Jajodia (Eds.), Vol. 9311. Springer, 187–202.
[33]
Vaibhav Rastogi, Yan Chen, and William Enck. 2013. AppsPlayground: automatic security analysis of smartphone applications. In Third ACM Conference on Data and Application Security and Privacy, CODASPY '13, San Antonio, TX, USA, February 18-20, 2013, Elisa Bertino, Ravi S. Sandhu, Lujo Bauer, and Jaehong Park (Eds.). ACM, 209–220.
[34]
Rovo89. 2018. Xposed framework. Retrieved July 23, 2018 from http://xposed.info
[35]
Kimberly Tam, Salahuddin J. Khan, Aristide Fattori, and Lorenzo Cavallaro. 2015. CopperDroid: Automatic Reconstruction of Android Malware Behaviors. See [1]. https://www.ndss-symposium.org/ndss2015/copperdroid-automatic-reconstruction-android-malware-behaviors
[36]
Raja Vallée-Rai, Phong Co, Etienne Gagnon, Laurie Hendren, Patrick Lam, and Vijay Sundaresan. 2010. Soot: A Java Bytecode Optimization Framework. In CASCON First Decade High Impact Papers (CASCON '10). IBM Corp., Riverton, NJ, USA, 214–224.
[37]
VirusTotal.com. 2018. VirusTotal. Retrieved July 23, 2018 from https://www.virustotal.com
[38]
Wikipedia. 2018. Entropy (information theory). Retrieved July 23, 2018 from https://en.wikipedia.org/wiki/Entropy_(information_theory)
[39]
Michelle Y. Wong and David Lie. 2016. IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware. See [2]. http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/intellidroid-targeted-input-generator-dynamic-analysis-android-malware.pdf
[40]
Zhaoyan Xu, Jialong Zhang, Guofei Gu, and Zhiqiang Lin. 2014. GoldenEye: Efficiently and Effectively Unveiling Malware's Targeted Environment. In Research in Attacks, Intrusions and Defenses - 17th International Symposium, RAID 2014, Gothenburg, Sweden, September 17-19, 2014, Proceedings (Lecture Notes in Computer Science), Angelos Stavrou, Herbert Bos, and Georgios Portokalidis (Eds.), Vol. 8688. Springer, 22–45.
[41]
Lei Xue, Yajin Zhou, Ting Chen, Xiapu Luo, and Guofei Gu. 2017. Malton: Towards On-Device Non-Invasive Mobile Malware Analysis for ART. In 26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada, August 16-18, 2017, Engin Kirda and Thomas Ristenpart (Eds.). USENIX Association, 289–306. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/xue
[42]
Lok-Kwong Yan and Heng Yin. 2012. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In Proceedings of the 21st USENIX Security Symposium, Bellevue, WA, USA, August 8-10, 2012, Tadayoshi Kohno (Ed.). USENIX Association, 569–584. https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/yan
[43]
Zhemin Yang, Min Yang, Yuan Zhang, Guofei Gu, Peng Ning, and Xiaoyang Sean Wang. 2013. AppIntent: analyzing sensitive data transmission in Android for privacy leakage detection. In 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS '13, Berlin, Germany, November 4-8, 2013, Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung (Eds.). ACM, 1043–1054.

Published In
ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering
September 2018
955 pages
ISBN:9781450359375
DOI:10.1145/3238147
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

  1. WebView malware
  2. dynamic analysis
  3. forced execution

Conference: ASE '18

Acceptance rate: 82 of 337 submissions, 24%

Article Metrics

  • Downloads (last 12 months): 49
  • Downloads (last 6 weeks): 10
  Reflects downloads up to 15 Oct 2024

Cited By
  • (2024) A Packet Content-Oriented Remote Code Execution Attack Payload Detection Model. Future Internet 16(7), 235. https://doi.org/10.3390/fi16070235. Published 2 Jul 2024.
  • (2024) SelfPiCo: Self-Guided Partial Code Execution with LLMs. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 1389–1401. https://doi.org/10.1145/3650212.3680368. Published 11 Sep 2024.
  • (2024) Define-Use Guided Path Exploration for Better Forced Execution. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 287–299. https://doi.org/10.1145/3650212.3652128. Published 11 Sep 2024.
  • (2024) ARCTURUS: Full Coverage Binary Similarity Analysis with Reachability-guided Emulation. ACM Transactions on Software Engineering and Methodology 33(4), 1–31. https://doi.org/10.1145/3640337. Published 11 Jan 2024.
  • (2023) ωTest: WebView-Oriented Testing for Android Applications. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, 992–1004. https://doi.org/10.1145/3597926.3598112. Published 12 Jul 2023.
  • (2023) BFTDETECTOR: Automatic Detection of Business Flow Tampering for Digital Content Service. 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE), 448–459. https://doi.org/10.1109/ICSE48619.2023.00048. Published May 2023.
  • (2022) Rotten apples spoil the bunch. Proceedings of the 44th International Conference on Software Engineering, 1919–1931. https://doi.org/10.1145/3510003.3510161. Published 21 May 2022.
  • (2020) PMP: Cost-effective Forced Execution with Probabilistic Memory Pre-planning. 2020 IEEE Symposium on Security and Privacy (SP), 1121–1138. https://doi.org/10.1109/SP40000.2020.00035. Published May 2020.