DOI: 10.1145/3533767.3534410
Research article, open access

NCScope: hardware-assisted analyzer for native code in Android apps

Published: 18 July 2022

Abstract

More and more Android apps implement their functionality in native code, and so does malware. Although various approaches have been designed to analyze the native code used by apps, they usually generate incomplete and biased results due to their limitations in obtaining and analyzing high-fidelity execution traces and memory data with low overhead. To fill the gap, in this paper, we propose and develop NCScope, a novel hardware-assisted analyzer for native code in apps. We leverage ETM, a hardware feature of the ARM platform, and eBPF, a kernel component of the Android system, to collect real execution traces and relevant memory data of target apps, and design new methods to scrutinize native code according to the collected data. To show the unique capability of NCScope, we apply it to four applications that cannot be accomplished by existing tools, including systematic studies on self-protection and anti-analysis mechanisms implemented in native code of apps, analysis of memory corruption in native code, and identification of performance differences between functions in native code. The results uncover that only 26.8% of the analyzed financial apps implement self-protection methods in native code, implying that the security of financial apps is far from expected. Meanwhile, 78.3% of the malicious apps under analysis have anti-analysis behaviors, suggesting that NCScope is very useful for malware analysis. Moreover, NCScope can effectively detect bugs in native code and identify performance differences.

Published In

ISSTA 2022: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis
July 2022
808 pages
ISBN: 9781450393799
DOI: 10.1145/3533767

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Android
  2. App Analysis
  3. Dynamic Analysis

Qualifiers

  • Research-article

Conference

ISSTA '22

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Cited By

  • (2024) MOAT. Proceedings of the 33rd USENIX Conference on Security Symposium, pp. 1153-1170. DOI: 10.5555/3698900.3698965. Online publication date: 14-Aug-2024
  • (2024) Racing for TLS certificate validation. Proceedings of the 33rd USENIX Conference on Security Symposium, pp. 683-700. DOI: 10.5555/3698900.3698939. Online publication date: 14-Aug-2024
  • (2024) SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices. 2024 IEEE Symposium on Security and Privacy (SP), pp. 2310-2387. DOI: 10.1109/SP54263.2024.00070. Online publication date: 19-May-2024
  • (2024) JNFuzz-Droid: A Lightweight Fuzzing and Taint Analysis Framework for Android Native Code. 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 255-266. DOI: 10.1109/SANER60148.2024.00033. Online publication date: 12-Mar-2024
  • (2024) Android Authorship Attribution Using Source Code-Based Features. IEEE Access 12, pp. 6569-6589. DOI: 10.1109/ACCESS.2024.3351945. Online publication date: 2024
  • (2024) A practical approach for finding anti-debugging routines in the Arm-Linux using hardware tracing. Scientific Reports 14:1. DOI: 10.1038/s41598-024-65374-w. Online publication date: 26-Jun-2024
  • (2024) Future Trends in Android Malware Detection. Android Malware Detection and Adversarial Methods, pp. 169-190. DOI: 10.1007/978-981-97-1459-9_8. Online publication date: 4-Mar-2024
  • (2022) Extended Berkeley Packet Filter: An Application Perspective. IEEE Access 10, pp. 126370-126393. DOI: 10.1109/ACCESS.2022.3226269. Online publication date: 2022
