Investigation of the SPRT-Based Android Evasive Malware

  • Ho, Jun-Won (Department of Information Security, Seoul Women's University)
  • Received : 2022.06.17
  • Accepted : 2022.06.23
  • Published : 2022.09.30

Abstract

In this paper, we explore a new type of Android evasive malware based on the Sequential Probability Ratio Test (SPRT) that does not perform its malicious task when it discerns that a dynamic analyzer is acting as the input generator. More specifically, this malware leverages the intuition that a dynamic analyzer provides as many inputs as possible to the Android app under test within a certain amount of time, whereas human users generally provide only the inputs needed to use the app. Under this intuition, it harnesses the SPRT to discern whether a dynamic analyzer is running in the Android system: the number of inputs per time slot exceeding a preset threshold is treated as evidence that the inputs are provided by a dynamic analyzer, which expedites the SPRT's decision that a dynamic analyzer is operating in the Android system, and the evasive malware then does not carry out its malicious task.
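To make the decision rule concrete, the following is an added example (not code from the paper) that runs Wald's SPRT over constructed per-slot input counts, so an analyzer designer can check how many over-threshold slots such a check needs before it concludes an analyzer is present, and hence how input pacing affects exposure. The hypothesis probabilities p0 and p1, the error rates alpha and beta, and the slot threshold are assumed parameters, not values from the paper.

```python
import math
from typing import Iterable, Optional, Tuple

# Assumed parameters (not from the paper): P[slot exceeds threshold]
# under H0 "human user" is p0, under H1 "dynamic analyzer" is p1;
# alpha/beta are the tolerated false-positive/false-negative rates.
P0, P1, ALPHA, BETA = 0.1, 0.9, 0.01, 0.01


def sprt_decide(counts_per_slot: Iterable[int], threshold: int,
                p0: float = P0, p1: float = P1,
                alpha: float = ALPHA, beta: float = BETA
                ) -> Tuple[Optional[str], int]:
    """Wald's SPRT over Bernoulli observations derived from input counts.

    Each slot yields x=1 if its input count exceeds `threshold`, else 0.
    Returns (decision, slots_consumed); decision is "analyzer" (H1),
    "human" (H0), or None if the stream ended before a boundary was hit.
    """
    upper = math.log((1 - beta) / alpha)   # cross above -> accept H1
    lower = math.log(beta / (1 - alpha))   # cross below -> accept H0
    llr, n = 0.0, 0
    for count in counts_per_slot:
        n += 1
        # Log-likelihood ratio increment for this slot's observation.
        if count > threshold:
            llr += math.log(p1 / p0)
        else:
            llr += math.log((1 - p1) / (1 - p0))
        if llr >= upper:
            return "analyzer", n
        if llr <= lower:
            return "human", n
    return None, n


def min_slots_to_decide(p0: float = P0, p1: float = P1,
                        alpha: float = ALPHA, beta: float = BETA) -> int:
    """Fewest consecutive over-threshold slots that force an 'analyzer' verdict."""
    return math.ceil(math.log((1 - beta) / alpha) / math.log(p1 / p0))


if __name__ == "__main__":
    # Constructed sample streams (inputs per slot), threshold of 5 inputs.
    human_like = [1, 0, 2, 1, 0, 1, 0, 0, 1, 1]
    fuzzer_like = [12, 15, 9, 20]
    print(sprt_decide(human_like, 5), sprt_decide(fuzzer_like, 5))
    print("slots needed for 'analyzer':", min_slots_to_decide())
```

An input generator that keeps the per-slot count at or below the threshold in most slots drives the LLR toward the "human" boundary instead, which is the pacing knob an analyzer can tune.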

Acknowledgement

This work was supported by a research grant from Seoul Women's University (2022-0136).

  24. S. Mutti, Y. Fratantonio, A. Bianchi, L. Invernizzi, J. Corbetta, D. Kirat,C. Kruegel, and G. Vigna. BareDroid: Large-Scale Analysis of Android Apps on Real Devices. In ACSAC, 2015. DOI: https://doi.org/10.1145/2818000.2818036.