Browse > Article
http://dx.doi.org/10.13089/JKIISC.2017.27.3.549

A Study on the Vulnerability of Using Intermediate Language in Android: Bypassing Security Check Point in Android-Based Banking Applications  

Lee, Woojin (Graduate School of Information Security, Korea University)
Lee, Kyungho (Graduate School of Information Security, Korea University)
Publication Information
Journal of the Korea Institute of Information Security & Cryptology / v.27, no.3, 2017 , pp. 549-562 More about this Journal
Abstract
In recent years, as the proportion of mobile banking has become bigger with daily usage of mobile banking, security threats are also increasing according to the feeling. Accordingly, the domestic banking system introduces security solution programs in the banking application and sets security check points to ensure the stability of the application in order to check whether it is always executed. This study presents a vulnerability of inactivity bypassing mobile vaccine program operation checkpoints using the intermediate language statically and dynamically analysis when decompiling the android banking applications of major banks in Korea. Also, through the results, it identifies possible attacks that can be exploited and suggest countermeasures.
Keywords
Mobile banking; Bypassing vulnerability; Android mobile vaccine program;
Citations & Related Records
Times Cited By KSCI : 2  (Citation Analysis)
연도 인용수 순위
1 "Domestic Internet banking service in Q2/ 2016", The Bank of Korea, pp. 4-7, Aug. 2016
2 Hyunho Cho , "E-finance and Financial Security", Financial Security Institute, vol 4, pp.5-32, Feb. 2016
3 "Announcement of Survey on Internet Usage Conditions in Korea", Korea Internet & Security Agency, pp. 6-7, Feb. 2015
4 Roman Unuchek, "Mobile malware evolution 2016", Kaspersky lab, pp. 10, Feb. 2017
5 Jisun Choi, Taehee Kim, Sangshik Min and Jaemo Seung, "Protection technology trend for smartphone banking application integrity verification", Journal of Information Security, 23(1), pp. 54-60, Feb. 2013
6 Jin-Hyuk Jung, Ju Young Kim, Hyeong-Chan Lee and Jeong Hyun Yi, "Repackaging Attack on Android Banking Applications and Its Countermeasures," Wireless Personal Communications, vol 73, no. 4. pp. 1421-1437, Dec. 2013   DOI
7 Wu Zhou, Yajin Zhou, Xuxian Jiang and Peng Ning, "Detecting repackaged smartphone applications in third-party android marketplaces", CODASPY '12 Proceedings of the second ACM conference on Data and Application Security and Privacy, pp. 317-326, Feb. 2012
8 Seungyong Yoon, Jeongnyeo Kim and Yongsung Jeon, "Analyzing Security Threats of Android-based Mobile Malware", Advanced Science and Technology Letters(SecTech 2016), Vol. 139, pp.310-315, Nov. 2016
9 Sriramulu Bojjagani and V.N. Sastry, "STAMBA: Security Testing for Android Mobile Banking Apps", Advances in Signal Processing and Intelligent Recognition Systems, pp. 671-683, Dec. 2015
10 Jong Hyuk Park, Ki Jung Yi and Young-Sik Jeong, "An enhanced smartphone security model based on information security management system (ISMS)", Electronic Commerce Research, Vol. 4, no 3, pp. 321-348, Nov. 2014
11 Soonil Kim, Sunghoon Kim and Dong Hoon Lee, "A study on the vulnerability of integrity verification functions of android-based smartphone banking applications", Journal of the Korea Institute of Information Security and Cryptology, 23(4), pp.743-755, 2013   DOI
12 Nguyen, Thanh, McDonald, Jeffrey Todd and Glisson, William Bradley, "Exploitation and Detection of a Malicious Mobile Application", Proceedings of the 50th Hawaii International Conference on System Sciences, Jan. 2017
13 A. Shabtai, Y. Fledel, U. Kanonov, Y. Elovici, S. Dolev, and C. Glezer, "Google Android: A Comprehensive Security Assessment," IEEE Security and Privacy, vol. 8, no. 2, pp. 35-44, Mar. 2010.   DOI
14 https://ibotpeaches.github.io/Apktool/
15 https://sourceforge.net/projects/dex2jar/
16 http://jd.benow.ca/
17 https://github.com/JesusFreke/smali/wiki
18 Yajin Zhou and Xuxian Jiang, "Dissecting Android Malware: Characterization and Evolution", 2012 IEEE Symposium on Security and Privacy, pp. 95-109, May. 2015
19 Ahnlab, http://www.ahnlab.com/kr/site/product/productView.do?prodSeq=67
20 NSHC, http://www.nshc.net/wp/portfolio-item/droid-x/T.Strazzere,
21 Jung-Woong Lee, In-Seok Kim, "A Study on the Vulnerability of Security Keypads in Android Mobile Using Accessibility Features", Journal of The Korea Institute of Information Security & Cryptology, 26(1), pp. 177-185, Feb. 2016   DOI
22 Parvez Faruki, Ammar Bharmal, Vijay Laxmi, M. S. Gaur, Mauro Conti, and Muttukrishnan Rajarajan, "Evaluation of Android Anti Malware Techniques against Dalvik Bytecode Obfuscation", 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 414-421,Sep. 2014
23 "Dex Education: Practicing Safe Dex", Blackhat USA 2012, Jul. 2012, http://www.strazzere.com/papers/Dex
24 Proofpoint Staff, "DroidJack Uses Side-L oad...It's Super Effective! Backdoored Po kemon GO Android App Found", Jul. 2016, https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-loadbackdoored-pokemon-go-android-app
25 Vaibhav Rastogi, Yan Chen and Xuxian Jiang, "Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks", IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, vol. 9, no. 1,pp. 99-108, Jan. 2014   DOI
26 H. Cai, Z. Shao and A. Vaynberg, "Certified Self-Modifying Code," Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation, vol. 42, no.6, pp. 66-77, Jun. 2007.
27 Marius Popa, "Techniques of Program Code Obfuscation for Secure Software", Journal of Mobile, Embedded and Distributed Systems, vol.3, no.4, pp. 205-219, 2011
28 Namheun Son, Yunho Lee, Dohyun Kim, Joshua I. James, Sangjin Lee and Kyungho Lee,"A study of user data integrity during acquisition of Android devices", 13th Annual Digital Forensics Research Conference, vol. 10, Supplement, pp. S3-S11, Aug, 2013