Slide deck transcript: …yufeng/talks/fse14_slides.pdf
Apposcopy: Semantics-Based Detection of Android Malware
Through Static Analysis
Yu Feng, Saswat Anand, Isil Dillig, Alex Aiken
University of Texas at Austin; Stanford University
Motivation-Our setting
2014 Threat Landscape Report, Fortinet
Why Android?
Motivation-damage
50% of Android malware tries to steal your personal data
http://securelist.com/analysis/quarterly-malware-reports/37163/it-threat-evolution-q2-2013/
Motivation-Taint analysis
Existing approach 1: taint analysis (Enck et al. 2012)
Sources: Call Log, Contact List, Credit Card, ...
Propagation: ...
Sinks: Internet, I/O, SMS
Pros: Exposing apps that leak sensitive data in a sound way.
Cons: Also blocks legitimate apps.
Motivation-Signature-based
Existing approach 2: signature-based detection (Griffin et al. 2009)
• Signature-based malware detectors match on:
  • Specific sequences of instructions
  • Certain string values, e.g., method or variable names (such as ‘zjService’)
Pros: Represent a corpus of malware through finite signatures
Cons: Signatures must be updated frequently; defeated by obfuscation through bytecode transformation
Goal-Putting two together?
Taint analysis + Signature-based
Fewer false positives
Resist common obfuscation.
Goal
• A high-level signature language for describing semantic characteristics of Android malware families, such as:
  • Control-flow properties
  • Data-flow properties
• Powerful static analyses for deciding whether a given app matches the signature of a malware family:
  • Control-flow property matching: Inter-Component Call Graph (ICCG) construction
  • Data-flow property matching: taint analysis
Android Background
Let’s take a detour before we go through the technical details...
• Android Components
  • Activity
  • Service
  • Broadcast Receiver
  • Content Provider
Inter-Component Communication: Component A sends an Intent carrying an action, data and category; Component B declares an Intent Filter with an action, data and category, and the Intent is delivered to B when it matches the filter.
An example of Inter-Component Communication: http://www.edureka.co/blog/android-interview-questions-answers-for-beginners/
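The Intent / Intent Filter matching sketched on the slide above, as an added example written for this transcript (not code from the slides or from Apposcopy): a simplified Python model of how an implicit Intent is resolved to its target components, which is the step the later slides call intent analysis and the source of the edges in an ICCG. The component and action names, the manifest excerpt and the three-test approximation of Android's matching rules (action, category, data type) are constructed assumptions for illustration.

```python
"""Simplified Android implicit-Intent resolution (added example, not from the slides).

A component sends an Intent carrying an action, data (modelled here as a MIME
type) and categories; a target component declares an Intent Filter with the
same three fields.  Intent analysis resolves the targets of an Intent by
applying the platform's matching rules, approximated as:
  * action:   the Intent's action must be one of the filter's actions;
  * category: every category on the Intent must appear in the filter;
  * data:     a MIME type matches a filter type exactly or via 'type/*'.
Explicit Intents (a named component) skip filter matching entirely.
All component and action names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IntentFilter:
    component: str                       # declaring component (constructed name)
    actions: frozenset = frozenset()
    categories: frozenset = frozenset()
    mime_types: frozenset = frozenset()  # empty: the filter declares no data


@dataclass(frozen=True)
class Intent:
    action: Optional[str] = None
    categories: frozenset = frozenset()
    mime_type: Optional[str] = None
    component: Optional[str] = None      # set only for an explicit Intent


def mime_matches(filter_type: str, intent_type: str) -> bool:
    """Filter types may use a wildcard subtype ('image/*') or '*/*'."""
    f_main, _, f_sub = filter_type.partition("/")
    i_main, _, i_sub = intent_type.partition("/")
    if f_main != "*" and f_main != i_main:
        return False
    return f_sub == "*" or f_sub == i_sub


def filter_accepts(flt: IntentFilter, intent: Intent) -> bool:
    """Apply the action, category and data tests in turn."""
    # Action test: the Intent must name an action the filter lists.
    if intent.action is None or intent.action not in flt.actions:
        return False
    # Category test: the filter must cover every category the Intent carries.
    if not intent.categories <= flt.categories:
        return False
    # Data test: no type on either side passes; otherwise a filter type must match.
    if intent.mime_type is None:
        return not flt.mime_types
    return any(mime_matches(t, intent.mime_type) for t in flt.mime_types)


def resolve_targets(intent: Intent, filters: list) -> set:
    """Components the Intent may reach: each one is an ICCG edge from the sender."""
    if intent.component is not None:
        return {intent.component}
    return {f.component for f in filters if filter_accepts(f, intent)}


# Constructed manifest excerpt: three components and their intent filters.
FILTERS = [
    IntentFilter("com.example.ViewerActivity",
                 actions=frozenset({"android.intent.action.VIEW"}),
                 categories=frozenset({"android.intent.category.DEFAULT"}),
                 mime_types=frozenset({"image/*"})),
    IntentFilter("com.example.ShareActivity",
                 actions=frozenset({"android.intent.action.SEND"}),
                 categories=frozenset({"android.intent.category.DEFAULT"}),
                 mime_types=frozenset({"text/plain", "image/png"})),
    IntentFilter("com.example.BootReceiver",
                 actions=frozenset({"android.intent.action.BOOT_COMPLETED"})),
]


def demo() -> dict:
    """Resolve four constructed Intents against FILTERS."""
    default = frozenset({"android.intent.category.DEFAULT"})
    view_jpeg = Intent("android.intent.action.VIEW", default, "image/jpeg")
    send_png = Intent("android.intent.action.SEND", default, "image/png")
    boot = Intent("android.intent.action.BOOT_COMPLETED")
    explicit = Intent(component="com.example.ShareActivity")
    return {
        "view_jpeg": resolve_targets(view_jpeg, FILTERS),
        "send_png": resolve_targets(send_png, FILTERS),
        "boot": resolve_targets(boot, FILTERS),
        "explicit": resolve_targets(explicit, FILTERS),
    }


if __name__ == "__main__":
    for name, targets in demo().items():
        print(f"{name}: {sorted(targets)}")
```

Android's real resolution has further cases that this model leaves out (an Intent with no action passes a filter that declares at least one action, CATEGORY_DEFAULT is implied by startActivity, data may be a URI scheme rather than a MIME type); the point here is that the resolved target set is exactly what becomes an ICCG edge, so imprecision in this step shows up directly as missing or spurious control-flow matches.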
Key Ideas
Control-flow properties: Can Activity A launch Service B?
Data-flow properties: Can Receiver C send my credit card number through the Internet?
Our signature should reflect the inter-component communication!
System Overview
A Malware Spec, written in the Signature Language, is given to Apposcopy, which reports: Match or not.
Our Approach
An instance of GoldDream malware (SHA256: 3e72cc3c0db3513a29ff53e27726fb9277c7d2f13661cf0dfca8eb34dc690074)
“It will register a receiver so that it will be notified for certain system events such as when a SMS message is received, or when there is an incoming/outgoing phone call.”
“Upon these events, the malware launches a background service without user's knowledge.”
“GoldDream will collect the IMSI and IMEI of the device.”
“Transport the collected information to a remote server.”
Source: GoldDream malware report, http://www.csc.ncsu.edu/faculty/jiang/GoldDream/
GoldDream malware specification:
Our Approach
GoldDream Signature:

```prolog
GDEvent(SMS_RECEIVED).
GDEvent(NEW_OUTGOING_CALL).
GoldDream :- receiver(r),
             icc(SYSTEM, r, e, _), GDEvent(e),
             service(s), icc*(r, s),
             flow(s, DeviceId, s, Internet),
             flow(s, SubscriberId, s, Internet).
```

Component predicates: receiver(r), service(s). ICC predicates: icc(SYSTEM, r, e, _), icc*(r, s). Flow predicates: flow(s, DeviceId, s, Internet), flow(s, SubscriberId, s, Internet).
Our Approach
Signature matching procedure:
![Page 58: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/58.jpg)
Our Approach
Signature matching procedure:
![Page 59: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/59.jpg)
Our Approach
Signature matching procedure:
Malware Signature
![Page 60: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/60.jpg)
Our Approach
Signature matching procedure:
Malware Signature
![Page 61: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/61.jpg)
Our Approach
Signature matching procedure:
Control-flow Properties
Malware Signature
![Page 62: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/62.jpg)
Our Approach
Signature matching procedure:
Control-flow Properties
Data-flow Properties Malware Signature
![Page 63: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/63.jpg)
Our Approach
Signature matching procedure:
Control-flow Properties
Data-flow Properties Malware Signature
Our Approach
• Data-flow properties matching through static taint analysis, e.g.:
  • Credit card number flows to Internet
  • Device Id flows through SMS
  • ...
Output of Taint Analysis:

```text
com.sjgo.client.zjService:
  $SimSerialNumber -> !INTERNET
  $DeviceId -> !INTERNET
  $SubscriberId -> !INTERNET
  $DeviceId -> !sendTextMessage
  $SubscriberId -> !sendTextMessage
cxboy.android.game.fiveInk.FiveLink:
  $ID -> !INTERNET
  $MODEL -> !INTERNET
net.youmi.android.AdActivity:
  $DeviceId -> !WebView
  $ExternalStorage -> !WebView
```

The flows reported for com.sjgo.client.zjService are what the signature's data-flow atoms flow(s, DeviceId, s, Internet) and flow(s, SubscriberId, s, Internet) are matched against.
Our Approach
Control-flow properties matching through ICCG construction. ICCG: Inter-Component Call Graph, a high-level abstraction of an Android application in which the nodes are components (Component A, B, C) and each edge is labelled with the data type, action, ... of the Intent that connects them.
Intent analysis: Resolve the target components
Our Approach
Partial ICCG for the current example:
Android System → com.sjgo.client.zjReceiver → com.sjgo.client.zjService; further components: com.sjgo.client.HandPics, com.sjgo.client.oa_animal, com.sjgo.client.oa_girl, ...
The signature's control-flow atoms icc(SYSTEM, r, e, _) and icc*(r, s) are matched against this graph, binding r to com.sjgo.client.zjReceiver and s to com.sjgo.client.zjService.
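As an added example for this transcript (not Apposcopy's own implementation), the following Python evaluates the GoldDream signature against the two kinds of facts the slides show: the partial ICCG above answers the control-flow atoms icc and icc*, and the taint-analysis output in its textual form `component: $Source -> !Sink` answers the flow atoms. The concrete ICC edge set, the `None` action/data labels, the edge to com.sjgo.client.HandPics, the mapping of `!INTERNET` and `!sendTextMessage` onto the signature's sink names, and the reading of icc* as plain transitive closure are assumptions of this example.

```python
"""Evaluating the GoldDream signature over analysis facts.

Added example, not Apposcopy's code. The signature's control-flow atoms
(icc, icc*) are answered from ICCG edges and its data-flow atoms (flow) from
taint-analysis output; the rule holds when some receiver r and service s
satisfy every atom. Facts are constructed from the slides' partial ICCG and
taint output; edge labels, the HandPics edge and the sink-name mapping are
assumptions.
"""
import re

# --- Facts constructed from the slides --------------------------------------
RECEIVERS = {"com.sjgo.client.zjReceiver"}
SERVICES = {"com.sjgo.client.zjService"}
GD_EVENTS = {"SMS_RECEIVED", "NEW_OUTGOING_CALL"}      # GDEvent(e) facts

# icc(src, dst, action, data): one ICCG edge; "SYSTEM" stands for the platform.
# Labels given as None and the edge to HandPics are assumed, not from the slides.
ICC = {
    ("SYSTEM", "com.sjgo.client.zjReceiver", "SMS_RECEIVED", None),
    ("SYSTEM", "com.sjgo.client.zjReceiver", "NEW_OUTGOING_CALL", None),
    ("com.sjgo.client.zjReceiver", "com.sjgo.client.zjService", None, None),
    ("com.sjgo.client.zjService", "com.sjgo.client.HandPics", None, None),
}

# Taint output in the slides' textual form, one "component: $Source -> !Sink" per line.
TAINT_OUTPUT = """
com.sjgo.client.zjService: $SimSerialNumber -> !INTERNET
com.sjgo.client.zjService: $DeviceId -> !INTERNET
com.sjgo.client.zjService: $SubscriberId -> !INTERNET
com.sjgo.client.zjService: $DeviceId -> !sendTextMessage
com.sjgo.client.zjService: $SubscriberId -> !sendTextMessage
cxboy.android.game.fiveInk.FiveLink: $ID -> !INTERNET
net.youmi.android.AdActivity: $DeviceId -> !WebView
"""

# Assumed mapping from the taint tool's sink labels to the signature's sink names.
SINK_NAMES = {"INTERNET": "Internet", "sendTextMessage": "SMS", "WebView": "WebView"}

FLOW_RE = re.compile(r"^\s*(\S+):\s*\$(\w+)\s*->\s*!(\w+)\s*$")


def parse_flows(text):
    """Turn taint output into flow(src_comp, source, sink_comp, sink) facts.
    In this output the source and the sink sit inside the same component."""
    flows = set()
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            comp, source, sink = m.groups()
            flows.add((comp, source, comp, SINK_NAMES.get(sink, sink)))
    return flows


def icc_star(edges):
    """icc*(a, b): b is reachable from a over one or more icc edges
    (transitive closure, computed by a depth-first walk from each source)."""
    succ = {}
    for src, dst, _, _ in edges:
        succ.setdefault(src, set()).add(dst)
    reach = set()
    for start in succ:
        stack = list(succ[start])
        while stack:
            node = stack.pop()
            if (start, node) not in reach:
                reach.add((start, node))
                stack.extend(succ.get(node, ()))
    return reach


def matches_golddream(receivers, services, icc, flows, gd_events=GD_EVENTS):
    """Return every (r, s) binding that satisfies the GoldDream rule body."""
    star = icc_star(icc)
    bindings = []
    for r in sorted(receivers):
        # icc(SYSTEM, r, e, _), GDEvent(e): a listed system event reaches receiver r.
        triggered = any(src == "SYSTEM" and dst == r and e in gd_events
                        for src, dst, e, _ in icc)
        if not triggered:
            continue
        for s in sorted(services):
            # service(s), icc*(r, s), and both flow atoms with s as source and sink component.
            if ((r, s) in star
                    and (s, "DeviceId", s, "Internet") in flows
                    and (s, "SubscriberId", s, "Internet") in flows):
                bindings.append((r, s))
    return bindings


if __name__ == "__main__":
    print("GoldDream bindings:",
          matches_golddream(RECEIVERS, SERVICES, ICC, parse_flows(TAINT_OUTPUT)))
```

Keeping the rule evaluation separate from the fact extraction is what makes the signature robust to the obfuscations the motivation slides mention: renaming zjService or reordering bytecode changes none of the facts, whereas removing the receiver-to-service edge or the two flows, which the malware needs to function, is what it takes to break the match.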
![Page 79: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/79.jpg)
Implementation
Architecture (diagram): a Malware Spec written in the Signature Language is given to Apposcopy, which combines ICCG Construction, Taint Analysis, Intent Analysis, Pointer Analysis, Call Graph and Built-in Predicates, and reports "Match or not".
![Page 80: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/80.jpg)
Experiments
• Our experiments are trying to answer three questions:
  • RQ1: Can Apposcopy pinpoint malware?
    • Malware from the Android Malware Genome Project: http://www.malgenomeproject.org/
![Page 81: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/81.jpg)
Experiments
| Malware Family | #Samples | FN | FP | Accuracy |
|---|---|---|---|---|
| DroidKungFu | 444 | 15 | 0 | 96.6% |
| AnserverBot | 184 | 2 | 0 | 98.9% |
| BaseBridge | 121 | 75 | 0 | 38% |
| Geinimi | 68 | 2 | 2 | 97.1% |
| DroidDreamLight | 46 | 0 | 0 | 100% |
| GoldDream | 46 | 1 | 0 | 97.8% |
| Pjapps | 43 | 7 | 0 | 83.7% |
| ADRD | 22 | 0 | 0 | 100% |
| jSMSHider | 16 | 0 | 0 | 100% |
| DroidDream | 14 | 1 | 0 | 92.9% |
| Bgserv | 9 | 0 | 0 | 100% |
| BeanBot | 8 | 0 | 0 | 100% |
| GingerMaster | 4 | 0 | 0 | 100% |
| CoinPirate | 1 | 0 | 0 | 100% |
| DroidCoupon | 1 | 0 | 0 | 100% |
| Total | 1027 | 103 | 2 | 90% |

Malware in Android Genome project (FN = false negatives, FP = false positives).
![Page 83: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/83.jpg)
Experiments
• Our experiments are trying to answer three questions:
  • RQ2: Does Apposcopy report a lot of false positives?
    • Benign apps from Google Play.
![Page 84: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/84.jpg)
Experiments
11,215 “benign” apps from Google Play (pie chart): Benign 11,199; Malicious 16.
![Page 85: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/85.jpg)
Experiments
• Our experiments are trying to answer three questions:
  • RQ3: Is Apposcopy resistant to common obfuscations?
    • Obfuscated malware.
![Page 86: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/86.jpg)
Experiments
Comparison with other tools on obfuscated malware (bar chart; y-axis: Detection Rate, 0% to 100%; tools compared: AVG, Symantec, ESET, Dr. Web, Kaspersky, Trend Micro, McAfee, Apposcopy).
Existing malware was obfuscated using the ProGuard tool.
Summary
• Apposcopy: a new static analysis approach for detecting Android malware
• Perform deep static analysis and use a high-level representation (ICCG) to extract both data-flow and control-flow properties.
![Page 91: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/91.jpg)
Thank you!
![Page 92: Apposcopy: Semantics-Based Detection of Android …yufeng/talks/fse14_slides.pdf · Detection of Android Malware Through Static Analysis Yu Feng, ... • Activity • Service •](https://reader031.vdocuments.mx/reader031/viewer/2022022520/5b1b3dbc7f8b9a28258e5954/html5/thumbnails/92.jpg)
Related work
• Y. Zhou and X. Jiang. "Dissecting Android Malware: Characterization and Evolution." S&P 2012.
• W. Enck, M. Ongtang, and P. McDaniel. "On Lightweight Mobile Phone Application Certification." CCS 2009.
• W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth. "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones." OSDI 2010.
• M. Christodorescu, S. Jha, S. A. Seshia, D. X. Song, and R. E. Bryant. "Semantics-Aware Malware Detection." S&P 2005.
• K. Griffin, S. Schneider, X. Hu, and T.-c. Chiueh. "Automatic Generation of String Signatures for Malware Detection." RAID 2009.