DOI: 10.1145/2897845.2897856
research-article

Mystique: Evolving Android Malware for Auditing Anti-Malware Tools

Published: 30 May 2016

ABSTRACT

In the arms race between attackers and defenders, defense is usually harder than attack because of unforeseen vulnerabilities and the new attacks that emerge every day. Most existing malware detection solutions are proposed individually to address particular types of attacks or particular evasion techniques, so a systematic investigation and evaluation of anti-malware solutions and tools across different attacks and evasion techniques is needed. In this paper, we first propose a meta model for Android malware that captures the attack features and evasion features commonly found in malware. Based on this model, we develop a framework, MYSTIQUE, that automatically generates malware covering four attack features and two evasion features by adopting the software product line engineering approach. With MYSTIQUE we conduct experiments to 1) understand Android malware and its associated attack features and evasion techniques; and 2) evaluate and compare 57 off-the-shelf anti-malware tools, 9 academic solutions and 4 app market vetting processes in terms of their accuracy in detecting attack features and their capability in addressing evasion. Last but not least, we provide a benchmark of Android malware with proper labeling of the attack and evasion features each sample contains.
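Worked illustration of the product-line idea in the abstract, as an added example that is not code from the paper or from the MYSTIQUE framework: a feature model with four attack features and two evasion features is enumerated into every valid variant, each variant is labeled with the features it carries (the benchmark labeling the abstract mentions), and a simulated detector is scored per attack feature and per evasion feature. The feature names, the cross-tree constraint (`reflection` requires `string_encryption`), and the detector's verdicts are assumptions made here for illustration; the abstract does not name the paper's actual features, and real variants are generated APKs, not feature sets.

```python
"""Toy software-product-line generator plus per-feature detector scoring.

Added example, not Mystique's own code. Feature names, the constraint and
the simulated detector below are assumptions made for illustration only.
"""
from itertools import combinations

# Assumed feature names (not from the paper): four attack features and two
# evasion features, matching the counts given in the abstract.
ATTACK = ("sms_send", "contact_leak", "location_leak", "privilege_abuse")
EVASION = ("string_encryption", "reflection")

# Assumed cross-tree constraint of the feature model: reflective API calls
# are only used together with encrypted class/method name strings.
REQUIRES = {"reflection": {"string_encryption"}}


def is_valid(variant):
    """A product must carry at least one attack feature and satisfy REQUIRES."""
    if not (variant & set(ATTACK)):
        return False
    return all(req <= variant for f, req in REQUIRES.items() if f in variant)


def generate_variants():
    """Enumerate every valid product of the feature model as a frozenset."""
    variants = []
    for k in range(1, len(ATTACK) + 1):
        for attacks in combinations(ATTACK, k):
            for m in range(0, len(EVASION) + 1):
                for evasions in combinations(EVASION, m):
                    v = frozenset(attacks) | frozenset(evasions)
                    if is_valid(v):
                        variants.append(v)
    return variants


def label(variant):
    """Benchmark label: which attack and evasion features a sample carries."""
    return {"attack": sorted(f for f in variant if f in ATTACK),
            "evasion": sorted(f for f in variant if f in EVASION)}


def simulated_detector(variant):
    """Constructed stand-in for an anti-malware tool: it flags two of the
    attack features by their API use and is blind once reflection hides
    those calls. Not a model of any real product."""
    if "reflection" in variant:
        return False
    return bool(variant & {"sms_send", "contact_leak"})


def attack_detection_rates(variants, detector):
    """Fraction of evasion-free variants carrying each attack feature that
    the detector flags: the 'accuracy in detecting attack features' axis."""
    rates = {}
    for a in ATTACK:
        plain = [v for v in variants if a in v and not (v & set(EVASION))]
        rates[a] = sum(detector(v) for v in plain) / len(plain)
    return rates


def evasion_impact(variants, detector):
    """For each evasion feature, pair every variant that has it with the
    variant that is identical except for that feature. Count how many
    detections survive ('kept') and how many are lost to the evasion."""
    verdict = {v: detector(v) for v in variants}
    impact = {}
    for e in EVASION:
        kept = lost = 0
        for v in variants:
            if e not in v:
                continue
            base = v - {e}
            if base in verdict and verdict[base]:
                if verdict[v]:
                    kept += 1
                else:
                    lost += 1
        impact[e] = {"kept": kept, "lost": lost}
    return impact


if __name__ == "__main__":
    vs = generate_variants()
    print(len(vs), "valid variants")
    print(attack_detection_rates(vs, simulated_detector))
    print(evasion_impact(vs, simulated_detector))
```

The evasion score pairs each evading variant with the one that has the same attack features minus that single evasion feature, so a count moving from `kept` to `lost` isolates the effect of the evasion technique on a sample the detector otherwise flags; that paired comparison is what the abstract's "capability in addressing evasion" implies, under the assumptions stated above.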


Published in
ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security
May 2016, 958 pages
ISBN: 9781450342339
DOI: 10.1145/2897845

Copyright © 2016 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates
ASIA CCS '16 paper acceptance rate: 73 of 350 submissions (21%)
Overall acceptance rate: 418 of 2,322 submissions (18%)
