
Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques

Rasthofer, Siegfried and Arzt, Steven and Miltenberger, Marc and Bodden, Eric (2016):
Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques.
In: Network and Distributed System Security Symposium 2016, Internet Society, San Diego, CA, ISBN 1-891562-41-X,
DOI: 10.14722/ndss.2016.23066,
[Conference or Workshop Item]

Abstract

It is generally challenging to tell apart malware from benign applications. To make this decision, human analysts are frequently interested in runtime values: targets of reflective method calls, URLs to which data is sent, target telephone numbers of SMS messages, and many more. However, obfuscation and string encryption, used by malware as well as goodware, often render not only human inspection but also static analyses ineffective. In addition, malware frequently tricks dynamic analyses by detecting the execution environment emulated by the analysis tool and then refraining from malicious behavior. In this work we therefore present HARVESTER, an approach to fully automatically extract runtime values from Android applications. HARVESTER is designed to extract values even from highly obfuscated state-of-the-art malware samples that obfuscate method calls using reflection, hide sensitive values in native code, load code dynamically and apply anti-analysis techniques. The approach combines program slicing with code generation and dynamic execution. Experiments on 16,799 current malware samples show that HARVESTER fully automatically extracts many sensitive values, with perfect precision. The process usually takes less than three minutes and does not require human interaction. In particular, it does not require simulating UI inputs. Two case studies further show that by integrating the extracted values back into the app, HARVESTER can increase the recall of existing static and dynamic analysis tools such as FlowDroid and TaintDroid.

Item Type: Conference or Workshop Item
Published: 2016
Creators: Rasthofer, Siegfried and Arzt, Steven and Miltenberger, Marc and Bodden, Eric
Title: Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques
Language: German
Title of Book: Network and Distributed System Security Symposium 2016
Publisher: Internet Society
ISBN: 1-891562-41-X
Divisions: Profile Areas > Cybersecurity (CYSEC)
Event Location: San Diego, CA
Date Deposited: 14 Aug 2017 12:03
DOI: 10.14722/ndss.2016.23066
Identification Number: TUD-CS-2016-14770