
Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques

Rasthofer, Siegfried ; Arzt, Steven ; Miltenberger, Marc ; Bodden, Eric (2016)
Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques.
San Diego, CA
doi: 10.14722/ndss.2016.23066
Conference publication, Bibliography

Abstract

It is generally challenging to tell apart malware from benign applications. To make this decision, human analysts are frequently interested in runtime values: targets of reflective method calls, URLs to which data is sent, target telephone numbers of SMS messages, and many more. However, obfuscation and string encryption, used by malware as well as goodware, often render not only human inspection but also static analyses ineffective. In addition, malware frequently tricks dynamic analyses by detecting the execution environment emulated by the analysis tool and then refraining from malicious behavior. In this work we therefore present HARVESTER, an approach to fully automatically extract runtime values from Android applications. HARVESTER is designed to extract values even from highly obfuscated state-of-the-art malware samples that obfuscate method calls using reflection, hide sensitive values in native code, load code dynamically, and apply anti-analysis techniques. The approach combines program slicing with code generation and dynamic execution. Experiments on 16,799 current malware samples show that HARVESTER fully automatically extracts many sensitive values, with perfect precision. The process usually takes less than three minutes and does not require human interaction; in particular, it does not require simulated UI inputs. Two case studies further show that by integrating the extracted values back into the app, HARVESTER can increase the recall of existing static and dynamic analysis tools such as FlowDroid and TaintDroid.

Type of entry: Conference publication
Published: 2016
Author(s): Rasthofer, Siegfried ; Arzt, Steven ; Miltenberger, Marc ; Bodden, Eric
Kind of entry: Bibliography
Title: Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques
Language: German
Year of publication: February 2016
Publisher: Internet Society
Book title: Network and Distributed System Security Symposium 2016
Venue: San Diego, CA
DOI: 10.14722/ndss.2016.23066

ID number: TUD-CS-2016-14770
Department(s)/field(s): Profile Areas > Cybersecurity (CYSEC)
Date deposited: 14 Aug 2017 12:03
Last modified: 22 Jan 2019 10:24