Dynamic code update techniques (Android Studio – support for dynamic delivery), such as dynamic classloading and reflection, enable Android apps to extend their functionality at runtime. At the same time,these techniques are misused by malware developers to transform a seemingly benign app into a mal-ware, once installed on a real device. Among the corpus of evasive techniques used in modern real-worldmalware, evasive usage of dynamic code updates plays a key role.First, we demonstrate the ineffectiveness of existing tools to analyze apps in the presence of dynamiccode updates using our test apps, i.e.,Reflection-Benchand InboxArchiver. Second, we present StaDART,combining static and dynamic analysis of Android apps to reveal the concealed behavior of malware.StaDART performs dynamic code interposition using a vtable tampering technique for API hooking toavoid modifications to the Android framework. Furthermore, we integrate it with a triggering solution,DroidBot, to make it more scalable and fully automated. We present our evaluation results with a datasetof 2000 real world apps; containing 1000 legitimate apps and 1000 malware samples. The evaluationresults with this dataset and Reflection-Bench show that StaDART reveals suspicious behavior that is oth-erwise hidden to static analysis tools.

StaDART: Addressing the problem of dynamic code updates in the security analysis of android applications

Costamagna, Valerio;Bergadano, Francesco;
2020-01-01

Abstract

Dynamic code update techniques (Android Studio – support for dynamic delivery), such as dynamic classloading and reflection, enable Android apps to extend their functionality at runtime. At the same time,these techniques are misused by malware developers to transform a seemingly benign app into a mal-ware, once installed on a real device. Among the corpus of evasive techniques used in modern real-worldmalware, evasive usage of dynamic code updates plays a key role.First, we demonstrate the ineffectiveness of existing tools to analyze apps in the presence of dynamiccode updates using our test apps, i.e.,Reflection-Benchand InboxArchiver. Second, we present StaDART,combining static and dynamic analysis of Android apps to reveal the concealed behavior of malware.StaDART performs dynamic code interposition using a vtable tampering technique for API hooking toavoid modifications to the Android framework. Furthermore, we integrate it with a triggering solution,DroidBot, to make it more scalable and fully automated. We present our evaluation results with a datasetof 2000 real world apps; containing 1000 legitimate apps and 1000 malware samples. The evaluationresults with this dataset and Reflection-Bench show that StaDART reveals suspicious behavior that is oth-erwise hidden to static analysis tools.
2020
159
1
13
https://reader.elsevier.com/reader/sd/pii/S0164121219301530?token=AFBB94F9B66C23DC767E20E2EAD1645A604B6D99A962A4620DC2401B4CCD06F6A86477590B713FED5BCD5D52AD67BE1B
Android, Dynamic code updates, Reflection, Dynamic class loading, Security analysis
Ahmad, Maqsood; Costamagna, Valerio; Crispo, Bruno; Bergadano, Francesco; Zhauniarovich, Yury
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/2318/1714320
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 19
  • ???jsp.display-item.citation.isi??? 16
social impact