Article

DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis

Authors:

Heng YinAuthors Info & Claims

Security'12: Proceedings of the 21st USENIX conference on Security symposium

Page 29

Published: 08 August 2012 Publication History

Abstract

The prevalence of mobile platforms, the large market share of Android, plus the openness of the Android Market makes it a hot target for malware attacks. Once a malware sample has been identified, it is critical to quickly reveal its malicious intent and inner workings. In this paper we present DroidScope, an Android analysis platform that continues the tradition of virtualization-based malware analysis. Unlike current desktop malware analysis platforms, DroidScope reconstructs both the OS-level and Java-level semantics simultaneously and seamlessly. To facilitate custom analysis, DroidScope exports three tiered APIs that mirror the three levels of an Android device: hardware, OS and Dalvik Virtual Machine. On top of DroidScope, we further developed several analysis tools to collect detailed native and Dalvik instruction traces, profile API-level activity, and track information leakage through both the Java and native components using taint analysis. These tools have proven to be effective in analyzing real world malware samples and incur reasonably low performance overheads.

References

[1]

Anubis: Analyzing Unknown Binaries. http://anubis. iseclab.org/.

[2]

BALZAROTTI, D., COVA, M., KARLBERGER, C., KRUEGEL, C., KIRDA, E., AND VIGNA, G. Efficient Detection of Split Personalities in Malware. In Proceedings of the Network and Distributed System Security Symposium (NDSS) (San Diego, CA, February 2010).

[3]

BELLARD, F. QEMU, a fast and portable dynamic translator. In USENIX Annual Technical Conference, FREENIX Track (April 2005).

[4]

BERNAT, A. R., ROUNDY, K., AND MILLER, B. P. Efficient, sensitivity resistant binary instrumentation. In Proceedings of the 2011 International Symposium on Software Testing and Analysis (New York, NY, USA, 2011), ISSTA'11, ACM, pp. 89-99.

[5]

BRUENING, D., GARNETT, T., AND AMARASINGHE, S. An infrastructure for adaptive dynamic optimization. In International Symposium on Code Generation and Optimization (CGO'03) (March 2003).

[6]

BRUMLEY, D., HARTWIG, C., KANG, M. G., LIANG, Z., NEWSOME, J., POOSANKAM, P., AND SONG, D. BitScope: Automatically dissecting malicious binaries. Tech. Rep. CS-07-133, School of Computer Science, Carnegie Mellon University, Mar. 2007.

[7]

BUNGALE, P. P., AND LUK, C.-K. PinOS: a programmable framework for whole-system dynamic instrumentation. In Proceedings of the 3rd international conference on Virtual execution environments (2007), VEE'07, pp. 137-147.

[8]

CHENG, B., AND BUZBEE, B. A JIT compiler for android's dalvik VM. http://www. google.com/events/io/2010/sessions/ jit-compiler-androids-dalvik-vm.html, 2010. Google I/O.

[9]

CHIPOUNOV, V., KUZNETSOV, V., AND CANDEA, G. S2E: A platform for in-vivo multi-path analysis of software systems. In Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) (Mar. 2011).

[10]

CLAUSE, J., LI, W., AND ORSO, A. Dytan: a generic dynamic taint analysis framework. In Proceedings of the 2007 International Symposium on Software Testing and Analysis (ISSTA'07) (2007), pp. 196-206.

[11]

CRANDALL, J. R., AND CHONG, F. T. Minos: Control data attack prevention orthogonal to memory model. In Proceedings of the 37th International Symposium on Microarchitecture (MICRO'04) (December 2004).

[12]

Cve-2009-1185. http://cve.mitre.org/cgi-bin/ cvename.cgi?name=CVE-2009-1185.

[13]

ded: Decompiling Android Applications. http://siis.cse. psu.edu/ded/index.html.

[14]

Dynamic, metamorphic (and opensource) virtual machines. http://archive.hack.lu/2010/Desnos_Dynamic_ Metamorphic_Virtual_Machines-slides.pdf.

[15]

DINABURG, A., ROYAL, P., SHARIF, M., AND LEE, W. Ether: malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM Conference on Computer and Communications Security (2008), pp. 51-62.

[16]

DOLAN-GAVITT, B., LEEK, T., ZHIVICH, M., GIFFIN, J., AND LEE, W. Virtuoso: Narrowing the semantic gap in virtual machine introspection. In Proceedings of the 2011 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2011), SP '11, IEEE Computer Society, pp. 297-312.

[17]

Droidbox: Android application sandbox. http://code. google.com/p/droidbox/.

[18]

EGELE, M., KRUEGEL, C., KIRDA, E., YIN, H., AND SONG, D. Dynamic Spyware Analysis. In Proceedings of the 2007 Usenix Annual Conference (Usenix'07) (June 2007).

[19]

ENCK, W., GILBERT, P., CHUN, B.-G., COX, L. P., JUNG, J., MCDANIEL, P., AND SHETH, A. N. Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX conference on Operating systems design and implementation (Berkeley, CA, USA, 2010), OSDI'10, USENIX Association, pp. 1-6.

[20]

ENCK, W., OCTEAU, D., MCDANIEL, P., AND CHAUDHURI, S. A study of android application security. In Proceedings of the 20th USENIX Security Symposium (2011).

[21]

GARFINKEL, T., AND ROSENBLUM, M. A virtual machine introspection based architecture for intrusion detection. In Proceedings of Network and Distributed Systems Security Symposium (NDSS'03) (February 2003).

[22]

Gartner says sales of mobile devices grew 5.6 percent in third quarter of 2011; smartphone sales increased 42 percent. http: //gartner.com/it/page.jsp?id=1848514, 2011.

[23]

HAZELWOOD, K., AND KLAUSER, A. A dynamic binary instrumentation engine for the arm architecture. In Proceedings of the 2006 international conference on Compilers, architecture and synthesis for embedded systems (New York, NY, USA, 2006), CASES'06, ACM, pp. 261-270.

[24]

JIANG, X., WANG, X., AND XU, D. Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction. In Proceedings of the 14th ACM conference on Computer and Communications Security (CCS'07) (October 2007).

[25]

Security alert: New sophisticated android malware droidkungfu found in alternative chinese app markets. http://www.csc. ncsu.edu/faculty/jiang/DroidKungFu.html.

[26]

KANG, M. G., YIN, H., HANNA, S., MCCAMANT, S., AND SONG, D. Emulating emulation-resistant malware. In Proceedings of the 2nd Workshop on Virtual Machine Security (VMSec'09) (November 2009).

[27]

LUK, C.-K., COHN, R., MUTH, R., PATIL, H., KLAUSER, A., LOWNEY, G., WALLACE, S., REDDI, V. J., AND HAZELWOOD, K. Pin: Building customized program analysis tools with dynamic instrumentation. In Proc. of 2005 Programming Language Design and Implementation (PLDI) conference (june 2005).

[28]

MARTIGNONI, L., MCCAMANT, S., POOSANKAM, P., SONG, D., AND MANIATIS, P. Path-exploration lifting: Hi-fi tests for lo-fi emulators. In Proceedings of the 17th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) (London, UK, Mar. 2012).

[29]

MARTIGNONI, L., PALEARI, R., ROGLIA, G. F., AND BRUSCHI, D. Testing cpu emulators. In Proceedings of the 18th International Symposium on Software Testing and Analysis (ISSTA'09) (2009), pp. 261-272.

[30]

MIJAR, R., AND NIGHTINGALE, A. Virtualization is coming to a platform near you. Tech. rep., ARM Limited, 2011.

[31]

MOSER, A., KRUEGEL, C., AND KIRDA, E. Exploring multiple execution paths for malware analysis. In Proceedings of the 2007 IEEE Symposium on Security and Privacy(Oakland'07) (May 2007).

[32]

NETHERCOTE, N., AND SEWARD, J. Valgrind: a framework for heavyweight dynamic binary instrumentation. In PLDI (2007), pp. 89-100.

[33]

PORTOKALIDIS, G., SLOWINSKA, A., AND BOS, H. Argos: an emulator for fingerprinting zero-day attacks. In EuroSys 2006 (April 2006).

[34]

Proguard. http://proguard.sourceforge.net.

[35]

TEMU: The BitBlaze dynamic analysis component. http:// bitblaze.cs.berkeley.edu/temu.html.

[36]

YAN, L.-K., JAYACHANDRA, M., ZHANG, M., AND YIN, H. V2E: Combining hardware virtualization and software emulation for transparent and extensible malware analysis. In Proceedings of the Eighth Annual International Conference on Virtual Execution Environments (VEE'12) (March 2012).

[37]

YIN, H., LIANG, Z., AND SONG, D. HookFinder: Identifying and understanding malware hooking behaviors. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08) (February 2008).

[38]

YIN, H., AND SONG, D. Temu: Binary code analysis via whole-system layered annotative execution. Tech. Rep. UCB/EECS- 2010-3, EECS Department, University of California, Berkeley, Jan 2010.

[39]

YIN, H., SONG, D., MANUEL, E., KRUEGEL, C., AND KIRDA, E. Panorama: Capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conferences on Computer and Communication Security (CCS'07) (October 2007).

[40]

ZHOU, Y., AND JIANG, X. Dissecting android malware: Characterization and evolution. In Proceedings of the 33rd IEEE Symposium on Security and Privacy (Oakland 2012) (San Francisco, CA, USA, May 2012), IEEE.

[41]

ZHOU, Y., WANG, Z., ZHOU, W., AND JIANG, X. Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In Proceedings of the 19th Network and Distributed System Security Symposium (San Diego, CA, February 2012).

Cited By

Lin YWong JGao D(2023)FA3Proceedings of the 24th International Workshop on Mobile Computing Systems and Applications10.1145/3572864.3580338(74-80)Online publication date: 22-Feb-2023
https://dl.acm.org/doi/10.1145/3572864.3580338
Liu XLiu K(2023)A permission-carrying security policy and static enforcement for information flows in Android programsComputers and Security10.1016/j.cose.2022.103090126:COnline publication date: 15-Feb-2023
https://dl.acm.org/doi/10.1016/j.cose.2022.103090
Khan KUllah NAli SKhan MNauman MGhani A(2022)Op2VecSecurity and Communication Networks10.1155/2022/37109682022Online publication date: 1-Jan-2022
https://dl.acm.org/doi/10.1155/2022/3710968
Show More Cited By

Recommendations

Detecting repackaged smartphone applications in third-party android marketplaces
CODASPY '12: Proceedings of the second ACM conference on Data and Application Security and Privacy

Recent years have witnessed incredible popularity and adoption of smartphones and mobile devices, which is accompanied by large amount and wide variety of feature-rich smartphone applications. These smartphone applications (or apps), typically organized ...
A Measurement-based Study on Application Popularity in Android and iOS App Stores
Mobidata '15: Proceedings of the 2015 Workshop on Mobile Big Data

Mobile application stores (appstores) are emerging digital distribution platforms with explosive growth. Although there have been some observations on the mobile application (app) popularity in Android appstores, there is no report on the app popularity ...
An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective
WWW '17: Proceedings of the 26th International Conference on World Wide Web

With the prevalence of smartphones, app markets such as Apple App Store and Google Play has become the center stage in the mobile app ecosystem, with millions of apps developed by tens of thousands of app developers in each major market. This paper ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

Security'12: Proceedings of the 21st USENIX conference on Security symposium

August 2012

43 pages

Program Chair:
Tadayoshi Kohno
University of Washington

Sponsors

NSF: National Science Foundation
Google Inc.
IBMR: IBM Research
Microsoft Research: Microsoft Research
Symantec: Symantec

Publisher

USENIX Association

United States

Publication History

Published: 08 August 2012

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

118
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 09 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Lin YWong JGao D(2023)FA3Proceedings of the 24th International Workshop on Mobile Computing Systems and Applications10.1145/3572864.3580338(74-80)Online publication date: 22-Feb-2023
https://dl.acm.org/doi/10.1145/3572864.3580338
Liu XLiu K(2023)A permission-carrying security policy and static enforcement for information flows in Android programsComputers and Security10.1016/j.cose.2022.103090126:COnline publication date: 15-Feb-2023
https://dl.acm.org/doi/10.1016/j.cose.2022.103090
Khan KUllah NAli SKhan MNauman MGhani A(2022)Op2VecSecurity and Communication Networks10.1155/2022/37109682022Online publication date: 1-Jan-2022
https://dl.acm.org/doi/10.1155/2022/3710968
Choo ENabeel MAlsabah MKhalil IYu TWang W(2022)DeviceWatch: A Data-Driven Network Analysis Approach to Identifying Compromised Mobile Devices with Graph-InferenceACM Transactions on Privacy and Security10.1145/355876726:1(1-32)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3558767
Song WMing JJiang LXiang YPan XFu JPeng GKim YKim JVigna GShi E(2021)Towards Transparent and Stealthy Android OS Sandboxing via Customizable Container-Based VirtualizationProceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security10.1145/3460120.3484544(2858-2874)Online publication date: 12-Nov-2021
https://dl.acm.org/doi/10.1145/3460120.3484544
Uliana EStathis KJago R(2019)MagnetDroidProceedings of the Seventeenth International Conference on Artificial Intelligence and Law10.1145/3322640.3326729(123-132)Online publication date: 17-Jun-2019
https://dl.acm.org/doi/10.1145/3322640.3326729
Wang YLiu XMao WWang W(2019)DCDroidProceedings of the ACM Turing Celebration Conference - China10.1145/3321408.3326665(1-9)Online publication date: 17-May-2019
https://dl.acm.org/doi/10.1145/3321408.3326665
Qin XZeng FZhang Y(2019)MSNdroidProceedings of the ACM Turing Celebration Conference - China10.1145/3321408.3321606(1-5)Online publication date: 17-May-2019
https://dl.acm.org/doi/10.1145/3321408.3321606
Onwuzurike LMariconti EAndriotis PCristofaro ERoss GStringhini G(2019)MaMaDroidACM Transactions on Privacy and Security10.1145/331339122:2(1-34)Online publication date: 9-Apr-2019
https://dl.acm.org/doi/10.1145/3313391
Wu TDeng XYan JZhang J(2019)Analyses for specific defects in android applicationsFrontiers of Computer Science: Selected Publications from Chinese Universities10.1007/s11704-018-7008-113:6(1210-1227)Online publication date: 1-Dec-2019
https://dl.acm.org/doi/10.1007/s11704-018-7008-1
Show More Cited By

View Options

View options

Media

Figures

Other

Tables

View Table of Contents