StaDART: Addressing the problem of dynamic code updates in the security analysis of android applications

Maqsood Ahmad, Valerio Costamagna, Bruno Crispo, Francesco Bergadano, Yury Zhauniarovich

Research output: Contribution to journal › Article

Abstract

Dynamic code update techniques (Android Studio – support for dynamic delivery), such as dynamic class loading and reflection, enable Android apps to extend their functionality at runtime. At the same time, these techniques are misused by malware developers to transform a seemingly benign app into malware once it is installed on a real device. Among the corpus of evasive techniques used in modern real-world malware, evasive usage of dynamic code updates plays a key role. First, we demonstrate the ineffectiveness of existing tools to analyze apps in the presence of dynamic code updates using our test apps, i.e., Reflection-Bench and InboxArchiver. Second, we present StaDART, which combines static and dynamic analysis of Android apps to reveal the concealed behavior of malware. StaDART performs dynamic code interposition using a vtable tampering technique for API hooking, which avoids modifications to the Android framework. Furthermore, we integrate it with a triggering solution, DroidBot, to make it more scalable and fully automated. We present our evaluation results with a dataset of 2000 real-world apps, containing 1000 legitimate apps and 1000 malware samples. The evaluation results with this dataset and Reflection-Bench show that StaDART reveals suspicious behavior that is otherwise hidden from static analysis tools.

Original language: English
Article number: 110386
Journal: Journal of Systems and Software
Volume: 159
DOIs: 10.1016/j.jss.2019.07.088
Publication status: Published - Jan 2020

Fingerprint

Application programs
Static analysis
Studios
Application programming interfaces (API)
Dynamic analysis
Malware

Keywords

  • Android
  • Dynamic class loading
  • Dynamic code updates
  • Reflection
  • Security analysis

ASJC Scopus subject areas

  • Software
  • Information Systems
  • Hardware and Architecture

Cite this

StaDART: Addressing the problem of dynamic code updates in the security analysis of android applications. / Ahmad, Maqsood; Costamagna, Valerio; Crispo, Bruno; Bergadano, Francesco; Zhauniarovich, Yury.

In: Journal of Systems and Software, Vol. 159, 110386, 01.2020.

Research output: Contribution to journal › Article

@article{1470dbeff4114964a3cc96262ea57032,
title = "StaDART: Addressing the problem of dynamic code updates in the security analysis of android applications",
abstract = "Dynamic code update techniques (Android Studio – support for dynamic delivery), such as dynamic class loading and reflection, enable Android apps to extend their functionality at runtime. At the same time, these techniques are misused by malware developers to transform a seemingly benign app into malware once it is installed on a real device. Among the corpus of evasive techniques used in modern real-world malware, evasive usage of dynamic code updates plays a key role. First, we demonstrate the ineffectiveness of existing tools to analyze apps in the presence of dynamic code updates using our test apps, i.e., Reflection-Bench and InboxArchiver. Second, we present StaDART, which combines static and dynamic analysis of Android apps to reveal the concealed behavior of malware. StaDART performs dynamic code interposition using a vtable tampering technique for API hooking, which avoids modifications to the Android framework. Furthermore, we integrate it with a triggering solution, DroidBot, to make it more scalable and fully automated. We present our evaluation results with a dataset of 2000 real-world apps, containing 1000 legitimate apps and 1000 malware samples. The evaluation results with this dataset and Reflection-Bench show that StaDART reveals suspicious behavior that is otherwise hidden from static analysis tools.",
keywords = "Android, Dynamic class loading, Dynamic code updates, Reflection, Security analysis",
author = "Maqsood Ahmad and Valerio Costamagna and Bruno Crispo and Francesco Bergadano and Yury Zhauniarovich",
year = "2020",
month = "1",
doi = "10.1016/j.jss.2019.07.088",
language = "English",
volume = "159",
journal = "Journal of Systems and Software",
issn = "0164-1212",
publisher = "Elsevier Inc.",
}

TY  - JOUR
T1  - StaDART
T2  - Addressing the problem of dynamic code updates in the security analysis of android applications
AU  - Ahmad, Maqsood
AU  - Costamagna, Valerio
AU  - Crispo, Bruno
AU  - Bergadano, Francesco
AU  - Zhauniarovich, Yury
PY  - 2020/1
Y1  - 2020/1
N2  - Dynamic code update techniques (Android Studio – support for dynamic delivery), such as dynamic class loading and reflection, enable Android apps to extend their functionality at runtime. At the same time, these techniques are misused by malware developers to transform a seemingly benign app into malware once it is installed on a real device. Among the corpus of evasive techniques used in modern real-world malware, evasive usage of dynamic code updates plays a key role. First, we demonstrate the ineffectiveness of existing tools to analyze apps in the presence of dynamic code updates using our test apps, i.e., Reflection-Bench and InboxArchiver. Second, we present StaDART, which combines static and dynamic analysis of Android apps to reveal the concealed behavior of malware. StaDART performs dynamic code interposition using a vtable tampering technique for API hooking, which avoids modifications to the Android framework. Furthermore, we integrate it with a triggering solution, DroidBot, to make it more scalable and fully automated. We present our evaluation results with a dataset of 2000 real-world apps, containing 1000 legitimate apps and 1000 malware samples. The evaluation results with this dataset and Reflection-Bench show that StaDART reveals suspicious behavior that is otherwise hidden from static analysis tools.
AB  - Dynamic code update techniques (Android Studio – support for dynamic delivery), such as dynamic class loading and reflection, enable Android apps to extend their functionality at runtime. At the same time, these techniques are misused by malware developers to transform a seemingly benign app into malware once it is installed on a real device. Among the corpus of evasive techniques used in modern real-world malware, evasive usage of dynamic code updates plays a key role. First, we demonstrate the ineffectiveness of existing tools to analyze apps in the presence of dynamic code updates using our test apps, i.e., Reflection-Bench and InboxArchiver. Second, we present StaDART, which combines static and dynamic analysis of Android apps to reveal the concealed behavior of malware. StaDART performs dynamic code interposition using a vtable tampering technique for API hooking, which avoids modifications to the Android framework. Furthermore, we integrate it with a triggering solution, DroidBot, to make it more scalable and fully automated. We present our evaluation results with a dataset of 2000 real-world apps, containing 1000 legitimate apps and 1000 malware samples. The evaluation results with this dataset and Reflection-Bench show that StaDART reveals suspicious behavior that is otherwise hidden from static analysis tools.
KW  - Android
KW  - Dynamic class loading
KW  - Dynamic code updates
KW  - Reflection
KW  - Security analysis
UR  - http://www.scopus.com/inward/record.url?scp=85073942145&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=85073942145&partnerID=8YFLogxK
U2  - 10.1016/j.jss.2019.07.088
DO  - 10.1016/j.jss.2019.07.088
M3  - Article
AN  - SCOPUS:85073942145
VL  - 159
JO  - Journal of Systems and Software
JF  - Journal of Systems and Software
SN  - 0164-1212
M1  - 110386
ER  -