A Large Scale Investigation of Obfuscation Use in Google Play

Wermke, Dominik; Huaman, Nicolas; Acar, Yasemin; Reaves, Bradley; Traynor, Patrick; Fahl, Sascha

doi:10.1145/3274694.3274726

Cited by 68 publications

(50 citation statements)

References 49 publications

(69 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To study the obfuscation of the 3PLs, we analyze their source codes with jd-gui, a tool that transforms Java bytecodes into source codes. We find that although obfuscation is widely adopted in 3PLs (accounting for 60%), the obfuscation does not affect their entry methods, which is corroborated by Wermke et al 38 The reason is straightforward. If the name of the entry method is obfuscated, the host app would not be able to know how to start the 3PL.…”

Section: Discussionsupporting

confidence: 83%

Component‐based permission management of Android applications

Zhou

Wang

2019

Softw Pract Exp

View full text Add to dashboard Cite

Summary Most Android applications include third‐party libraries (3PLs) to make revenues, to facilitate their development, and to track user behaviors. 3PLs generally require specific permissions to realize their functionalities. Current Android systems manage permissions in app (process) granularity. As a result, the permission sets of apps with 3PLs (3PL‐apps) may be augmented, introducing overprivilege risks. In this paper, we firstly study how severe the problem is by analyzing the permission sets of 27 718 real‐world Android apps with and without 3PLs downloaded in both 2016 and 2017. We find that the usage of 3PLs and the permissions required by 3PL‐apps have increased over time. As a result, the possibility of overprivilege risks increases. We then propose Perman, a fine‐grained permission management mechanism for Android. Perman isolates the permissions of the host app and those of the 3PLs through dynamic code instrumentation. It allows users to manage permission requests of different modules of 3PL‐apps during app runtime. Unlike existing tools, Perman does not need to redesign Android apps and systems. Therefore, it can be applied to millions of existing apps and various Android devices. We conduct experiments to evaluate the effectiveness and efficiency of Perman. The experimental results verify that Perman is capable of managing permission requests of the host app and those of the 3PLs. We also confirm that the overhead introduced by Perman is comparable to that by existing commercial permission management tools.

show abstract

Section: Discussionsupporting

confidence: 83%

Component‐based permission management of Android applications

Zhou

Wang

2019

Softw Pract Exp

View full text Add to dashboard Cite

show abstract

“…We also find that the use of obfuscation techniques dramatically increased since the early days of Android malware, with specimens nowadays pervasively using native code and including external scripts to avoid easy analysis. This contrasts with the amount of legitimate apps that are currently obfuscated-a recent investigation shows that less than 25% of apps in Google Play are obfuscated [47], while we show that over 90% of the riders have the ability to use advanced obfuscation techniques. A consequence of this is that antimalware systems trained on carriers and/or older datasets might not be effective in detecting the most recent threats, especially when they only rely on static analysis.…”

Section: Introductioncontrasting

confidence: 81%

“…We show that all forms of obfuscation are increasingly more popular in malware, with the usage of cryptography present in 90% of the families in 2017. When putting this in perspective with respect to legitimate apps [47], we show sharp increase in the use these techniques. Discussions about the attribution of certain behaviors such as the use of obfuscation to repackaged malware have been recurrent in literature over the last few years [29].…”

Section: B Key Findingsmentioning

confidence: 95%

“…Evidence of obfuscation: A large scale investigation of the use of obfuscation in Google Play have recently shown that only 24.9% of the apps are obfuscated [47]. In this work we look at certain evidences of obfuscation among riders.…”

Section: B Key Findingsmentioning

confidence: 99%

“…Recent work studied the use of obfuscation on goodware on the Google Play store [47] Authors showed that less than 25% of apps have been obfuscated by the primary developer. Instead, we show that the obfuscation in malware is way more prominent.…”

Section: Evolution Over Timementioning

confidence: 99%

See 2 more Smart Citations

Eight Years of Rider Measurement in the Android Malware Ecosystem

Suárez-Tangil

Stringhini

2022

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Despite the growing threat posed by Android malware, the research community is still lacking a comprehensive view of common behaviors and trends exposed by malware families active on the platform. Without such view, the researchers incur the risk of developing systems that only detect outdated threats, missing the most recent ones. In this paper, we conduct the largest measurement of Android malware behavior to date, analyzing over 1.2 million malware samples that belong to 1.2K families over a period of eight years (from 2010 to 2017). We aim at understanding how the behavior of Android malware has evolved over time, focusing on repackaging malware. In this type of threats different innocuous apps are piggybacked with a malicious payload (rider), allowing inexpensive malware manufacturing.One of the main challenges posed when studying repackaged malware is slicing the app to split benign components apart from the malicious ones. To address this problem, we use differential analysis to isolate software components that are irrelevant to the campaign and study the behavior of malicious riders alone. Our analysis framework relies on collective repositories and recent advances on the systematization of intelligence extracted from multiple anti-virus vendors. We find that since its infancy in 2010, the Android malware ecosystem has changed significantly, both in the type of malicious activity performed by the malicious samples and in the level of obfuscation used by malware to avoid detection. We then show that our framework can aid analysts who attempt to study unknown malware families. Finally, we discuss what our findings mean for Android malware detection research, highlighting areas that need further attention by the research community.

show abstract