CopperDroid: Automatic Reconstruction of Android Malware Behaviors

Tam, Kimberly; Khan, Salahuddin J.; Fattori, Aristide; Cavallaro, Lorenzo

doi:10.14722/ndss.2015.23145

Cited by 305 publications

(167 citation statements)

References 22 publications

Supporting

Mentioning

166

Contrasting

Unclassified

Order By: Relevance

“…In this case, the user must determine a mapping between the system call method and API methods that use the system call. Such tools include CopperDroid [39], AASandbox [10] and Crowdroid [12]. If only specific system calls are traced (e.g.…”

Section: ) Analyzing Api Methodsmentioning

confidence: 99%

“…Given a set of targeted APIs that represent the analysis performed by the dynamic tool, IntelliDroid will find instances of these targeted APIs in the application and generate inputs to trigger them. These inputs can be injected into an actual Android system, allowing IntelliDroid to be integrated with any dynamic analysis tool, including those that monitor application execution from an instrumented OS [19], or from a virtual machine emulator [39]. To accomplish this task, IntelliDroid takes the following steps: 1) Identify invocations of targeted APIs.…”

Section: Designmentioning

confidence: 99%

See 1 more Smart Citation

IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware

Wong¹,

Lie²

2016

Proceedings 2016 Network and Distributed System Security Symposium

162

View full text Add to dashboard Cite

Abstract-While dynamic malware analysis methods generally provide better precision than purely static methods, they have the key drawback that they can only detect malicious behavior if it is executed during analysis. This requires inputs that trigger the malicious behavior to be applied during execution. All current methods, such as hard-coded tests, random fuzzing and concolic testing, can provide good coverage but are inefficient because they are unaware of the specific capabilities of the dynamic analysis tool. In this work, we introduce IntelliDroid, a generic Android input generator that can be configured to produce inputs specific to a dynamic analysis tool, for the analysis of any Android application. Furthermore, IntelliDroid is capable of determining the precise order that the inputs must be injected, and injects them at what we call the device-framework interface such that system fidelity is preserved. This enables it to be paired with full-system dynamic analysis tools such as TaintDroid. Our experiments demonstrate that IntelliDroid requires an average of 72 inputs and only needs to execute an average of 5% of the application to detect malicious behavior. When evaluated on 75 instances of malicious behavior, IntelliDroid successfully identifies the behavior, extracts path constraints, and executes the malicious code in all but 5 cases. On average, IntelliDroid performs these tasks in 138.4 seconds per application.

show abstract

Section: ) Analyzing Api Methodsmentioning

confidence: 99%

Section: Designmentioning

confidence: 99%

IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware

Wong¹,

Lie²

2016

Proceedings 2016 Network and Distributed System Security Symposium

162

View full text Add to dashboard Cite

show abstract

“…malicious code or heavy computation code [20]) in Android apps. TaintDroid [21], DroidScope [39], CopperDroid [35] and VetDroid [42] conducted dynamic taint analysis to detect Yes suspicious behaviors at runtime. Static analysis requires access to complete bytecode program and therefore can be simply evaded by runtime packers.…”

Section: Question Set 4: Android Unpackersmentioning

confidence: 99%

Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation

Duan

Zhang

Bhaskar

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-The prevalent usage of runtime packers has complicated Android malware analysis, as both legitimate and malicious apps are leveraging packing mechanisms to protect themselves against reverse engineer. Although recent efforts have been made to analyze particular packing techniques, little has been done to study the unique characteristics of Android packers. In this paper, we report the first systematic study on mainstream Android packers, in an attempt to understand their security implications. For this purpose, we developed DROIDUNPACK, a whole-system emulation based Android packing analysis framework, which compared with existing tools, relies on intrinsic characteristics of Android runtime (rather than heuristics), and further enables virtual machine inspection to precisely recover hidden code and reveal packing behaviors. Running our tool on 6 major commercial packers, 93,910 Android malware samples and 3 existing state-of-the-art unpackers, we found that not only are commercial packing services abused to encrypt malicious or plagiarized contents, they themselves also introduce securitycritical vulnerabilities to the apps being packed. Our study further reveals the prevalence and rapid evolution of custom packers used by malware authors, which cannot be defended against using existing techniques, due to their design weaknesses.

show abstract

“…CopperDroid [23] operates Android malware on QEMU, and analyzes the behavior of this malware by hooking the system calls. An analysis of Android-specific IPC using Binder is achieved by hooking ioctl(), which sends Binder the c 2016 Information Processing Society of Japan data.…”

Section: Related Workmentioning

confidence: 99%

Design of Function for Tracing Diffusion of Classified Information for IPC on KVM

Fujii

Sato

Yamauchi

et al. 2016

Journal of Information Processing

View full text Add to dashboard Cite

Abstract:The leaking of information has increased in recent years. To address this problem, we previously proposed a function for tracing the diffusion of classified information in a guest OS using a virtual machine monitor (VMM). This function makes it possible to grasp the location of classified information and detect information leakage without modifying the source codes of the guest OS. The diffusion of classified information is caused by a file operation, child process creation, and inter-process communication (IPC). In a previous study, we implemented the proposed function for a file operation and child process creation excluding IPC using a kernel-based virtual machine (KVM). In this paper, we describe the design of the proposed function for IPC on a KVM without modifying the guest OS. The proposed function traces the local and remote IPCs inside the guest OS from the outside so as to trace the information diffusion. Because IPC with an outside computer might cause information leakage, tracing the IPCs enables the detection of such a leakage. We also report the evaluation results including the traceability and performance of the proposed function.

show abstract

CopperDroid: Automatic Reconstruction of Android Malware Behaviors

Cited by 305 publications

References 22 publications

IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware

IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware

Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation

Design of Function for Tracing Diffusion of Classified Information for IPC on KVM

Contact Info

Product

Resources

About