DOI: 10.1145/2714576.2714589

Towards Discovering and Understanding Unexpected Hazards in Tailoring Antivirus Software for Android

Published: 14 April 2015

Abstract

In its latest comparison of Android Virus Detectors (AVDs), the independent lab AV-TEST reports that they have a malware detection rate of around 95%. This only indicates that current AVDs on Android have good malware signature databases. When AVDs are deployed on a fast-evolving mobile system, their effectiveness should also be measured by their runtime behavior. We therefore perform a comprehensive analysis of the design of the top 30 AVDs tailored for Android. Our new understanding of the AVDs' design leads us to discover hazards in adopting AVD solutions for Android, including hazards in the malware scan (malScan) mechanisms and in the engine update (engineUpdate). First, the malScan mechanisms of all the analyzed AVDs lack comprehensive and continuous scan coverage. To measure the seriousness of the identified hazards, we implement targeted evasions at certain times (e.g., the end of a scan) and locations (certain folders) and find that the evasions work even under the assumption that the AVDs are equipped with "complete" virus definition files. Second, we discover that, during the engineUpdate, the Android system surprisingly nullifies all types of protection offered by the AVDs and leaves the system at high risk for a period of time. We confirmed the presence of this vulnerable program logic in all versions of the Google Android source code and in other vendor-customized system images.
Since AVDs have about 650-1070 million downloads on the Google store, we immediately reported these hazards to AVD vendors across 16 countries. Google also confirmed the hazard we discovered in the engineUpdate procedure, so feature enhancements might be included in later versions. Our research sheds light on the importance of adopting secure and preventive design strategies for AVDs and other mission-critical apps on fast-evolving mobile systems.

Published In

ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
April 2015
698 pages
ISBN:9781450332453
DOI:10.1145/2714576

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. anti-malware
  2. malware
  3. mobile
  4. vulnerability measurement

Qualifiers

  • Research-article

Conference

ASIA CCS '15
Sponsor:
ASIA CCS '15: 10th ACM Symposium on Information, Computer and Communications Security
April 14 - 17, 2015
Singapore, Republic of Singapore

Acceptance Rates

ASIA CCS '15 paper acceptance rate: 48 of 269 submissions (18%)
Overall acceptance rate: 418 of 2,322 submissions (18%)

Cited By

  • (2022) Watch Out for Race Condition Attacks When Using Android External Storage. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 891-904. DOI: 10.1145/3548606.3560666. Online publication date: 7 Nov 2022.
  • (2022) Exploit the Last Straw That Breaks Android Systems. 2022 IEEE Symposium on Security and Privacy (SP), pp. 2230-2247. DOI: 10.1109/SP46214.2022.9833563. Online publication date: May 2022.
  • (2022) How to help teachers deal with students' cheating in Online Examinations: Design and Implementation of International Chinese Online Teaching Test Anti-Cheating Monitoring System (OICIE-ACS). Electronic Commerce Research. DOI: 10.1007/s10660-022-09649-2. Online publication date: 15 Dec 2022.
  • (2018) Towards Dynamically Monitoring Android Applications on Non-rooted Devices in the Wild. Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks, pp. 212-223. DOI: 10.1145/3212480.3212504. Online publication date: 18 Jun 2018.
  • (2018) Identifying and Evading Android Sandbox Through Usage-Profile Based Fingerprints. Proceedings of the First Workshop on Radical and Experiential Security, pp. 17-23. DOI: 10.1145/3203422.3203427. Online publication date: 24 May 2018.
  • (2018) Anycast-Based Content-Centric MANET. IEEE Systems Journal 12(2), pp. 1679-1687. DOI: 10.1109/JSYST.2016.2619374. Online publication date: Jun 2018.
  • (2017) Auditing Anti-Malware Tools by Evolving Android Malware and Dynamic Loading Technique. IEEE Transactions on Information Forensics and Security 12(7), pp. 1529-1544. DOI: 10.1109/TIFS.2017.2661723. Online publication date: 1 Jul 2017.
  • (2016) CDRep. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 711-722. DOI: 10.1145/2897845.2897896. Online publication date: 30 May 2016.
  • (2016) Mystique. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 365-376. DOI: 10.1145/2897845.2897856. Online publication date: 30 May 2016.
  • (2015) Finding unknown malice in 10 seconds. Proceedings of the 24th USENIX Conference on Security Symposium, pp. 659-674. DOI: 10.5555/2831143.2831185. Online publication date: 12 Aug 2015.