TY - GEN
T1 - Defining and detecting environment discrimination in android apps
AU - Hong, Yunfeng
AU - Hu, Yongjian
AU - Lai, Chun Ming
AU - Felix Wu, S.
AU - Neamtiu, Iulian
AU - McDaniel, Patrick
AU - Yu, Paul
AU - Cam, Hasan
AU - Ahn, Gail Joon
N1 - Funding Information:
Acknowledgement. The effort described in this article was partially sponsored by the U.S. Army Research Laboratory Cyber Security Collaborative Research Alliance under Contract Number W911NF-13-2-0045. The views and conclusions contained in this document are those of the authors, and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.
Publisher Copyright:
© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.
PY - 2018
Y1 - 2018
AB - Environment discrimination—a program behaving differently on different platforms—is used in many contexts. For example, malware can use environment discrimination to thwart detection attempts: as malware detectors employ automated dynamic analysis while running the potentially malicious program in a virtualized environment, the malware author can make the program virtual environment-aware so the malware turns off the nefarious behavior when it is running in a virtualized environment. Therefore, an approach for detecting environment discrimination can help security researchers and practitioners better understand the behavior of, and consequently counter, malware. In this paper we formally define environment discrimination, and propose an approach based on abstract traces and symbolic execution to detect discrimination in Android apps. Furthermore, our approach discovers what API calls expose the environment information to malware, which is a valuable reference for virtualization developers to improve their products. We also apply our approach to real malware and third-party-researcher designed benchmark apps. The result shows that the algorithm and framework we proposed achieve 97% accuracy.
UR - http://www.scopus.com/inward/record.url?scp=85045969514&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85045969514&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-78813-5_26
DO - 10.1007/978-3-319-78813-5_26
M3 - Conference contribution
AN - SCOPUS:85045969514
SN - 9783319788128
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 510
EP - 529
BT - Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings
A2 - Ghorbani, Ali
A2 - Lin, Xiaodong
A2 - Ren, Kui
A2 - Zhu, Sencun
A2 - Zhang, Aiqing
PB - Springer Verlag
T2 - 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017
Y2 - 22 October 2017 through 25 October 2017
ER -