Droid-AntiRM: Taming control flow anti-Analysis to support automated dynamic analysis of android malware

Xiaolei Wang, Sencun Zhu, Dehua Zhou, Yuexiang Yang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

23 Scopus citations

Abstract

While many test input generation techniques have been proposed to improve the code coverage of dynamic analysis, they are still inefficient in triggering hidden malicious behaviors protected by anti-Analysis techniques. In this work, we design and implement Droid-AntiRM, a new approach seeking to tame anti-Analysis automatically and improve automated dynamic analysis. Our approach leverages three key observations: 1) Logic-bomb based anti-Analysis techniques control the execution of certain malicious behaviors; 2) Anti-Analysis techniques are normally implemented through condition statements; 3) Anti-Analysis techniques normally have no dependence on program inputs. Based on these observations, Droid-AntiRM uses various techniques to detect anti-Analysis in malware samples, and rewrite the condition statements in anti-Analysis cases through bytecode instrumentation, thus forcing the hidden behavior to be executed at runtime. Through a study of 3187 malware samples, we find that 32.50% of them employ various anti-Analysis techniques. Our experiments demonstrate that Droid-AntiRM can identify anti-Analysis instances from 30 malware samples with a true positive rate of 89.15% and zero false negatives. By taming the identified anti-Analysis, Droid-AntiRM can greatly improve the automated dynamic analysis, successfully triggering 44 additional hidden malicious behaviors from the 30 samples. Further performance evaluation shows that Droid-AntiRM has good efficiency to perform large-scale analysis.

Original language: English (US)
Title of host publication: Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017
Publisher: Association for Computing Machinery
Pages: 350-361
Number of pages: 12
ISBN (Electronic): 9781450353458
State: Published - Dec 4 2017
Event: 33rd Annual Computer Security Applications Conference, ACSAC 2017 - Orlando, United States
Duration: Dec 4 2017 to Dec 8 2017

Publication series

Name: ACM International Conference Proceeding Series
Volume: Part F132521

Other

Other: 33rd Annual Computer Security Applications Conference, ACSAC 2017
Country/Territory: United States
City: Orlando
Period: 12/4/17 to 12/8/17

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications
