NCScope: Hardware-Assisted analyzer for native code in Android apps

Hao Zhou, Shuohan Wu, Xiapu Luo, Ting Wang, Yajin Zhou, Chao Zhang, Haipeng Cai

Research output: Chapter in Book/Report/Conference proceedingConference contribution

4 Scopus citations

Abstract

More and more Android apps implement their functionalities in native code, so does malware. Although various approaches have been designed to analyze the native code used by apps, they usually generate incomplete and biased results due to their limitations in obtaining and analyzing high-fidelity execution traces and memory data with low overheads. To fill the gap, in this paper, we propose and develop a novel hardware-Assisted analyzer for native code in apps. We leverage ETM, a hardware feature of ARM platform, and eBPF, a kernel component of Android system, to collect real execution traces and relevant memory data of target apps, and design new methods to scrutinize native code according to the collected data. To show the unique capability of NCScope, we apply it to four applications that cannot be accomplished by existing tools, including systematic studies on self-protection and anti-Analysis mechanisms implemented in native code of apps, analysis of memory corruption in native code, and identification of performance differences between functions in native code. The results uncover that only 26.8% of the analyzed financial apps implement self-protection methods in native code, implying that the security of financial apps is far from expected. Meanwhile, 78.3% of the malicious apps under analysis have anti-Analysis behaviors, suggesting that NCScope is very useful to malware analysis. Moreover, NCScope can effectively detect bugs in native code and identify performance differences.

Original languageEnglish (US)
Title of host publicationISSTA 2022 - Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis
EditorsSukyoung Ryu, Yannis Smaragdakis
PublisherAssociation for Computing Machinery, Inc
Pages629-641
Number of pages13
ISBN (Electronic)9781450393799
DOIs
StatePublished - Jul 18 2022
Event31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2022 - Virtual, Online, Korea, Republic of
Duration: Jul 18 2022Jul 22 2022

Publication series

NameISSTA 2022 - Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis

Conference

Conference31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2022
Country/TerritoryKorea, Republic of
CityVirtual, Online
Period7/18/227/22/22

All Science Journal Classification (ASJC) codes

  • Computational Theory and Mathematics
  • Computer Science Applications
  • Software

Fingerprint

Dive into the research topics of 'NCScope: Hardware-Assisted analyzer for native code in Android apps'. Together they form a unique fingerprint.

Cite this