Automated Hybrid Analysis of Android Malware through Augmenting Fuzzing with Forced Execution

Xiaolei Wang, Yuexiang Yang, Sencun Zhu

Research output: Contribution to journal › Article

Abstract

Automatically triggering malicious behaviors is an essential step in understanding malware and developing effective solutions. Existing automated dynamic analysis approaches usually try to trigger the malicious behaviors by relying on simple fuzzing or on complex input generation techniques (e.g., concolic execution). However, advanced malware often adopts various evasion techniques to hide malicious behaviors, e.g., by introducing complex condition checks that are very hard to satisfy. In this paper, we propose a new approach named DirectDroid, which bypasses such checks through on-demand forced execution while adopting fuzzing to feed the necessary program input. In this way, many hidden malicious behaviors can be successfully triggered. To keep execution progressing normally towards the malicious behaviors, DirectDroid also largely handles potential program crashes caused by forced execution. Finally, we implement a prototype of DirectDroid and evaluate it against 951 recent malware samples. Our experimental results show that DirectDroid can trigger many more malicious behaviors than several previous works, even when crashes occurred. Our further analysis shows that DirectDroid has a low false positive rate even though it adopts forced execution.

Original language: English (US)
Article number: 8576654
Pages (from-to): 2768-2782
Number of pages: 15
Journal: IEEE Transactions on Mobile Computing
Volume: 18
Issue number: 12
DOI: 10.1109/TMC.2018.2886881
ISSN: 1536-1233
State: Published - Dec 1 2019

Fingerprint

  • Dynamic analysis
  • Malware
  • Experiments

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications
  • Electrical and Electronic Engineering
