Defining and detecting environment discrimination in android apps

Yunfeng Hong, Yongjian Hu, Chun Ming Lai, S. Felix Wu, Iulian Neamtiu, Patrick McDaniel, Paul Yu, Hasan Cam, Gail Joon Ahn

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Environment discrimination—a program behaving differently on different platforms—is used in many contexts. For example, malware can use environment discrimination to thwart detection attempts: as malware detectors employ automated dynamic analysis while running the potentially malicious program in a virtualized environment, the malware author can make the program virtual environment-aware so the malware turns off the nefarious behavior when it is running in a virtualized environment. Therefore, an approach for detecting environment discrimination can help security researchers and practitioners better understand the behavior of, and consequently counter, malware. In this paper we formally define environment discrimination, and propose an approach based on abstract traces and symbolic execution to detect discrimination in Android apps. Furthermore, our approach discovers what API calls expose the environment information to malware, which is a valuable reference for virtualization developers to improve their products. We also apply our approach to the real malware and third-party-researcher designed benchmark apps. The result shows that the algorithm and framework we proposed achieves 97% accuracy.

Original language: English (US)
Title of host publication: Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings
Editors: Ali Ghorbani, Xiaodong Lin, Kui Ren, Sencun Zhu, Aiqing Zhang
Publisher: Springer Verlag
Pages: 510-529
Number of pages: 20
ISBN (Print): 9783319788128
DOIs: https://doi.org/10.1007/978-3-319-78813-5_26
State: Published - Jan 1 2018
Event: 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017 - [state] ON, Canada
Duration: Oct 22 2017 to Oct 25 2017

Publication series

Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume: 238
ISSN (Print): 1867-8211

Other

Other: 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017
Country: Canada
City: [state] ON
Period: 10/22/17 to 10/25/17

Fingerprint

Application programs
Malware
Android (operating system)
Application programming interfaces (API)
Dynamic analysis
Virtual reality
Detectors

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Cite this

Hong, Y., Hu, Y., Lai, C. M., Felix Wu, S., Neamtiu, I., McDaniel, P., ... Ahn, G. J. (2018). Defining and detecting environment discrimination in android apps. In A. Ghorbani, X. Lin, K. Ren, S. Zhu, & A. Zhang (Eds.), Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings (pp. 510-529). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 238). Springer Verlag. https://doi.org/10.1007/978-3-319-78813-5_26