TY - GEN
T1 - Detecting Vulnerable Android Inter-App Communication in Dynamically Loaded Code
AU - Alhanahnah, Mohannad
AU - Yan, Qiben
AU - Bagheri, Hamid
AU - Zhou, Hao
AU - Tsutano, Yutaka
AU - Srisa-An, Witawas
AU - Luo, Xiapu
PY - 2019/4
Y1 - 2019/4
N2 - Java reflection and dynamic class loading (DCL) are effective features for enhancing the functionalities of Android apps. However, these features can be abused by sophisticated malware to bypass detection schemes. Advanced malware can utilize reflection and DCL in conjunction with Android Inter-App Communication (IAC) to launch collusion attacks using two or more apps. Such dynamically revealed malicious behaviors enable a new type of stealthy, collusive attacks, bypassing all existing detection mechanisms. In this paper, we present DINA, a novel hybrid analysis approach for identifying malicious IAC behaviors concealed within dynamically loaded code through reflective/DCL calls. DINA continuously appends reflection and DCL invocations to control-flow graphs; it then performs incremental dynamic analysis on such augmented graphs to detect the misuse of reflection and DCL that may lead to malicious, yet concealed, IAC activities. Our extensive evaluation on 3,000 real-world Android apps and 14,000 malicious apps corroborates the prevalent usage of reflection and DCL, and reveals previously unknown and potentially harmful, hidden IAC behaviors in real-world apps.
KW - dynamically loaded code
KW - inter-app communication
KW - Mobile security
KW - reflection
UR - http://www.scopus.com/inward/record.url?scp=85068220924&partnerID=8YFLogxK
U2 - 10.1109/INFOCOM.2019.8737637
DO - 10.1109/INFOCOM.2019.8737637
M3 - Conference article published in proceeding or book
AN - SCOPUS:85068220924
T3 - Proceedings - IEEE INFOCOM
SP - 550
EP - 558
BT - INFOCOM 2019 - IEEE Conference on Computer Communications
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2019 IEEE Conference on Computer Communications, INFOCOM 2019
Y2 - 29 April 2019 through 2 May 2019
ER -