Abstract
Android has provided dynamic code loading (DCL) since API level one. DCL allows an app developer to load additional code at runtime. DCL raises numerous challenges with regard to security and accountability analysis of apps. While previous studies have investigated DCL on Android, in this paper we formulate and answer three critical questions that are missing from previous studies: (1) Where does the loaded code come from (remotely fetched or locally packaged), and who is the responsible entity to invoke its functionality? (2) In what ways is DCL utilized to harden mobile apps, specifically, application obfuscation? (3) What are the security risks and implications that can be found from DCL in off-the-shelf apps? We design and implement DyDroid, a system which uses both dynamic and static analysis to analyze dynamically loaded code. Dynamic analysis is used to automatically exercise apps, capture DCL behavior, and intercept the loaded code. Static analysis is used to investigate malicious behavior and privacy leakage in that dynamically loaded code. We have used DyDroid to analyze over 46K apps with little manual intervention, allowing us to conduct a large-scale measurement to investigate five aspects of DCL, such as source identification, malware detection, vulnerability analysis, obfuscation analysis, and privacy tracking analysis. We have several interesting findings. (1) 27 apps are found to violate the content policy of Google Play by executing code downloaded from remote servers. (2) We determine the distribution, pros/cons, and implications of several common obfuscation methods, including DEX encryption/loading. (3) DCL's stealthiness enables it to be a channel to deploy malware, and we find 87 apps loading malicious binaries which are not detected by existing antivirus tools. (4) We found 14 apps that are vulnerable to code injection attacks due to dynamically loading code which is writable by other apps. (5) DCL is mainly used by third-party SDKs, meaning that app developers may not know what sort of sensitive functionality is injected into their apps.
Original language | English (US) |
---|---|
Title of host publication | Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 415-426 |
Number of pages | 12 |
ISBN (Electronic) | 9781538605417 |
State | Published - Aug 30 2017 |
Event | 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 - Denver, United States. Duration: Jun 26 2017 → Jun 29 2017 |
Conference
Conference | 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 |
---|---|
Country/Territory | United States |
City | Denver |
Period | 6/26/17 → 6/29/17 |
Keywords
- Android
- Dynamic analysis
- Dynamic Code Loading
- Measurement
- Mobile security
- Smartphone
ASJC Scopus subject areas
- Hardware and Architecture
- Computer Networks and Communications
- Safety, Risk, Reliability and Quality