DyDroid: Measuring Dynamic Code Loading and Its Security Implications in Android Applications

Zhengyang Qu, Shahid Alam, Yan Chen, Xiaoyong Zhou, Wangjun Hong, Ryan Riley

Research output: Chapter in Book/Report/Conference proceedingConference contribution

24 Scopus citations

Abstract

Android has provided dynamic code loading (DCL) since API level one. DCL allows an app developer to load additional code at runtime. DCL raises numerous challenges with regards to security and accountability analysis of apps. While previous studies have investigated DCL on Android, in this paper we formulate and answer three critical questions that are missing from previous studies: (1) Where does the loaded code come from (remotely fetched or locally packaged), and who is the responsible entity to invoke its functionality? (2) In what ways is DCL utilized to harden mobile apps, specifically, application obfuscation? (3) What are the security risks and implications that can be found from DCL in off-the-shelf apps? We design and implement DyDroid, a system which uses both dynamic and static analysis to analyze dynamically loaded code. Dynamic analysis is used to automatically exercise apps, capture DCL behavior, and intercept the loaded code. Static analysis is used to investigate malicious behavior and privacy leakage in that dynamically loaded code. We have used DyDroid to analyze over 46K apps with little manual intervention, allowing us to conduct a large-scale measurement to investigate five aspects of DCL, such as source identification, malware detection, vulnerability analysis, obfuscation analysis, and privacy tracking analysis. We have several interesting findings. (1) 27 apps are found to violate the content policy of Google Play by executing code downloaded from remote servers. (2) We determine the distribution, pros/cons, and implications of several common obfuscation methods, including DEX encryption/loading. (3) DCL's stealthiness enables it to be a channel to deploy malware, and we find 87 apps loading malicious binaries which are not detected by existing antivirus tools. (4) We found 14 apps that are vulnerable to code injection attacks due to dynamically loading code which is writable by other apps. (5) DCL is mainly used by third-party SDKs, meaning that app developers may not know what sort of sensitive functionality is injected into their apps.

Original languageEnglish (US)
Title of host publicationProceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages415-426
Number of pages12
ISBN (Electronic)9781538605417
DOIs
StatePublished - Aug 30 2017
Event47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 - Denver, United States
Duration: Jun 26 2017Jun 29 2017

Conference

Conference47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017
Country/TerritoryUnited States
CityDenver
Period6/26/176/29/17

Keywords

  • Android
  • Dynamic analysis
  • Dynamic Code Loading
  • Measurement
  • Mobile security
  • Smartphone

ASJC Scopus subject areas

  • Hardware and Architecture
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'DyDroid: Measuring Dynamic Code Loading and Its Security Implications in Android Applications'. Together they form a unique fingerprint.

Cite this