1. School of Computer Science and Technology, Anhui University, Hefei, Anhui 230601, China
2. School of Computer Science and Technology, University of Science and Technology of China, Hefei, Anhui 230026, China
Received: 05 July 2023
Revised: 15 January 2024
Published: 25 November 2024
Citation: MENG Zhao-yi, HUANG Wen-chao, ZHANG Wei-nan, et al. Conditional Context-Aware Detection for Android Malicious Virtualization Apps (条件上下文敏感的安卓恶意虚拟化应用检测方法)[J]. Acta Electronica Sinica (电子学报), 2024, 52(11): 3669-3683. DOI:10.12263/DZXB.20230642
Android virtualization apps act as host programs that dynamically load the functional modules a user needs in the form of plugins. Malicious developers can exploit this property to hide their real attack intent in the execution of plugin programs, evading detection aimed at the host program. However, plugins are numerous and difficult to obtain and analyze, and existing pattern-based detection schemes for Android malicious virtualization apps can only detect a limited range of app types. This paper proposes a conditional context-aware detection method for Android malicious virtualization apps and implements a prototype tool, MVFinder. The method takes as its entry point the context of the conditional statements in the virtualization app's code that trigger the loading or invocation of plugin programs, and mines the maliciousness hidden there, avoiding the large resource cost of trying to fetch every kind of plugin in real time or parsing each plugin's loading and execution pattern one by one. At the same time, the method applies anomaly detection to find samples whose conditional contexts differ markedly from those of most benign apps, and thereby identifies the target malicious apps, avoiding the limitations of detection based on predefined rules. Experimental results show that the method outperforms the representative academic schemes VAHunt, Drebin and Difuzer in both accuracy and F1 score for detecting Android malicious virtualization apps. In addition, compared with VAHunt, MVFinder can identify variants of the HummingBad and PluginPhantom malware families.
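The detection idea in the abstract (model the conditional context guarding a plugin-loading site, then flag contexts that sit far from the benign majority), as an added example that is neither the paper's nor MVFinder's code: a context is represented as the set of APIs appearing in the predicates that guard a plugin load, and a k-nearest-neighbour Jaccard-distance outlier score stands in for the paper's anomaly detector. The feature vocabulary, the benign sample contexts and the threshold rule are assumptions constructed for this example.

```python
"""Constructed illustration: anomaly scoring of plugin-load conditional contexts."""

# Constructed benign corpus (assumption): each set holds the APIs used in the
# predicates that guard a plugin load (e.g. a DexClassLoader / loadClass call)
# in one benign host app. Real contexts would come from static analysis.
BENIGN_CONTEXTS = [
    {"File.exists", "Intent.getStringExtra"},
    {"File.exists", "SharedPreferences.getBoolean"},
    {"File.exists", "PackageManager.getPackageInfo"},
    {"SharedPreferences.getBoolean", "Intent.getStringExtra"},
    {"File.exists", "Intent.getStringExtra", "SharedPreferences.getBoolean"},
    {"PackageManager.getPackageInfo", "Intent.getStringExtra"},
]


def jaccard_distance(a, b):
    """1 - |a ∩ b| / |a ∪ b|; two empty contexts are treated as identical."""
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)


def knn_score(context, reference, k=3):
    """Mean Jaccard distance from `context` to its k nearest reference contexts.
    A high score means no benign app guards its plugin load the same way."""
    dists = sorted(jaccard_distance(context, r) for r in reference)
    return sum(dists[:k]) / k


def benign_threshold(reference, k=3):
    """Leave-one-out calibration: the largest score any benign context receives
    when compared against the remaining benign contexts (assumed rule)."""
    scores = []
    for i, ctx in enumerate(reference):
        others = reference[:i] + reference[i + 1:]
        scores.append(knn_score(ctx, others, k))
    return max(scores)


def is_anomalous(context, reference=BENIGN_CONTEXTS, k=3):
    """True when the context's outlier score exceeds the calibrated threshold."""
    return knn_score(context, reference, k) > benign_threshold(reference, k)


if __name__ == "__main__":
    # Constructed suspicious context: plugin load gated on device identity and time.
    suspicious = {"Build.FINGERPRINT", "System.currentTimeMillis",
                  "PackageManager.getInstalledPackages"}
    typical = {"File.exists", "Intent.getStringExtra", "PackageManager.getPackageInfo"}
    print("suspicious flagged:", is_anomalous(suspicious))  # True
    print("typical flagged:", is_anomalous(typical))        # False
```

A context sharing only one feature with the benign corpus (for instance a file-existence check combined with fingerprint and system-property reads) still scores above the threshold, which is the point of comparing whole contexts rather than single APIs.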
References
BARLETTE Y, JAOUEN A, BAILLETTE P. Bring Your Own Device (BYOD) as reversed IT adoption: Insights into managers' coping strategies[J]. International Journal of Information Management, 2021, 56: 102212.
SHI L M, MING J, FU J M, et al. VAHunt: Warding off new repackaged android malware in app-virtualization's clothing[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2020: 535-549.
LBE Tech. Google Play[EB/OL]. [2023-07-05]. https://play.google.com/store/apps/details?id=com.lbe.parallel.intl.2023.04.18.
ZHANG L, YANG Z M, HE Y Y, et al. App in the middle: Demystify application virtualization in android and its security threats[J]. Proceedings of the ACM on Measurement and Analysis of Computing Systems, 2019, 3(1): 1-24.
DAI D S, LI R X, TANG J W, et al. Parallel space traveling: A security analysis of app-level virtualization in android[C]//Proceedings of the 25th ACM Symposium on Access Control Models and Technologies. New York: ACM, 2020: 25-32.
RUGGIA A, LOSIOUK E, VERDERAME L, et al. Repack me if you can: An anti-repackaging solution based on android virtualization[C]//Proceedings of the 37th Annual Computer Security Applications Conference. New York: ACM, 2021: 970-981.
WU Y F, HUANG J J, LIANG B, et al. Do not jail my app: Detecting the Android plugin environments by time lag contradiction[J]. Journal of Computer Security, 2020, 28(2): 269-293.
ZHENG C, HU W J, XU Z. A new trend in android adware: Abusing android plugin frameworks[EB/OL]. (2017-03-22)[2023-07-05]. https://unit42.paloaltonetworks.com/unit42-new-trend-android-adware-abusing-android-plugin-frameworks/.
SWATI K. Nasty android malware that infected millions returns to Google play store[EB/OL]. (2017-01-24)[2023-07-05]. https://thehackernews.com/2017/01/hummingbad-android-malware.html.
HOU J H, YANG Z M, YANG M. Security isolated application virtualization framework in android[J]. Journal of Chinese Computer Systems (小型微型计算机系统), 2019, 40(9): 1987-1993. (in Chinese)
ZHANG W N, MENG Z Y, XIONG Y, et al. Detection method of android virtualization program based on heterogeneous information network[J]. Application Research of Computers (计算机应用研究), 2023, 40(6): 1764-1770. (in Chinese)
LUO T B, ZHENG C, XU Z, et al. Anti-plugin: Don't let your app play as an android plugin[J]. Proceedings of Blackhat Asia 2017. Singapore: Blackhat Asia, 2017: 1-10.
YANG J Y, TANG J, YAN R, et al. Android malware detection method based on permission complement and API calls[J]. Chinese Journal of Electronics, 2022, 31(4): 773-785.
SCHÖLKOPF B, PLATT J C, SHAWE-TAYLOR J, et al. Estimating the support of a high-dimensional distribution[J]. Neural Computation, 2001, 13(7): 1443-1471.
asLody. VirtualApp[EB/OL]. [2023-07-05]. https://github.com/asLody/VirtualApp.
Qihoo 360. DroidPlugin[EB/OL]. [2023-07-05]. https://github.com/DroidPluginTeam/DroidPlugin.
LAM P, BODDEN E, LHOTAK O, et al. The Soot framework for Java program analysis: A retrospective[J]. In Cetus Users and Compiler Infrastructure Workshop, 2011, 15: 1-8.
RASTHOFER S, ARZT S, BODDEN E. A machine-learning approach for classifying and categorizing android sources and sinks[C]//Proceedings 2014 Network and Distributed System Security Symposium. Reston, VA: Internet Society, 2014: 1125.
ARZT S, RASTHOFER S, FRITZ C, et al. FLOWDROID: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps[J]. ACM SIGPLAN Notices, 2014, 49(6): 259-269.
GORDON M I, KIM D, PERKINS J, et al. Information-flow analysis of android applications in DroidSafe[C]//Proceedings 2014 Network and Distributed System Security Symposium. Reston, VA: Internet Society, 2015: 110.
WEI F G, ROY S, OU X M, et al. Amandroid: A precise and general inter-component data flow analysis framework for security vetting of android apps[J]. ACM Transactions on Privacy and Security, 2018, 21(3): 1-32.
LI P W, FU J M, XU C, et al. Differentiating malicious and benign android app operations using second-step behavior features[J]. Chinese Journal of Electronics, 2019, 28(5): 944-952.
SAMHI J, LI L, BISSYANDÉ T F, et al. Difuzer: Uncovering suspicious hidden sensitive operations in android apps[C]//2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). Piscataway: IEEE, 2022: 723-735.
MENG Z Y, XIONG Y, HUANG W C, et al. AppScalpel: Combining static analysis and outlier detection to identify and prune undesirable usage of sensitive data in android applications[J]. Neurocomputing, 2019, 341: 10-25.
LI L, BISSYANDÉ T F, OCTEAU D, et al. DroidRA: Taming reflection to support whole-program analysis of android apps[C]//Proceedings of the 25th International Symposium on Software Testing and Analysis. New York: ACM, 2016: 318-329.
POEPLAU S, FRATANTONIO Y, BIANCHI A, et al. Execute this! Analyzing unsafe and malicious dynamic code loading in android applications[C]//Proceedings 2014 Network and Distributed System Security Symposium. Reston, VA: Internet Society, 2014: 23-26.
KIM T, KANG B, RHO M, et al. A multimodal deep learning method for android malware detection using various features[J]. IEEE Transactions on Information Forensics and Security, 2019, 14(3): 773-788.
HEI Y M, YANG R Y, PENG H, et al. Hawk: Rapid android malware detection through heterogeneous graph attention networks[J]. IEEE Transactions on Neural Networks and Learning Systems, 2024, 35(4): 4703-4717.
YANG W, XIAO X S, ANDOW B, et al. AppContext: Differentiating malicious and benign mobile app behaviors using context[C]//2015 IEEE/ACM 37th IEEE International Conference on Software Engineering. Piscataway: IEEE, 2015: 303-313.
AVDIIENKO V, KUZNETSOV K, GORLA A, et al. Mining apps for abnormal usage of sensitive data[C]//2015 IEEE/ACM 37th IEEE International Conference on Software Engineering. Piscataway: IEEE, 2015: 426-436.
GORLA A, TAVECCHIA I, GROSS F, et al. Checking app behavior against app descriptions[C]//Proceedings of the 36th International Conference on Software Engineering. New York: ACM, 2014: 1025-1035.
PEDREGOSA F, VAROQUAUX G, GRAMFORT A, et al. Scikit-learn: Machine learning in python[J]. The Journal of Machine Learning Research, 2011, 12: 2825-2830.
Koodous. Collective intelligence against android malware[EB/OL]. [2023-07-05]. https://koodous.com/.
ALLIX K, BISSYANDÉ T F, KLEIN J, et al. AndroZoo: Collecting millions of android apps for the research community[C]//2016 IEEE/ACM 13th Working Conference on Mining Software Repositories (MSR). Piscataway: IEEE, 2016: 468-471.
Checkpoint. From HummingBad to worse[EB/OL]. [2023-07-05]. https://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf.
VirusTotal[EB/OL]. [2023-07-05]. https://www.virustotal.com/gui/home/upload.
ARP D, SPREITZENBARTH M, HÜBNER M, et al. Drebin: Effective and explainable detection of android malware in your pocket[C]//Proceedings 2014 Network and Distributed System Security Symposium. Reston: Internet Society, 2014: 23-26.
ZHANG J B, WANG Y Y, QIU L N, et al. Analyzing android taint analysis tools: FlowDroid, Amandroid, and DroidSafe[J]. IEEE Transactions on Software Engineering, 2022, 48(10): 4014-4040.
SONG W, HAN M Q, HUANG J. IMGDroid: Detecting image loading defects in android applications[C]//2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE). Piscataway: IEEE, 2021: 823-834.
LEE Y K, BANG J Y, SAFI G, et al. A sealant for inter-app security holes in android[C]//2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE). Piscataway: IEEE, 2017: 312-323.
YUAN X Z, SETAYESHFAR O, YAN H F, et al. DroidForensics: Accurate reconstruction of android attacks via multi-layer forensic logging[C]//Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. New York: ACM, 2017: 666-677.
ZHANG J, TIAN C, DUAN Z H. An efficient approach for taint analysis of android applications[J]. Computers & Security, 2021, 104: 102161.