TY - JOUR
T1 - Resilient User-Side Android Application Repackaging and Tampering Detection Using Cryptographically Obfuscated Logic Bombs
AU - Zeng, Qiang
AU - Luo, Lannan
AU - Qian, Zhiyun
AU - Du, Xiaojiang
AU - Li, Zhoujun
AU - Huang, Chin Tser
AU - Farkas, Csilla
N1 - Publisher Copyright: © 2004-2012 IEEE.
PY - 2021
Y1 - 2021
N2 - Application repackaging is a severe threat to Android users and the market. Not only does it infringe on intellectual property, but it is also one of the most common ways of propagating mobile malware. Existing countermeasures mostly detect repackaging based on app similarity measurement, which tends to be imprecise when obfuscations are applied to repackaged apps. Moreover, they rely on a central party, typically the hosting app store, to perform the detection, but many app stores fail to commit proper effort to piracy detection. We consider building the application repackaging detection capability into apps, such that user devices are used to detect repackaging in a decentralized fashion. The main challenge is how to protect the detection code from being manipulated by attacks. We propose a creative use of logic bombs, which are otherwise regularly used in malware. The trigger conditions of bombs are constructed to exploit the differences between the attacker and users, such that a bomb that lies dormant on the attacker side will be activated on the user side. The detection code, which is part of the bomb payload, is executed only if the bomb is activated. We introduce the cryptographically obfuscated logic bomb to enhance the bomb: (1) the detection code is woven into the neighboring original app code, (2) the mixed code gets encrypted using a key, and (3) the key is deleted from the app and can only be derived when the bomb is activated. Thus, attacks that try to modify or delete the detection code will corrupt the app itself, and searching for the key in the application will be in vain. Moreover, we propose a bomb spraying technique that allows many bombs to be injected into an app, multiplying the needed adversary effort for bypassing the detection. In addition to repackaging detection, we present application tampering detection to fight attacks that insert malicious code into repackaged apps.
We have implemented a prototype, named BombDroid, that builds repackaging and tampering detection into apps through bytecode instrumentation. The evaluation and the security analysis show that the technique is effective, efficient, and resilient to various bomb analysis techniques including fuzzing, symbolic execution, multi-path exploration, and program slicing. Ethical issues due to the use of logic bombs are also discussed.
KW - Android app repackaging
KW - logic bombs
KW - tamper-proofing
UR - http://www.scopus.com/inward/record.url?scp=85119509623&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85119509623&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2019.2957787
DO - 10.1109/TDSC.2019.2957787
M3 - Article
AN - SCOPUS:85119509623
SN - 1545-5971
VL - 18
SP - 2582
EP - 2600
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 6
ER -