PANDORA Applies Non-Deterministic Obfuscation Randomly to Android
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
PANDORA Applies Non-Deterministic Obfuscation Randomly to Android
Mykola Protsenko, Tilo Müller
Friedrich-Alexander University Erlangen-Nuremberg, Germany
mykola.protsenko@fau.de, tilo.mueller@cs.fau.de
Abstract framework [33]. PANDORA contains both obfuscating trans-
formations of the program’s object-oriented design and data
Android, a Linux-based operating system, is currently obfuscation techniques. As the name suggests, it performs
the most popular platform for mobile devices like smart- all transformations as randomly as possible, being able to
phones and tablets. Recently, two closely related security produce many different obfuscated versions of a program.
threats have become a major concern of the research com- Moreover, it operates on the bytecode level, which facilitates
munity: software piracy and malware. This paper studies its application with malicious intents to conceal malware or
the capabilities of code obfuscation for the purposes of pla- application piracy.
giarized software and malware diversification. Within the The results of our practical evaluation have shown high
scope of this work, the PANDORA (PANDORA Applies effectiveness of the PANDORA system utilized to prevent
Non-Deterministic Obfuscation Randomly to Android) trans- detection of known malware samples and recognition of pla-
formation system for Android bytecode was designed and giarized software. This indicates weaknesses of the current
implemented, combining techniques for data and object- detection engines and static software similarity algorithms.
oriented design obfuscation. Our evaluation results indicate At the same time, it witnesses good diversification quality of
deficiencies of the malware detection engines currently used the transformations we implemented.
in 46 popular antivirus products, which in most cases were The rest of this paper is organized as follows: Section 2
not able to detect samples obfuscated with PANDORA. Fur- provides background information and overviews related pub-
thermore, this paper reveals shortcomings of the Androsim lications. Section 3 describes the design of the PANDORA
tool and potentially other static software similarity algo- transformation system, which is then evaluated in Section 4.
rithms, recently proposed to address the piracy problem in We conclude in Section 5.
Android.
2 Background and Related Work
1 Introduction This section gives some background information on the
topics closely related to the scope of this paper and provides
As indicated by recent studies, the smartphone market an overview of important related research publications.
experienced explosive growth in recent years. From 2010 to
2011 sales soared up 42% [13], in the interval 2011 to 2012 2.1 Android Platform
the increase reached even 47% [14]. Among all smartphone
platforms, Android keeps dominating with 72% share of the Android is an open source Linux-based operating system
sales [14]. designed to run on mobile devices, like smartphones, tablets
Obviously, the high popularity and market penetration and netbooks. Among the reasons of its popularity, the ease
could not leave hackers, malware developers, and pirates of Android software development and distribution certainly
indifferent. Within the last few years, the theft of Android takes not the last place.
applications and malware distribution have reached exten- The source code of Android applications is written in the
sive dimensions [40, 39]. This paper addresses the closely Java language and converted into Dalvik bytecode. The cor-
related problems and aims to study the capabilities of mal- responding virtual machine (Dalvik VM) is register-based
ware developers and software pirates. For this purpose, an and is designed especially to meet the needs of mobile plat-
Android bytecode obfuscation system, called PANDORA forms, restricted in memory and computation power. The
(PANDORA Applies Non-Deterministic Obfuscation Ran- usual way of application distribution is given by online down-
domly to Android), was implemented on top of the Soot load centers also known as application markets, with GooglePlay [24] referred to as an official market and numerous overview of the important publications on these topics is
alternative markets (for example, the Amazon Android app given next.
store).
2.4.1 Malware
2.2 Obfuscation
The importance of the malware problem in Android systems
Software Obfuscation refers to semantics-preserving was recognized by many researchers. Zhou and Jiang [40]
transformations of a program in order to complicate its re- reported a dramatic increase of the number of new malware
verse engineering, i.e., the comprehension and modification specimens in 2011 compared to 2010. Their study also in-
of code [6]. A closely related matter, namely Artificial Code dicates significant evolution of the malware functionality
Diversity can be considered a branch of the obfuscation meth- and detection avoidance techniques. Furthermore, Zhu and
ods family, with a goal to generate multiple semantically Jiang [40] collected a set of 1,260 malware samples and
equal code versions of a program [6]. performed their classification according to distribution meth-
One of the pioneering efforts on semantics preserving ods, activation, and malicious payloads. They distinguished
program transformations belongs to Cohen [5], which aimed application piracy as the main way of malware distribution,
for defense against automated attacks by means of software adopted by about 86% of their samples. This proves a strong
diversity. Probably the most comprehensive study of prac- relation between malware and piracy threats.
tical obfuscation methods to this day remains the work by Many approaches to Android malware detection were pro-
Collberg and Nagra [6], which summarizes the scientific posed recently by the research community, mostly involving
achievements on the topics related to software protection and dynamic program analysis [41, 37] and online application
provides an overview of numerous techniques. Additionally, behavior analysis [28, 10, 11].
some program transformations implemented in our system The scanning performance of current antivirus software,
originate from the field of program refactoring, for more hosted on the VirusTotal website [34], was evaluated by
information on which see Fowler et al. [12]. Other ones Zheng et al. [38]. Their evaluation framework ADAM ap-
were borrowed from Majumdar, Drape, and Thomborson plies simple obfuscation techniques like identifier renam-
[21, 22], who performed manual applications of obfuscation ing, adding bogus edge to a method’s control flow graph
techniques in order to defeat slicing attacks (for more infor- (CFG), and string encryption, on a set of 222 malware sam-
mation on slicing see Weiser [36] and Horwitz, Reps, and ples. Their results indicate that, as for November 2011, such
Binkley [15]). obfuscation lead to significant decrease of detection, on av-
erage to about 51%, 55%, and 77% of the original detection
2.3 Software Similarity for string encryption, renaming, and CFG modification, re-
spectively. On the other hand, some of the tested antivirus
The goal of software similarity analysis is to give a quan- programs showed resulting rates close to 90% of the original
titative measure on how much two programs are alike. Here detection for all obfuscation methods. Furthermore, the au-
we are interested in software similarity algorithms in the thors confirm improvements of the detection performance in
context of program plagiarism and malware detection. a time between October 2011 and February 2012. The main
In general, a software similarity algorithm can be seen shortcoming of their study can be seen in the weakness of
as a composition of two parts [6]. The first one extracts their applied transformations that did not sufficiently affect
a specific identifying property from the program, which is the detection rate of the tested antivirus products.
referred to as a fingerprint or a birthmark. The second one Zhou and Jiang [40] performed an evaluation of four
computes a similarity distance between the fingerprints of mobile antivirus programs on a collection of 1,260 malware
given programs. The program properties used to form a samples. Their tested programs have successfully detected
fingerprint can include sequences of instructions [39], API not more than 79% of the samples, which is a surprisingly
method calls [30, 35], inheritance hierarchy [30] and de- low rate as for already discovered malware types.
pendency relationships between instructions [20]. The ex- Another evaluation of the antivirus products for the An-
traction of fingerprints can be performed both statically and droid platform was performed recently by Rastogi, Chen, and
dynamically [6]. Jiang [25] using their DroidChameleon framework. Their
study is based on a similar transformation set as ours and
2.4 Android Security Threats concludes similar results. One of the main differences lies in
our conscious decision to leave out dynamic transformations
The two Android security problems addressed by this such as code encryption, as the one having very low stealth
paper, namely software piracy and malware, have been sub- and resilience against dynamic analysis [6]. Also PANDORA
ject to intensive research over the past few years. A short has a slightly richer static transformation set. Furthermore,our study includes evaluation of the transformations for the as random as possible to introduce non-determinism in the
goal of plagiarism detection mitigation. obfuscation process. That is, the parts of the program’s
code to be transformed as well as the parameters of the
2.4.2 Piracy obfuscation techniques are selected randomly.
Since a detailed description of the transformations and
Android application piracy has become a major concern in their implementation would blow up the scope of this paper,
the developer and research communities over the past few the following subsections provide a bird’s eye perspective of
years [39, 23, 18, 8, 4, 17]. Recent research by Zhou et al. the PANDORA transformations.
[39] indicates that 5-13% of the applications in third-party
markets are repackaged from the Google Play Market, and 3.1 Data Obfuscation
are therefore most probably stolen. Furthermore, as pre-
viously mentioned, repackaging constitutes the main way The goal of the transformations falling into this category
of malware spread [40]. To address this issue, Potharaju is to obscure the usage of variables, and therefore operations
et al. [23] proposed to enhance markets with a plagiarism on basic data types and objects. Currently implemented
detection system which rejects applications recognized as techniques are described below.
repackaged. The proposed system utilizes a software simi-
larity algorithm based on the restricted representation of a 3.1.1 String Encryption
method’s syntactic structure, which involves only method
invocation instructions. String constants constitute an important source of informa-
Zhou et al. [39] presented a prototype plagiarism detec- tion for reverse engineers [6] and are often utilized by soft-
tion tool called DroidMOSS, which was used in their study ware similarity measurement tools. The current version of
of repackaged Android applications. This tool utilizes fin- the PANDORA system provides two simple polyalphabetic
gerprints computed from a sequence of opcodes using the string encryption algorithms, i.e., algorithms substituting
fuzzy hashing approach [16]. each string character with a varying another character [3].
As a part of the Androguard toolbox, Desnos and Both the key and the encryption method are randomly chosen
Gueguen [8] presented the Androsim application similar- in PANDORA.
ity measurement tool. The underlying algorithms utilize
fingerprints based on the instruction sequences, properties Vigenère Encryption The first implemented encryption
of the methods’ CFGs, API calls, strings, and exceptions. method is Vigenère [32], an improvement of the Caesar
As the only publicly available plagiarism detection tool for cipher [3]. It uses another string as a key, which periodically
the Android platform, this tool was used in our evaluation determinates the shift for each symbol of the text being
described in Section 4. encrypted.
3 The PANDORA System Dynamic Key Encryption The second encryption algo-
rithm used in our work is denoted as the Dynamic Key En-
We describe the design and key implementation princi- cryption. The shift of plaintext characters is defined by a key
ples of the PANDORA transformation system. In order to sequence ki , a pseudorandom number sequence generated
facilitate analysis and manipulation of Android applications, using the Linear Congruential Method [19]. The generation
our system was designed on top of the Soot framework [33], of the key sequence is described by
which provides all necessary functionality regarding analysis,
ki+1 = (a · ki + b) mod m
modification, and generation of Java bytecode. Retargeting
from Dalvik to Java bytecode and back again is performed with a denoting the multiplier, b being the increment, m
using the Dex2Jar tool. A direct support of the Dalvik byte- being the modulo, ki+1 and ki denoting the (i + 1)-th and
code is planned for inclusion in the next release of Soot [2]. the i-th key of the sequence, respectively.
The current version of the PANDORA system contains 7
data obfuscation techniques and 6 transformations aiming
3.1.2 Integer Encoding
to obscure the object-oriented design of a program. Fur-
thermore, name obfuscation of classes, methods and fields The two integer encodings implemented in PANDORA are
based on the Java Bytecode Obfuscator (JBCO) tool [1] is able to perform operations of addition, subtraction, multipli-
included. cation, and comparison in a homomorphic manner, i.e., the
One of the main overall design goals of our proposed decoding into unobfuscated form is not required. However,
transformation system is to maximize the diversification one operation in the cleartext representation corresponds to
impact of the implemented transformations by applying them a few operations in the obfuscated representation. For thenon-supported operations, e.g., division, the original value types of containers are available: arrays and maps. For a
has to be restored prior and encoded again after the operation. composition, each variable of the group is assigned a unique
Note that both of our encodings do not preserve the overflow key at obfuscation time. In case of an array, a key corre-
behavior of a variable. sponds to the array index. In case of a map, a randomly
generated key can be of type string, character, or integer.
Split Modulo The first integer obfuscation splits a variable
in two parts: a quotient and a rest. This representation is 3.2 OOD Obfuscation
a slight generalization of the one proposed by Majumdar,
Drape, and Thomborson [22]. For a given modulo value The Object-Oriented Design (OOD) obfuscation methods
m > 1, an integer variable x is splitted into the variables a constitute the second class of transformations implemented
and b as follows: in the PANDORA system. The goal of these transformations
is to modify and distort the original design and structure
a = x/m, b = x mod m of applications by affecting their object-oriented building
blocks such as fields, methods, and classes. Because of
where “/” denotes integer division. The original value can their nature, such transformations are referred to as false
be obtained from a and b as: refactorings [7].
x=a·m+b
3.2.1 Drop Modifiers
Linear Encoding The second integer encoding, presented The first and probably the simplest OOD obfuscation trans-
by Collberg, Thomborson, and Low [7], applies a linear formation is Drop Modifiers. It discards access restrictions
transformation to a variable. Given an integer variable x, a on application classes and their members, i.e., it makes fields,
multiplier parameter α > 0 and an increment parameter β, methods, and classes public and removes the final modi-
the linear transformation is performed as: fier. Applied on its own, this transformation has low potency.
However, it opens the door for numerous other transfor-
z =α·x+β mations described below by permitting various actions on
objects.
with z being the obfuscated form of value x. To avoid over-
flows, z should be stored in the variable of the next size
integer type, i.e., long for int type of x. The original 3.2.2 Extract Method
value can be restored as The Extract Method transformation was designed in order to
unleash more powerful techniques upon additional pieces of
x = (z − β)/α
program code. It implements a simplified version of the out-
line method refactoring [12] by outlining the complete body
3.1.3 Array Index Shift of a given method. It creates a new method with the same
To slightly obscure the usage of arrays in a program and to parameters and the same body as the given one, and replaces
make the order of stored elements appear random, the access the body of the original method with an invocation statement
to an array’s elements can be modified by cyclic shifts of for the newly created method, passing all parameters to it.
indices. For a given constant shift value s > 0, the access to This transformation is applied on methods with signa-
the i-th element of an array A of the length l is replaced by tures (method names and parameter types list) that cannot
be changed, like onClick methods of the GUI elements or
A[i] ⇒ A[(i + s) mod l] onCreate methods of Android Activity classes. Such
extractions make the bodies of methods eligible for further
3.1.4 Locals Composition transformations like Move Methods and Merge Methods,
which are described below.
A further method to modify the usage of local variables
implemented in PANDORA is their composition to container
3.2.3 Encapsulate Field
objects. This makes a group of variables appear semantically
related. Another rather auxiliary transformation is Encapsulate
To perform this composition, a set of local variables of Field [12]. For a given field, it creates a setter and a getter
the same type is selected. For this set, a container is created method, i.e., methods that take over the definition of the
for storing the values of the variables. After the definition, field’s value and its extraction, respectively. Then, some of
the value of a variable is saved in the container and can be the direct accesses to the encapsulated field are replaced with
extracted from there before it is used again. Currently, two corresponding methods.The goal of this transformation is to slightly camouflage 4.1 Transformation Levels
field usage. Additionally, it creates new methods in the
declaring class. These new methods become a target of other To study the impact of different transformation types, we
obfuscation techniques (see below), which further increase define multiple obfuscation levels:
the complexity of the field access.
• Level 0 (L0) The L0 transformation level denotes plain
identifier renaming (including renaming of the corre-
3.2.4 Move Field sponding Manifest entries) as the only obfuscation tech-
nique applied.
The Move Field refactoring moves a field from one applica-
tion class to another [12]. For static fields this transformation • Level 1 (L1) Identifier renaming combined with all data
is straightforward: all references of the old field have to be obfuscation transformations described in Section 3.1
replaced with references to the new one. Moving instance are denoted as the L1 level.
fields, however, is a more challenging task. Each access to
• Level 2 (L2) The L2 transformation level includes all
the instance field requires a base object, hence, after a field
techniques of the OOD obfuscation described in Sec-
is moved, a corresponding reference to an object of the new
tion 3.2 in combination with identifier renaming.
hosting class must be created in the old one.
• Level 3 (L3) The L3 level is the obfuscation configura-
tion which is constituted by all name, data, and OOD
3.2.5 Move Method obfuscations available in PANDORA.
The Move Method transformation moves a method from
one application class to another [12]. Analogously to the 4.1.1 Malicious Code Injection
Move Field operation, moving static methods is performed Another transformation level, also denoted as L3-Inj, cor-
easily by replacing the corresponding invocation statements, responds to the injection of malicious code into a benign
whereas instance methods require base objects. Furthermore, application, followed with the level L3 obfuscation of the
if the moved method makes use of the implicit this param- merged code. The motivation behind this level is given by
eter, this must be added explicitly to the parameter list and the assumption that the overall effect of the performed ob-
passed on each invocation. fuscations depends on the amount of the application’s code.
Within our evaluation tests, the OI Notepad application was
used to be merged with malware samples.
3.2.6 Merge Methods
A further method obfuscation transformation is Merge Meth- 4.1.2 Rebuilding Malware
ods, which is performed as follows. If two methods declared An additional technique, used to evaluate the detection per-
in the same class have equal return types and same access formance of antivirus products, is application rebuilding. In
modifiers, their bodies can be interleaved, and their invoca- this context, rebuilding refers to decoding an application
tions can be replaced with calls to the merged method [7]. with the Apktool and encoding it back. A rebuilt application
Interleaving is achieved by merging the parameter lists, local is then signed using the Dex2Jar tool. Although rebuilding
variables, and bodies, i.e., code instructions. The selection does not affect contents of the apk file like resources and
of a body to be executed is performed using the new key Manifest, it can slightly modify the bytecode order [38], and
parameter added to the merged method’s parameter list. it certainly changes the hash of an application. Therefore,
this technique is utilized to sort out antivirus products whose
detection algorithms are based solely on the hash signature
4 Evaluation
of submitted files.
The practical evaluation of the PANDORA transformation 4.2 Malware Diversification
system was performed within two test scenarios: malware
diversification and pirated application diversification. For the malware diversification scenario, we have selected
During all current evaluation tests, the whole transfor- 20 known samples from different malware families provided
mation system was configured to achieve maximum perfor- by Spreitzenbarth et al. [29]. Each of the samples was sub-
mance in terms of diversity and complexity, without consid- mitted to the VirusTotal website [34] in its original state and
ering or trying to limit possible increase of execution time, after its transformation according to the levels L0 to L3 de-
memory consumption, and application size. scribed above. Our evaluation took place in February 2013.Note that since submissions were spread in the time over of the antivirus products were able to detect FakeInst on
one week, we cannot completely exclude the possibility of such resources as xml files, icons, and pictures. Since we
changes in the detection engines or signature databases. currently do not obfuscate resources, those four outliers are
Through the rest of this paper, the detection rate of a to be considered special cases.
sample denotes the number of antivirus products classifying However, as for the other four samples which were
it as malicious, varying from 0 to 46. At the same time, the still recognized by at least one antivirus program after the
detection rate of an antivirus program refers to the number strongest transformation, the replacement of the dex file
of samples it was able to detect, lying between 0 and 20. and Android Manifest resulted in zero detection, witnessing
that the other contents of the application package are not
Malware Orig Reb L0 L1 L2 L3 L3-Inj relevant for the sample recognition. What properties of the
1 Adsms 30 11 6 5 5 1 0
2 CI4 30 13 9 1 8 1 0
code contributed to the detection after the L3-Inj transforma-
3 Crusewind 31 11 6 1 5 1 0 tion by the few antivirus products is currently unknown and
4 DougaLeaker 33 12 5 0 3 0 0 requires further investigation. One possibility is the object-
5 FakePlayerA 35 12 3 2 3 0 0
6 DroidDream 36 35 35 35 35 35 35 oriented inheritance hierarchy, which is virtually the only
7 DroidKungFuGunfu 33 29 29 29 28 29 28 part of the program’s structure not altered by PANDORA,
8 DroidKungfu2 32 22 19 19 19 19 19
9 Dropdialer 26 11 6 3 6 3 2 and hence can be utilized to infer similarity with known
10 FakeInst 27 18 7 7 7 7 8 malware samples [30].
11 Foncy 25 11 6 0 7 0 0
12 GGTracker 31 13 10 1 12 0 0
13 GoneIn60Seconds 28 12 6 3 7 1 0
14 HippoSMS 32 12 6 2 6 2 2
4.2.2 Antivirus Products Evaluation
15 Loozfon 23 11 7 2 8 1 0
16 Lovetrap 29 10 8 1 7 1 1 The malware detection rates presented above were consid-
17 LuckyCat 26 11 4 1 5 0 0 ered independent from the individual detection performance
18 Luvrtrap 28 13 8 1 8 0 0
19 Netisend 28 12 4 0 4 0 0 of single antivirus programs. Next, the evaluation results are
20 Nickyspy 33 15 10 5 12 4 4 discussed from the antivirus-centric point of view.
AVERAGE 29.8 14.7 9.7 5.9 10.54 5.25 4.95 Table 2 summarizes the detection rates that are achieved
by the top-10 of our tested antivirus products. These an-
Table 1: Malware Detection Rate tivirus programs were selected according to their detection
rates on the L3-Inj transformation level, i.e., the software
included in the table has shown the best performance on the
L3-Inj sample set among other products.
4.2.1 Transformation Evaluation These results show that even the best antivirus software
was able to detect only 6 out of 20 samples transformed
Detection rates for all malware types and transformation
at PANDORA’s obfuscation level L3 or L3-Inj. Compar-
levels are summarized in Table 1. These results indicate
ing our results with those obtained by Zheng et al. [38]
that although the original samples are known in the research
and their ADAM system, we want to emphasize two points.
community, and therefore should be detected by nearly all
First, more then a year after the ADAM publication, simple
antivirus software, their average detection rate is less then
transformations like rebuilding and renaming are still able
30 out of 46, a surprisingly low number. Furthermore, even
to defeat most malware detection products. Second, no an-
simple modifications like rebuilding, reduce the number of
tivirus program can show a sufficiently good performance
detecting antivirus products to less than the half of the origi-
on the samples after the strongest transformation level of
nal detection rate for most samples. The strongest impact is
PANDORA.
reached by the L3 transformation level, especially combined
with code injection, i.e., L3-Inj. Only 8 out of 20 samples AV Product Orig Reb L0 L1 L2 L3 L3-Inj
transformed according to the L3-Inj level were detected by 1 GData 20 20 17 7 17 6 6
2 Avast 20 20 16 7 16 6 6
at least one antivirus program. 3 Kaspersky 20 20 12 4 12 4 5
For the notably high detection after the L3-Inj transforma- 4 Ikarus 20 11 8 5 18 4 4
5 Sophos 17 18 12 7 12 4 4
tion, we can identify four malware samples, namely Droid- 6 TrendMicro-HouseCall 20 8 7 4 12 4 4
Dream, DroidKungFuGunfu, DroidKungfu2, and FakeInst. 7 ESET-NOD32 20 20 13 4 9 4 4
Further investigations showed that these samples can be 8 Comodo 20 8 6 4 8 4 4
9 F-Secure 20 20 14 5 13 3 4
detected even with completely replaced Dalvik code and An- 10 CAT-QuickHeal 20 18 12 3 10 3 3
droid Manifests, i.e., by their resources only. DroidDream TOTAL 20 20 20 17 20 13 8
and DroidKungFuGunfu, for example, were found to contain
additional apk files hidden as resources, and DroidKungfu2 Table 2: AV Products Detection Performance
a binary executable revealed as a Trojan malware. SomeSummarizing the results of the antivirus products evalu- of PANDORA. Knowing the way PANDORA changes a pro-
ation described above, one can categorize the utilized sig- gram’s structure and methods of the fingerprint extraction,
natures in those based on: hash values, identifier names, we can assume that our proposed transformation system
strings and other program data, call graph and object ori- shows high performance against most of the static software
ented design, resources inside the application package, and similarity algorithms published in the literature, with excep-
potentially class hierarchy. Note that some antivirus pro- tion of methods based on Inheritance Structure by Tamada
grams seem to use different signature types for different et al. [30]. Recent approaches dedicated especially to the
malware samples. Android piracy problem presented by Potharaju et al. [23]
and Zhou et al. [39], are also anticipated to fail recognition of
4.3 Plagiarized Application Diversifica- transformed application copies. The PANDORA transforma-
tion tion system, however, cannot be expected to defeat dynamic
similarity measurement approaches, e.g., algorithms based
The next scenario studies the confrontation between soft- on the sequence of API calls recorded at runtime [31, 26, 27].
ware pirates and plagiarism detection tools. Similarly to the
case of malware, this evaluation works both ways: similarity 4.3.3 Diversifying Effect
measurement algorithms have to show resilience against
transformation techniques available to pirates, whereas The goal of artificial software diversity [6] is to generate
“good” transformations are distinguished by the ability to multiple semantically equivalent versions of a program, but
confuse popular software similarity algorithms. with different code. Ideally, randomly generated versions of
For this part of the evaluation, 13 open source Android the same application are recognized as different applications
applications are assumed to be “stolen”. As a main opponent by software similarity algorithms. The grade to which a
for PANDORA, we use the Androsim tool from the Andro- program version produced by the PANDORA system differs
guard toolbox. from each other is evaluated now.
For this evaluation, 5 different versions of the application
4.3.1 Similarity Experiment GhostCommander were generated with PANDORA config-
ured at level L3. The similarities between all pairs of these
The Androsim tool gives the similarity score of 100% to versions were measured again with the Androsim tool. The
identical applications [9]. The possible similarity values measurement outcome indicates that the similarity of differ-
reached by distinct applications, however, are unknown. ent versions has a very dense distribution and is close to 35%.
To assess the similarity score threshold, below which the This almost reaches the values which could correspond to
recognition of a program as “plagiarized” becomes impracti- different applications, and hence witnesses that the proposed
cal, a similarity measure between all 78 distinct pairs of the transformation system achieves a high non-determinism in
selected 13 applications were computed, which inferred the the produced code.
mean value close to 10%. This defines the goal of program
transformation tools in the context of the application piracy
5 Conclusion
scenario.
We presented the PANDORA transformation system for
4.3.2 Concealing Plagiarism
Android applications. A system capable of unleashing the
Each of the “stolen” applications was transformed according evils of the piracy and malware upon innocent developers
to the levels L0, L1, L2 and L3. For each application and and users.
each transformation level, the similarity with the original Our study indicates inefficiency of static software simi-
version is measured using Androsim. The results indicate larity analysis algorithms in recognition of transformed ap-
that level L0 and L1 transformations yield a relatively high plication copies. This observation opens up a question of
similarity with the original program, about 90% and 60% the possible theoretical and practical borders for the capa-
on average respectively, and therefore the detection of pla- bilities of similarity algorithms. The current state-of-the-art
giarism is possible with high precision. The L2 and L3 in this area raises the impression that any static similarity
transformation levels, however, reach a similarity distribu- analysis approach can be countered by dedicated program
tion very close to that of distinct programs, on average about transformation techniques. The correctness of this statement
13% and 8% respectively, so the detection of a copy becomes requires further investigation. Dynamic software similarity
intractable for the Androsim tool. analysis algorithms, however, can be expected to have higher
For other software similarity algorithms than Androsim, resilience against static program transformations.
which are not available as public tools, we can only speculate Limitations of existing solutions are also revealed in the
about their potential performance against the transformation current antivirus and malware detection tools. This mightdrive to the conclusion that static detection techniques are [11] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung,
not to be considered reliable as such, promoting the use of P. McDaniel, and A. N. Sheth. Taintdroid: an
dynamic and behavior-based approaches. information-flow tracking system for realtime privacy
monitoring on smartphones. In Proceedings of the 9th
References USENIX conference on Operating systems design and
implementation, OSDI’10, pages 1–6, Berkeley, CA,
[1] M. Batchelder and L. Hendren. Obfuscating Java: the USA, 2010. USENIX Association.
most pain for the least gain. In Proceedings of the
16th international conference on Compiler construc- [12] M. Fowler, K. Beck, J. Brant, W. Opdyke, and
tion, CC’07, pages 96–110, Berlin, Heidelberg, 2007. D. Roberts. Refactoring: Improving the Design of Ex-
Springer-Verlag. isting Code. Addison-Wesley Professional, 1 edition,
July 1999.
[2] E. Bodden. Instrumenting Android Apps with
Soot. http://www.bodden.de/2013/01/ [13] Gartner Says Sales of Mobile Devices Grew 5.6 Per-
08/soot-android-instrumentation/. Ac- cent in Third Quarter of 2011; Smartphone Sales In-
cessed: 14.02.2013. creased 42 Percent. http://www.gartner.com/
newsroom/id/1848514. Accessed: 01.02.2013.
[3] A. Bruen and M. Forcinito. Cryptography, Information
Theory, and Error-Correction: A Handbook for the [14] Gartner Says Worldwide Sales of Mobile Phones De-
21st Century. Wiley Series in Discrete Mathematics clined 3 Percent in Third Quarter of 2012; Smart-
and Optimization. Wiley, 2011. phone Sales Increased 47 Percent. http://www.
[4] S. Choi, J. Jang, and E. Jae. Android application’s copy- gartner.com/newsroom/id/2237315. Ac-
right protection technology based on forensic mark. In cessed: 01.02.2013.
Proceedings of the 2012 ACM Research in Applied
Computation Symposium, RACS ’12, pages 338–339, [15] S. Horwitz, T. Reps, and D. Binkley. Interprocedural
New York, NY, USA, 2012. ACM. slicing using dependence graphs. ACM Trans. Program.
Lang. Syst., 12(1):26–60, Jan. 1990.
[5] F. B. Cohen. Operating system protection through
program evolution. Comput. Secur., 12(6):565–584, [16] D. Hurlbut. Fuzzy hashing for digital forensic investi-
Oct. 1993. gators. Technical report, Access Data Inc., Jan. 2009.
[6] C. Collberg and J. Nagra. Surreptitious Software: Ob-
[17] Y.-S. Jeong, Y.-U. Park, J.-C. Moon, S.-J. Cho, D. Kim,
fuscation, Watermarking, and Tamperproofing for Soft-
and M. Park. An anti-piracy mechanism based on class
ware Protection. Addison-Wesley Professional, 1st
separation and dynamic loading for android applica-
edition, 2009.
tions. In Proceedings of the 2012 ACM Research in
[7] C. Collberg, C. Thomborson, and D. Low. A taxon- Applied Computation Symposium, RACS ’12, pages
omy of obfuscating transformations. Technical Report 328–332, New York, NY, USA, 2012. ACM.
148, Department of Computer Science, University of
Auckland, July 1997. [18] S. Kim, E. Kim, and J. Choi. A method for detecting il-
legally copied apk files on the network. In Proceedings
[8] A. Desnos. Android: Static analysis using similarity of the 2012 ACM Research in Applied Computation
distance. In System Science (HICSS), 2012 45th Hawaii Symposium, RACS ’12, pages 253–256, New York,
International Conference on, pages 5394 –5403, jan. NY, USA, 2012. ACM.
2012.
[9] A. Desnos and G. Gueguen. Android: From reversing [19] D. E. Knuth. The Art of Computer Programming,
to decompilation. In Black Hat Abu Dhabi, 2011. Volume II: Seminumerical Algorithms, 2nd Edition.
Addison-Wesley, 1981.
[10] G. Dini, F. Martinelli, A. Saracino, and D. Sgandurra.
Madam: a multi-level anomaly detector for android [20] C. Liu, C. Chen, J. Han, and P. S. Yu. Gplag: detection
malware. In Proceedings of the 6th international con- of software plagiarism by program dependence graph
ference on Mathematical Methods, Models and Archi- analysis. In Proceedings of the 12th ACM SIGKDD
tectures for Computer Network Security: computer international conference on Knowledge discovery and
network security, MMM-ACNS’12, pages 240–253, data mining, KDD ’06, pages 872–881, New York, NY,
Berlin, Heidelberg, 2012. Springer-Verlag. USA, 2006. ACM.[21] A. Majumdar, S. Drape, and C. Thomborson. Metrics- [31] H. Tamada, K. Okamoto, M. Nakamura, A. Monden,
based evaluation of slicing obfuscations. In Proceed- and Matsumoto. K.: Dynamic software birthmarks to
ings of the Third International Symposium on Informa- detect the theft of windows applications. In In: Inter-
tion Assurance and Security, IAS ’07, pages 472–477, national Symposium on Future Software Technology,
Washington, DC, USA, 2007. IEEE Computer Society. 2004.
[22] A. Majumdar, S. J. Drape, and C. D. Thomborson. Slic- [32] J. Vacca. Network and System Security. Elsevier Sci-
ing obfuscations: design, correctness, and evaluation. ence, 2010.
In Proceedings of the 2007 ACM workshop on Digi- [33] R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam,
tal Rights Management, DRM ’07, pages 70–81, New and V. Sundaresan. Soot - a Java bytecode optimization
York, NY, USA, 2007. ACM. framework. In Proceedings of the 1999 conference
[23] R. Potharaju, A. Newell, C. Nita-Rotaru, and X. Zhang. of the Centre for Advanced Studies on Collaborative
Plagiarizing smartphone applications: attack strategies research, CASCON ’99, pages 13–. IBM Press, 1999.
and defense techniques. In Proceedings of the 4th [34] VirusTotal Malware Detection. https://www.
international conference on Engineering Secure Soft- virustotal.com/. Accessed: 24.01.2013.
ware and Systems, ESSoS’12, pages 106–120, Berlin,
Heidelberg, 2012. Springer-Verlag. [35] X. Wang, Y.-C. Jhi, S. Zhu, and P. Liu. Detecting
software theft via system call based birthmarks. In
[24] T. A. O. S. Project. Google play distri- Computer Security Applications Conference, 2009. AC-
bution. http://developer.android.com/ SAC ’09. Annual, pages 149 –158, dec. 2009.
google/play/dist.html, 2012. Accessed:
18.01.2013. [36] M. Weiser. Program slicing. In Proceedings of the
5th international conference on Software engineering,
[25] V. Rastogi, Y. Chen, and X. Jiang. Droidchameleon: ICSE ’81, pages 439–449, Piscataway, NJ, USA, 1981.
evaluating android anti-malware against transformation IEEE Press.
attacks. In Proceedings of the 8th ACM SIGSAC sym-
[37] L. K. Yan and H. Yin. Droidscope: seamlessly re-
posium on Information, computer and communications
constructing the os and dalvik semantic views for dy-
security, ASIA CCS ’13, pages 329–334, New York,
namic android malware analysis. In Proceedings of
NY, USA, 2013. ACM.
the 21st USENIX conference on Security symposium,
[26] D. Schuler and V. Dallmeier. Detecting software theft Security’12, pages 29–29, Berkeley, CA, USA, 2012.
with api call sequence sets. In Proceedings of the 8th USENIX Association.
Workshop Software Reengineering, May 2006. [38] M. Zheng, P. P. Lee, and J. C. Lui. ADAM: An Auto-
[27] D. Schuler, V. Dallmeier, and C. Lindig. A dynamic matic and Extensible Platform to Stress Test Android
birthmark for Java. In ASE ’07: Proceedings of the Anti-Virus Systems. In Proceedings of the 9th Con-
22nd International Conference on Automated Software ference on Detection of Intrusions and Malware &
Engineering, pages 274–283, Nov. 2007. Vulnerability Assessment, DIMVA ’ 12, July 2012.
[28] A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, and [39] W. Zhou, Y. Zhou, X. Jiang, and P. Ning. Detecting
Y. Weiss. ”andromaly”: a behavioral malware detection repackaged smartphone applications in third-party an-
framework for android devices. J. Intell. Inf. Syst., droid marketplaces. In Proceedings of the second ACM
38(1):161–190, Feb. 2012. conference on Data and Application Security and Pri-
vacy, CODASPY ’12, pages 317–326, New York, NY,
[29] M. Spreitzenbarth, F. Freiling, F. Echtler, T. Schreck, USA, 2012. ACM.
and J. Hoffmann. Mobile-sandbox: having a deeper
[40] Y. Zhou and X. Jiang. Dissecting android malware:
look into android applications. In Proceedings of the
Characterization and evolution. In Security and Privacy
28th Annual ACM Symposium on Applied Computing,
(SP), 2012 IEEE Symposium on, pages 95 –109, may
SAC ’13, pages 1808–1815, New York, NY, USA,
2012.
2013. ACM.
[41] Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, you, get
[30] H. Tamada, M. Nakamura, A. Monden, and K. ichi off of my market: Detecting malicious apps in official
Matsumoto. Design and evaluation of birthmarks for and alternative Android markets. In Proceedings of the
detecting theft of Java programs. In IN PROC. OF THE 19th Annual Network & Distributed System Security
IASTED INT. CONF. ON SOFTWARE ENGINEERING, Symposium, Feb. 2012.
pages 569–575, 2004.You can also read
