In the last decade, we have faced the rise of mobile devices as a fundamental tool in our everyday lives. At the time of writing, there are more than 4.2 billion active mobile users, and 71% of them take advantage of the Android operating system. The functionalities of smartphones are enriched by mobile applications through which users can perform every operation that in the past has been made possible only on computers or web applications. Although this introduces advantages and conveniences for the end users as they can perform operations from the comfort of their mobile devices, it also presents several security challenges. In particular, Android devices and applications become a desirable target for large-scale malware distribution. Thus, malicious applications have constantly evolved, becoming increasingly sophisticated and stealthy. The aim of malware authors is twofold. They aim at fooling as many final users as possible to install their malicious applications and they pay special attention to flying under the radar of analysis tools to avoid manual and automatic detection to operate undisturbed. The response from the community was swift, and many researchers have ventured to defend this system, constantly proposing protection methodologies or novel and more robust analysis techniques. This thesis aims to contribute to this cat-and-mouse game by analyzing some of the open problems affecting different security aspects of the Android ecosystem. This thesis starts with analyzing modern repackaging attacks -- widely used by malicious actors to distribute malware samples stealthily -- and introduces a novel anti-repackaging scheme that considers the security requirements a protection technique should follow. Then, this thesis focuses on the security analysis of modern anti-analysis and protection techniques exploited by Android applications. In particular, it focuses on revealing the role of native (C/C++) code in malware samples and the evasive techniques used by both benign and malicious applications. To those aims, this thesis also proposes a novel methodology to reverse engineering Android applications focusing on suspicious patterns related to native components and a probe-based sandbox -- a dynamic analysis system -- which circumvents evasive techniques thanks to a substantial engineering effort, making the applications under analysis believe they are running on an actual device. Our results depict typical behaviors of modern malware and its evolution and reveal insights about the anti-analysis techniques' purpose, differences, and relationships between legitimate and harmful behaviors. Finally, the analysis of the native layer brought to light a novel state inference attack that can be abused by modern malware to carry out more complex attacks, such as phishing. This thesis also highlights how there still needs to be a system in place to allow applications to protect themselves against this novel attack vector.
Shades of Gray: Delving Surreptitious Code in Android Applications
RUGGIA, ANTONIO
2024
Abstract
In the last decade, we have faced the rise of mobile devices as a fundamental tool in our everyday lives. At the time of writing, there are more than 4.2 billion active mobile users, and 71% of them take advantage of the Android operating system. The functionalities of smartphones are enriched by mobile applications through which users can perform every operation that in the past has been made possible only on computers or web applications. Although this introduces advantages and conveniences for the end users as they can perform operations from the comfort of their mobile devices, it also presents several security challenges. In particular, Android devices and applications become a desirable target for large-scale malware distribution. Thus, malicious applications have constantly evolved, becoming increasingly sophisticated and stealthy. The aim of malware authors is twofold. They aim at fooling as many final users as possible to install their malicious applications and they pay special attention to flying under the radar of analysis tools to avoid manual and automatic detection to operate undisturbed. The response from the community was swift, and many researchers have ventured to defend this system, constantly proposing protection methodologies or novel and more robust analysis techniques. This thesis aims to contribute to this cat-and-mouse game by analyzing some of the open problems affecting different security aspects of the Android ecosystem. This thesis starts with analyzing modern repackaging attacks -- widely used by malicious actors to distribute malware samples stealthily -- and introduces a novel anti-repackaging scheme that considers the security requirements a protection technique should follow. Then, this thesis focuses on the security analysis of modern anti-analysis and protection techniques exploited by Android applications. In particular, it focuses on revealing the role of native (C/C++) code in malware samples and the evasive techniques used by both benign and malicious applications. To those aims, this thesis also proposes a novel methodology to reverse engineering Android applications focusing on suspicious patterns related to native components and a probe-based sandbox -- a dynamic analysis system -- which circumvents evasive techniques thanks to a substantial engineering effort, making the applications under analysis believe they are running on an actual device. Our results depict typical behaviors of modern malware and its evolution and reveal insights about the anti-analysis techniques' purpose, differences, and relationships between legitimate and harmful behaviors. Finally, the analysis of the native layer brought to light a novel state inference attack that can be abused by modern malware to carry out more complex attacks, such as phishing. This thesis also highlights how there still needs to be a system in place to allow applications to protect themselves against this novel attack vector.File | Dimensione | Formato | |
---|---|---|---|
phdunige_4207898.pdf
accesso aperto
Dimensione
3.04 MB
Formato
Adobe PDF
|
3.04 MB | Adobe PDF | Visualizza/Apri |
I documenti in UNITESI sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/20.500.14242/125884
URN:NBN:IT:UNIGE-125884