TY - GEN
T1 - Resilient decentralized android application repackaging detection using logic bombs
AU - Zeng, Qiang
AU - Luo, Lannan
AU - Qian, Zhiyun
AU - Du, Xiaojiang
AU - Li, Zhoujun
N1 - Publisher Copyright:
© 2018 Association for Computing Machinery.
PY - 2018/2/24
Y1 - 2018/2/24
N2 - Application repackaging is a severe threat to Android users and the market. Existing countermeasures mostly detect repackaging based on app similarity measurement and rely on a central party to perform detection, which is unscalable and imprecise. We instead consider building the detection capability into apps, such that user devices are made use of to detect repackaging in a decentralized fashion. The main challenge is how to protect repackaging detection code from attacks. We propose a creative use of logic bombs, which are regularly used in malware, to conquer the challenge. A novel bomb structure is invented and used: the trigger conditions are constructed to exploit the differences between the attacker and users, such that a bomb that lies dormant on the attacker side will be activated on one of the user devices, while the repackaging detection code, which is packed as the bomb payload, is kept inactive until the trigger conditions are satisfied. Moreover, the repackaging detection code is woven into the original app code and gets encrypted; thus, attacks by modifying or deleting suspicious code will corrupt the app itself. We have implemented a prototype, named BombDroid, that builds the repackaging detection into apps through bytecode instrumentation, and the evaluation shows that the technique is effective, efficient, and resilient to various adversary analysis including symbolic execution, multi-path exploration, and program slicing.
AB - Application repackaging is a severe threat to Android users and the market. Existing countermeasures mostly detect repackaging based on app similarity measurement and rely on a central party to perform detection, which is unscalable and imprecise. We instead consider building the detection capability into apps, such that user devices are made use of to detect repackaging in a decentralized fashion. The main challenge is how to protect repackaging detection code from attacks. We propose a creative use of logic bombs, which are regularly used in malware, to conquer the challenge. A novel bomb structure is invented and used: the trigger conditions are constructed to exploit the differences between the attacker and users, such that a bomb that lies dormant on the attacker side will be activated on one of the user devices, while the repackaging detection code, which is packed as the bomb payload, is kept inactive until the trigger conditions are satisfied. Moreover, the repackaging detection code is woven into the original app code and gets encrypted; thus, attacks by modifying or deleting suspicious code will corrupt the app itself. We have implemented a prototype, named BombDroid, that builds the repackaging detection into apps through bytecode instrumentation, and the evaluation shows that the technique is effective, efficient, and resilient to various adversary analysis including symbolic execution, multi-path exploration, and program slicing.
KW - Android app repackaging
KW - Code obfuscation
UR - https://www.scopus.com/pages/publications/85052761947
U2 - 10.1145/3168820
DO - 10.1145/3168820
M3 - 会议稿件
AN - SCOPUS:85052761947
T3 - CGO 2018 - Proceedings of the 2018 International Symposium on Code Generation and Optimization
SP - 50
EP - 61
BT - CGO 2018 - Proceedings of the 2018 International Symposium on Code Generation and Optimization
PB - Association for Computing Machinery, Inc
T2 - 16th International Symposium on Code Generation and Optimization, CGO 2018
Y2 - 24 February 2018 through 28 February 2018
ER -