Abstract
Android is present in more than 85% of mobile devices, making it a prime target for malware. Malicious code is becoming increasingly sophisticated and relies on logic bombs to hide itself from dynamic analysis. In this article, we perform a large-scale study of TSOpen, our open-source implementation of the state-of-the-art static logic bomb scanner TriggerScope, on more than 500k Android applications. Results indicate that the approach scales. Moreover, we investigate the discrepancies and show that the approach can reach a very low false-positive rate, 0.3%, but at a particular cost, e.g., removing 90% of sensitive methods. Therefore, it might not be realistic to rely on such an approach to automatically detect all logic bombs in large datasets. However, it could be used to speed up the location of malicious code, for instance, while reverse engineering applications. We also present TrigDB, a database of 68 Android applications containing trigger-based behavior, as a ground truth for the research community.
Highlights
Android is the most popular mobile operating system with more than 85% of the market share in 2020 [1], which undeniably makes it a target of choice for attackers
We experimentally show that TRIGGERSCOPE’s approach might not be usable in a realistic setting to detect logic bombs with the information given in the original paper
We empirically show that using TRIGGERSCOPE’s approach, trigger analysis is not sufficient to detect logic bombs
Summary
Android is the most popular mobile operating system with more than 85% of the market share in 2020 [1], which undeniably makes it a target of choice for attackers. Google set up different solutions to secure access for applications in their Google Play. These range from fully automated programs using state-of-the-art technologies (e.g., Google Play Protect [2]) to manual reviews of randomly selected applications. The main challenge for attackers is to build malicious applications that remain under the radar of automated techniques. For this purpose, they can obfuscate the code to make the analysis more difficult. Attackers can also use other techniques such as packing [6], which relies on encryption to hide their malicious code. A logic bomb is code logic which executes malicious code only when particular conditions are met.
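To make the trigger analysis concrete, the following is an added toy scanner in the spirit of TriggerScope's approach; it is not TSOpen's code and its source/sink lists, the in_range threshold and the sample "application" are all constructed for illustration. It flags a conditional when its predicate inspects a time, location or SMS value with a narrow check and the guarded branch reaches a sensitive method, and it lets the caller shrink the sensitive-method list to show the trade-off the paper measures.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sets; the real TriggerScope / TSOpen lists are larger and API-specific.
TRIGGER_SOURCES = {"Calendar.get", "Location.getLatitude",
                   "Location.getLongitude", "SmsMessage.getMessageBody"}
SENSITIVE_METHODS = {"SmsManager.sendTextMessage", "Runtime.exec",
                     "DexClassLoader.<init>"}
NARROW_OPS = {"==", "equals", "contains"}   # accept a single value or substring
NARROW_RANGE_WIDTH = 0.5                     # assumed threshold for in_range checks

@dataclass
class Branch:
    """One conditional `if source op constant: guarded_calls` (toy stand-in for a CFG edge)."""
    source: str                     # API whose return value the predicate inspects
    op: str                         # "==", "equals", "contains", ">", "<", "in_range"
    constant: object                # literal compared against, or (lo, hi) for in_range
    guarded_calls: Tuple[str, ...]  # methods reachable only when the predicate holds

def is_suspicious_predicate(b: Branch) -> bool:
    """Trigger analysis: the value comes from a time/location/SMS source and the
    check accepts only a narrow set of inputs."""
    if b.source not in TRIGGER_SOURCES:
        return False
    if b.op in NARROW_OPS:
        return True
    if b.op == "in_range":
        lo, hi = b.constant
        return (hi - lo) <= NARROW_RANGE_WIDTH
    return False  # open-ended comparisons such as year > 2000 are not narrow

def scan(branches: List[Branch], sensitive=None) -> List[int]:
    """Indices of branches where a suspicious predicate guards a sensitive call.
    Passing a smaller `sensitive` set mimics removing sensitive methods: fewer
    flags (and false positives), but real bombs guarding the dropped methods are missed."""
    sensitive = SENSITIVE_METHODS if sensitive is None else sensitive
    return [i for i, b in enumerate(branches)
            if is_suspicious_predicate(b) and sensitive.intersection(b.guarded_calls)]

# Constructed sample "application": four conditionals lifted into the toy IR.
SAMPLE_APP = [
    Branch("Calendar.get", "==", 2021, ("SmsManager.sendTextMessage",)),            # time-triggered
    Branch("Location.getLatitude", "in_range", (48.85, 48.86), ("Runtime.exec",)),  # location-triggered
    Branch("SmsMessage.getMessageBody", "contains", "activate", ("Log.d",)),        # narrow, but harmless sink
    Branch("Calendar.get", ">", 2000, ("SmsManager.sendTextMessage",)),             # wide predicate
]

if __name__ == "__main__":
    print("flagged:", scan(SAMPLE_APP))                                    # [0, 1]
    print("flagged with reduced list:", scan(SAMPLE_APP, {"Runtime.exec"}))  # [1]
```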
More From: IEEE Transactions on Dependable and Secure Computing