Resilient User-Side Android Application Repackaging and Tampering Detection Using Cryptographically Obfuscated Logic Bombs

Abstract

Application repackaging is a severe threat to Android users and the market. Not only does it infringe on intellectual property, but it is also one of the most common ways of propagating mobile malware. Existing countermeasures mostly detect repackaging based on app similarity measurement, which tends to be imprecise when obfuscations are applied to repackaged apps. Moreover, they rely on a central party, typically the hosting app store, to perform the detection, but many app stores fail to commit proper effort to piracy detection. We consider building the application repackaging detection capability into apps, such that user devices are made use to detect repackaging in a decentralized fashion. <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">The main challenge is how to protect the detection code from being manipulated by attacks</i> . We propose a creative use of <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">logic bombs</i> , which are otherwise regularly used in malware. The <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">trigger conditions</i> of bombs are constructed to exploit the differences between the attacker and users, such that a bomb that lies dormant on the attacker side will be activated on the user side. The detection code, which is part of the bomb <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">payload</i> , is executed only if the bomb is activated. We introduce <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">cryptographically obfuscated logic bomb</i> to enhance the bomb: (1) the detection code is <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">woven</i> into the neighboring original app code, (2) the mixed code gets encrypted using a key, and (3) the key is deleted from the app and can only be derived when the bomb is activated. Thus, attacks that try to modify or delete the detection code will corrupt the app itself, and searching the key in the application will be in vain. Moreover, we propose a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">bomb spraying</i> technique that allows many bombs to be injected into an app, multiplying the needed adversary effort for bypassing the detection. In addition to repackaging detection, we present application tampering detection to fight attacks that insert malicious code into repackaged apps. We have implemented a prototype, named <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">BombDroid</small> , that builds repackaging and tampering detection into apps through bytecode instrumentation. The evaluation and the security analysis show that the technique is effective, efficient, and resilient to various bomb analysis techniques including fuzzing, symbolic execution, multi-path exploration, and program slicing. Ethical issues due to the use of logic bombs are also discussed.