MysteryChecker

Unpredictable attestation to detect repackaged malicious applications in Android

Jihwan Jeong, Dongwon Seo, Chanyoung Lee, Jonghoon Kwon, Heejo Lee, John Milburn

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

Abstract

The number of malicious applications, sometimes known as malapps, in Android smartphones has increased significantly in recent years. Malapp writers abuse repackaging techniques to rebuild applications with code changes. Existing anti-malware applications do not successfully defeat or defend against the repackaged malapps due to numerous variants. Software-based attestation approaches widely used in a resource-constrained environment have been developed to detect code changes of software with low resource consumption. In this paper, we propose a novel software-based attestation approach, called MysteryChecker, leveraging an unpredictable attestation algorithm. For its unpredictable attestation, MysteryChecker applies the concept of code obfuscation, which changes the syntax in order to avoid code analysis by adversaries. More precisely, unpredictable attestation is achieved by chaining randomly selected crypto functions. A verifier sends a randomly generated attestation module, and the target application must reply with a correct response using the attestation module. Also, the target application periodically receives a new module that contains a different attestation algorithm. Thus, even if the attacker analyzes the attestation module, the target application replaces the existing attestation module with a new one and the analysis done by the attacker becomes invalid. Experimental results show that MysteryChecker is completely able to detect known and unknown variants of repackaged malapps, while existing anti-malware applications only partially detect the variants.
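The challenge-response flow the abstract describes, as an added sketch that is not code from the paper or its authors: a verifier builds a random chain of hash functions, the target runs it over its own code, and the module is rotated. The function pool, the nonce, the message layout and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed pool: the abstract says only "crypto functions"; these are stand-ins.
POOL = ("sha256", "sha512", "sha3_256", "blake2b", "blake2s")

# Constructed sample inputs: code bytes of a genuine app and a repackaged copy.
ORIGINAL_CODE = b"\x64\x65\x78\x0a constructed genuine app bytecode"
REPACKAGED_CODE = ORIGINAL_CODE + b" plus constructed injected code"


def generate_module(length=4):
    """Verifier side: pick a random chain of functions and a fresh nonce."""
    rng = secrets.SystemRandom()
    return {
        "chain": [rng.choice(POOL) for _ in range(length)],
        "nonce": secrets.token_bytes(16),
    }


def run_module(module, code):
    """Target side: feed the app's code through every function in the chain."""
    state = code
    for name in module["chain"]:
        state = hashlib.new(name, module["nonce"] + state).digest()
    return state.hex()


def verify(module, reference_code, response):
    """Verifier side: recompute over the known-good code and compare."""
    expected = run_module(module, reference_code)
    return hmac.compare_digest(expected, response)


def demo():
    """Return (genuine accepted, repackaged accepted, stale answer accepted)."""
    first = generate_module()
    genuine = verify(first, ORIGINAL_CODE, run_module(first, ORIGINAL_CODE))
    repackaged = verify(first, ORIGINAL_CODE, run_module(first, REPACKAGED_CODE))
    # Module rotation: a response computed for the old module is now useless.
    second = generate_module()
    stale = verify(second, ORIGINAL_CODE, run_module(first, ORIGINAL_CODE))
    return genuine, repackaged, stale


if __name__ == "__main__":
    print(demo())
```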

Original language: English
Title of host publication: Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 50-57
Number of pages: 8
ISBN (Print): 9781479973293
DOI: https://doi.org/10.1109/MALWARE.2014.6999415
Publication status: Published - 2014 Dec 29
Event: 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014 - Fajardo, Puerto Rico
Duration: 2014 Oct 28 → 2014 Oct 30

Other

Other: 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
Country: Puerto Rico
City: Fajardo
Period: 14/10/28 → 14/10/30

Keywords

  • Repackaged Application Detection
  • Smartphone Security
  • Software-based Attestation

ASJC Scopus subject areas

  • Artificial Intelligence
  • Visual Arts and Performing Arts

Cite this

Jeong, J., Seo, D., Lee, C., Kwon, J., Lee, H., & Milburn, J. (2014). MysteryChecker: Unpredictable attestation to detect repackaged malicious applications in Android. In Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014 (pp. 50-57). [6999415] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/MALWARE.2014.6999415
