MysteryChecker: Unpredictable attestation to detect repackaged malicious applications in Android

Jihwan Jeong; Dongwon Seo; Chanyoung Lee; Jonghoon Kwon; Heejo Lee; John Milburn

doi:10.1109/MALWARE.2014.6999415

MysteryChecker: Unpredictable attestation to detect repackaged malicious applications in Android

Jihwan Jeong, Dongwon Seo, Chanyoung Lee, Jonghoon Kwon, Heejo Lee, John Milburn

Department of Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Citations (Scopus)

Abstract

The number of malicious applications, sometimes known as malapps, in Android smartphones has increased significantly in recent years. Malapp writers abuse repackaging techniques to rebuild applications with code changes. Existing anti-malware applications do not successfully defeat or defend against the repackaged malapps due to numerous variants. Software-based attestation approaches widely used in a resource-constrained environment have been developed to detect code changes of software with low resource consumption. In this paper, we propose a novel software-based attestation approach, called MysteryChecker, leveraging an unpredictable attestation algorithm. For its unpredictable attestation, MysteryChecker applies the concept of code obfuscation, which changes the syntax in order to avoid code analysis by adversaries. More precisely, unpredictable attestation is achieved by chaining randomly selected crypto functions. A verifier sends a randomly generated attestation module, and the target application must reply with a correct response using the attestation module. Also, the target application periodically receives a new module that contains a different attestation algorithm. Thus, even if the attacker analyzes the attestation module, the target application replaces the existing attestation module with a new one and the analysis done by the attacker becomes invalid. Experimental results show that MysteryChecker is completely able to detect known and unknown variants of repackaged malapps, while existing anti-malware applications only partially detect the variants.

Original language	English
Title of host publication	Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	50-57
Number of pages	8
ISBN (Print)	9781479973293
DOIs	https://doi.org/10.1109/MALWARE.2014.6999415
Publication status	Published - 2014 Dec 29
Event	9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014 - Fajardo, Puerto Rico Duration: 2014 Oct 28 → 2014 Oct 30

Other

Other	9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
Country	Puerto Rico
City	Fajardo
Period	14/10/28 → 14/10/30

Fingerprint

Keywords

Repackaged Application Detection
Smartphone Security
Software-based Attestation

ASJC Scopus subject areas

Artificial Intelligence
Visual Arts and Performing Arts

Cite this

Jeong, J., Seo, D., Lee, C., Kwon, J., Lee, H., & Milburn, J. (2014). MysteryChecker: Unpredictable attestation to detect repackaged malicious applications in Android. In Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014 (pp. 50-57). [6999415] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/MALWARE.2014.6999415

MysteryChecker : Unpredictable attestation to detect repackaged malicious applications in Android. / Jeong, Jihwan; Seo, Dongwon; Lee, Chanyoung; Kwon, Jonghoon; Lee, Heejo; Milburn, John.

Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014. Institute of Electrical and Electronics Engineers Inc., 2014. p. 50-57 6999415.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Jeong, J, Seo, D, Lee, C, Kwon, J, Lee, H & Milburn, J 2014, MysteryChecker: Unpredictable attestation to detect repackaged malicious applications in Android. in Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014., 6999415, Institute of Electrical and Electronics Engineers Inc., pp. 50-57, 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014, Fajardo, Puerto Rico, 14/10/28. https://doi.org/10.1109/MALWARE.2014.6999415

Jeong J, Seo D, Lee C, Kwon J, Lee H, Milburn J. MysteryChecker: Unpredictable attestation to detect repackaged malicious applications in Android. In Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014. Institute of Electrical and Electronics Engineers Inc. 2014. p. 50-57. 6999415 https://doi.org/10.1109/MALWARE.2014.6999415

@inproceedings{05ffc46c2d2241409f6b07a28f9f405b,

title = "MysteryChecker: Unpredictable attestation to detect repackaged malicious applications in Android",

abstract = "The number of malicious applications, sometimes known as malapps, in Android smartphones has increased significantly in recent years. Malapp writers abuse repackaging techniques to rebuild applications with code changes. Existing anti-malware applications do not successfully defeat or defend against the repackaged malapps due to numerous variants. Software-based attestation approaches widely used in a resource-constrained environment have been developed to detect code changes of software with low resource consumption. In this paper, we propose a novel software-based attestation approach, called MysteryChecker, leveraging an unpredictable attestation algorithm. For its unpredictable attestation, MysteryChecker applies the concept of code obfuscation, which changes the syntax in order to avoid code analysis by adversaries. More precisely, unpredictable attestation is achieved by chaining randomly selected crypto functions. A verifier sends a randomly generated attestation module, and the target application must reply with a correct response using the attestation module. Also, the target application periodically receives a new module that contains a different attestation algorithm. Thus, even if the attacker analyzes the attestation module, the target application replaces the existing attestation module with a new one and the analysis done by the attacker becomes invalid. Experimental results show that MysteryChecker is completely able to detect known and unknown variants of repackaged malapps, while existing anti-malware applications only partially detect the variants.",

keywords = "Repackaged Application Detection, Smartphone Security, Software-based Attestation",

author = "Jihwan Jeong and Dongwon Seo and Chanyoung Lee and Jonghoon Kwon and Heejo Lee and John Milburn",

year = "2014",

month = "12",

day = "29",

doi = "10.1109/MALWARE.2014.6999415",

language = "English",

isbn = "9781479973293",

pages = "50--57",

booktitle = "Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

note = "9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014 ; Conference date: 28-10-2014 Through 30-10-2014",

}

TY - GEN

T1 - MysteryChecker

T2 - 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014

AU - Jeong, Jihwan

AU - Seo, Dongwon

AU - Lee, Chanyoung

AU - Kwon, Jonghoon

AU - Lee, Heejo

AU - Milburn, John

PY - 2014/12/29

Y1 - 2014/12/29

N2 - The number of malicious applications, sometimes known as malapps, in Android smartphones has increased significantly in recent years. Malapp writers abuse repackaging techniques to rebuild applications with code changes. Existing anti-malware applications do not successfully defeat or defend against the repackaged malapps due to numerous variants. Software-based attestation approaches widely used in a resource-constrained environment have been developed to detect code changes of software with low resource consumption. In this paper, we propose a novel software-based attestation approach, called MysteryChecker, leveraging an unpredictable attestation algorithm. For its unpredictable attestation, MysteryChecker applies the concept of code obfuscation, which changes the syntax in order to avoid code analysis by adversaries. More precisely, unpredictable attestation is achieved by chaining randomly selected crypto functions. A verifier sends a randomly generated attestation module, and the target application must reply with a correct response using the attestation module. Also, the target application periodically receives a new module that contains a different attestation algorithm. Thus, even if the attacker analyzes the attestation module, the target application replaces the existing attestation module with a new one and the analysis done by the attacker becomes invalid. Experimental results show that MysteryChecker is completely able to detect known and unknown variants of repackaged malapps, while existing anti-malware applications only partially detect the variants.

AB - The number of malicious applications, sometimes known as malapps, in Android smartphones has increased significantly in recent years. Malapp writers abuse repackaging techniques to rebuild applications with code changes. Existing anti-malware applications do not successfully defeat or defend against the repackaged malapps due to numerous variants. Software-based attestation approaches widely used in a resource-constrained environment have been developed to detect code changes of software with low resource consumption. In this paper, we propose a novel software-based attestation approach, called MysteryChecker, leveraging an unpredictable attestation algorithm. For its unpredictable attestation, MysteryChecker applies the concept of code obfuscation, which changes the syntax in order to avoid code analysis by adversaries. More precisely, unpredictable attestation is achieved by chaining randomly selected crypto functions. A verifier sends a randomly generated attestation module, and the target application must reply with a correct response using the attestation module. Also, the target application periodically receives a new module that contains a different attestation algorithm. Thus, even if the attacker analyzes the attestation module, the target application replaces the existing attestation module with a new one and the analysis done by the attacker becomes invalid. Experimental results show that MysteryChecker is completely able to detect known and unknown variants of repackaged malapps, while existing anti-malware applications only partially detect the variants.

KW - Repackaged Application Detection

KW - Smartphone Security

KW - Software-based Attestation

UR - http://www.scopus.com/inward/record.url?scp=84922577177&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84922577177&partnerID=8YFLogxK

U2 - 10.1109/MALWARE.2014.6999415

DO - 10.1109/MALWARE.2014.6999415

M3 - Conference contribution

AN - SCOPUS:84922577177

SN - 9781479973293

SP - 50

EP - 57

BT - Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 28 October 2014 through 30 October 2014

ER -

Access to Document

10.1109/MALWARE.2014.6999415