TY - GEN
T1 - MysteryChecker
T2 - 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
AU - Jeong, Jihwan
AU - Seo, Dongwon
AU - Lee, Chanyoung
AU - Kwon, Jonghoon
AU - Lee, Heejo
AU - Milburn, John
N1 - Publisher Copyright:
© 2014 IEEE.
PY - 2014/12/29
Y1 - 2014/12/29
N2 - The number of malicious applications, sometimes known as malapps, in Android smartphones has increased significantly in recent years. Malapp writers abuse repackaging techniques to rebuild applications with code changes. Existing anti-malware applications do not successfully defeat or defend against the repackaged malapps due to numerous variants. Software-based attestation approaches widely used in a resource-constrained environment have been developed to detect code changes of software with low resource consumption. In this paper, we propose a novel software-based attestation approach, called MysteryChecker, leveraging an unpredictable attestation algorithm. For its unpredictable attestation, MysteryChecker applies the concept of code obfuscation, which changes the syntax in order to avoid code analysis by adversaries. More precisely, unpredictable attestation is achieved by chaining randomly selected crypto functions. A verifier sends a randomly generated attestation module, and the target application must reply with a correct response using the attestation module. Also, the target application periodically receives a new module that contains a different attestation algorithm. Thus, even if the attacker analyzes the attestation module, the target application replaces the existing attestation module with a new one and the analysis done by the attacker becomes invalid. Experimental results show that MysteryChecker is completely able to detect known and unknown variants of repackaged malapps, while existing anti-malware applications only partially detect the variants.
KW - Repackaged Application Detection
KW - Smartphone Security
KW - Software-based Attestation
UR - http://www.scopus.com/inward/record.url?scp=84922577177&partnerID=8YFLogxK
U2 - 10.1109/MALWARE.2014.6999415
DO - 10.1109/MALWARE.2014.6999415
M3 - Conference contribution
AN - SCOPUS:84922577177
T3 - Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
SP - 50
EP - 57
BT - Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 28 October 2014 through 30 October 2014
ER -