MysteryChecker

TY - GEN

T1 - MysteryChecker

T2 - Unpredictable attestation to detect repackaged malicious applications in Android

AU - Jeong, Jihwan

AU - Seo, Dongwon

AU - Lee, Chanyoung

AU - Kwon, Jonghoon

AU - Lee, Heejo

AU - Milburn, John

PY - 2014/12/29

Y1 - 2014/12/29

N2 - The number of malicious applications, sometimes known as malapps, in Android smartphones has increased significantly in recent years. Malapp writers abuse repackaging techniques to rebuild applications with code changes. Existing anti-malware applications do not successfully defeat or defend against the repackaged malapps due to numerous variants. Software-based attestation approaches widely used in a resource-constrained environment have been developed to detect code changes of software with low resource consumption. In this paper, we propose a novel software-based attestation approach, called MysteryChecker, leveraging an unpredictable attestation algorithm. For its unpredictable attestation, MysteryChecker applies the concept of code obfuscation, which changes the syntax in order to avoid code analysis by adversaries. More precisely, unpredictable attestation is achieved by chaining randomly selected crypto functions. A verifier sends a randomly generated attestation module, and the target application must reply with a correct response using the attestation module. Also, the target application periodically receives a new module that contains a different attestation algorithm. Thus, even if the attacker analyzes the attestation module, the target application replaces the existing attestation module with a new one and the analysis done by the attacker becomes invalid. Experimental results show that MysteryChecker is completely able to detect known and unknown variants of repackaged malapps, while existing anti-malware applications only partially detect the variants.

AB - The number of malicious applications, sometimes known as malapps, in Android smartphones has increased significantly in recent years. Malapp writers abuse repackaging techniques to rebuild applications with code changes. Existing anti-malware applications do not successfully defeat or defend against the repackaged malapps due to numerous variants. Software-based attestation approaches widely used in a resource-constrained environment have been developed to detect code changes of software with low resource consumption. In this paper, we propose a novel software-based attestation approach, called MysteryChecker, leveraging an unpredictable attestation algorithm. For its unpredictable attestation, MysteryChecker applies the concept of code obfuscation, which changes the syntax in order to avoid code analysis by adversaries. More precisely, unpredictable attestation is achieved by chaining randomly selected crypto functions. A verifier sends a randomly generated attestation module, and the target application must reply with a correct response using the attestation module. Also, the target application periodically receives a new module that contains a different attestation algorithm. Thus, even if the attacker analyzes the attestation module, the target application replaces the existing attestation module with a new one and the analysis done by the attacker becomes invalid. Experimental results show that MysteryChecker is completely able to detect known and unknown variants of repackaged malapps, while existing anti-malware applications only partially detect the variants.

KW - Repackaged Application Detection

KW - Smartphone Security

KW - Software-based Attestation

UR - http://www.scopus.com/inward/record.url?scp=84922577177&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84922577177&partnerID=8YFLogxK

U2 - 10.1109/MALWARE.2014.6999415

DO - 10.1109/MALWARE.2014.6999415

M3 - Conference contribution

SN - 9781479973293

SP - 50

EP - 57

BT - Proceedings of the 9th IEEE International Conference on Malicious and Unwanted Software, MALCON 2014

PB - Institute of Electrical and Electronics Engineers Inc.

ER -