"Automatically Locating Malicious Packages in Piggybacked Android Apps" by Li Li with Daoyuan Li, Tegawendé F. Bissyandé, Jacques Klein, Haipeng Cai, David Lo, and Yves le Traon.
MobileSoft17, Buenos Aires, Argentina, 2017.
Slide 1: Title
Automatically Locating Malicious Packages in Piggybacked Android Apps
Li Li, SnT, University of Luxembourg
Daoyuan Li, Tegawendé F. Bissyandé, Jacques Klein, Haipeng Cai, David Lo, and Yves le Traon
Slide 7: Piggybacked Malicious Apps
Goal: Locating Malicious Payloads
[Figure: Piggybacked App = Original App + Malicious Payload. The original app is the carrier, the malicious payload is the rider, and the hook is the point where the two are joined.]
Wu Zhou, Yajin Zhou, Michael Grace, Xuxian Jiang, and Shihong Zou. Fast, scalable detection of “piggybacked” mobile applications. In CODASPY ’13, pages 185–196, New York, NY, USA, 2013.
Slide 8: Piggybacked Malicious Apps
[Figure: Piggybacked App vs. Original Counterpart → Malicious Diff]
Li Li, Daoyuan Li, Tegawendé F. Bissyandé, Jacques Klein, Yves Le Traon, David Lo and Lorenzo Cavallaro. Understanding Android App Piggybacking. The 39th International Conference on Software Engineering, Poster Track (ICSE), 2017. Full paper appears in the IEEE TIFS journal, 2017.
Slide 9: Piggybacked Malicious Apps
[Figure: Piggybacked App → Malicious Diff, with no original counterpart available]
What if the original counterpart is unknown?
Slide 10: HookRanker
[Figure: an example Package Dependence Graph (PDGraph). Nodes are the app's packages: com.umeng.common, com.umeng.xp, com.unity3d.player, com.gamegod, org.fmod, com.umeng.analytics, com.mobile.co, com.ah.mfcom.android.kode_p (the last token is two package names run together in the extraction). Numeric labels on the graph include 1, 3, 4, 6 and 132.]
The objective of HookRanker is to build a ranked list of the packages based on a likelihood score that a package is the entry point of the malicious payloads.
Slide 12: HookRanker
Metrics:
- Weighted indegree (w1)
- Unweighted indegree (w2)
- Maximum shortest path (w3)
- Energy (w4)
Constraints:
- No closed walk
- Limited clustering coefficient
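The metrics and constraints above are evaluated on the PDGraph of slide 10. As an added example (not the authors' HookRanker code), the following computes w1 to w3 and checks both constraints on a small constructed PDGraph whose package names are taken from slide 10 but whose edges and weights are invented. The energy metric (w4) is not defined on these slides and is omitted, and the final ordering rule in rank_packages is this example's own assumption, not the paper's scoring.

```python
from collections import defaultdict, deque

# Constructed PDGraph: (caller, callee, weight). Names are from the slide; edges are invented.
EDGES = [
    ("com.unity3d.player", "org.fmod", 8),
    ("com.unity3d.player", "com.umeng.analytics", 4),
    ("com.umeng.analytics", "com.umeng.common", 3),
    ("com.umeng.xp", "com.umeng.common", 1),
    ("com.umeng.xp", "com.umeng.analytics", 2),
    ("com.gamegod", "com.mobile.co", 6),
    ("com.mobile.co", "com.gamegod", 132),  # cycle: violates the "no closed walk" constraint
]

def reachable(succ, src):  # BFS hop-count distance from src to everything it can reach
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in succ[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def clustering(succ, pred, p):  # local clustering coefficient on the undirected view
    nbrs = (set(succ[p]) | set(pred[p])) - {p}
    if len(nbrs) < 2:
        return 0.0
    linked = sum(1 for u in nbrs for v in nbrs if u < v and (v in succ[u] or u in succ[v]))
    return linked / (len(nbrs) * (len(nbrs) - 1) / 2)

def package_metrics(edges):
    """Per package: w1..w3 from the slide and the two constraints (energy, w4, is omitted)."""
    succ, pred = defaultdict(dict), defaultdict(dict)
    for a, b, w in edges:
        succ[a][b] = succ[a].get(b, 0) + w
        pred[b][a] = pred[b].get(a, 0) + w
    return {p: {
        "w1_weighted_indegree": sum(pred[p].values()),
        "w2_unweighted_indegree": len(pred[p]),
        "w3_max_shortest_path": max(reachable(succ, p).values()),
        "no_closed_walk": all(p not in reachable(succ, q) for q in list(succ[p])),
        "clustering_coefficient": clustering(succ, pred, p),
    } for p in sorted(set(succ) | set(pred))}

def rank_packages(edges, max_cc=0.5):
    """Best-first hook-entry candidates. The ordering is this example's assumption, not HookRanker's
    scoring: keep packages that meet both constraints and have a caller, then prefer fewer/lighter callers."""
    m = package_metrics(edges)
    ok = [p for p, v in m.items() if v["no_closed_walk"] and v["w2_unweighted_indegree"] > 0 and v["clustering_coefficient"] <= max_cc]
    return sorted(ok, key=lambda p: (m[p]["w1_weighted_indegree"], m[p]["w2_unweighted_indegree"], -m[p]["w3_max_shortest_path"]))
```

On this constructed graph the com.gamegod / com.mobile.co pair fails the closed-walk constraint and com.umeng.common fails the clustering bound, so only com.umeng.analytics and org.fmod survive as candidates.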
Slide 13: Evaluation
- RQ1: Can we identify hooks? If so, what is the hook distribution?
- RQ2: Are the proposed metrics capable of locating hooks in piggybacked Android apps? If so, what is the accuracy?
Experimental setup: 500 known piggybacked app pairs
Li Li, Daoyuan Li, Tegawendé F. Bissyandé, Jacques Klein, Yves Le Traon, David Lo and Lorenzo Cavallaro. Understanding Android App Piggybacking: A Systematic Study of Malicious Code Grafting. IEEE Transactions on Information Forensics & Security (TIFS), 2017.
Slide 14: RQ1: Hook Distribution
[Figure: distribution plot; axis "The Number of Hooks", ticks 0.0 to 2.0]
341 out of 500 piggybacked malicious apps contain hooks.
Slide 16: RQ2: Hook Identification
Overall, HookRanker yields an accuracy@5 of 83.6%.
Slide 17: Conclusion
- We propose an automated approach for locating hooks (i.e., code that switches the execution context from benign to malicious code) within piggybacked malicious apps.
- We present a tool called HookRanker to automatically recommend potential malicious packages.
Contact: Li Li, Luxembourg, li.li@uni.lu, http://lilicoding.github.io
Slide 18: Piggybacked Malicious Apps
[Figure: within the set of Android apps, the set of piggybacked apps overlaps the set of malware. A piggybacked app (a2) is built from an original app (a1), the carrier, plus a rider, joined by a hook.]
Wu Zhou, Yajin Zhou, Michael Grace, Xuxian Jiang, and Shihong Zou. Fast, scalable detection of “piggybacked” mobile applications. In CODASPY ’13, pages 185–196, New York, NY, USA, 2013.