
Automated and Targeted Execution of Android Apps via Byte Code Instrumentation

Android is the leading smartphone platform in the world, both in number of mobile users and in application downloads. Android provides a very open ecosystem to its users, who can download millions of applications simply by navigating to any popular Android application market. Installing an app only requires reviewing the permissions it uses to access private information and interfaces that might leak collected data or cause monetary charges. A study [13] found that 42% of users are not even aware of these permissions, or do not care to read them closely. Thus a large population of Android smartphone users is vulnerable to malware applications that abuse these privileges. EuroGrabber [17] was one such attack: Trojans on Android and BlackBerry phones stole around 36 million euros from multiple users' bank accounts by reading, in the background, the one-time password (OTP) sent by the bank to the phone and forwarding it to the attacker's server, where it was used for a forged transaction that looked fully authorized to the bank.

To prevent such misuse of privileges, stringent mechanisms are required to analyze Android applications without manual input. Existing approaches in this area either check apps on an emulator with a modified ROM that tracks API use, and/or inject UI events, which the app can sometimes block once it detects that it is running under surveillance. They also depend on modifications to Android that have to be redone for every released version.

This thesis provides an approach that automatically targets the execution of Android applications over a set of interesting call paths without requiring any modification of Android. Instead, it injects logs into the original application and modifies it so that it can be instrumented automatically over the desired call paths. The thesis also demonstrates a proof of concept for the proposed method that validates the theoretical approach in practice. The prototype also exposes the limitations and pitfalls of the approach. For example, when a target method lies in an external library used by developers, such as the advertisement libraries of Google and TapJoy, a huge number (>600,000) of different paths can lead to the target method. Executing all of these paths is possible, but it takes very long and uses a considerable amount of memory and computing resources. This can be tackled provided the exact class names of the trusted third-party libraries, or the common package name of the external classes, are known, as shown in the performed experiment.
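The path explosion through third-party libraries, and the mitigation of trusting a library by its package name, can be made concrete on a small call graph. The following is an added example written for this page, not the thesis's own tooling: the call graph, the class names (com/example/app/..., com/adlib/..., the SmsManager target) and the summary-node strategy are all constructed assumptions. It counts the call paths from an entry point to a target method, enumerates them, and then collapses a trusted package prefix into a single summary node so that only "reachable via this library" survives instead of every library-internal path.

```python
"""Added example (not the thesis's own tooling): enumerating the call paths that
reach a target API in a constructed Android-style call graph, and collapsing a
trusted third-party package by prefix to tame the path explosion."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed names in dex-descriptor style (package/Class.method); the
# target is the kind of "interesting" method an analyst would instrument.
TARGET = "android/telephony/SmsManager.sendTextMessage"
ENTRY = "com/example/app/MainActivity.onCreate"


def build_call_graph(width: int = 4, depth: int = 5) -> Dict[str, List[str]]:
    """Constructed caller -> callees graph (an assumption, not real app data).

    The app itself has exactly one direct path to TARGET. An embedded ad
    library under com/adlib/ is a fully connected layered graph, so it adds
    width**depth further paths to the same target, mimicking the blow-up the
    thesis observed with advertisement libraries."""
    g: Dict[str, List[str]] = defaultdict(list)
    g[ENTRY] += ["com/example/app/Otp.forward", "com/adlib/AdLoader.load"]
    g["com/example/app/Otp.forward"].append(TARGET)
    prev = ["com/adlib/AdLoader.load"]
    for layer in range(depth):
        cur = [f"com/adlib/Layer{layer}.m{j}" for j in range(width)]
        for caller in prev:
            g[caller] += cur
        prev = cur
    for caller in prev:
        g[caller].append("com/adlib/Tracker.report")
    g["com/adlib/Tracker.report"].append(TARGET)
    return dict(g)


def count_paths(graph: Dict[str, List[str]], node: str, target: str,
                memo: Optional[Dict[str, int]] = None) -> int:
    """Number of call paths from node to target in an acyclic call graph.

    Memoised, so the count is cheap even when the paths themselves are far
    too many to enumerate and execute one by one."""
    if memo is None:
        memo = {}
    if node == target:
        return 1
    if node not in memo:
        memo[node] = sum(count_paths(graph, c, target, memo)
                         for c in graph.get(node, []))
    return memo[node]


def reachable(graph: Dict[str, List[str]], start: str) -> Set[str]:
    """All methods transitively called from start (iterative DFS)."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        for callee in graph.get(stack.pop(), []):
            if callee not in seen:
                seen.add(callee)
                stack.append(callee)
    return seen


def enumerate_paths(graph: Dict[str, List[str]], entry: str, target: str,
                    trusted_prefixes: Iterable[str] = ()) -> List[List[str]]:
    """Every simple call path from entry to target.

    A callee whose class lies under a trusted package prefix is not expanded.
    The whole package is collapsed into one summary node (prefix + "*"), and
    the path continues to the target only if the target is reachable from
    inside the package. The fact "target reachable via this library" survives;
    the library-internal combinatorics do not."""
    trusted = tuple(trusted_prefixes)
    paths: List[List[str]] = []
    seen: Set[Tuple[str, ...]] = set()
    stack = [(entry, [entry])]
    while stack:
        node, path = stack.pop()
        if node == target:
            if tuple(path) not in seen:      # two trusted callees may collapse
                seen.add(tuple(path))         # onto the same summarised path
                paths.append(path)
            continue
        for callee in graph.get(node, []):
            if callee in path:
                continue                      # never follow a cycle twice
            prefix = next((p for p in trusted if callee.startswith(p)), None)
            if prefix is None:
                stack.append((callee, path + [callee]))
            elif target in reachable(graph, callee):
                stack.append((target, path + [prefix + "*", target]))
    return paths


if __name__ == "__main__":
    g = build_call_graph()
    print("all paths:", count_paths(g, ENTRY, TARGET))          # 1025
    for p in enumerate_paths(g, ENTRY, TARGET, ("com/adlib/",)):
        print(" -> ".join(p))                                   # 2 paths
```

With the default graph there are 1025 paths to the target (one through the app's own code, 4^5 through the ad library); widening the constructed library to width 10 and depth 6 already yields 1,000,001, the same order of magnitude the abstract reports. Counting with memoisation stays instant either way, so it is a cheap check to run before deciding whether a target is worth enumerating, while trusting the com/adlib/ prefix reduces the enumeration to two paths: one that the instrumented app can be driven down directly, and one summarised path that records only that the library can reach the target.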

Supervisor(s): Julian Schütte
Status: finished
Topic: Android stuff
Author: Anshul Vij
Submission: 2016-02-02
Type of Thesis: Master's thesis
Proof of Concept: No
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching
