CRII: SaTC: A Malware-Inspired Approach to Mobile Application Repackaging and Tampering Detection

CRII：SaTC：一种受恶意软件启发的移动应用程序重新打包和篡改检测方法

• 批准号: 1850278
• 负责人: Lannan Luo
• 金额: $ 17.49万
• 依托单位: University of South Carolina at Columbia
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-06-15 至 2022-05-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1850278&HistoricalAwards=false
• 关键词: CRII; SaTC; Malware; Inspired; Approach

Mobile application ("app") repackaging is a severe threat to the flourishing mobile market and numerous users. 97% of the top paid Android apps and 87% of the iOS ones have been repackaged. Besides, it is one of the most common ways of propagating mobile malware. Existing countermeasures mostly detect repackaging based on app similarity measurement, which tends to be imprecise when obfuscations are applied to repackaged apps. Moreover, they rely on a centralized party, typically the hosting app store, to perform the detection, but many alternative app stores fail to commit proper effort to piracy detection. This research aims at an effective defense against app repackaging, and will result in substantial progress in tackling malware propagated via repackaged apps. It will help mitigate attacks such as ransomware or DDoS launched from repackaged apps. It will also help reduce the massive monetary loss of legitimate app developers. Industrial collaborations ensure rapidly translate scientific discovery and technical knowledge into beneficial commercial products. Educational resources from this project, including course modules on mobile security and malware detection, will be disseminated through a dedicated web site. This research will foster new research and education opportunities at University of South Carolina. Students from underrepresented groups will participate in the project.This research is to explore a decentralized scheme that adds repackaging detection capability into the app to be protected, such that the host devices are made use of to conduct detection when the app is running. The main challenge is how to protect the repackaging detection code from attacks. The team of research proposes a novel malware-inspired approach to handling the important mobile app repackaging problem. The team will explore a creative use of logic bombs, which are regularly used in malware: the trigger conditions are constructed to exploit the differences between the attacker and users (in terms of hardware, sensor values, and inputs), such that a bomb that lies dormant on the attacker side will be activated on the user side. The repackaging detection code, which is packed as the bomb payload, is executed only if the bomb is activated. (2) Unlike many conventional software tampering detection techniques that try to conceal the detection code, by leveraging various methods used in malware this design is non-stealthy, which means that the detection code is not hidden, yet still resilient to attacks. (3) The proposed system also aims to detect code tampering, which occurs when malicious code is inserted and hence implies extraordinary dangers. (4) The decentralized repackaging/tampering detection is proposed to be used for crowdsourced malware information collection to fight against malware propagation. (5) Finally, the team is to address how to prevent the proposed techniques from being abused by malware authors.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

移动应用程序（“app”）的重新包装是对蓬勃发展的移动市场和众多用户的严重威胁。97%的Android付费应用和87%的iOS付费应用都进行了重新包装。此外，它也是传播移动恶意软件的最常见方式之一。现有的对策主要是基于应用相似性测量来检测重新包装，当对重新包装的应用进行混淆时，这种方法往往不精确。此外，它们依赖于一个中心化的组织（通常是托管应用商店）来执行检测，但许多替代应用商店并没有对盗版检测做出适当的努力。这项研究旨在有效防御应用程序重新打包，并将在解决通过重新打包的应用程序传播的恶意软件方面取得实质性进展。它将有助于减轻从重新打包的应用程序发起的勒索软件或DDoS等攻击。这也将有助于减少合法应用开发者的巨额金钱损失。工业合作确保科学发现和技术知识迅速转化为有益的商业产品。这个项目的教育资源，包括手机安全和恶意软件检测的课程模块，将通过一个专门的网站进行传播。这项研究将在南卡罗莱纳大学培养新的研究和教育机会。来自代表性不足群体的学生将参与该项目。本研究旨在探索一种去中心化的方案，在被保护的应用中加入重新包装检测功能，从而在应用运行时利用主机设备进行检测。主要的挑战是如何保护重包装检测代码免受攻击。研究小组提出了一种新的恶意软件启发的方法来处理重要的移动应用程序重新包装问题。该团队将探索逻辑炸弹的创造性使用，这是恶意软件中经常使用的：触发器条件被构建为利用攻击者和用户之间的差异（在硬件，传感器值和输入方面），这样在攻击者侧处于休眠状态的炸弹将在用户侧激活。重新包装检测代码是作为炸弹有效载荷打包的，只有在炸弹被激活时才会执行。(2)与许多试图隐藏检测代码的传统软件篡改检测技术不同，通过利用恶意软件中使用的各种方法，这种设计是非隐形的，这意味着检测代码不被隐藏，但仍然能够抵御攻击。(3)提出的系统还旨在检测代码篡改，这种情况发生在恶意代码插入时，因此意味着非常危险。(4)提出将去中心化的重包装/篡改检测用于众包恶意软件信息收集，对抗恶意软件传播。(5)最后，该团队将解决如何防止所提出的技术被恶意软件作者滥用。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Privacy Leakage Analysis for Colluding Smart Apps

• DOI: 10.1109/dsn-w54100.2022.00025
• 发表时间: 2022-06
• 期刊: 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)
• 作者: Junzhe Wang;Lannan Luo

PFirewall: Semantics-Aware Customizable Data Flow Control for Smart Home Privacy Protection

• DOI: 10.14722/ndss.2021.24464
• 发表时间: 2021-01
• 期刊: ArXiv
• 作者: Haotian Chi;Qiang Zeng;Xiaojiang Du;Lannan Luo

Exploiting the Inherent Limitation of L0 Adversarial Examples

• 发表时间: 2018-12
• 作者: F. Zuo;Bokai Yang;Xiaopeng Li;Qiang Zeng

Westworld: Fuzzing-Assisted Remote Dynamic Symbolic Execution of Smart Apps on IoT Cloud Platforms

• DOI: 10.1145/3485832.3488022
• 发表时间: 2021-12
• 期刊: Proceedings of the 37th Annual Computer Security Applications Conference
• 作者: Lannan Luo;Qiang Zeng;Bokai Yang;Fei Zuo;Junzhe Wang

Tainting-Assisted and Context-Migrated Symbolic Execution of Android Framework for Vulnerability Discovery and Exploit Generation

用于漏洞发现和利用生成的 Android 框架的污染辅助和上下文迁移符号执行

• DOI: 10.1109/tmc.2019.2936561
• 发表时间: 2020-12
• 期刊: IEEE Transactions on Mobile Computing
• 影响因子: 7.9
• 作者: Luo Lannan;Zeng Qiang;Cao Chen;Chen Kai;Liu Jian;Liu Limin;Gao Neng;Yang Min;Xing Xinyu;Liu Peng
• 通讯作者: Liu Peng