Automated Android Security Assessment: Malware, Vulnerabilities, and Exploits
Android has become the dominant mobile platform. Millions of Android apps have been produced and disseminated across app markets, spurred by the relative ease of construction using the Android development framework. Unfortunately, this ease of construction and dissemination, together with access to millions of users, has attracted malicious app developers and contributed to a growing number of exploitable software vulnerabilities. To address these challenges, in this talk I present two approaches for Android security assessment that I have constructed: LetterBomb, the first approach for automatically generating exploits for Android apps, and RevealDroid, a lightweight, obfuscation-resilient approach for malware detection and family identification that leverages machine learning and static analysis of both conventional and unconventional code (i.e., reflective code and native code).

In the first part of the talk, I introduce LetterBomb, which combines path-sensitive, symbolic-execution-based static analysis with software instrumentation and test oracles. I ran LetterBomb on 10,000 Android apps from Google Play and identified nearly 200 exploits in over 800 vulnerable apps, including popular apps with up to 10 million downloads. Compared to a state-of-the-art detection approach for three inter-component-communication-based vulnerabilities, LetterBomb finds 30%-60% more vulnerabilities and runs 7 times faster.

In the second part of the talk, I present RevealDroid, which operates without complex program analyses or large feature sets and also examines unconventional code. Specifically, its features capture categorized Android API usage, reflection-based behavior, and properties of the apps' native binaries. I assessed RevealDroid on more than 54,000 malicious and benign apps, where it achieved 98% accuracy for malware detection, 95% accuracy for determining malware families, and very high obfuscation resiliency. I further demonstrate RevealDroid’s superiority over state-of-the-art approaches.
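As an added illustration (not RevealDroid's own code), the following Python sketches how the three feature kinds named above can be derived from a parsed app: categorized API usage, reflection indicators, and native-binary imports. The category map, the reflection API set, the native symbol list and the sample app data are all constructed assumptions; the point is that platform API references and imported symbols survive identifier-renaming obfuscation, which is what makes such features resilient.

```python
from collections import Counter

# Hypothetical package-to-category map standing in for RevealDroid's categorized
# API usage; the real category list is not given in the abstract.
API_CATEGORIES = {
    "android.telephony": "telephony", "android.location": "location",
    "android.net": "network", "java.net": "network",
    "android.content": "ipc", "javax.crypto": "crypto",
    "java.lang.reflect": "reflection", "dalvik.system": "dynamic_loading",
}
# Method references that indicate reflective or dynamically loaded code (constructed set).
REFLECTION_APIS = {
    "java.lang.Class.forName", "java.lang.reflect.Method.invoke",
    "java.lang.ClassLoader.loadClass", "dalvik.system.DexClassLoader.<init>",
}
# Imported libc symbols whose presence in a bundled .so becomes a binary feature (constructed).
NATIVE_SYMBOLS = ("dlopen", "execve", "fork", "ptrace", "system")

def api_category(method_ref):
    """Map 'pkg.sub.Class.method' to the longest matching package in API_CATEGORIES."""
    pkg = method_ref.rsplit(".", 2)[0]      # drop 'Class.method'
    while pkg:
        if pkg in API_CATEGORIES:
            return API_CATEGORIES[pkg]
        pkg = pkg.rpartition(".")[0]        # walk up one package level
    return "other"

def extract_features(api_calls, native_imports):
    """Build one flat, fixed-order feature dict from API call sites and native imports."""
    cats = Counter(api_category(m) for m in api_calls)
    names = sorted(set(API_CATEGORIES.values()) | {"other"})
    feats = {"api:" + c: cats.get(c, 0) for c in names}
    reflective = [m for m in api_calls if m in REFLECTION_APIS]
    feats["refl:calls"] = len(reflective)
    feats["refl:dynamic_dex"] = int(any(m.startswith("dalvik.system.") for m in reflective))
    for sym in NATIVE_SYMBOLS:                # one binary feature per watched symbol
        feats["native:" + sym] = int(sym in native_imports)
    feats["native:import_count"] = len(native_imports)
    return feats

# Constructed sample standing in for a dex/ELF parser's output for one app.
SAMPLE_CALLS = ["android.telephony.TelephonyManager.getDeviceId", "java.lang.Class.forName",
                "java.lang.reflect.Method.invoke", "dalvik.system.DexClassLoader.<init>",
                "java.net.HttpURLConnection.connect", "android.widget.Toast.makeText"]
SAMPLE_NATIVE = {"dlopen", "strlen", "system"}

if __name__ == "__main__":
    for k, v in extract_features(SAMPLE_CALLS, SAMPLE_NATIVE).items():
        print(f"{k:<22}{v}")
```

The resulting vector is what a classifier would be trained on; renaming the app's own classes changes none of these values because only framework references and imported symbols are counted.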