
Android remote control malware detection based on control dependency analysis

Tsinghua University · 辅仁网 / 2017-07-07

Control dependency analyses for detecting remote control Android malware
Jingzhe LI, Bin LIANG, Wei YOU, Peng WANG, Wenchang SHI
School of Information, Renmin University of China, Beijing 100872, China

Abstract: To detect remote control Android malware, this paper analyses real-world samples of this class and proposes a dynamic taint detection method based on control dependency analysis. Dynamic taint analysis is a mainstream technique for malware detection; the paper extends conventional dynamic taint analysis so that it can detect remote control Android malware. A static analysis first determines the control range of each conditional branch instruction, and static instrumentation then inserts control-dependency tracking into the target application. At runtime the instrumented application checks whether the current sensitive operation is control dependent on tainted data, which makes it possible to analyse and detect remote control malware effectively. A prototype detection system was implemented; experimental results show that the method effectively detects real Android remote control malware.

Keywords: remote control malware; dynamic taint analysis; control dependence
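The two steps the abstract describes, static control-range computation followed by a runtime check at each sensitive operation, are easiest to see on a small control-flow graph. The example below is added here and is not the paper's code or prototype; it computes post-dominators, the post-dominator tree (PDT), and Ferrante-style control dependencies for a constructed CFG modelled on a command-dispatch routine (block layout, block names, and the sink labels `SmsManager.sendTextMessage` and `ContentResolver.delete(sms)` are assumptions, not taken from Geinimi or any other sample), then replays execution traces the way an instrumented app would observe them. Conventional dynamic taint analysis propagates taint only along data flow, so a sensitive operation whose arguments are constants but whose execution was decided by a tainted command is never flagged; the control-range stack in `replay` is what closes that gap.

```python
"""Control-dependency-aware taint check on a toy CFG.

Added example, not the paper's code. Step 1 (static): post-dominators, the
immediate post-dominator tree and control dependencies; the control range of a
branch is everything executed between the branch and its immediate
post-dominator. Step 2 (runtime): replay an execution trace and flag a sink
reached while a branch decided on tainted data is still in scope.
"""
from collections import defaultdict

# Constructed CFG (assumed layout, not any real sample's code):
#   B0: cmd = next command (from the network in the malicious traces below)
#   B1: if cmd == "sms": goto B2 else goto B3      -- branch on tainted data
#   B2: SmsManager.sendTextMessage(NUMBER, BODY)    -- sink, constant arguments
#   B3: if cmd == "del": goto B4 else goto B5      -- branch on tainted data
#   B4: ContentResolver.delete(content://sms ...)  -- sink
#   B5: return
CFG = {"B0": ["B1"], "B1": ["B2", "B3"], "B2": ["B5"],
       "B3": ["B4", "B5"], "B4": ["B5"], "B5": []}
SINKS = {"B2": "SmsManager.sendTextMessage", "B4": "ContentResolver.delete(sms)"}


def post_dominators(cfg):
    """Iterative dataflow: pdom(n) = {n} | intersection of pdom(s) over successors."""
    nodes = list(cfg)
    pdom = {n: ({n} if not cfg[n] else set(nodes)) for n in nodes}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if not cfg[n]:
                continue  # exit node: post-dominated only by itself
            new = {n} | set.intersection(*(pdom[s] for s in cfg[n]))
            if new != pdom[n]:
                pdom[n], changed = new, True
    return pdom


def immediate_post_dominators(pdom):
    """Strict post-dominators of n form a chain; the closest has the largest pdom set."""
    return {n: (max(ds - {n}, key=lambda d: len(pdom[d])) if ds - {n} else None)
            for n, ds in pdom.items()}


def control_dependencies(cfg):
    """Ferrante et al.: for an edge A->B where B does not post-dominate A, every node
    on the PDT path from B up to (excluding) ipdom(A) is control dependent on A."""
    pdom = post_dominators(cfg)
    ipdom = immediate_post_dominators(pdom)
    deps = defaultdict(set)  # block -> branch blocks it is directly control dependent on
    for a, succs in cfg.items():
        for b in succs:
            if b in pdom[a]:
                continue  # b runs whatever a decides, so a does not control it
            n = b
            while n is not None and n != ipdom[a]:
                deps[n].add(a)
                n = ipdom[n]
    return dict(deps), ipdom


def control_range(deps, branch):
    """Blocks transitively controlled by `branch`: what the instrumentation must guard."""
    rng = {n for n, ds in deps.items() if branch in ds}
    while True:
        more = {n for n, ds in deps.items() if ds & rng} - rng
        if not more:
            return rng
        rng |= more


def replay(trace, ipdom, sinks=SINKS):
    """trace: (block, branch_decided_on_tainted_data, sink_args_tainted) per executed
    block. A sink is flagged if its arguments are tainted (classic data flow) or if a
    tainted branch's control range is still open; `via` names the responsible branch."""
    scopes = []  # stack of (tainted branch block, block where its control range ends)
    alerts = []
    for block, branch_tainted, args_tainted in trace:
        while scopes and scopes[-1][1] == block:  # reached ipdom(branch): range closed
            scopes.pop()
        if block in sinks and (args_tainted or scopes):
            alerts.append({"sink": sinks[block], "block": block,
                           "via": scopes[-1][0] if scopes else "data flow"})
        if branch_tainted:
            scopes.append((block, ipdom[block]))
    return alerts


def data_flow_only(trace, sinks=SINKS):
    """Baseline: taint tracking that propagates only through data flow."""
    return [sinks[b] for b, _, args_tainted in trace if b in sinks and args_tainted]


# Constructed traces: command from the network ("sms", "del") vs. a local, untainted value.
TRACE_SMS = [("B0", False, False), ("B1", True, False), ("B2", False, False), ("B5", False, False)]
TRACE_DEL = [("B0", False, False), ("B1", True, False), ("B3", True, False),
             ("B4", False, False), ("B5", False, False)]
TRACE_LOCAL = [("B0", False, False), ("B1", False, False), ("B2", False, False), ("B5", False, False)]

if __name__ == "__main__":
    deps, ipdom = control_dependencies(CFG)
    print("ipdom:", ipdom)
    print("control range of B1:", sorted(control_range(deps, "B1")))
    for name, tr in (("sms", TRACE_SMS), ("del", TRACE_DEL), ("local", TRACE_LOCAL)):
        print(name, "data flow only:", data_flow_only(tr), "with control deps:", replay(tr, ipdom))
```

The scope stack is closed when execution reaches the branch's immediate post-dominator, which is the runtime equivalent of the statically computed control range; on the constructed traces the baseline reports nothing because the SMS arguments are constants, while the control-dependency check attributes each sink to the tainted branch that selected it. A real instrumentation pass needs extra handling for loops (a branch re-executed before its post-dominator is reached) and for methods with several exit blocks, which this toy CFG avoids.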
Received: 2013-12-01    Published online: 2015-04-16
Funding: National Natural Science Foundation of China (61170240, 61070192); National Science and Technology Major Project (2012ZX01039-004)
Cite this article:
Jingzhe LI, Bin LIANG, Wei YOU, Peng WANG, Wenchang SHI. Control dependency analyses for detecting remote control Android malware. Journal of Tsinghua University (Science and Technology), 2014, 54(1): 8-13.
Article link: http://jst.tsinghuajournals.com/CN/Y2014/V54/I1/8


Figures and tables:
Key code fragment in which Geinimi sends an SMS and deletes the SMS record
Code fragment in which Geinimi selects the control operation to perform
Detection workflow for Android remote control malware
Example code fragment with its CFG and post-dominator tree (PDT)

Detection results for Android remote control malware

Sample family   Samples   Malicious behaviour
Geinimi         7         remote-controlled SMS sending
GoldDream       6         remote-controlled SMS sending
Anserverbot     2         remote-controlled download



