| Android恶意广告威胁分析与检测技术 |
| 韩心慧, 丁怡婧, 王东祺, 黎桐辛, 叶志远 |
| 北京大学 计算机科学与技术研究所, 北京 100080 |
| Android malicious AD threat analysis and detection techniques |
| HAN Xinhui, DING Yijing, WANG Dongqi, LI Tongxin, YE Zhiyuan |
| Institute of Computer Science and Technology, Peking University, Beijing 100080, China |
摘要:
| |||
| 摘要Android第三方广告框架应用广泛, 但Android系统漏洞和Android第三方广告框架的逻辑缺陷严重威胁着Android市场安全。攻击者可以通过恶意广告获取敏感数据、触发敏感操作, 甚至是以应用程序的权限执行任意代码。该文总结了4种Android恶意广告攻击方式, 并针对这4种方式设计了一种基于后向切片算法和静态污点分析的Android第三方广告框架静态测量方法, 以及一种基于API Hook和靶向API Trace的Android恶意广告敏感行为动态检测方法。基于以上研究, 该文设计并实现了Android恶意广告威胁分析与检测系统, 通过实例证明该系统能够有效地分析Android第三方广告框架可能存在的安全隐患, 并能够动态检测Android恶意广告的敏感行为。 | |||
| 关键词 :Android,恶意广告,威胁,静态分析,动态分析 | |||
| Abstract:Android third-party advertising frameworks are deployed in almost every Android app. The vulnerabilities of the Android OS and these advertising frameworks greatly impact the security of the Android market. The attacker can get the users' private data, trigger sensitive operations and execute arbitrary code on the device. This paper summarizes four classes of attacks in Android third-party advertising frameworks and gives two detection algorithms to discover these four classes of vulnerabilities. The first detection algorithm statically analyzes the advertising frameworks using a backward slicing algorithm and a static forward tainting analysis. The second algorithm dynamically detects malicious behavior in advertising frameworks using API hooking and targeted API tracing. An Android malicious ad security threat analysis and detection system is designed and implemented based on these two algorithms. Tests show that this system effectively discovers potential vulnerabilities in advertising frameworks and dynamically detects malicious behavior in advertisements. | |||
| Key words:Androidmalicious ADthreatstatic analysisdynamic analysis | |||
| 收稿日期: 2016-01-21 出版日期: 2016-05-19 | |||
| |||
| 引用本文: |
| 韩心慧, 丁怡婧, 王东祺, 黎桐辛, 叶志远. Android恶意广告威胁分析与检测技术[J]. 清华大学学报(自然科学版), 2016, 65(5): 468-477. HAN Xinhui, DING Yijing, WANG Dongqi, LI Tongxin, YE Zhiyuan. Android malicious AD threat analysis and detection techniques. Journal of Tsinghua University(Science and Technology), 2016, 65(5): 468-477. |
| 链接本文: |
| http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2016.25.003或 http://jst.tsinghuajournals.com/CN/Y2016/V65/I5/468 |
图表:
 |
| 图1 Util类的实现 |
 |
| 图2 DummyMain函数中回调函数模拟调用指令的伪代码 |
 |
| 图3 WebView 中JavaScript代码调用JavaScript接口函数的处理机制 |
 |
| 图4 靶向APITrace优化方法 |
 |
| 图5 Android恶意广告威胁分析与检测系统架构图 |
 |
| 表1 基于静态分析的Android广告框架测量实验结果 |
 |
| 表1 基于静态分析的Android广告框架测量实验结果(续表) |
 |
| 图6 基于静态分析的Android广告框架测量实验结果统计 |
 |
| 表2 基于动态分析的Android广告框架漏洞验证实验结果 |
 |
| 图7 某广告框架敏感行为捕获 |
参考文献:
| [1] Manoogian J. How free apps can make more money than paid apps[Z/OL]. (2015-6-10). http://techcrunch.com/2012/08/26/how-free-apps-can-make-more-money-than-paid-apps/. [2] Hruska J. Google throws nearly a billion Android users under the bus, refuses to patch OS vulnerability[Z/OL]. (2015-6-10). http://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability. [3] Vidas T, Votipka D, Christin N. All your droid are belong to us:A survey of current Android attacks[C]//Proceedings of the 5th USENIX Workshop on Offensive Technologies (WOOT 2011). San Francisco, USA:USENIX, 2011:81-90. [4] AVL团队. 广告件发展现状分析[Z/OL]. (2015-06-10). http://blog.avlyun.com/2015/01/2079/malicious-adware/. AVL Team.Analysis of the development of adware[Z/OL]. (2015-06-10). http://blog.avlyun.com/2015/01/2079/malicious-adware/. (in Chinese) [5] Fuchs A P, Chaudhuri A, Foster J S. Scandroid:Automated security certification of Android applications[R]. Maryland:University of Maryland,2009. [6] Chin E, Felt A P, Greenwood K, et al. Analyzing inter-application communication in Android[C]//Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services. Washington D C, USA:ACM, 2011:239-252. [7] Octeau D, McDaniel P, Jha S, et al. Effective inter-component communication mapping in Android with epicc:An essential step towards holistic security analysis[C]//Proceedings of the 22nd USENIX Security Symposium. Washington D C, USA:USENIX, 2013:543-558. [8] Arzt S, Rasthofer S, Fritz C, et al. Flowdroid:Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps[C]//Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. Edinburgh, UK:ACM, 2014:49(6):259-269. [9] Soot Developers. Soot[Z/OL]. (2015-6-10). http://sable.github.io/soot/. [10] Enck W, Gilbert P, Han S, et al. TaintDroid:An information-flow tracking system for realtime privacy monitoring on smartphones[J].ACM Transactions on Computer Systems (TOCS), 2014,32(2):5. [11] Newsome J, Song D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software[C]//Proceedings of the 12th Network and Distributed System Security Symposium (NDSS'05). San Diego, California, USA:ISOC, 2005. [12] Reina A, Fattori A, Cavallaro L. A system call-centric analysis and stimulation technique to automatically reconstruct Android malware behaviors[J].EuroSec, April, 2013. [13] Xu R, Saïdi H, Anderson R. Aurasium:Practical policy enforcement for Android applications[C]//USENIX Security Symposium. Tucson, Arizona, USA:USENIX, 2012:539-552. [14] Grace M C, Zhou W, Jiang X X, et al. Unsafe exposure analysis of mobile in-app advertisements[C]//Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks. Tucson, Arizona, USA:ACM, 2012:101-112. [15] Stevens R, Gibler C, Crussell J, et al. Investigating user privacy in Android ad libraries[C]//Workshop on Mobile Security Technologies (MoST). San Francisco, USA:IEEE CS Technical Committee on Security and Privacy, 2012. [16] Pearce P, Felt A P, Nunez G, et al. Addroid:Privilege separation for applications and advertisers in Android[C]//Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security. Seoul, Korea:ACM, 2012:71-72. [17] Shekhar S, Dietz M, Wallach D S. AdSplit:Separating smartphone advertising from applications[C]//USENIX Security Symposium. Tucson, Arizona, USA:USENIX, 2012:553-567. [18] Kawabata H, Isohara T, Takemori K, et al. Sandbox:Sandboxing third party advertising libraries in a mobile application[C]//Communications (ICC), 2013 IEEE International Conference on IEEE. Budapest, Hungary:IEEE, 2013:2150-2154. [19] WEI Tao, ZHANG Yulong, XUE Hui, et al. Sidewinder targeted attack against Android in the golden age of ad libraries[C]//Proceedings of Black Hat USA 2014. Las Vegas, USA, 2014. [20] Fireeye. JS-Binding-Over-HTTP vulnerability and JavaScript sidedoor:Security risks affecting billions of Android app downloads[Z/OL]. (2015-6-10). https://www.fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html. [21] Wikipedia Contributors. Same-origin policy[Z/OL]. (2015-6-10). http://en.wikipedia.org/wiki/Same-origin_policy. [22] CVE Details. Vulnerability details:CVE-2014-6041[Z/OL]. (2015-6-10). http://www.cvedetails.com/cve/CVE-2014-6041/. [23] Bianchi A, Corbetta J, Invernizzi L, et al. What the app is that? Deception and countermeasures in the Android user interface[C]//2015 IEEE Symposium on Security and Privacy. San Jose, CA, USA:IEEE, 2015:931-948. [24] Xposed. Xposed module repository[Z/OL]. (2015-6-10). http://repo.xposed.info/module/de.robv.android.xposed. installer. |
相关文章:
|
