Abstract: Android third-party advertising frameworks are deployed in almost every Android app. Vulnerabilities in the Android OS and in these advertising frameworks greatly impact the security of the Android market. An attacker can obtain users' private data, trigger sensitive operations and execute arbitrary code on the device. This paper summarizes four classes of attacks on Android third-party advertising frameworks and gives two detection algorithms to discover these four classes of vulnerabilities. The first detection algorithm statically analyzes the advertising frameworks using a backward slicing algorithm and a static forward taint analysis. The second algorithm dynamically detects malicious behavior in advertising frameworks using API hooking and targeted API tracing. An Android malicious ad security threat analysis and detection system is designed and implemented based on these two algorithms. Tests show that this system effectively discovers potential vulnerabilities in advertising frameworks and dynamically detects malicious behavior in advertisements.
HAN Xinhui, DING Yijing, WANG Dongqi, LI Tongxin, YE Zhiyuan. Android malicious AD threat analysis and detection techniques[J]. Journal of Tsinghua University (Science and Technology), 2016, 56(5): 468-477.