Please wait a minute...
 首页  期刊介绍 期刊订阅 联系我们 横山亮次奖 百年刊庆
 
最新录用  |  预出版  |  当期目录  |  过刊浏览  |  阅读排行  |  下载排行  |  引用排行  |  横山亮次奖  |  百年刊庆
清华大学学报(自然科学版)  2016, Vol. 65 Issue (5): 468-477    DOI: 10.16511/j.cnki.qhdxxb.2016.25.003
  信息安全 本期目录 | 过刊浏览 | 高级检索 |
Android恶意广告威胁分析与检测技术
韩心慧, 丁怡婧, 王东祺, 黎桐辛, 叶志远
北京大学 计算机科学与技术研究所, 北京 100080
Android malicious AD threat analysis and detection techniques
HAN Xinhui, DING Yijing, WANG Dongqi, LI Tongxin, YE Zhiyuan
Institute of Computer Science and Technology, Peking University, Beijing 100080, China
全文: PDF(1774 KB)  
输出: BibTeX | EndNote (RIS)      
摘要 Android第三方广告框架应用广泛, 但Android系统漏洞和Android第三方广告框架的逻辑缺陷严重威胁着Android市场安全。攻击者可以通过恶意广告获取敏感数据、触发敏感操作, 甚至是以应用程序的权限执行任意代码。该文总结了4种Android恶意广告攻击方式, 并针对这4种方式设计了一种基于后向切片算法和静态污点分析的Android第三方广告框架静态测量方法, 以及一种基于API Hook和靶向API Trace的Android恶意广告敏感行为动态检测方法。基于以上研究, 该文设计并实现了Android恶意广告威胁分析与检测系统, 通过实例证明该系统能够有效地分析Android第三方广告框架可能存在的安全隐患, 并能够动态检测Android恶意广告的敏感行为。
服务
把本文推荐给朋友
加入引用管理器
E-mail Alert
RSS
作者相关文章
韩心慧
丁怡婧
王东祺
黎桐辛
叶志远
关键词 Android恶意广告威胁静态分析动态分析    
Abstract:Android third-party advertising frameworks are deployed in almost every Android app. The vulnerabilities of the Android OS and these advertising frameworks greatly impact the security of the Android market. The attacker can get the users' private data, trigger sensitive operations and execute arbitrary code on the device. This paper summarizes four classes of attacks in Android third-party advertising frameworks and gives two detection algorithms to discover these four classes of vulnerabilities. The first detection algorithm statically analyzes the advertising frameworks using a backward slicing algorithm and a static forward tainting analysis. The second algorithm dynamically detects malicious behavior in advertising frameworks using API hooking and targeted API tracing. An Android malicious ad security threat analysis and detection system is designed and implemented based on these two algorithms. Tests show that this system effectively discovers potential vulnerabilities in advertising frameworks and dynamically detects malicious behavior in advertisements.
Key wordsAndroid    malicious AD    threat    static analysis    dynamic analysis
收稿日期: 2016-01-21      出版日期: 2016-05-19
ZTFLH:  TP393.08  
引用本文:   
韩心慧, 丁怡婧, 王东祺, 黎桐辛, 叶志远. Android恶意广告威胁分析与检测技术[J]. 清华大学学报(自然科学版), 2016, 65(5): 468-477.
HAN Xinhui, DING Yijing, WANG Dongqi, LI Tongxin, YE Zhiyuan. Android malicious AD threat analysis and detection techniques. Journal of Tsinghua University(Science and Technology), 2016, 65(5): 468-477.
链接本文:  
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2016.25.003  或          http://jst.tsinghuajournals.com/CN/Y2016/V65/I5/468
  图1 Util类的实现
  图2 DummyMain函数中回调函数模拟调用指令的伪代码
  图3 WebView 中JavaScript代码调用JavaScript接口函数的处理机制
  图4 靶向APITrace优化方法
  图5 Android恶意广告威胁分析与检测系统架构图
  表1 基于静态分析的Android广告框架测量实验结果
  表1 基于静态分析的Android广告框架测量实验结果(续表)
  图6 基于静态分析的Android广告框架测量实验结果统计
  表2 基于动态分析的Android广告框架漏洞验证实验结果
  图7 某广告框架敏感行为捕获
[1] Manoogian J. How free apps can make more money than paid apps[Z/OL]. (2015-6-10). http://techcrunch.com/2012/08/26/how-free-apps-can-make-more-money-than-paid-apps/.
[2] Hruska J. Google throws nearly a billion Android users under the bus, refuses to patch OS vulnerability[Z/OL]. (2015-6-10). http://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability.
[3] Vidas T, Votipka D, Christin N. All your droid are belong to us:A survey of current Android attacks[C]//Proceedings of the 5th USENIX Workshop on Offensive Technologies (WOOT 2011). San Francisco, USA:USENIX, 2011:81-90.
[4] AVL团队. 广告件发展现状分析[Z/OL]. (2015-06-10). http://blog.avlyun.com/2015/01/2079/malicious-adware/. AVL Team.Analysis of the development of adware[Z/OL]. (2015-06-10). http://blog.avlyun.com/2015/01/2079/malicious-adware/. (in Chinese)
[5] Fuchs A P, Chaudhuri A, Foster J S. Scandroid:Automated security certification of Android applications[R]. Maryland:University of Maryland,2009.
[6] Chin E, Felt A P, Greenwood K, et al. Analyzing inter-application communication in Android[C]//Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services. Washington D C, USA:ACM, 2011:239-252.
[7] Octeau D, McDaniel P, Jha S, et al. Effective inter-component communication mapping in Android with epicc:An essential step towards holistic security analysis[C]//Proceedings of the 22nd USENIX Security Symposium. Washington D C, USA:USENIX, 2013:543-558.
[8] Arzt S, Rasthofer S, Fritz C, et al. Flowdroid:Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps[C]//Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. Edinburgh, UK:ACM, 2014:49(6):259-269.
[9] Soot Developers. Soot[Z/OL]. (2015-6-10). http://sable.github.io/soot/.
[10] Enck W, Gilbert P, Han S, et al. TaintDroid:An information-flow tracking system for realtime privacy monitoring on smartphones[J].ACM Transactions on Computer Systems (TOCS), 2014,32(2):5.
[11] Newsome J, Song D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software[C]//Proceedings of the 12th Network and Distributed System Security Symposium (NDSS'05). San Diego, California, USA:ISOC, 2005.
[12] Reina A, Fattori A, Cavallaro L. A system call-centric analysis and stimulation technique to automatically reconstruct Android malware behaviors[J].EuroSec, April, 2013.
[13] Xu R, Saïdi H, Anderson R. Aurasium:Practical policy enforcement for Android applications[C]//USENIX Security Symposium. Tucson, Arizona, USA:USENIX, 2012:539-552.
[14] Grace M C, Zhou W, Jiang X X, et al. Unsafe exposure analysis of mobile in-app advertisements[C]//Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks. Tucson, Arizona, USA:ACM, 2012:101-112.
[15] Stevens R, Gibler C, Crussell J, et al. Investigating user privacy in Android ad libraries[C]//Workshop on Mobile Security Technologies (MoST). San Francisco, USA:IEEE CS Technical Committee on Security and Privacy, 2012.
[16] Pearce P, Felt A P, Nunez G, et al. Addroid:Privilege separation for applications and advertisers in Android[C]//Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security. Seoul, Korea:ACM, 2012:71-72.
[17] Shekhar S, Dietz M, Wallach D S. AdSplit:Separating smartphone advertising from applications[C]//USENIX Security Symposium. Tucson, Arizona, USA:USENIX, 2012:553-567.
[18] Kawabata H, Isohara T, Takemori K, et al. Sandbox:Sandboxing third party advertising libraries in a mobile application[C]//Communications (ICC), 2013 IEEE International Conference on IEEE. Budapest, Hungary:IEEE, 2013:2150-2154.
[19] WEI Tao, ZHANG Yulong, XUE Hui, et al. Sidewinder targeted attack against Android in the golden age of ad libraries[C]//Proceedings of Black Hat USA 2014. Las Vegas, USA, 2014.
[20] Fireeye. JS-Binding-Over-HTTP vulnerability and JavaScript sidedoor:Security risks affecting billions of Android app downloads[Z/OL]. (2015-6-10). https://www.fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html.
[21] Wikipedia Contributors. Same-origin policy[Z/OL]. (2015-6-10). http://en.wikipedia.org/wiki/Same-origin_policy.
[22] CVE Details. Vulnerability details:CVE-2014-6041[Z/OL]. (2015-6-10). http://www.cvedetails.com/cve/CVE-2014-6041/.
[23] Bianchi A, Corbetta J, Invernizzi L, et al. What the app is that? Deception and countermeasures in the Android user interface[C]//2015 IEEE Symposium on Security and Privacy. San Jose, CA, USA:IEEE, 2015:931-948.
[24] Xposed. Xposed module repository[Z/OL]. (2015-6-10). http://repo.xposed.info/module/de.robv.android.xposed. installer.
[1] 邓辉, 刘晖, 张宝峰, 毛军捷, 郭颖, 熊琦, 谢仕华. 面向复杂网络的威胁度量及聚合方法[J]. 清华大学学报(自然科学版), 2016, 65(5): 511-516.
[2] 董国伟, 王眉林, 邵帅, 朱龙华. 基于特征匹配的Android应用漏洞分析框架[J]. 清华大学学报(自然科学版), 2016, 65(5): 461-467.
[3] 李舟军, 吴春明, 王啸. 基于沙盒的Android应用风险行为分析与评估[J]. 清华大学学报(自然科学版), 2016, 65(5): 453-460.
[4] 徐强, 梁彬, 游伟, 石文昌. 基于SURF算法的Android恶意应用钓鱼登录界面检测[J]. 清华大学学报(自然科学版), 2016, 56(1): 77-82.
[5] 马刚, 杜宇鸽, 荣江, 甘家瑞, 史忠植, 安波. 基于威胁传播的复杂信息系统安全风险评估[J]. 清华大学学报(自然科学版), 2014, 54(1): 35-43.
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
版权所有 © 《清华大学学报(自然科学版)》编辑部
本系统由北京玛格泰克科技发展有限公司设计开发 技术支持:support@magtech.com.cn