Fig 1 - uploaded by Dominik Maier
Life cycle of Promon Shield's native library.

Source publication
Chapter
The continued popularity of smartphones has led companies from all business sectors to use them for security-sensitive tasks like two-factor authentication. Android, however, suffers from a fragmented landscape of devices and versions, which leaves many devices unpatched by their manufacturers. This security gap has created a vital market of commer...

Contexts in source publication

Context 1
... life cycle of an app protected by Promon Shield is illustrated in Fig. 1. The app first loads the native library libshield.so. For this, the integration tool adds initializing Java code to the onCreate method of the main activity, as specified in AndroidManifest.xml. The native library relies on three files which are a product of the integration tool and are added encrypted to the assets of the APK: ...
Context 2
... Externalization. Apart from the substitution of strings with method calls to Promon's getStr method, it also externalizes Java constants in a clever way. This works as follows and the process is further illustrated in Fig. 3: (1) The Promon integration tool replaces any class member field declared as static and final with a random value of the correct type. Similar to the string externalization, the replaced values of a class are stored in a nested dictionary: While the first level takes the fully qualified class name as a key, its value is a dictionary that ...

Citations

... However, their study used static analysis techniques, which are susceptible to errors due to obfuscation, and did not cover all the resiliency requirements set forth by the OWASP. Prior works have also extensively evaluated app hardening techniques [14], audited runtime protection mechanisms [13], or scrutinized specific defense mechanisms such as anti-root [12] or defense libraries such as ProGuard [15]. While previous studies used static analysis and focused on the usage of specific protection methods, the presence of a defense mechanism against a specific type of attack does not guarantee safety against any tampering attack. ...
... For a wider understanding of how multiple resiliency methods are in place, researchers also analyzed more than one attack vector at a time. Haupert et al. [14] examined a widely used library which provides app self-protection, and demonstrated two runtime attacks against the protections in place to disable security measures. In their work, they analyzed the custom libraries which can provide multiple self-protection methods; however, they were able to exploit the integrity of apps regardless. ...
... Malware researchers are propagating obfuscated and encrypted banking trojans, evading anti-malware scanners. They employ code obfuscation, encryption, dynamic loading and native code execution to circumvent Google Play protection [5,6,7,8,9,10,11,12,13,14]. App developers, on the other hand, are using them to prevent their source code and intellectual property from misuse. ...
... Note that the graph only accounts for publications having the desired keyword(s) in its title or abstract and belonging to the related field of research. [Figure 2: Layout of the survey] ...droid malware evolution and detection techniques [16,11,17] but in detail focuses on Android application hardening methods systematically. It differs from previous surveys as depicted in table 1. ...
... Attackers are always trying to reverse popular applications to inject malicious code. An attacker using the tampered application can get inside the smartphone to access, manipulate and exchange user data [42,11,122]. Anti-tampering, popular as Integrity Checking, uses methods to ensure that application code and resources are not altered by a third party. ...
Article
In the age of increasing mobile and smart connectivity, malware poses an ever evolving threat to individuals, societies and nations. Anti-malware companies are often the first and only line of defense for mobile users. Driven by economic benefits, quantity and complexity of Android malware are increasing, thus making them difficult to detect. Malware authors employ multiple techniques (e.g. code obfuscation, packaging and encryption) to evade static analysis (signature based) and dynamic analysis (behavior based) detection methods. In this article, we present an overview of Android and its state of the art security services. We then present an exhaustive and analytic taxonomy of Android malware hardening techniques available in the literature. Furthermore, we review and analyze the code obfuscation and preventive techniques used by malware to evade detection. Hardening mechanisms are also popular amongst application developers to fortify against reverse engineering. Based on our in-depth survey, we highlight the issues related to them and manifest future directions. We believe in the need to examine the effectiveness and efficiency of hardening techniques and their combination.
... Application hardening [50] Modification of an application to make it more resistant against attacks, such as the obfuscation of the application code. ...
... We also propose using ML anomaly detection systems to identify potential malware threats [24] [141]. Finally, Chakkaravarty et al. [154] reviewed current persistent malware techniques able to bypass common countermeasures and proposed mitigation techniques, such as sandboxing [104], application hardening [50] and malware visualization [41]. It is essential to highlight that the countermeasures applicable for this phase highly depend on the device constraints that implement this phase, which is typically the BCI device (see Section 3). ...
Article
Brain-Computer Interfaces (BCIs) have significantly improved the patients' quality of life by restoring damaged hearing, sight, and movement capabilities. After evolving their application scenarios, the current trend of BCI is to enable new innovative brain-to-brain and brain-to-the-Internet communication paradigms. This technological advancement generates opportunities for attackers since users' personal information and physical integrity could be under tremendous risk. This work presents the existing versions of the BCI life-cycle and homogenizes them in a new approach that overcomes current limitations. After that, we offer a qualitative characterization of the security attacks affecting each phase of the BCI cycle to analyze their impacts and countermeasures documented in the literature. Finally, we reflect on lessons learned, highlighting research trends and future challenges concerning security on BCIs.
... In the ideal case, RASP agents can be deployed in a plug and play manner, requiring only an initial configuration as Haupert et al. [12] describes regarding the deployment of Promon SHIELD RASP [22]. In cases where an agent does not require any configuration or a learning phase, attacks are detected using techniques that, e.g., combine taint-tracking with lexical analysis [2] or that monitor common input sinks and output sources for known malicious behavior and signatures [23]. ...
... European researchers have also been looking into their banking systems and the security of mobile banking applications. European banking applications seem to adopt a by far stronger protection strategy, as evident by the measures the authors had to adopt to attempt an analysis [30,31]. Among others, the use of commercial protectors is employed to impede analysis by reverse engineers and provide a strong measure of integrity protection, as well as enhanced safeguards for data stored on the mobile device and transmitted through the network [30]. ...
... European banking applications seem to adopt a by far stronger protection strategy, as evident by the measures the authors had to adopt to attempt an analysis [30,31]. Among others, the use of commercial protectors is employed to impede analysis by reverse engineers and provide a strong measure of integrity protection, as well as enhanced safeguards for data stored on the mobile device and transmitted through the network [30]. Therefore, we advocate for other countries, including Brazil, to adopt similar rules towards establishing a more secure environment for mobile bank apps operations. ...
Conference Paper
Internet Banking has become the primary way of accessing banking services for most customers, but its security is still a constant concern, since millions of dollars are still lost every year due to frauds. Over time, banks and customers overcame the initial technology distrust and learned how to secure their operations. However, there are still many lessons to learn, mainly when looking to the upcoming technological developments. To understand the lessons learned over time and also to help shed light on possible future developments, we review the past and the present of internet banking implementations in Brazil, a country widely adopting this type of service and an early adopter of new banking technologies, thus targeted by many threats. We show how Internet banking evolved from desktop software to mobile apps and how attackers also evolved from phishing mails to complete phishing applications to target Brazilian users. We also performed a detailed security analysis of Brazilian banking apps available in the Android app store and identified that developers still fail to follow secure development practices, thus causing banking apps to leak users' sensitive data. Moreover, we also looked to the future to present new attacks which can threaten users in the short term. In particular, we demonstrate an attack against a Whatsapp-based transaction mechanism implemented by some Brazilian banks.
... Malicious or potentially unwanted applications are programs purposely designed to attack the security and privacy of the devices and their users. Moreover, Android apps are commonly hardened with advanced anti-analysis techniques, including obfuscation [3,6] and packing [7], which turn their analysis into a really challenging task. To cope with this challenge, Anti-Virus (AV) vendors and cyber security firms characterize newly discovered threats, label them with a family name, and share the specimens together with associated Indicators of Compromise (IoC) with the security community. ...
... Like in the previous section, we select two of the most popular families (i.e., Cvmtld and Rusms) and provide a qualitative evaluation of our findings. Cvmtld is an Android SMS Trojan which contains 19 different samples out of which: one sample is first detected in 2013, five samples are first detected in 2014, and the rest have been all detected in 2016. We observe that 8 ensembles of API methods are shared among all samples in this family. ...
Conference Paper
Assigning family labels to malicious apps is a common practice for grouping together malware with identical behavior. However, recent studies show that apps labeled as belonging to the same family do not necessarily behave similarly: one app may lack or have extra capabilities compared to others in the same family, and, conversely, two apps labeled as belonging to different families may exhibit close behavior. To reveal these inconsistencies, this paper presents AndrEnsemble, a characterization system for Android malware families based on ensembles of sensitive API calls extracted from aggregated call graphs of different families. Our method has several advantages over similar characterization approaches, including a greater reduction ratio with respect to original call graphs, robustness against transformation attacks, and flexibility to be applied at different granularity levels. We experimentally validate our approach and discuss three specific use cases: mobile ransomware, SMS Trojans and banking Trojans. This left us with some interesting findings. First of all, malicious operations in these types of malware are not necessarily exercised by using several sensitive API calls all together. Second, SMS Trojans have larger ensembles of API calls compared to the other types. Last but not least, we identified several samples with identical ensembles though being labeled as part of different families.
Chapter
Digital intellectual property is often protected by encrypting the data up to the point of use. Whitebox cryptography is an attempt to provide users with the ability to decrypt that data without actually revealing the key by embedding the key inside a cryptographic implementation. In this work, we design and implement Whiteboxgrind, a fast, fully automated toolchain that obtains execution traces from whitebox implementations and applies DCA to recover the hidden embedded keys. To evaluate Whiteboxgrind, we analysed whiteboxes of the CHES WhibOx 2019 competition, and found Whiteboxgrind to provide a significant performance improvement over the state-of-the-art tooling, enabling attacks that were previously infeasible due to memory constraints. Furthermore, we provide Whiteboxgrind's source code.

Keywords: Whitebox, Differential Computation Analysis, Side Channel Analysis, CHES WhibOx
Article
Over the last few years, there has been a steady increase in smart home technology's pervasiveness, to the degree where consumer IoT is part of many homes. As our homes become complex cyber-physical spaces, the risk to our physical security from attacks originating in cyberspace becomes much more significant. Within the literature, there is much discussion about the technical vulnerabilities within the smart home. However, this is often not linked to a rich understanding of how an attacker could exploit them. In this paper, we focus on residential burglary and develop a rich understanding of the process by which residential burglary is committed and the effect of the smart home on this process. By combining two areas of the academic literature, residential burglary and smart-home security, this paper provides an academically grounded discussion that places the nascent vulnerabilities associated with the smart-home into the context of the process by which burglary is committed. The commission of residential burglary is a complex decision-making process, which the public often simplifies into planned or unplanned crimes; this is a dangerous oversimplification. The analysis identifies some increased risk during the target selection stage. However, in the short term, residential burglars are unlikely to exploit smart home technology routinely.
Article
Android OS popularity has given significant rise to malicious apps targeting it. Malware use state of the art obfuscation methods to hide their functionality and evade anti-malware engines. We present BLADE, a novel obfuscation resilient system based on Opcode Segments for detection. It makes three contributions: Firstly, a novel Opcode Segment Document results in feature characterization resilient to obfuscation techniques. Secondly, we perform semantics based simplification of dalvik opcodes to enhance the resilience. Thirdly, we evaluate effectiveness of BLADE against different obfuscation techniques such as trivial obfuscation, string encryption, class encryption, reflection and their combinations. Our approach is found effective, accurate and resilient, when tested against benchmark datasets for malware detection, familial classification, malware type detection, obfuscation type detection and obfuscation resilient familial classification. Dataset available on: https://www.kaggle.com/vikassihag/blade-dataset