A survey of Android exploits in the wild

Abstract and Figures

The Android operating system has been dominating the mobile device market in recent years. Although Android has actively strengthened its security mechanisms and fixed a great number of vulnerabilities as its versions evolve, new vulnerabilities still keep emerging. Vulnerability exploitation is a common way to achieve privilege escalation on Android systems. In order to provide a holistic and comprehensive understanding of the exploits, we conduct a survey of 63 publicly available exploits for Android devices in this paper. Based on the analysis of the collected real-world exploits, we construct a taxonomy of Android exploitation and present the similarities/differences and strengths/weaknesses of different types of exploits. In addition, we conduct an evaluation of a group of selected exploits on our test devices. Based on both the theoretical analysis and the experimental results of the evaluation, we present our insight into Android exploitation. The growth of exploit categories along the timeline reflects three trends: (1) individual exploits are more device specific and operating system version specific; (2) exploits targeting vendors' customizations grow steadily while the increase of other types of exploits slows down; and (3) memory corruption gradually becomes the primary approach to initiate exploitation.
... In this sense, it is worth highlighting that most mobile devices are equipped with the Android operating system, about 70% of the current market [STATCOUNTER 2023]. However, along with its popularity, concern about user privacy and information security on Android devices is also growing, especially in academia and among corporate users [Meng et al. 2018], since its predominance also makes it the main target of malware and malicious users. ...
... Although there are studies that categorize and address the main aspects of CVEs related to mobile devices equipped with Android [Jimenez et al. 2016, Joshi and Parekh 2016, Meng et al. 2018, Tiwari and Velayutham 2019], these works make no correlation between these known vulnerabilities and the fixes that have been implemented by industry. ...
Conference Paper
Cataloguing Common Vulnerabilities and Exposures (CVE) records relating to Android devices and understanding how industry fixes such security flaws is not a trivial task. This is because each smartphone manufacturer publishes its reports in a different format, and the CVE database contains records that do not concern Android smartphones. This work therefore presents a layered tool, in which each layer performs part of the repetitive and tiring work of collecting, processing, correlating and making this information available in a new database, so that the data can then be consumed by other services and applications.
... Most of the Android TV devices on the market are not rooted out of the box, but attackers can exploit their vulnerabilities to gain root privileges. Meterpreter can be used with vulnerabilities like Dirty Cow, Zygote, or Stagefright in older Android versions to escalate privileges [27]. If attackers gain root access, they can modify system applications to include the Meterpreter payload and enable the malware to launch when a system application is launched. ...
Article
Full-text available
The smart TV ecosystem is rapidly expanding, allowing developers to publish their applications on TV markets to provide a wide array of services to TV users. However, this open nature can lead to significant cybersecurity concerns by bringing unauthorized access to home networks or leaking sensitive information. In this study, we focus on the security of Android TVs by developing a lightweight malware detection model specifically for these devices. We collected various Android TV applications from different markets and injected malicious payloads into benign applications to create Android TV malware, which is challenging to find on the market. We proposed a machine learning approach to detecting malware and evaluated our model. We compared the performance of nine classifiers and optimized the hyperparameters. Our findings indicated that the model performed well in rare malware cases on Android TVs. The most successful model classified malware with an F1-Score of 0.9789 in 0.1346 milliseconds per application.
... contain an actual AV) makes it more difficult for the current detection system to identify it as malicious. Although many studies on Android malware [7,9,10,11] are being actively developed recently, research efforts focused on Android scareware are still inadequate. This is due to the lack of understanding of mobile scareware. ...
Article
This paper spotlights Android scareware, relating its deceptive behavior to the dual personality syndrome of Jekyll and Hyde, as described in The Strange Case of Dr. Jekyll and Mr. Hyde. Modern scareware employs sophisticated evasion techniques, including metamorphic and polymorphic obfuscation, enabling it to alter its code structure during propagation. Additionally, anti-emulator techniques allow scareware to detect emulation environments and conceal malicious activities. To address these challenges, we propose a hybrid approach that combines static and dynamic analysis, leveraging features derived from unreferenced strings and network flow. This method enhances detection by uncovering scareware's dual behaviors. Using five classifiers, we construct models to address three detection scenarios: identifying malicious Android apps, categorizing apps by scareware type, and classifying apps into scareware families. Tested on a dataset of 1,350 samples, the proposed method outperforms existing approaches, achieving over 90% accuracy across all scenarios with an average false positive rate of just 0.04
... The program asks for various permissions (such as SMS, call, contact permissions, and many more) during installation that essentially gives it power over the device. (Meng et al., 2018) Android quickly surpassed other operating systems in popularity, rendering it vulnerable to attacks because hackers are constantly on the lookout for weaknesses to exploit. The fact that several suppliers offer services that are marketed without well-established security measures makes defending the Android OS the most challenging issue. ...
Article
Full-text available
Android operating systems have swiftly outpaced other operating systems (OS) in popularity, making them vulnerable to assaults since hackers are continuously looking for flaws to exploit. This is why several organisations have long been plagued by various types of mobile security threats. Utilizing a cyber-threat intelligence tool to evaluate, track, and prevent planned attacks is one crucial strategy to combat this effect. This paper discusses and investigates the FluBot malware, using the Dagah tool and Android Studio to phish, harvest and exploit malicious applications over SMS on Android devices. The Capability Maturity Model (CMM) was adopted and used for the investigation. The methodology adopted describes the operation of the FluBot malware through a cloned website, and demonstrates how FluBot is used to share a malicious link through the short message service (SMS), which is then used to grab a victim’s credentials. The outcome of the study displayed the information on the FluBot malware, including its source, domain, and destination. Similar malware analysis and assessments of cyber threat intelligence may be conducted using the techniques used in this study.
... Due to the end-requirement users for privacy protection, it may take into account the central system protection for machine-to-machine communication depending on the privacy level [55]. Regarding IoT web application attacks, there have been several exploitations in the past with Android systems which were released in 2008 [56]. As a result, data storage should be secured to avoid any threats that may cause attacks. ...
Article
Full-text available
Detecting cyber security vulnerabilities in the Internet of Things (IoT) devices before they are exploited is increasingly challenging and is one of the key technologies to protect IoT devices from cyber attacks. This work conducts a comprehensive survey to investigate the methods and tools used in vulnerability detection in IoT environments utilizing machine learning techniques on various datasets, i.e., IoT23. During this study, the common potential vulnerabilities of IoT architectures are analyzed on each layer and the machine learning workflow is described for detecting IoT vulnerabilities. A vulnerability detection and mitigation framework was proposed for machine learning-based vulnerability detection in IoT environments, and a review of recent research trends is presented.
... Their paper was limited to the analysis of Qualcomm, Trustonic, Huawei, Nvidia (Corporation, 2015) and Linaro OP-TEE brand TEE systems. Finally, other works, such as Busch et al. (2020) and Meng et al. (2018), also provide a thorough critical review, although limited to Huawei's TEE and Android vulnerabilities, respectively. This paper includes an exhaustive analysis of the security limitations and associated countermeasures of TrustZone-based TEEs. ...
... For example, Park et al. [69] combined machine learning to evaluate the potential threat of apps installed in Android. Meng et al. [178] performed a comprehensive analysis of 63 disclosed vulnerabilities in Android, discussed their features and taxonomy, and tested a group of selected vulnerabilities through practical cases. There are many OSs used in sensing devices, including Android-based Brillo, ARM Mbed OS, QNX, Windows 10 IoT core, and FreeRTOS. ...
Article
Full-text available
The rapid development and wide application of the Internet of Things (IoT) and sensor technologies have produced good opportunities for the development of IoT-based smart home systems (SHSs). However, during the rapid market expansion of SHSs, security challenges associated with SHSs have become a primary concern of people because they are so closely related to people’s daily lives. These security problems may damage information assets and pose a serious threat to people’s health and life. This study investigates security issues in SHSs and provides a comprehensive overview of research to date. In this review, after analyzing the existing definition and concept of SHSs proposed by authoritative encyclopedias and academic literature, we propose a more accurate, elaborated definition of SHSs, analyze their architecture, extract six natural and contextual features, and summarize spears (cyber-attack means) vs. shields (countermeasures) in detail in the context of SHSs. Then, the security frameworks and evaluation technologies in SHSs are discussed. Different scenarios for technology integration and the practical research results in SHSs, such as blockchain, cloud computing, Internet of Vehicles, and AI are presented meticulously. After that, two special issues related to security are discussed. We believe that future research on SHS security should focus on four aspects: the unification of architecture, resource limitation, fragmentation, and code and firmware security. In addition, research on SHS security should be given priority over its commercialization process.
Thesis
Full-text available
Recently, as in the rest of the world, the use of information technologies has been spreading in our country as well, and the importance of cyber security is increasing. Information technologies offer software with complex structures that provide various benefits to the user and, by their nature, also give rise to security vulnerabilities. This situation leaves various institutions and organizations, individual users, corporate websites and systems open to attacks by malicious persons (hackers). Information security encompasses all the work done to secure information stored in digital environments in order to prevent these attacks.
Conference Paper
Full-text available
This paper provides an overview of the mobile device security ecosystem and identifies the top security challenges.
Article
Full-text available
Google's Android is one of the most popular mobile operating system platforms today, being deployed on a wide range of mobile devices from various manufacturers. It is termed a privilege-separated operating system which implements some novel security mechanisms. Recent research and security attacks on the platform, however, have shown that the security model of Android is flawed and is vulnerable to transitive usage of privileges among applications. Privilege escalation attacks have been shown to be malicious and, with the widespread and growing use of the system, the platform for these attacks is also growing wider. This provides a motivation to design and implement better security frameworks and mechanisms to mitigate these attacks. This paper discusses: (1) the security features currently provided by the Android platform; (2) a definition, a few working examples and classifications of privilege escalation attacks in Android applications; and (3) a classification and comparison of different frameworks and security extensions proposed in recent research.
Article
Full-text available
Mobile malware is rapidly becoming a serious threat. In this paper, we survey the current state of mobile malware in the wild. We analyze the incentives behind 46 pieces of iOS, Android, and Symbian malware that spread in the wild from 2009 to 2011. We also use this data set to evaluate the effectiveness of techniques for preventing and identifying mobile malware. After observing that 4 pieces of malware use root exploits to mount sophisticated attacks on Android phones, we also examine the incentives that cause non-malicious smartphone tinkerers to publish root exploits and survey the availability of root exploits.
Conference Paper
To build effective malware analysis techniques and to evaluate new detection tools, up-to-date datasets reflecting the current Android malware landscape are essential. For such datasets to be maximally useful, they need to contain reliable and complete information on malware's behaviors and the techniques used in the malicious activities. Such a dataset shall also provide comprehensive coverage of a large number of types of malware. The Android Malware Genome created circa 2011 has been the only well-labeled and widely studied dataset the research community had easy access to (as of 12/21/2015 the Genome authors have stopped supporting the dataset sharing due to resource limitation). But not only is it outdated and no longer representative of the current Android malware landscape, it also does not provide as detailed information on malware's behaviors as needed for research. Thus it is urgent to create a high-quality dataset for Android malware. While existing information sources such as VirusTotal are useful, to obtain accurate and detailed information on malware behaviors, deep manual analysis is indispensable. In this work we present our approach to preparing a large Android malware dataset for the research community. We leverage existing anti-virus scan results and automation techniques in categorizing our large dataset (containing 24,650 malware app samples) into 135 varieties (based on malware behavioral semantics) which belong to 71 malware families. For each variety, we select three samples as representatives, for a total of 405 malware samples, to conduct in-depth manual analysis. Based on the manual analysis results we generate detailed descriptions of each malware variety's behaviors and include them in our dataset. We also report our observations on the current landscape of Android malware as depicted in the dataset. Furthermore, we present detailed documentation of the process used in creating the dataset, including the guidelines for the manual analysis. We make our Android malware dataset available to the research community.
Article
The openness and extensibility of Android have made it a popular platform for mobile devices and a strong candidate to drive the Internet-of-Things. Unfortunately, these properties also leave Android vulnerable, attracting attacks for profit or fun. To mitigate these threats, numerous issue-specific solutions have been proposed. With the increasing number and complexity of security problems and solutions, we believe this is the right moment to step back and systematically re-evaluate the Android security architecture and security practices in the ecosystem. We organize the most recent security research on the Android platform into two categories: the software stack and the ecosystem. For each category, we provide a comprehensive narrative of the problem space, highlight the limitations of the proposed solutions, and identify open problems for future research. Based on our collection of knowledge, we envision a blueprint for engineering a secure, next-generation Android ecosystem.
Conference Paper
Android root is the voluntary and legitimate process of gaining the highest privilege and full control over a user's Android device. To meet the popular demand, a unique Android root ecosystem has formed where a variety of root providers offer root as a service. Even though legitimate, many convenient one-click root methods operate by exploiting vulnerabilities in the Android system. If not carefully controlled, such exploits can be abused by malware authors to gain unauthorized root privilege. To understand such risks, we undertake a study of a number of popular yet mysterious Android root providers, focusing on (1) whether their exploits are adequately protected and (2) the relationship between their proprietary exploits and publicly available ones. We find that even though protections are usually employed, the effort is substantially undermined by a few systematic and sometimes obvious weaknesses we discover. From one large provider, we are able to extract more than 160 exploit binaries that are well-engineered and up-to-date, corresponding to more than 50 families, exceeding the number of exploits we can find publicly. We are able to identify at least 10 device driver exploits that have never been reported in public. Besides, for a popular kernel vulnerability (the futex bug), the provider has engineered 89 variants to cover devices with different Android versions and configurations. Even worse, we find that few of the exploit binaries can be detected by mobile antivirus software.
Conference Paper
The Dalvik Virtual Machine is open source software and an important part of the Android OS, and a better understanding of it and its energy optimization can significantly contribute to the overall greenness of the mobile environment. With the introduction of the OSS solution named Android Runtime (ART), an attempt at performance and energy consumption optimization was made. In this paper we investigate and compare the performance of the Dalvik virtual machine and ART from an energy perspective. In order to answer our research questions we executed a set of benchmarks in an identical experimental setup for both runtimes, while measuring the energy spent and the percentage of battery discharge. The results showed that in most of the use case scenarios the Ahead-Of-Time compilation process of ART is overall more energy efficient than the Just-In-Time one of Dalvik.