Demystifying Hidden Sensitive Operations in Android Apps

Security of Android devices is now paramount, given their wide adoption among consumers. As researchers develop tools for statically or dynamically detecting suspicious apps, malware writers regularly update their attack mechanisms to hide malicious behavior implementation. This poses two problems to current research techniques: static analysis approaches, given their over-approximations, can report an overwhelming number of false alarms, while dynamic approaches will miss those behaviors that are hidden through evasion techniques. We propose in this work a static approach specifically targeted at highlighting hidden sensitive operations (HSOs), mainly sensitive data flows. The prototype version of HiSenDroid has been evaluated on a large-scale dataset of thousands of malware and goodware samples on which it successfully revealed antianalysis code snippets aiming at evading detection by dynamic analysis. We further experimentally showthat, with FlowDroid, some of the hidden sensitive behaviors would eventually lead to private data leaks. Those leaks would have been hard to spot either manually among the large number of false positives reported by the state-of-the-art static analyzers, or by dynamic tools. Overall, by putting the light on hidden sensitive operations, HiSenDroid helps security analysts in validating potentially sensitive data operations, which would be previously unnoticed.

Automated summary

Given the wide adoption of Android devices among consumers, security has become a key concern. Malware writers regularly update their attack mechanisms to hide malicious behavior, posing problems to current research techniques. This work proposes a static approach called HiSenDroid that specifically targets hidden sensitive operations, successfully revealing code aiming to evade detection by dynamic analysis. Experimental results show that certain hidden sensitive behaviors can lead to private data leaks. Overall, HiSenDroid helps security analysts validate potentially sensitive data operations that would have otherwise been unnoticed.