臺灣博碩士論文加值系統

近年來,隨著Android智慧型裝置和應用程式急遽地增加,惡意程式也以
驚人的速度增長當中。雖然Android系統上存在著許多防毒軟體,但惡意程
式會試著使用各種多變的技倆來隱藏自己以迴避偵測。
Android系統上的程序自修改正是一個用來隱藏自己代碼的新技術。在這
篇論文中,我們提出一個偵測方法來協助偵測這種類型的惡意程式,並根
據偵測的結果發展了一套保護機制來避免執行到修改後代碼的風險。
我們自動測試了73,754個從Google Play上下載的應用程式和44,315個已
知的惡意程式,發現有了大約0.07%的應用程式含有程序自修改的行為,而
其中最可疑的一群應用程式被判定含有廣告。雖然到目前為止我們並未偵
測到任何利用程序自修改隱藏自己的惡意程式,但我們希望這份研究在未
來能幫助偵測新類型的程序自修改的惡意程式。

The numbers of Android mobile devices and applications are both increased dramatically these years, but unfortunately, so are malwares. While there are a lot of anti-virus applications on Android systems, malwares usually use various tricks to prevent themselves from being detected.
Self-modification is a novel technique on Android system which allows applications to hide its actual code. In this paper, we propose a detection method to help detect this type of malware, and based on the detection result, we further developed a mechanism to protect users from the risk of executing modified code.
We evaluate 73,754 applications downloaded from Google Play and 44,315 known malwares with our detection mechanism. In the result, there are about 0.07% applications have self-modification behavior, and the most suspicious ones are measured as adwares. Although we haven’t encountered any self-modifying malware yet, hopefully, this work serves to help detect new types of self-modifying malware in the future.

Acknowledgments . . .i
中文 摘要 . . .ii
Abstract . . .iii
1 Introduction . . .1
1.1 Thesis Organization . . .2
2 Background and Related Work . . .3
2.1 Dalvik Virtual Machine . . .3
2.2 Malware Analysis . . .3
2.3 APE . . .4
2.4 Java Native Interface . . .5
2.5 Dynamic Code Loading . . .6
2.5.1 Problems with loading external code . . .6
2.5.2 Techniques of dynamic code loading . . .6
2.6 Related Work . . .8
3 Mechanism . . .10
3.1 Detect Self-modifying Code . . .10
3.1.1 How Self-modification Works . . .10
3.1.2 How to Detect Self-modification . . .12
3.1.3 When to Detect Self-modification . . .12
3.1.4 Tracing the Caller . . .14
3.1.5 Revealing Modified Codes . . .14
3.2 Protect from Self-modifying Code . . .15
3.2.1 Execution of Modified Code before Return of Native Code . . .15
3.2.2 How to Prompt a Dialog . . .16
4 Evaluation . . .17
4.1 Experimental Setup . . .17
4.2 Verifying Functional Correctness . . .18
4.3 Performance Overhead . . .18
4.4 Massive Testing . . .19
4.4.1 Malware Testing . . .20
4.4.2 Trigger Points Analysis . . .20
4.4.3 Libraries Analysis . . .21
4.5 Case Study . . .22
5 Limitation and Future Work . . .23
6 Conclusion . . .24
Bibliography . . .25

[1] “Self-modifying code,” http://en.wikipedia.org/wiki/Self-modifying_code.
[2] “Android,” http://developer.android.com/.
[3] S.-J. Chang, “Ape: A smart automatic testing environment for android malware,” Master’s
thesis, National Taiwan University, 2013.
[4] S. Poeplau, Y. Fratantonio, A. Bianchi, C. Kruegel, and G. Vigna, “Execute this! an-
alyzing unsafe and malicious dynamic code loading in android applications,” in NDSS,
vol. 14, 2014, pp. 23–26.
[5] J. Maebe and K. D. Bosschere, “Instrumenting self-modifying code,” CoRR, vol.
cs.SE/0309029, 2003.
[6] X. Martin, “Nifty stuff that you can still do with android,” in Hackito Ergo Sum, ser. HES,
2013.
[7] P. Schulz, “Code protection in android,” Insititute of Computer Science, Rheinische
Friedrich-Wilhelms-Universitgt Bonn, Germany, 2012.
[8] bluebox, “Android security analysis challenge tampering dalvik bytecode during run-
time,” Tech. Rep., March 2013.
[9] T. Strazzere, “Dex education: Practicing safe dex,” in Blackhat USA, 2012.
[10] bluebox, “Android emulator detection by observing low-level caching behavior,” Tech.
Rep., December 2013.