
The Analysis And Detection Of Android Malicious App-virtualization Loading Behavior

Posted on: 2021-07-08
Degree: Master
Type: Thesis
Country: China
Candidate: L M Shi
Full Text: PDF
GTID: 2568306290494624
Subject: Cyberspace security
Abstract/Summary:
Repackaging popular benign apps with a malicious payload used to be the most common way to spread Android malware. Using decompilation tools, an APK file can be converted into Smali intermediate-language files, in which malicious code is added and the logic of the original application is changed; the result is then recompiled into new malware. This is the repackaging-based approach taken by malware. Such malware is highly concealed and deceptive to users, but with the development of packing, obfuscation and other technologies, repackaging has become more and more difficult. Nevertheless, our longitudinal study since 2016 has observed an alarming new trend in the Android ecosystem: a growing number of Android malware abuse the recent app-virtualization innovation as a stealthy distribution channel. App-virtualization supports running multiple copies of the same app on a single device, and tens of millions of users enjoy this convenience. However, cybercriminals repackage various malicious APK files as plugins into an app-virtualization platform, which can flexibly launch arbitrary plugins without the hassle of installation. This new style of repackaging gains the ability to bypass anti-malware scanners by hiding the grafted malicious payload in plugins, and it also defies the basic premise embodied by existing repackaged-app detection solutions.

This paper analyzes existing app-virtualization loading technology, summarizes the security threats of malware based on this technology, studies its malicious loading behavior, and proposes fingerprint features to detect abnormal loading behavior without analyzing malicious plugin code. The specific work is as follows:

(1) This paper studies the principle of app-virtualization and its security threats. Combined with existing research on Android app-virtualization technology, we analyze existing app-virtualization frameworks and related samples, and study the principle and security threats of app-virtualization technology.

(2) This paper analyzes the differences and application scenarios of malicious app-virtualization loading behaviors versus benign ones. Since applications using app-virtualization technology are not necessarily malware, we study both benign software and malware based on app-virtualization technology and find two key features: 1) the core technique of app-virtualization is the proxy layer between plugins and the Android system, which has finite state transitions; 2) malware usually hides its behavior by stealthily loading plugins.

(3) We implement and evaluate a static-analysis-based detection scheme for malicious app-virtualization loading behaviors. Based on the uniqueness of malicious app-virtualization loading behavior, we design a two-layer detection scheme and evaluate it on 78K real-world app-virtualization-based samples. We prove that the two-layer detection scheme is effective, has good compatibility and low performance overhead, and frees security professionals from the complexity of manual reverse engineering.
Keywords/Search Tags: Android, Repackage, App-virtualization, Malicious Code Loading, Static Analysis