How to Make Information-Flow Analysis Based Defense Ineffective: An ART Behavior-Mask Attack

Abstract

The Android permission mechanism cannot resist permission abuse, so the key to malware detection is to expose an application's malicious behavior. Although plentiful transformation attacks are used to bypass malware detection, the latest information-flow analysis based defenses claim that they can identify malicious flows with high accuracy. Nevertheless, in this paper, we expose a new attack surface in Android Runtime (ART), known as the Behavior-Mask attack, which can bypass most known information-flow analysis based defenses in practice. Our attack techniques can be utilized to hide Android applications' actual behavior by only executing some irrelevant Java code in the normal way. We corrupt a small amount of runtime data through a small piece of JNI code to hijack the control flow and data flow of Java code dynamically in the ART environment. Further, we implement an automatic development framework to demonstrate the viability of the Behavior-Mask attack. We analyze the existing defenses on Android and traditional desktop operating systems, and put forward some new ideas for the design and implementation of future defenses against the proposed attack.

Cite

Yang, X., Liu, L., Zhang, L., Jiang, W., & Pan, S. (2017). How to Make Information-Flow Analysis Based Defense Ineffective: An ART Behavior-Mask Attack. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10599 LNCS, pp. 269–287). Springer Verlag. https://doi.org/10.1007/978-3-319-69659-1_15
