wip
This commit is contained in:
parent
243b9df134
commit
c060e88996
17 changed files with 264 additions and 96 deletions
179
bibliography.bib
179
bibliography.bib
|
@ -979,3 +979,182 @@ month = aug
|
|||
file = {IEEE Xplore Abstract Record:/home/histausse/Zotero/storage/RFUDH972/8023141.html:text/html;Qu et al. - 2017 - DyDroid Measuring Dynamic Code Loading and Its Se.pdf:/home/histausse/Zotero/storage/27Z9P5T4/Qu et al. - 2017 - DyDroid Measuring Dynamic Code Loading and Its Se.pdf:application/pdf},
|
||||
}
|
||||
|
||||
|
||||
@article{bernardi_dynamic_2019,
|
||||
title = {Dynamic malware detection and phylogeny analysis using process mining},
|
||||
volume = {18},
|
||||
issn = {1615-5270},
|
||||
url = {https://doi.org/10.1007/s10207-018-0415-3},
|
||||
doi = {10.1007/s10207-018-0415-3},
|
||||
abstract = {In the last years, mobile phones have become essential communication and productivity tools used daily to access business services and exchange sensitive data. Consequently, they also have become one of the biggest targets of malware attacks. New malware is created everyday, most of which is generated as variants of existing malware by reusing its malicious code. This paper proposes an approach for malware detection and phylogeny studying based on dynamic analysis using process mining. The approach exploits process mining techniques to identify relationships and recurring execution patterns in the system call traces gathered from a mobile application in order to characterize its behavior. The recovered characterization is expressed in terms of a set of declarative constraints between system calls and represents a sort of run-time fingerprint of the application. The comparison between the so defined fingerprint of a given application with those of known malware is used to verify: (1) if the application is malware or trusted, (2) in case of malware, which family it belongs to, and (3) how it differs from other known variants of the same malware family. An empirical study conducted on a dataset of 1200 trusted and malicious applications across ten malware families has shown that the approach exhibits a very good discrimination ability that can be exploited for malware detection and malware evolution studying. Moreover, the study has also shown that the approach is robust to code obfuscation techniques increasingly being used by nowadays malware.},
|
||||
language = {en},
|
||||
number = {3},
|
||||
urldate = {2025-07-28},
|
||||
journal = {International Journal of Information Security},
|
||||
author = {Bernardi, Mario Luca and Cimitile, Marta and Distante, Damiano and Martinelli, Fabio and Mercaldo, Francesco},
|
||||
month = jun,
|
||||
year = {2019},
|
||||
keywords = {Biometrics, Computational Anthropology, Data Mining, Declare, Lineage tracking, Linear temporal logic, Malware detection, Malware evolution, Malware phylogeny, Paleogenetics, Process mining, Security, Sequence Annotation},
|
||||
pages = {257--284},
|
||||
}
|
||||
|
||||
@inproceedings{Andriatsimandefitra2012,
|
||||
address = {Ottawa, Canada},
|
||||
title = {Designing information flow policies for {Android}'s operating system},
|
||||
isbn = {978-1-4577-2053-6},
|
||||
url = {http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6364161},
|
||||
doi = {10.1109/ICC.2012.6364161},
|
||||
booktitle = {{IEEE} {International} {Conference} on {Communications}},
|
||||
publisher = {IEEE Computer Society},
|
||||
author = {Andriatsimandefitra, Radoniaina and Geller, Stéphane and Viet Triem Tong, Valérie},
|
||||
month = jun,
|
||||
year = {2012},
|
||||
keywords = {★},
|
||||
pages = {976--981},
|
||||
file = {PDF:/home/histausse/Zotero/storage/5AD2IJP6/Andriatsimandefitra, Geller, Viet Triem Tong - 2012 - Designing information flow policies for Android's operating system.pdf:application/pdf},
|
||||
}
|
||||
|
||||
@inproceedings{andriatsimandefitra_detection_2015,
|
||||
title = {Detection and {Identification} of {Android} {Malware} {Based} on {Information} {Flow} {Monitoring}},
|
||||
url = {https://ieeexplore.ieee.org/abstract/document/7371481},
|
||||
doi = {10.1109/CSCloud.2015.27},
|
||||
abstract = {Information flow monitoring has been mostly used to detect privacy leaks. In a previous work, we showed that they can also be used to characterize Android malware behaviours and in the current one we show that these flows can also be used to detect and identify Android malware. The characterization consists in computing automatically System Flow Graphs that describe how a malware disseminates its data in the system. In the current work, we propose a method that uses these SFG-based malware profile to detect the execution of Android malware by monitoring the information flows they cause in the system. We evaluated our method by monitoring the execution of 39 malware samples and 70 non malicious applications. Our results show that our approach detected the execution of all the malware samples and did not raise any false alerts for the 70 non malicious applications.},
|
||||
urldate = {2025-07-28},
|
||||
booktitle = {2015 {IEEE} 2nd {International} {Conference} on {Cyber} {Security} and {Cloud} {Computing}},
|
||||
author = {Andriatsimandefitra, Radoniaina and Tong, Valérie Viet Triem},
|
||||
month = nov,
|
||||
year = {2015},
|
||||
keywords = {android security, Androids, Containers, Humanoid robots, information flow, Java, Kernel, Malware, malware classification, malware detection, Monitoring},
|
||||
pages = {200--203},
|
||||
file = {Snapshot:/home/histausse/Zotero/storage/7FLAJ437/7371481.html:text/html;Submitted Version:/home/histausse/Zotero/storage/JR2N8XXZ/Andriatsimandefitra and Tong - 2015 - Detection and Identification of Android Malware Based on Information Flow Monitoring.pdf:application/pdf},
|
||||
}
|
||||
|
||||
|
||||
@inproceedings{yang_appspear_2015,
|
||||
address = {Cham},
|
||||
series = {Lecture {Notes} in {Computer} {Science}},
|
||||
title = {{AppSpear}: {Bytecode} {Decrypting} and {DEX} {Reassembling} for {Packed} {Android} {Malware}},
|
||||
isbn = {978-3-319-26362-5},
|
||||
shorttitle = {{AppSpear}},
|
||||
doi = {10.1007/978-3-319-26362-5_17},
|
||||
abstract = {As the techniques for Android malware detection are progressing, malware also fights back through deploying advanced code encryption with the help of Android packers. An effective Android malware detection therefore must take the unpacking issue into consideration to prove the accuracy. Unfortunately, this issue is not easily addressed. Android packers often adopt multiple complex anti-analysis defenses and are evolving frequently. Current unpacking approaches are either based on manual efforts, which are slow and tedious, or based on coarse-grained memory dumping, which are susceptible to a variety of anti-monitoring defenses.},
|
||||
language = {en},
|
||||
booktitle = {Research in {Attacks}, {Intrusions}, and {Defenses}},
|
||||
publisher = {Springer International Publishing},
|
||||
author = {Yang, Wenbo and Zhang, Yuanyuan and Li, Juanru and Shu, Junliang and Li, Bodong and Hu, Wenjun and Gu, Dawu},
|
||||
editor = {Bos, Herbert and Monrose, Fabian and Blanc, Gregory},
|
||||
year = {2015},
|
||||
keywords = {Android malware, Code protection, DEX reassembling},
|
||||
pages = {359--381},
|
||||
file = {Yang et al. - 2015 - AppSpear Bytecode Decrypting and DEX Reassembling.pdf:/home/histausse/Zotero/storage/HR2UALQW/Yang et al. - 2015 - AppSpear Bytecode Decrypting and DEX Reassembling.pdf:application/pdf},
|
||||
}
|
||||
|
||||
@article{cui_droidhook_2023,
|
||||
title = {{DroidHook}: a novel {API}-hook based {Android} malware dynamic analysis sandbox},
|
||||
volume = {30},
|
||||
issn = {1573-7535},
|
||||
shorttitle = {{DroidHook}},
|
||||
url = {https://doi.org/10.1007/s10515-023-00378-w},
|
||||
doi = {10.1007/s10515-023-00378-w},
|
||||
abstract = {With the popularity of Android devices, mobile apps are prevalent in our daily life, making them a target for attackers to steal private data and push advertisements. Dynamic analysis is an effective approach to detect runtime behavior of Android malware and can reduce the impact of code obfuscation. However, some dynamic sandboxes commonly used by researchers are usually based on emulators with older versions of Android, for example, the state-of-the-art sandbox, DroidBox. These sandboxes are vulnerable to evasion attacks and may not work with the latest apps. In this paper, we propose a prototype framework, DroidHook, as a novel automated sandbox for Android malware dynamic analysis. Unlike most existing tools, DroidHook has two obvious advantages. Firstly, the set of APIs to be monitored by DroidHook can be easily modified, so that DroidHook is ideally suitable for diverse situations, including the detection of a specific family of malware and unknown malware. Secondly, DroidHook does not depend on a specific Android OS but only on Xposed, so it can work with multiple Android versions and can perform normally on both emulators and real devices. Experiments show that DroidHook can provide more fine-grained and precise results than DroidBox. Moreover, with the support for real devices and new versions of Android, DroidHook can run most samples properly and acquire stronger detection results, compared to emulator-based tools.},
|
||||
language = {en},
|
||||
number = {1},
|
||||
urldate = {2023-03-17},
|
||||
journal = {Automated Software Engineering},
|
||||
author = {Cui, Yuning and Sun, Yi and Lin, Zhaowen},
|
||||
month = feb,
|
||||
year = {2023},
|
||||
keywords = {Android, Dynamic analysis, Mobile malware, Sandbox},
|
||||
pages = {10},
|
||||
file = {Cui et al. - 2023 - DroidHook a novel API-hook based Android malware .pdf:/home/histausse/Zotero/storage/I3BLZDLC/Cui et al. - 2023 - DroidHook a novel API-hook based Android malware .pdf:application/pdf},
|
||||
}
|
||||
|
||||
@article{faghihi_camodroid_2022,
|
||||
title = {{CamoDroid}: {An} {Android} application analysis environment resilient against sandbox evasion},
|
||||
volume = {125},
|
||||
issn = {1383-7621},
|
||||
shorttitle = {{CamoDroid}},
|
||||
url = {https://www.sciencedirect.com/science/article/pii/S1383762122000467},
|
||||
doi = {10.1016/j.sysarc.2022.102452},
|
||||
abstract = {In the past few years, numerous attempts have been made to mitigate evasive Android malware. However, it remains one of the challenges in smartphone security. Evasive malware can dodge dynamic analysis by detecting execution in sandboxes and hiding its malicious behaviors during the investigation. In this work, we present CamoDroid, an open-source and extendable dynamic analysis environment resilient against detection by state-of-the-art evasive Android malware. Our technique mimics data, sensors, user input, static and network features of actual devices and cloaks the existence of the analysis environment. It further improves dynamic analysis and provides a broad view of an application’s behavior by monitoring and logging the dangerous Application Programming Interface (API) calls executed by applications. We implement CamoDroid and assess its resiliency to sandbox detection. We first demonstrate that our sandbox cannot be detected using modern existing academic and commercial applications that can distinguish analysis environments from real devices. We also assess the dependability of CamoDroid against real-world evasive malware and show that it can successfully cloak the existence of the analysis environment to more than 96 percent of evasive Android malware. Moreover, we investigate other popular Android sandboxes and show that they are vulnerable to at least one type of sandbox detection heuristic.},
|
||||
urldate = {2025-07-28},
|
||||
journal = {Journal of Systems Architecture},
|
||||
author = {Faghihi, Farnood and Zulkernine, Mohammad and Ding, Steven},
|
||||
month = apr,
|
||||
year = {2022},
|
||||
keywords = {Android, Dynamic analysis, Malware detection},
|
||||
pages = {102452},
|
||||
file = {ScienceDirect Snapshot:/home/histausse/Zotero/storage/36WARYCE/S1383762122000467.html:text/html},
|
||||
}
|
||||
|
||||
@article{sutter_dynamic_2024,
|
||||
title = {Dynamic {Security} {Analysis} on {Android}: {A} {Systematic} {Literature} {Review}},
|
||||
volume = {12},
|
||||
issn = {2169-3536},
|
||||
shorttitle = {Dynamic {Security} {Analysis} on {Android}},
|
||||
url = {https://ieeexplore.ieee.org/abstract/document/10504267},
|
||||
doi = {10.1109/ACCESS.2024.3390612},
|
||||
abstract = {Dynamic analysis is a technique that is used to fully understand the internals of a system at runtime. On Android, dynamic security analysis involves real-time assessment and active adaptation of an app’s behaviour, and is used for various tasks, including network monitoring, system-call tracing, and taint analysis. The research on dynamic analysis has made significant progress in the past years. However, to the best of our knowledge, there is a lack in secondary studies that analyse the novel ideas and common limitations of current security research. The main aim of this work is to understand dynamic security analysis research on Android to present the current state of knowledge, highlight research gaps, and provide insights into the existing body of work in a structured and systematic manner. We conduct a systematic literature review (SLR) on dynamic security analysis for Android. The systematic review establishes a taxonomy, defines a classification scheme, and explores the impact of advanced Android app testing tools on security solutions in software engineering and security research. The study’s key findings centre on tool usage, research objectives, constraints, and trends. Instrumentation and network monitoring tools play a crucial role, with research goals focused on app security, privacy, malware detection, and software testing automation. Identified limitations include code coverage constraints, security-related analysis obstacles, app selection adequacy, and non-deterministic behaviour. Our study results deepen the understanding of dynamic analysis in Android security research by an in-depth review of 43 publications. The study highlights recurring limitations with automated testing tools and concerns about detecting or obstructing dynamic analysis.},
|
||||
urldate = {2025-07-28},
|
||||
journal = {IEEE Access},
|
||||
author = {Sutter, Thomas and Kehrer, Timo and Rennhard, Marc and Tellenbach, Bernhard and Klein, Jacques},
|
||||
year = {2024},
|
||||
keywords = {Android, Androids, Codes, dynamic analysis, fuzzing, Fuzzing, instrumentation, Instrumentation and measurement, machine learning, Machine learning, monitoring, Monitoring, Operating systems, security, Security, software testing, Software testing, Systematics, Taxonomy, tracing, vulnerabilities},
|
||||
pages = {57261--57287},
|
||||
file = {Full Text PDF:/home/histausse/Zotero/storage/RGVZFQY8/Sutter et al. - 2024 - Dynamic Security Analysis on Android A Systematic Literature Review.pdf:application/pdf},
|
||||
}
|
||||
|
||||
|
||||
@inproceedings{mao_sapienz_2016,
|
||||
address = {New York, NY, USA},
|
||||
series = {{ISSTA} 2016},
|
||||
title = {Sapienz: multi-objective automated testing for {Android} applications},
|
||||
isbn = {978-1-4503-4390-9},
|
||||
shorttitle = {Sapienz},
|
||||
url = {https://doi.org/10.1145/2931037.2931054},
|
||||
doi = {10.1145/2931037.2931054},
|
||||
abstract = {We introduce Sapienz, an approach to Android testing that uses multi-objective search-based testing to automatically explore and optimise test sequences, minimising length, while simultaneously maximising coverage and fault revelation. Sapienz combines random fuzzing, systematic and search-based exploration, exploiting seeding and multi-level instrumentation. Sapienz significantly outperforms (with large effect size) both the state-of-the-art technique Dynodroid and the widely-used tool, Android Monkey, in 7/10 experiments for coverage, 7/10 for fault detection and 10/10 for fault-revealing sequence length. When applied to the top 1,000 Google Play apps, Sapienz found 558 unique, previously unknown crashes. So far we have managed to make contact with the developers of 27 crashing apps. Of these, 14 have confirmed that the crashes are caused by real faults. Of those 14, six already have developer-confirmed fixes.},
|
||||
urldate = {2025-07-29},
|
||||
booktitle = {Proceedings of the 25th {International} {Symposium} on {Software} {Testing} and {Analysis}},
|
||||
publisher = {Association for Computing Machinery},
|
||||
author = {Mao, Ke and Harman, Mark and Jia, Yue},
|
||||
month = jul,
|
||||
year = {2016},
|
||||
pages = {94--105},
|
||||
file = {Submitted Version:/home/histausse/Zotero/storage/BXPWWPAU/Mao et al. - 2016 - Sapienz multi-objective automated testing for Android applications.pdf:application/pdf},
|
||||
}
|
||||
|
||||
@inproceedings{su_guided_2017,
|
||||
address = {New York, NY, USA},
|
||||
series = {{ESEC}/{FSE} 2017},
|
||||
title = {Guided, stochastic model-based {GUI} testing of {Android} apps},
|
||||
isbn = {978-1-4503-5105-8},
|
||||
url = {https://doi.org/10.1145/3106237.3106298},
|
||||
doi = {10.1145/3106237.3106298},
|
||||
abstract = {Mobile apps are ubiquitous, operate in complex environments and are developed under the time-to-market pressure. Ensuring their correctness and reliability thus becomes an important challenge. This paper introduces Stoat, a novel guided approach to perform stochastic model-based testing on Android apps. Stoat operates in two phases: (1) Given an app as input, it uses dynamic analysis enhanced by a weighted UI exploration strategy and static analysis to reverse engineer a stochastic model of the app's GUI interactions; and (2) it adapts Gibbs sampling to iteratively mutate/refine the stochastic model and guides test generation from the mutated models toward achieving high code and model coverage and exhibiting diverse sequences. During testing, system-level events are randomly injected to further enhance the testing effectiveness. Stoat was evaluated on 93 open-source apps. The results show (1) the models produced by Stoat cover 17{\textasciitilde}31\% more code than those by existing modeling tools; (2) Stoat detects 3X more unique crashes than two state-of-the-art testing tools, Monkey and Sapienz. Furthermore, Stoat tested 1661 most popular Google Play apps, and detected 2110 previously unknown and unique crashes. So far, 43 developers have responded that they are investigating our reports. 20 of reported crashes have been confirmed, and 8 already fixed.},
|
||||
urldate = {2025-07-29},
|
||||
booktitle = {Proceedings of the 2017 11th {Joint} {Meeting} on {Foundations} of {Software} {Engineering}},
|
||||
publisher = {Association for Computing Machinery},
|
||||
author = {Su, Ting and Meng, Guozhu and Chen, Yuting and Wu, Ke and Yang, Weiming and Yao, Yao and Pu, Geguang and Liu, Yang and Su, Zhendong},
|
||||
month = aug,
|
||||
year = {2017},
|
||||
pages = {245--256},
|
||||
}
|
||||
|
||||
|
||||
@inproceedings{abraham_grodddroid_2015,
|
||||
title = {{GroddDroid}: a gorilla for triggering malicious behaviors},
|
||||
shorttitle = {{GroddDroid}},
|
||||
url = {https://ieeexplore.ieee.org/abstract/document/7413692},
|
||||
doi = {10.1109/MALWARE.2015.7413692},
|
||||
abstract = {Android malware authors use sophisticated techniques to hide the malicious intent of their applications. They use cryptography or obfuscation techniques to avoid detection during static analysis. They can also avoid detection during a dynamic analysis. Frequently, the malicious execution is postponed as long as the malware is not convinced that it is running in a real smartphone of a real user. However, we believe that dynamic analysis methods give good results when they really monitor the malware execution. In this article1, we propose a method to enhance the execution of the malicious code of unknown malware. We especially target malware that have triggering protections, for example branching conditions that wait for an event or expect a specific value for a variable before triggering malicious execution. In these cases, solely executing the malware is far from being sufficient. We propose to force the triggering of the malicious code by combining two contributions. First, we define an algorithm that automatically identifies potentially malicious code. Second, we propose an enhanced monkey called GroddDroid, that stimulates the GUI of an application and forces the execution of some branching conditions if needed. The forcing is used by GroddDroid to push the execution flow towards the previously identified malicious parts of the malware and execute it. The source code for our experiments with GroddDroid is released as free software2. We have verified on a malware dataset that we investigated manually that the malicious code is accurately executed by GroddDroid. Additionally, on a large dataset of 100 malware we precisely identify the nature of the suspicious code and we succeed to execute it at 28\%.},
|
||||
urldate = {2025-07-29},
|
||||
booktitle = {2015 10th {International} {Conference} on {Malicious} and {Unwanted} {Software} ({MALWARE})},
|
||||
author = {Abraham, A. and Andriatsimandefitra, R. and Brunelat, A. and Lalande, J.-F. and Viet Triem Tong, V.},
|
||||
month = oct,
|
||||
year = {2015},
|
||||
keywords = {Androids, Force, Graphical user interfaces, Humanoid robots, Java, Malware, Monitoring},
|
||||
pages = {119--127},
|
||||
file = {Snapshot:/home/histausse/Zotero/storage/E4949JUV/7413692.html:text/html;Submitted Version:/home/histausse/Zotero/storage/CPJLKBNJ/Abraham et al. - 2015 - GroddDroid a gorilla for triggering malicious behaviors.pdf:application/pdf},
|
||||
}
|
||||
|
||||
|
|
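Review bot: The same author is entered in three different name forms across the new entries — `Viet Triem Tong, Valérie` in Andriatsimandefitra2012, `Tong, Valérie Viet Triem` in andriatsimandefitra_detection_2015 and `Viet Triem Tong, V.` in abraham_grodddroid_2015 — so BibTeX parses different surnames and any author-year or sorted style will label and order them as different people; normalise to the comma form with the full compound surname, e.g. `author = {Andriatsimandefitra, Radoniaina and Viet Triem Tong, Valérie},` in the 2015 entry, and spell out the initials-only author list of abraham_grodddroid_2015 to match the full names used elsewhere. The `file = {...}` fields carry absolute `/home/histausse/Zotero/storage/...` paths that no bibliography style reads and that publish the exporting user's local account name and directory layout into the repository; drop that field at export time or strip it before committing. `keywords = {★}` in Andriatsimandefitra2012 looks like a Zotero tag artifact with a non-ASCII glyph that may not survive a classic BibTeX run and conveys nothing to readers; remove it. The per-word braces in titles and booktitles (`booktitle = {{IEEE} {International} {Conference} on {Communications}},`) are likewise an exporter artifact that defeats style casing — brace only the acronyms and proper nouns — and where `url` merely repeats the DOI resolver (`url = {https://doi.org/10.1007/s10207-018-0415-3},`) keep `doi` alone. Citation keys also mix two schemes (`Andriatsimandefitra2012` versus `andriatsimandefitra_detection_2015`); since Biber treats keys case-sensitively, picking one lowercase scheme avoids near-duplicates later.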