On The (In)Effectiveness of Static Logic Bomb Detector for Android Apps
Jordan Samhi, Alexandre Bartel

TL;DR
This study evaluates the scalability and limitations of static logic bomb detection in Android apps, revealing low false positives but significant sensitivity loss, and provides a new ground-truth database for research.
Contribution
It introduces TSOPEN, an open-source large-scale static analysis tool, and TRIGDB, a database of trigger-based Android apps, highlighting the approach's strengths and limitations.
Findings
Scales to over 500k apps efficiently
Achieves a false-positive rate of 0.3%
Removes 90% of sensitive methods, limiting detection
Abstract
Android is present in more than 85% of mobile devices, making it a prime target for malware. Malicious code is becoming increasingly sophisticated and relies on logic bombs to hide itself from dynamic analysis. In this paper, we perform a large-scale study of TSOPEN, our open-source implementation of the state-of-the-art static logic bomb scanner TRIGGERSCOPE, on more than 500k Android applications. Results indicate that the approach scales. Moreover, we investigate the discrepancies and show that the approach can reach a very low false-positive rate, 0.3%, but at a particular cost, e.g., removing 90% of sensitive methods. Therefore, it might not be realistic to rely on such an approach to automatically detect all logic bombs in large datasets. However, it could be used to speed up the location of malicious code, for instance, while reverse engineering applications. We also present…
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · Network Security and Intrusion Detection
