Difuzer: Uncovering Suspicious Hidden Sensitive Operations in Android Apps
Jordan Samhi, Li Li, Tegawendé F. Bissyandé, Jacques Klein

TL;DR
Difuzer is a hybrid static and anomaly detection tool that uncovers suspicious hidden sensitive operations in Android apps, effectively identifying logic bombs with high precision and outperforming existing methods.
Contribution
It introduces a novel approach combining static analysis and unsupervised learning to detect logic bombs in Android applications, improving accuracy and efficiency.
Findings
Achieves 99.02% precision in detecting SHSOs (Suspicious Hidden Sensitive Operations)
Identifies 29.7% of SHSOs as logic bombs
Outperforms state-of-the-art in detection accuracy and speed
Abstract
One prominent tactic used to keep malicious behavior from being detected during dynamic test campaigns is logic bombs, where malicious operations are triggered only when specific conditions are satisfied. Defusing logic bombs remains an unsolved problem in the literature. In this work, we propose to investigate Suspicious Hidden Sensitive Operations (SHSOs) as a step towards triaging logic bombs. To that end, we develop a novel hybrid approach that combines static analysis and anomaly detection techniques to uncover SHSOs, which we predict as likely implementations of logic bombs. Concretely, Difuzer identifies SHSO entry-points using an instrumentation engine and an inter-procedural data-flow analysis. Then, it extracts trigger-specific features to characterize SHSOs and leverages One-Class SVM to implement an unsupervised learning model for detecting abnormal triggers. We evaluate…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Spam and Phishing Detection
