TriggerZoo: A Dataset of Android Applications Automatically Infected with Logic Bombs

TL;DR

TriggerZoo is a dataset of 406 real-world Android apps with automatically injected logic bombs, enabling researchers to evaluate and compare security analysis tools against realistic malicious behaviors.

Contribution

The paper introduces TriggerZoo, a ground truth dataset of infected Android apps with diverse logic bombs, facilitating rigorous assessment of detection techniques.

Findings

Provides a large, real-world dataset for logic bomb detection evaluation

Includes diverse types of logic bombs based on manual characterization

Enables fair comparison of security analysis tools

Abstract

Many Android apps analyzers rely, among other techniques, on dynamic analysis to monitor their runtime behavior and detect potential security threats. However, malicious developers use subtle, though efficient, techniques to bypass dynamic analyzers. Logic bombs are examples of popular techniques where the malicious code is triggered only under specific circumstances, challenging comprehensive dynamic analyses. The research community has proposed various approaches and tools to detect logic bombs. Unfortunately, rigorous assessment and fair comparison of state-of-the-art techniques are impossible due to the lack of ground truth. In this paper, we present TriggerZoo, a new dataset of 406 Android apps containing logic bombs and benign trigger-based behavior that we release only to the research community using authenticated API. These apps are real-world apps from Google Play that have been automatically infected by our tool AndroBomb. The injected pieces of code implementing the logic bombs cover a large pallet of realistic logic bomb types that we have manually characterized from a set of real logic bombs. Researchers can exploit this dataset as ground truth to assess their approaches and provide comparisons against other tools.