Demystifying Hidden Sensitive Operations in Android apps
Xiaoyu Sun, Xiao Chen, Li Li, Haipeng Cai, John Grundy, Jordan Samhi, Tegawendé F. Bissyandé, Jacques Klein

TL;DR
This paper introduces HiSenDroid, a static analysis tool designed to detect hidden sensitive data operations in Android apps, addressing limitations of existing static and dynamic methods and aiding security analysts in identifying covert data leaks.
Contribution
The paper presents a novel static approach, HiSenDroid, that effectively uncovers hidden sensitive operations in Android malware, improving detection accuracy over existing tools.
Findings
HiSenDroid successfully revealed anti-analysis code snippets in malware samples.
Some hidden sensitive behaviors could lead to private data leaks detectable by FlowDroid.
HiSenDroid reduces false positives compared to traditional static analyzers.
Abstract
Security of Android devices is now paramount, given their wide adoption among consumers. As researchers develop tools for statically or dynamically detecting suspicious apps, malware writers regularly update their attack mechanisms to hide malicious behavior implementation. This poses two problems to current research techniques: static analysis approaches, given their over-approximations, can report an overwhelming number of false alarms, while dynamic approaches will miss those behaviors that are hidden through evasion techniques. We propose in this work a static approach specifically targeted at highlighting hidden sensitive operations, mainly sensitive data flows. The prototype version of HiSenDroid has been evaluated on a large-scale dataset of thousands of malware and goodware samples on which it successfully revealed anti-analysis code snippets aiming at evading detection by…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting
