R+R: Matrioska: A User-Centric Defense Against Virtualization-Based Repackaging Malware on Android

Zerbini S.; Doria S.; Losiouk E.
2024

Abstract

The Android virtualization technique allows an app to create independent virtual environments running on top of the native Android one, in which multiple apps can be executed simultaneously. While the technique has legitimate uses, attackers have identified ways to exploit it. According to the state of the art, virtualization-based malware is a significant threat: researchers have found 71,303 malicious samples. Defence mechanisms have already been developed to find virtualization-based malware and to detect or prevent virtualization-based repackaging attacks. In this paper, we offer three key contributions. First, we experimentally evaluate the existing defence mechanisms, identifying their limitations and demonstrating how they can be bypassed. Second, we design and develop a new defence mechanism, called Matrioska, that overcomes the limitations of the state of the art by detecting the intrinsic features of the virtualization technique. Third, we evaluate the effectiveness of Matrioska with respect to the state of the art on two datasets of apps. Overall, Matrioska achieves higher accuracy (99% vs. 71%) when searching for virtualization usage, and fewer false positives (10 vs. 23) and false negatives (14 vs. 39) when detecting a virtualization-based repackaging attack.
Proceedings - Annual Computer Security Applications Conference, ACSAC
40th Annual Computer Security Applications Conference, ACSAC 2024

Use this identifier to cite or link to this document: https://hdl.handle.net/11577/3551478