Virtualization-Based Malwares: Can We Defend Against Them?
ZERBINI, SIMONE
2021/2022
Abstract
App-Virtualization is a technique that allows an application, called the host or container, to create a virtual environment on top of the Android framework. In this virtual environment, other applications, called plugins, can be executed directly from their apk without being installed on the device. This technique can be used to offer some interesting features, but it can also be exploited for malicious purposes. For instance, it can be used to evade anti-malware detection by dynamically loading malicious code. Another common malicious use is to simplify the repackaging of an application: with the standard approach, an attacker must decompile the apk of the target application and add the malicious payload before he can distribute the repackaged app; by exploiting virtualization, it is enough to execute the target application as a plugin inside a malicious container. Currently, the countermeasures at our disposal are third-party anti-malware, Anti-Plugin techniques and the state-of-the-art tool VAHunt. Anti-Plugin techniques are a series of methods that a developer can implement in his application to ensure that it does not run in a virtual environment. Unfortunately, most of these techniques can be easily bypassed, but their major limitation is that they are rarely adopted by developers. VAHunt is a tool that checks whether an app makes use of virtualization and is additionally able to detect certain suspicious uses of it. This tool has been observed to have some flaws, mainly because it was built considering just the 2 main virtualization frameworks, namely VirtualApp and DroidPlugin. In this thesis, the behaviour of this malware is investigated in more detail. In particular, malware samples were analyzed through both static and dynamic reverse engineering techniques. In addition, Matrioska is proposed: a new tool that exploits app-virtualization itself to perform online dynamic analysis of applications.
This tool is able to detect the malicious use of app-virtualization as an alternative to repackaging with close to 100% accuracy.

| File | Size | Format | Access |
|---|---|---|---|
| SimoneZerbiniThesis.pdf | 830.65 kB | Adobe PDF | open access |
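The Anti-Plugin techniques the abstract refers to are not spelled out on this page. As an added example (not code from the thesis or from any tool it names), here are two self-checks an Android app can run in Java to notice that it is executing as a plugin inside a container rather than as a normally installed app. The specific checks, the class name AntiPluginChecks and its method names are assumptions made for this illustration.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;

// Illustrative anti-plugin checks: an assumed example, not code from the thesis
// or from any of the tools it names. Each check compares what the app sees at
// run time with what a normal, directly installed app would see.
public final class AntiPluginChecks {

    private AntiPluginChecks() {}

    // Check 1: a normally installed app's private directory is /data/data/<pkg>
    // (or /data/user/<n>/<pkg>). A container redirects the plugin's storage
    // under the host's data directory, so the path no longer ends with the
    // plugin's own package name.
    public static boolean dataDirMismatch(Context ctx) {
        ApplicationInfo info = ctx.getApplicationInfo();
        String suffix = "/" + ctx.getPackageName();
        return info.dataDir == null || !info.dataDir.endsWith(suffix);
    }

    // Check 2: a plugin runs inside the host's process and therefore under the
    // host's Linux UID. The packages owning our UID should include our own
    // package name (sharedUserId aside); if they do not, another app owns the
    // process we are running in.
    public static boolean uidOwnedByAnotherPackage(Context ctx) {
        String[] owners = ctx.getPackageManager().getPackagesForUid(Process.myUid());
        if (owners == null) return true;
        for (String pkg : owners) {
            if (ctx.getPackageName().equals(pkg)) return false;
        }
        return true;
    }

    // Combined verdict. Both checks rely on values the container can hook, which
    // is why the abstract notes that such techniques are easily bypassed; treat a
    // hit as a signal to log and react to, not as proof.
    public static boolean runningInContainer(Context ctx) {
        return dataDirMismatch(ctx) || uidOwnedByAnotherPackage(ctx);
    }
}
```

Call `AntiPluginChecks.runningInContainer(getApplicationContext())` early in `Application.onCreate()`; a positive result is a detection signal, and the abstract's point stands that a container hooking these APIs can defeat it.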
The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 license.
https://hdl.handle.net/20.500.12608/42059