Dual-Force: Understanding WebView Malware via Cross-Language Forced Execution

2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE) Pub Date : 2018-09-01 DOI:10.1145/3238147.3238221

Zhenhao Tang, Juan Zhai, Minxue Pan, Yousra Aafer, Shiqing Ma, X. Zhang, Jianhua Zhao

{"title":"Dual-Force: Understanding WebView Malware via Cross-Language Forced Execution","authors":"Zhenhao Tang, Juan Zhai, Minxue Pan, Yousra Aafer, Shiqing Ma, X. Zhang, Jianhua Zhao","doi":"10.1145/3238147.3238221","DOIUrl":null,"url":null,"abstract":"Modern Android malwares tend to use advanced techniques to cover their malicious behaviors. They usually feature multi-staged, condition-guarded and environment-specific payloads. An increasing number of them utilize WebView, particularly the two-way communications between Java and JavaScript, to evade detection and analysis of existing techniques. We propose Dual-Force, a forced execution technique which simultaneously forces both Java and JavaScript code of WebView applications to execute along various paths without requiring any environment setup or providing any inputs manually. As such, the hidden payloads of WebView malwares are forcefully exposed. The technique features a novel execution model that allows forced execution to suppress exceptions and continue execution. Experimental results show that Dual-Force precisely exposes malicious payload in 119 out of 150 Web-View malwares. Compared to the state-of-the-art, Dual-Force can expose 23% more malicious behaviors.","PeriodicalId":6622,"journal":{"name":"2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE)","volume":"161 1","pages":"714-725"},"PeriodicalIF":0.0000,"publicationDate":"2018-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3238147.3238221","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 5

Abstract

Modern Android malwares tend to use advanced techniques to cover their malicious behaviors. They usually feature multi-staged, condition-guarded and environment-specific payloads. An increasing number of them utilize WebView, particularly the two-way communications between Java and JavaScript, to evade detection and analysis of existing techniques. We propose Dual-Force, a forced execution technique which simultaneously forces both Java and JavaScript code of WebView applications to execute along various paths without requiring any environment setup or providing any inputs manually. As such, the hidden payloads of WebView malwares are forcefully exposed. The technique features a novel execution model that allows forced execution to suppress exceptions and continue execution. Experimental results show that Dual-Force precisely exposes malicious payload in 119 out of 150 Web-View malwares. Compared to the state-of-the-art, Dual-Force can expose 23% more malicious behaviors.

查看原文本刊更多论文

双重强制:通过跨语言强制执行理解WebView恶意软件

现代Android恶意软件倾向于使用先进的技术来掩盖其恶意行为。它们通常具有多级、条件保护和特定环境的有效载荷。他们中越来越多的人利用WebView，特别是Java和JavaScript之间的双向通信，来逃避现有技术的检测和分析。我们提出Dual-Force，一种强制执行技术，它同时强制WebView应用程序的Java和JavaScript代码沿着不同的路径执行，而不需要任何环境设置或手动提供任何输入。因此，WebView恶意软件的隐藏有效负载被强制暴露。该技术的特点是一种新颖的执行模型，允许强制执行以抑制异常并继续执行。实验结果表明，在150种Web-View恶意软件中，Dual-Force可以精确地暴露119种恶意负载。与最先进的技术相比，Dual-Force可以暴露23%的恶意行为。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE)

自引率

0.00%

发文量