Resources

Alterdroid

Alterdroid is a dynamic analysis tool that compares the behavior of an original app against that of many automatically generated variants of it containing carefully injected modifications. The modifications are designed to have no observable effect on the app's execution, provided that the altered component is actually what it claims to be and carries no hidden functionality.

At a high level, Alterdroid has two major components: fault injection and differential analysis. The first takes a candidate app (the entire package) as input and generates a fault-injected version of it. The original and the fault-injected apps are then executed under identical conditions (same context and user inputs), and their behavior is monitored and recorded, producing two activity signatures. The differential signature, i.e. the difference between the two, is then analyzed through a pattern-matching process driven by rules that relate types of hidden functionality to elements found in the differential signature. Alterdroid complements static analysis tools, which focus on inspecting code components and may therefore overlook pieces of code that are hidden in data objects or simply obfuscated.
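The differential-analysis stage described above, shown on two constructed activity signatures. This is an added illustration, not Alterdroid's own code: the traces, the "fault" (an image asset replaced by a benign image of the same size) and the rule set are all assumptions made for the example; Alterdroid's real rule base and instrumentation are not reproduced.

```python
"""Differential analysis of two activity signatures (added example, not Alterdroid's code)."""
from collections import Counter

# Constructed activity signatures.  Each event is (API, argument summary).
# Both runs receive identical inputs; in the altered run the asset
# assets/banner.png was replaced by a plain image of the same dimensions.
# A genuine image asset would leave the recorded behaviour unchanged.
ORIGINAL_RUN = [
    ("android.app.Activity.onCreate", "MainActivity"),
    ("android.content.res.AssetManager.open", "assets/banner.png"),
    ("android.graphics.BitmapFactory.decodeStream", "assets/banner.png"),
    ("java.io.FileOutputStream.write", "/data/data/app/files/p.dex"),
    ("dalvik.system.DexClassLoader.loadClass", "com.hidden.Payload"),
    ("java.net.HttpURLConnection.connect", "http://example.invalid/c2"),
]
ALTERED_RUN = [
    ("android.app.Activity.onCreate", "MainActivity"),
    ("android.content.res.AssetManager.open", "assets/banner.png"),
    ("android.graphics.BitmapFactory.decodeStream", "assets/banner.png"),
]
# Control case: the fault hit a genuine asset, so the trace is unchanged.
UNCHANGED_RUN = list(ORIGINAL_RUN)


def differential_signature(original, altered):
    """Multiset difference of the two signatures: what vanished, what appeared."""
    o, a = Counter(original), Counter(altered)
    return {"vanished": list((o - a).elements()), "appeared": list((a - o).elements())}


# Illustrative rules (assumed for this example).  Each rule names a class of
# hidden functionality, which side of the differential signature it looks at,
# and the APIs whose presence there indicates it.  Behaviour that disappears
# when a *data* asset is replaced means that asset was driving the behaviour.
RULES = [
    ("code hidden in a data asset", "vanished",
     {"dalvik.system.DexClassLoader.loadClass", "java.lang.Runtime.exec",
      "java.lang.reflect.Method.invoke"}),
    ("asset-gated network activity", "vanished",
     {"java.net.HttpURLConnection.connect", "java.net.Socket.connect"}),
    ("asset-gated file drop", "vanished", {"java.io.FileOutputStream.write"}),
    ("altered asset consumed by a non-image parser", "appeared",
     {"java.lang.RuntimeException.<init>", "java.io.IOException.<init>"}),
]


def match_rules(diff, fault_target):
    """Apply RULES to a differential signature; return the findings with evidence."""
    findings = []
    for name, side, apis in RULES:
        hits = [(api, arg) for api, arg in diff[side] if api in apis]
        if hits:
            findings.append({"rule": name, "fault_target": fault_target, "evidence": hits})
    return findings


def analyze(original, altered, fault_target):
    """Full second stage: differential signature, then rule matching."""
    return match_rules(differential_signature(original, altered), fault_target)


if __name__ == "__main__":
    for f in analyze(ORIGINAL_RUN, ALTERED_RUN, "assets/banner.png"):
        print(f["rule"], "->", f["evidence"])
    print("control:", analyze(ORIGINAL_RUN, UNCHANGED_RUN, "assets/icon.png"))
```

The control case matters: a fault that hits an honest component must yield an empty differential signature, otherwise the rules would flag every app. Any divergence is therefore attributable to the one component that was altered, which is what makes the fault-injection design work.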

Related publications

Downloads

See Alterdroid's page maintained by Guillermo Suarez-Tangil.

Dendroid

Dendroid is a system for the automatic classification of unknown smartphone malware samples into candidate families based on the similarity of their respective code structures. Dendroid involves a preparatory stage in which the sample is transformed into a query in the text-mining sense. A slight variation of this process can therefore be used to search for a given set of code structures in a database of known specimens, a task that can be remarkably useful for malware analysts and app market operators.

Dendroid also includes the ability to perform an evolutionary analysis of malware families based on the dendrograms obtained after hierarchical clustering. The process is almost equivalent to the analysis of phylogenetic trees for biological species, although it uses software code structures rather than physical or genetic features. This enables the analyst to conjecture about evolutionary relationships among the various malware families, including the identification of common ancestors and the study of the diversification they may have gone through as a consequence of code reuse and malware re-engineering techniques.
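The two operations described above, treating code structures as text (similarity search against a database of known specimens) and hierarchical clustering into a dendrogram, as an added example. This is not Dendroid's implementation: the sample corpus is constructed, each sample is represented as a bag of method-level control-flow skeletons written as plain tokens (an assumption standing in for real feature extraction from bytecode), weighting is TF-IDF with cosine similarity, and the clustering is average-linkage agglomerative clustering.

```python
"""Code-structure search and hierarchical clustering (added example, not Dendroid's code)."""
import math
from collections import Counter

# Constructed corpus: sample name -> bag of control-flow skeletons of its
# methods.  The skeletons are toy tokens; two families (A, B) are encoded.
SAMPLES = {
    "famA_1": ["SEQ;IF;CALL;RET", "LOOP;IF;CALL;CALL;RET", "SEQ;CALL;RET", "IF;IF;CALL;RET"],
    "famA_2": ["SEQ;IF;CALL;RET", "LOOP;IF;CALL;CALL;RET", "SEQ;CALL;RET", "TRY;CALL;CATCH;RET"],
    "famB_1": ["LOOP;LOOP;CALL;RET", "SWITCH;CALL;CALL;CALL;RET", "SEQ;RET"],
    "famB_2": ["LOOP;LOOP;CALL;RET", "SWITCH;CALL;CALL;CALL;RET", "IF;RET"],
}


def build_idf(corpus):
    """Smoothed inverse document frequency per chunk, plus the idf for unseen chunks."""
    n = len(corpus)
    df = Counter()
    for chunks in corpus.values():
        df.update(set(chunks))
    idf = {c: math.log((1 + n) / (1 + k)) + 1 for c, k in df.items()}
    return idf, math.log(1 + n) + 1


def vectorize(chunks, idf, unseen_idf):
    """TF-IDF vector (sparse dict) of one sample's bag of code structures."""
    return {c: k * idf.get(c, unseen_idf) for c, k in Counter(chunks).items()}


def cosine(u, v):
    dot = sum(w * v[c] for c, w in u.items() if c in v)
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def search(query_chunks, corpus):
    """Rank known specimens by similarity to a set of code structures (the query)."""
    idf, unseen = build_idf(corpus)
    q = vectorize(query_chunks, idf, unseen)
    ranked = [(name, cosine(q, vectorize(c, idf, unseen))) for name, c in corpus.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def cluster(corpus):
    """Average-linkage agglomerative clustering on cosine distance.

    Returns a dendrogram as nested tuples (left, right, merge_distance); leaves
    are sample names.
    """
    idf, unseen = build_idf(corpus)
    vec = {n: vectorize(c, idf, unseen) for n, c in corpus.items()}
    names = list(vec)
    dist = {(a, b): 1.0 - cosine(vec[a], vec[b]) for a in names for b in names}
    clusters = [((n,), n) for n in names]          # (leaf names, subtree)
    while len(clusters) > 1:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                li, lj = clusters[i][0], clusters[j][0]
                d = sum(dist[a, b] for a in li for b in lj) / (len(li) * len(lj))
                if best is None or d < best[0]:
                    best = (d, i, j)
        d, i, j = best
        merged = (clusters[i][0] + clusters[j][0], (clusters[i][1], clusters[j][1], round(d, 3)))
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [merged]
    return clusters[0][1]


def leaves(tree):
    """Sample names under a dendrogram node."""
    return [tree] if isinstance(tree, str) else leaves(tree[0]) + leaves(tree[1])


if __name__ == "__main__":
    unknown = ["SEQ;IF;CALL;RET", "LOOP;IF;CALL;CALL;RET", "IF;IF;CALL;RET", "LOOP;RET"]
    print(search(unknown, SAMPLES))   # nearest known specimen first
    print(cluster(SAMPLES))           # dendrogram; cut it at a height to get families
```

Cutting the dendrogram at a chosen merge distance yields the candidate families; the merge heights along a branch are what the evolutionary analysis reads as relatedness between families, in the same way branch lengths are read in a phylogenetic tree.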

Related publications

Downloads

A free Java implementation is available upon request (email Juan Tapiador).

Stegomalware

We have designed a class of smartphone malware that uses steganographic techniques to hide malicious executable components within an app's assets. We call this "stegomalware" and argue that steganographic algorithms give malware writers a mechanism for hiding malicious payloads that is harder to detect than the obfuscation techniques currently in use. Our scheme supports several stegomalware architectures, depending on where the asset with hidden capabilities is located and on the algorithm required to extract it.

Current app markets may be vulnerable to stegomalware. Our prototype implementation of a stegomalware sample for Android is available for download from Google Play (see link below). We have also designed a detection system for stegomalware that combines steganalysis of the app's assets with the detection of steganographic algorithms in the app code.
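An added illustration of the asset-side half of such a detector, for one simple steganographic scheme: a payload written into the least significant bits of an asset's pixel bytes. The scheme, the constructed cover, the length-prefix framing and the fake payload are all assumptions of this example; none of it is the group's prototype, the LikeImage app, or their detection system, and the code-side detection of extraction routines is not shown.

```python
"""LSB payload hiding and a detector for executable payloads in the LSB plane
(added example; not the stegomalware prototype or its detector)."""
import random
import struct

# Headers of executable containers an Android app could load at runtime.
EXEC_MAGIC = {
    b"dex\n035\x00": "DEX (Dalvik executable)",
    b"PK\x03\x04": "ZIP/APK/JAR",
    b"\x7fELF": "ELF (native library)",
}

# Constructed cover: 64x64 8-bit grayscale pixels, deterministic noise.
COVER = bytes(random.Random(1).getrandbits(8) for _ in range(64 * 64))
# Constructed fake payload: carries only the DEX magic, not a real class file.
PAYLOAD = b"dex\n035\x00" + b"\x00" * 24 + b"constructed fake dex body"


def lsb_embed(pixels: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length plus payload into consecutive pixel LSBs."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("payload exceeds LSB capacity of the cover")
    out = bytearray(pixels)
    for i, byte in enumerate(data):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def lsb_extract(pixels: bytes, nbytes: int, offset: int = 0) -> bytes:
    """Read nbytes from the LSB plane, starting at pixel index `offset`."""
    out = bytearray()
    for i in range(nbytes):
        v = 0
        for bit in range(8):
            v = (v << 1) | (pixels[offset + i * 8 + bit] & 1)
        out.append(v)
    return bytes(out)


def scan_asset(pixels: bytes, max_offset: int = 64):
    """Look for an executable header in the LSB plane at small pixel offsets.

    Two framings are tried at each offset: the header at byte 0 of the stream,
    and the header right after a 4-byte length prefix (in which case the
    framed payload is recovered).  Returns a dict or None when nothing is found.
    """
    for offset in range(max_offset):
        if offset + 12 * 8 > len(pixels):
            break
        head = lsb_extract(pixels, 12, offset)
        for magic, fmt in EXEC_MAGIC.items():
            if head.startswith(magic):
                return {"format": fmt, "offset": offset, "payload": None}
            if head[4:].startswith(magic):
                length = struct.unpack(">I", head[:4])[0]
                if offset + (4 + length) * 8 <= len(pixels):
                    payload = lsb_extract(pixels, 4 + length, offset)[4:]
                    return {"format": fmt, "offset": offset, "payload": payload}
    return None


STEGO = lsb_embed(COVER, PAYLOAD)

if __name__ == "__main__":
    print("clean cover:", scan_asset(COVER))
    hit = scan_asset(STEGO)
    print("stego asset:", hit["format"], "at pixel offset", hit["offset"], len(hit["payload"]), "bytes")
```

This catches only the naive case (a recognizable container, plain LSB order, no encryption). A payload that is compressed or encrypted before embedding, or spread by a keyed permutation, shows no magic, which is why a detector for stegomalware also has to recognize the extraction algorithm in the app code and apply statistical steganalysis rather than rely on asset inspection alone.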

Related publications

Downloads
  • LikeImage, a stegomalware PoC available for download from Google Play.
  • For a copy of the source code or the stegomalware detection system, please contact Guillermo Suarez-Tangil.