Dr. Lisa Luo has received a research award from the National Science Foundation (NSF) for her research project "A Malware-Inspired Approach to Mobile Application Repackaging and Tampering Detection." This project is looking at ways to add repackaging detection capability into Android and iOS apps, so that the phones will be able to detect if an installed app has been tampered with.

Abstract
Mobile application ("app") repackaging is a severe threat to the flourishing mobile market and numerous users. 97% of the top paid Android apps and 87% of the iOS ones have been repackaged. Besides, it is one of the most common ways of propagating mobile malware. Existing countermeasures mostly detect repackaging based on app similarity measurement, which tends to be imprecise when obfuscations are applied to repackaged apps. Moreover, they rely on a centralized party, typically the hosting app store, to perform the detection, but many alternative app stores fail to commit proper effort to piracy detection. This research aims at an effective defense against app repackaging, and will result in substantial progress in tackling malware propagated via repackaged apps. It will help mitigate attacks such as ransomware or DDoS launched from repackaged apps. It will also help reduce the massive monetary loss of legitimate app developers. Industrial collaborations ensure that scientific discovery and technical knowledge are rapidly translated into beneficial commercial products. Educational resources from this project, including course modules on mobile security and malware detection, will be disseminated through a dedicated web site. This research will foster new research and education opportunities at the University of South Carolina. Students from underrepresented groups will participate in the project.

This research will explore a decentralized scheme that adds repackaging detection capability into the app to be protected, so that host devices are used to conduct detection while the app is running. The main challenge is how to protect the repackaging detection code from attacks. The research team proposes a novel malware-inspired approach to handling the important mobile app repackaging problem.
(1) The team will explore a creative use of logic bombs, which are regularly used in malware: the trigger conditions are constructed to exploit the differences between the attacker and users (in terms of hardware, sensor values, and inputs), such that a bomb that lies dormant on the attacker side will be activated on the user side. The repackaging detection code, which is packed as the bomb payload, is executed only if the bomb is activated. (2) Unlike many conventional software tampering detection techniques that try to conceal the detection code, this design leverages various methods used in malware and is non-stealthy, which means that the detection code is not hidden, yet is still resilient to attacks. (3) The proposed system also aims to detect code tampering, which occurs when malicious code is inserted and hence implies extraordinary dangers. (4) The decentralized repackaging/tampering detection is proposed to be used for crowdsourced malware information collection to fight against malware propagation. (5) Finally, the team is to address how to prevent the proposed techniques from being abused by malware authors.