Abstract
Android versions are released and iterated frequently, and the ecosystem is severely fragmented. Market share is scattered across many Android versions, which makes the risk posed by system-level vulnerabilities extensive and serious. To address the limitations of existing research, we design and implement VScanner, a new comprehensive system-level vulnerability detection system. VScanner is the first such system built with a Lua script engine as its core. It gives priority to dynamic detection by exploiting, with static detection by feature matching as a complement. Vulnerability triggers are developed as plugins, organized according to the vulnerability taxonomy by POCAS, which gives the system good scalability. We have implemented 18 plugins, all of which target high-risk system-level vulnerabilities. Experimental evaluation shows that VScanner has high efficiency, a low false alarm rate, and good vulnerability detection results.
Acknowledgements
This work is supported by The National Natural Science Foundation of China (No. 61602361).
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Zhang, J., Yao, Y., Li, X., Xie, J., Wu, G. (2017). An Android Vulnerability Detection System. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_13
DOI: https://doi.org/10.1007/978-3-319-64701-2_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64700-5
Online ISBN: 978-3-319-64701-2
eBook Packages: Computer Science, Computer Science (R0)