Conditional Context-Aware Detection for Android Malicious Virtualization Apps

Android virtualization applications is host applications and support dynamic loading of functional modules required by users in the form of plugins. Malicious developers use the above application features to hide their real attack intents in plugin applications for avoiding detection against the host applications. However, plugins are numerous and difficult to obtain and analyze, and existing pattern-based Android malicious virtualization application detection solutions have the problem of limited detectable application types. We propose a method based on contexts of conditional statements for detecting Android malicious virtualization applications and implement a prototype tools named MVFinder. The method takes the contextual environment in the Android virtualized application code that triggers loading or calling behaviors of plugin programs as the entry point to uncover the hidden maliciousness, for avoiding the need to consume a large amount of resources to try to obtain different kinds of plugin programs in real time or to parse the loading and running mode of the plugins one by one. At the same time, the method leverages the anomaly detection technique to discover data samples that differ significantly from the conditional contexts of most benignware, and thus identify the targeted malware, for avoiding the limitations of detecting with predefined rules. The experimental results show that this method outperforms the current representative schemes including VAHunt, Drebin, and Difuzer, in terms of accuracy and F1 score for detecting Android malicious virtualization application. Compared to VAHunt, MVFinder achieves identification of variants of HummingBad and PluginPhantom malicious application families. © 2024 Chinese Institute of Electronics. All rights reserved.