Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/96549

Full metadata record
| DC field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 林宗男 | zh_TW |
| dc.contributor.advisor | Tsung-Nan Lin | en |
| dc.contributor.author | 陳允中 | zh_TW |
| dc.contributor.author | Yun-Chung Chen | en |
| dc.date.accessioned | 2025-02-19T16:28:26Z | - |
| dc.date.available | 2025-02-20 | - |
| dc.date.copyright | 2025-02-19 | - |
| dc.date.issued | 2025 | - |
| dc.date.submitted | 2025-01-23 | - |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/96549 | - |
| dc.description.abstract | With over 1.5 million applications in the Play Store, Android has become the primary target of cybercriminals. Traditional malware detection methods often struggle against sophisticated detection-evasion techniques such as code obfuscation, timebombs, and environment checks. This dissertation addresses these challenges by proposing static and dynamic analysis strategies for detecting Android malware equipped with evasion capabilities. Our approach includes a code deobfuscation tool, interaction terms that reduce the interference caused by application size, and a dynamic anti-timebomb framework. Our static analysis method uses a code deobfuscation tool to recover original API calls from obfuscated API calls. Experimental results show that some of the recovered API calls are identified as important features by the malware detection model. In addition, we propose several obfuscation-invariant features, which are also identified as important features. Our static malware detection model outperforms existing methods on the Drebin dataset, achieving 99.55% accuracy and a 94.61% F1-score. Our dynamic analysis framework is designed to counter time-related trigger mechanisms (commonly called timebombs) by intercepting time-related API calls. To advance research in this area, we propose a benchmark application dataset for Android timebomb analysis covering eight common timebomb techniques. Our method successfully defuses five of them, including two that existing methods fail to handle. Experimental results on the Drebin dataset show that our framework significantly improves the performance of dynamic Android malware detection systems. | zh_TW |
| dc.description.abstract | With over 1.5 million applications available on Google Play, Android has become a prime target for cybercriminals. Traditional malware detection methods often fail against sophisticated evasion techniques such as code obfuscation, timebombs, and environment checks. This dissertation addresses these challenges by proposing a static and a dynamic analysis strategy to detect evasive Android malware. Our approach includes the use of code deobfuscation tools, interaction terms to mitigate the interference caused by application size, and a dynamic anti-timebomb framework. Our static analysis approach uses a code deobfuscation tool to recover original API calls from obfuscated ones. The experimental results show that some recovered API calls are identified as important features by the malware detection models. Additionally, we propose several obfuscation-invariant features, which have also been identified as important features. Our static malware detection model achieves 99.55% accuracy and a 94.61% F1-score on the Drebin dataset, outperforming existing methods. Our dynamic analysis framework is specifically designed to counteract time-related triggers, commonly known as timebombs, by intercepting time-related API calls. To advance research in this area, we propose a benchmark application dataset for Android timebomb analysis encompassing eight common timebomb techniques. Our approach successfully defuses five of the eight techniques, including two that previous methods failed to address. Experimental results on the Drebin dataset demonstrate that our framework significantly enhances the performance of dynamic Android malware detection systems. | en |
| dc.description.provenance | Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2025-02-19T16:28:26Z No. of bitstreams: 0 | en |
| dc.description.provenance | Made available in DSpace on 2025-02-19T16:28:26Z (GMT). No. of bitstreams: 0 | en |
| dc.description.tableofcontents | Abstract (Chinese) iii
Abstract v
Contents vii
List of Figures xiii
List of Tables xvii
Chapter 1 Introduction 1
  1.1 Motivations of the Dissertation 1
  1.2 Contribution of the Dissertation 3
  1.3 Dissertation Organization 5
Chapter 2 Background Information: Android Malware Detection and Defense Evasion Tactics 7
  2.1 Android Platform 7
    2.1.1 Android Operating System 7
    2.1.2 Android Package 9
    2.1.3 Android Application Build Process 17
  2.2 Android Malware 20
    2.2.1 Android Malware Detection Approaches 23
  2.3 Defense Evasion Tactics against Static Analysis 26
  2.4 Defense Evasion Tactics against Dynamic Analysis 29
    2.4.1 Anti-Debugger 31
    2.4.2 Anti-Sandbox 36
  2.5 Supervised Machine Learning 42
    2.5.1 Feature Relevance and Feature Redundancy 44
    2.5.2 Feature Engineering 45
Chapter 3 Obfuscation-resilient Malware Detection: Detecting Android Malware Using Code De-obfuscation and Obfuscation-invariant Features 47
  3.1 Introduction 47
  3.2 Related Work 49
    3.2.1 Malware Detection Approaches 49
      3.2.1.1 Signature-Based Detection Approach 50
      3.2.1.2 Static Analysis Approach 50
      3.2.1.3 Dynamic Analysis Approach 54
    3.2.2 Code Obfuscation and Deobfuscation 56
  3.3 Methodology: Obfuscation-resilient Malware Detection 58
    3.3.1 Feature Extraction 58
    3.3.2 API Deobfuscation and API Reverse Mapping 68
    3.3.3 Feature Embedding 71
    3.3.4 Supervised Learning 71
  3.4 Experiment Results 72
    3.4.1 Datasets 72
    3.4.2 Analysis Setup 73
    3.4.3 RQ1: How does the proposed system perform when using original API calls? 75
    3.4.4 RQ2: What is the impact of the deobfuscation technique on the system's performance? 78
    3.4.5 RQ3: Are the interaction-based features more effective than traditional structural features? 82
    3.4.6 Performance evaluation and comparison 87
  3.5 Case Study: Obfuscation-resilient Malware Detection on Modern Malware 91
    3.5.1 Datasets 91
    3.5.2 Experiment Results 92
    3.5.3 Discussion: Tekya malware's behavior and technique 95
Chapter 4 Android Timebomb Defuser: An Android Dynamic Anti-Timebomb Framework 97
  4.1 Introduction 97
  4.2 Motivation example: Timebomb 100
  4.3 Related Work 105
  4.4 Methodology: Android Dynamic Anti-Timebomb Framework 107
    4.4.1 Timestamp-APIs 107
    4.4.2 Delay-APIs 109
  4.5 Experiment Results 110
    4.5.1 Analysis Setup 110
    4.5.2 RQ: What is the effectiveness of our proposed framework compared to previous methods? 112
  4.6 Case Study: Dynamic Anti-Timebomb Malware Detection on Drebin Dataset 115
    4.6.1 Dataset 115
    4.6.2 Analysis Setup 116
    4.6.3 Experiment Results 117
Chapter 5 Conclusion and Future Work 119
  5.1 Conclusion 119
  5.2 Future Work 121
    5.2.1 Integrating Different De-obfuscation Methods 121
    5.2.2 Validate Meaningful Words in RDNs as Features 121
    5.2.3 Integrate Static and Dynamic Anti-Timebomb Techniques 122
References 123
Appendix A — APK Collection 143
Appendix B — Example of Timebomb technique 157 | - |
| dc.language.iso | en | - |
| dc.subject | Android Malware Detection | zh_TW |
| dc.subject | Timebomb | zh_TW |
| dc.subject | Feature Interaction | zh_TW |
| dc.subject | Code Deobfuscation | zh_TW |
| dc.subject | Anti-Evasion Technique | zh_TW |
| dc.subject | Android Dynamic Analysis | zh_TW |
| dc.subject | Android Static Analysis | zh_TW |
| dc.subject | Anti-Evasive Technique | en |
| dc.subject | Timebomb | en |
| dc.subject | Feature Interaction | en |
| dc.subject | Code Deobfuscation | en |
| dc.subject | Android Dynamic Analysis | en |
| dc.subject | Android Static Analysis | en |
| dc.subject | Android Malware Detection | en |
| dc.title | Detecting Android Malware in Static and Dynamic Analysis Using Anti-Evasion Techniques | zh_TW |
| dc.title | Anti-Evasion Techniques for Static and Dynamic Android Malware Detection | en |
| dc.type | Thesis | - |
| dc.date.schoolyear | 113-1 | - |
| dc.description.degree | Doctoral (Ph.D.) | - |
| dc.contributor.oralexamcommittee | 鄧惟中;蔡子傑;陳俊良;郭斯彥;雷欽隆;陳孟彰 | zh_TW |
| dc.contributor.oralexamcommittee | Wei-Chung Teng;Tzu-Chieh Tsai;Jiann-Liang Chen;Sy-Yen Kuo;Chin-Laung Lei;Meng-Chang Chen | en |
| dc.subject.keyword | Android Malware Detection, Android Static Analysis, Android Dynamic Analysis, Anti-Evasion Technique, Code Deobfuscation, Feature Interaction, Timebomb | zh_TW |
| dc.subject.keyword | Android Malware Detection, Android Static Analysis, Android Dynamic Analysis, Anti-Evasive Technique, Code Deobfuscation, Feature Interaction, Timebomb | en |
| dc.relation.page | 163 | - |
| dc.identifier.doi | 10.6342/NTU202500248 | - |
| dc.rights.note | Release authorized (open access worldwide) | - |
| dc.date.accepted | 2025-01-25 | - |
| dc.contributor.author-college | College of Electrical Engineering and Computer Science | - |
| dc.contributor.author-dept | Department of Electrical Engineering | - |
| dc.date.embargo-lift | 2025-02-20 | - |
| Appears in Collections: | Department of Electrical Engineering | |
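As an added illustration (not code from the dissertation or its benchmark dataset), the Python simulation below shows the mechanism the abstract describes for the dynamic framework: intercepting the Timestamp-APIs and Delay-APIs so that a sandbox run of a few minutes still reaches payloads that are gated on time. All class and function names (Clock, Scheduler, AntiTimebombHooks, timebomb_app, analyze) are hypothetical, the sample app and its timestamps are constructed, and only the Android API names mentioned in comments are real hook targets.

```python
# Added example, not code from the dissertation: a constructed simulation of
# the "intercept time-related API calls" idea. A sandbox that runs an app for
# a few minutes never reaches a payload gated on a timestamp comparison
# ("only after install + 7 days") or on a long delay ("postDelayed(payload,
# 24 h)"). Hooking the clock (Timestamp-APIs) and the delay primitives
# (Delay-APIs) lets the sandbox travel forward in time. Clock, Scheduler,
# AntiTimebombHooks, timebomb_app and analyze are hypothetical names.
import heapq

DAY_MS = 24 * 3600 * 1000
WEEK_MS = 7 * DAY_MS


class Clock:
    """Stand-in for the Timestamp-APIs (System.currentTimeMillis, Date,
    Calendar, SystemClock.elapsedRealtime). Time advances only when the event
    loop below moves it, as it would in an emulator."""

    def __init__(self, start_ms):
        self.now_ms = start_ms

    def current_time_millis(self):
        return self.now_ms


class Scheduler:
    """Stand-in for the Delay-APIs (Handler.postDelayed, Timer.schedule,
    AlarmManager.set, Thread.sleep). Callbacks run in due-time order."""

    def __init__(self, clock):
        self.clock = clock
        self._queue = []
        self._seq = 0

    def post_delayed(self, callback, delay_ms):
        self._seq += 1  # tie-breaker keeps insertion order for equal due times
        heapq.heappush(self._queue, (self.clock.now_ms + delay_ms, self._seq, callback))

    def run(self, budget_ms):
        """Run callbacks that fall due within the analysis budget, then stop."""
        deadline = self.clock.now_ms + budget_ms
        while self._queue and self._queue[0][0] <= deadline:
            due, _, callback = heapq.heappop(self._queue)
            self.clock.now_ms = max(self.clock.now_ms, due)
            callback()
        self.clock.now_ms = deadline


def timebomb_app(clock, scheduler, log, install_ms):
    """Constructed sample with two common timebomb patterns: a timestamp gate
    and a long delay. Both keep the payload dormant during a short run."""
    # Pattern 1: compare "now" against the stored installation time.
    if clock.current_time_millis() - install_ms >= WEEK_MS:
        log.append("payload_A:timestamp_gate")
    # Pattern 2: push the payload a full day into the future.
    scheduler.post_delayed(lambda: log.append("payload_B:delayed"), DAY_MS)


class AntiTimebombHooks:
    """Installs the two interceptions. Timestamp-APIs are shifted forward by a
    fixed offset; Delay-APIs have their delays clamped to a cap so scheduled
    work lands inside the analysis window. Every clock source must receive the
    same offset, or an app comparing two of them notices the warp."""

    def __init__(self, clock, scheduler, forward_ms, max_delay_ms):
        self.clock, self.scheduler = clock, scheduler
        self.forward_ms, self.max_delay_ms = forward_ms, max_delay_ms

    def install(self):
        real_now = self.clock.current_time_millis
        real_post = self.scheduler.post_delayed
        # Instance attributes shadow the class methods, the way a Frida or
        # Xposed hook replaces the implementation the app resolves at runtime.
        self.clock.current_time_millis = lambda: real_now() + self.forward_ms
        self.scheduler.post_delayed = lambda callback, delay_ms: real_post(
            callback, min(delay_ms, self.max_delay_ms)
        )


def analyze(defuse, budget_ms=5 * 60 * 1000):
    """Run the sample app under a 5-minute sandbox budget and return the
    payload log. With defuse=False both payloads stay dormant; with
    defuse=True both fire inside the budget."""
    install_ms = 1_700_000_000_000  # constructed install timestamp (ms since epoch)
    clock = Clock(install_ms + 60_000)  # first launch one minute after install
    scheduler = Scheduler(clock)
    if defuse:
        AntiTimebombHooks(clock, scheduler, forward_ms=30 * DAY_MS, max_delay_ms=1_000).install()
    log = []
    timebomb_app(clock, scheduler, log, install_ms)
    scheduler.run(budget_ms)
    return log


if __name__ == "__main__":
    print("plain sandbox:", analyze(defuse=False))
    print("with hooks   :", analyze(defuse=True))
```

Two caveats a practitioner would check before relying on this in a real sandbox. First, clamping a delay without advancing the virtual clock by the skipped amount is detectable: a sample that records the time before and after a sleep sees that far less time passed than it asked for, so a more robust variant moves every hooked clock forward by the original delay when the clamped callback runs. Second, local hooks only reach time sources on the device; a payload that takes its date from a remote server (an NTP reply or an HTTP Date header) is outside their reach, which is one reason a framework of this kind can defuse some timebomb patterns but not all of them.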
Files in this item:
| File | Size | Format | |
|---|---|---|---|
| ntu-113-1.pdf | 7.65 MB | Adobe PDF | View/Open |
All items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.
