Dual-force: Understanding webview malware via cross-language forced execution

Zhenhao Tang; Juan Zhai; Minxue Pan; Yousra Aafer; Shiqing Ma; Xiangyu Zhang; Jianhua Zhao

doi:10.1145/3238147.3238221

Dual-force: Understanding webview malware via cross-language forced execution

Zhenhao Tang, Juan Zhai, Minxue Pan, Yousra Aafer, Shiqing Ma, Xiangyu Zhang, Jianhua Zhao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Scopus citations

Abstract

Modern Android malwares tend to use advanced techniques to cover their malicious behaviors. They usually feature multi-staged, condition-guarded and environment-specific payloads. An increasing number of them utilize WebView, particularly the two-way communications between Java and JavaScript, to evade detection and analysis of existing techniques. We propose Dual-Force, a forced execution technique which simultaneously forces both Java and JavaScript code of WebView applications to execute along various paths without requiring any environment setup or providing any inputs manually. As such, the hidden payloads of WebView malwares are forcefully exposed. The technique features a novel execution model that allows forced execution to suppress exceptions and continue execution. Experimental results show that Dual-Force precisely exposes malicious payload in 119 out of 150 WebView malwares. Compared to the state-of-the-art, Dual-Force can expose 23% more malicious behaviors.

Original language	English (US)
Title of host publication	ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering
Editors	Christian Kastner, Marianne Huchard, Gordon Fraser
Publisher	Association for Computing Machinery, Inc
Pages	714-725
Number of pages	12
ISBN (Electronic)	9781450359375
DOIs	https://doi.org/10.1145/3238147.3238221
State	Published - Sep 3 2018
Externally published	Yes
Event	33rd IEEE/ACM International Conference on Automated Software Engineering, ASE 2018 - Montpellier, France Duration: Sep 3 2018 → Sep 7 2018

Publication series

Name	ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering

Conference

Conference	33rd IEEE/ACM International Conference on Automated Software Engineering, ASE 2018
Country/Territory	France
City	Montpellier
Period	9/3/18 → 9/7/18

All Science Journal Classification (ASJC) codes

Computational Theory and Mathematics
Human-Computer Interaction
Software

Keywords

Dynamic analysis
Forced execution
WebView malware

Access to Document

10.1145/3238147.3238221

Cite this

Tang, Z., Zhai, J., Pan, M., Aafer, Y., Ma, S., Zhang, X., & Zhao, J. (2018). Dual-force: Understanding webview malware via cross-language forced execution. In C. Kastner, M. Huchard, & G. Fraser (Eds.), ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering (pp. 714-725). (ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering). Association for Computing Machinery, Inc. https://doi.org/10.1145/3238147.3238221

Tang, Zhenhao ; Zhai, Juan ; Pan, Minxue et al. / Dual-force : Understanding webview malware via cross-language forced execution. ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. editor / Christian Kastner ; Marianne Huchard ; Gordon Fraser. Association for Computing Machinery, Inc, 2018. pp. 714-725 (ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering).

@inproceedings{db80d0614dc1467c9073561ac40f93f9,

title = "Dual-force: Understanding webview malware via cross-language forced execution",

abstract = "Modern Android malwares tend to use advanced techniques to cover their malicious behaviors. They usually feature multi-staged, condition-guarded and environment-specific payloads. An increasing number of them utilize WebView, particularly the two-way communications between Java and JavaScript, to evade detection and analysis of existing techniques. We propose Dual-Force, a forced execution technique which simultaneously forces both Java and JavaScript code of WebView applications to execute along various paths without requiring any environment setup or providing any inputs manually. As such, the hidden payloads of WebView malwares are forcefully exposed. The technique features a novel execution model that allows forced execution to suppress exceptions and continue execution. Experimental results show that Dual-Force precisely exposes malicious payload in 119 out of 150 WebView malwares. Compared to the state-of-the-art, Dual-Force can expose 23% more malicious behaviors.",

keywords = "Dynamic analysis, Forced execution, WebView malware",

author = "Zhenhao Tang and Juan Zhai and Minxue Pan and Yousra Aafer and Shiqing Ma and Xiangyu Zhang and Jianhua Zhao",

note = "Funding Information: We thank the anonymous reviewers for their constructive comments. This research is supported, in part, by DARPA under contract FA8650-15-C-7562, NSF under awards 1748764 and 1409668, ONR under contracts N000141410468 and N000141712947, and Sandia National Lab under award 1701331. It is also supported partially by the National Natural Science Foundation of China ?No. 61690204, No. 61632015, No. 6156111146394, No. 61502228?, the National Key R?D Program ?Grant #2016YFB1000802?, the Collaborative Innovation Center of Novel Software Technology and Industrialization, and the Fundamental Research Funds for the Central Universities ?021714380015?. Any opinions, findings, and conclusions in this paper are those of the authors only and do not necessarily reflect the views of our sponsors. Publisher Copyright: {\textcopyright} 2018 Association for Computing Machinery.; 33rd IEEE/ACM International Conference on Automated Software Engineering, ASE 2018 ; Conference date: 03-09-2018 Through 07-09-2018",

year = "2018",

month = sep,

day = "3",

doi = "10.1145/3238147.3238221",

language = "English (US)",

series = "ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering",

publisher = "Association for Computing Machinery, Inc",

pages = "714--725",

editor = "Christian Kastner and Marianne Huchard and Gordon Fraser",

booktitle = "ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering",

}

Tang, Z, Zhai, J, Pan, M, Aafer, Y, Ma, S, Zhang, X & Zhao, J 2018, Dual-force: Understanding webview malware via cross-language forced execution. in C Kastner, M Huchard & G Fraser (eds), ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, Association for Computing Machinery, Inc, pp. 714-725, 33rd IEEE/ACM International Conference on Automated Software Engineering, ASE 2018, Montpellier, France, 9/3/18. https://doi.org/10.1145/3238147.3238221

Dual-force : Understanding webview malware via cross-language forced execution. / Tang, Zhenhao; Zhai, Juan; Pan, Minxue et al.

ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. ed. / Christian Kastner; Marianne Huchard; Gordon Fraser. Association for Computing Machinery, Inc, 2018. p. 714-725 (ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Dual-force

T2 - 33rd IEEE/ACM International Conference on Automated Software Engineering, ASE 2018

AU - Tang, Zhenhao

AU - Zhai, Juan

AU - Pan, Minxue

AU - Aafer, Yousra

AU - Ma, Shiqing

AU - Zhang, Xiangyu

AU - Zhao, Jianhua

N1 - Funding Information: We thank the anonymous reviewers for their constructive comments. This research is supported, in part, by DARPA under contract FA8650-15-C-7562, NSF under awards 1748764 and 1409668, ONR under contracts N000141410468 and N000141712947, and Sandia National Lab under award 1701331. It is also supported partially by the National Natural Science Foundation of China ?No. 61690204, No. 61632015, No. 6156111146394, No. 61502228?, the National Key R?D Program ?Grant #2016YFB1000802?, the Collaborative Innovation Center of Novel Software Technology and Industrialization, and the Fundamental Research Funds for the Central Universities ?021714380015?. Any opinions, findings, and conclusions in this paper are those of the authors only and do not necessarily reflect the views of our sponsors. Publisher Copyright: © 2018 Association for Computing Machinery.

PY - 2018/9/3

Y1 - 2018/9/3

N2 - Modern Android malwares tend to use advanced techniques to cover their malicious behaviors. They usually feature multi-staged, condition-guarded and environment-specific payloads. An increasing number of them utilize WebView, particularly the two-way communications between Java and JavaScript, to evade detection and analysis of existing techniques. We propose Dual-Force, a forced execution technique which simultaneously forces both Java and JavaScript code of WebView applications to execute along various paths without requiring any environment setup or providing any inputs manually. As such, the hidden payloads of WebView malwares are forcefully exposed. The technique features a novel execution model that allows forced execution to suppress exceptions and continue execution. Experimental results show that Dual-Force precisely exposes malicious payload in 119 out of 150 WebView malwares. Compared to the state-of-the-art, Dual-Force can expose 23% more malicious behaviors.

AB - Modern Android malwares tend to use advanced techniques to cover their malicious behaviors. They usually feature multi-staged, condition-guarded and environment-specific payloads. An increasing number of them utilize WebView, particularly the two-way communications between Java and JavaScript, to evade detection and analysis of existing techniques. We propose Dual-Force, a forced execution technique which simultaneously forces both Java and JavaScript code of WebView applications to execute along various paths without requiring any environment setup or providing any inputs manually. As such, the hidden payloads of WebView malwares are forcefully exposed. The technique features a novel execution model that allows forced execution to suppress exceptions and continue execution. Experimental results show that Dual-Force precisely exposes malicious payload in 119 out of 150 WebView malwares. Compared to the state-of-the-art, Dual-Force can expose 23% more malicious behaviors.

KW - Dynamic analysis

KW - Forced execution

KW - WebView malware

UR - http://www.scopus.com/inward/record.url?scp=85056499855&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85056499855&partnerID=8YFLogxK

U2 - 10.1145/3238147.3238221

DO - 10.1145/3238147.3238221

M3 - Conference contribution

AN - SCOPUS:85056499855

T3 - ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering

SP - 714

EP - 725

BT - ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering

A2 - Kastner, Christian

A2 - Huchard, Marianne

A2 - Fraser, Gordon

PB - Association for Computing Machinery, Inc

Y2 - 3 September 2018 through 7 September 2018

ER -

Tang Z, Zhai J, Pan M, Aafer Y, Ma S, Zhang X et al. Dual-force: Understanding webview malware via cross-language forced execution. In Kastner C, Huchard M, Fraser G, editors, ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. Association for Computing Machinery, Inc. 2018. p. 714-725. (ASE 2018 - Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering). doi: 10.1145/3238147.3238221

Dual-force: Understanding webview malware via cross-language forced execution

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Keywords

Access to Document

Other files and links

Fingerprint

Cite this