adamjanovsky/AndroidMalwareCrypto

AndroidMalwareCrypto

This tool allows for the analysis of cryptographic API usage in Android applications. It was developed specifically to compare cryptographic API usage in benign and malicious applications and contains a (weak) malware classifier based purely on cryptographic API features. We strive to provide an end-to-end solution, delivering all steps of the analysis:

  1. Decompilation of the APKs,
  2. collection of cryptographic API usage in the decompiled code by regex matching,
  3. exploratory data analysis of crypto API in your dataset,
  4. training and evaluation of malware classifier based on crypto API features,
  5. explanations of the classifier using SHAP.
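As an added illustration of step 2 (this is example code written for this page, not the project's own extraction code): the function below collects cryptographic API calls from decompiled Java source by regex matching and flattens them into a count feature vector of the kind a classifier (step 4) consumes. The regexes, the set of tracked APIs, the `WEAK_TOKENS` list and the sample source are this example's own assumptions; the sample is constructed and does not come from any real APK.

```python
"""Regex-based collection of cryptographic API usage from decompiled Java.

Added example, not the project's own code. The API patterns and the
"weak" list are assumptions made for illustration only.
"""
import re
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample of decompiled Java source (not from any real APK).
SAMPLE_SOURCE = """
package com.example.app;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
public class Crypto {
    static byte[] enc(byte[] k, byte[] d) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, "AES"));
        return c.doFinal(d);
    }
    static byte[] hash(byte[] d) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return md.digest(d);
    }
    static Cipher legacy() throws Exception {
        return Cipher.getInstance("DES");
    }
}
"""

# One regex per API entry point; group 1 (where present) captures the
# transformation or algorithm string passed to the call.
API_PATTERNS = {
    "Cipher.getInstance": re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"'),
    "MessageDigest.getInstance": re.compile(r'MessageDigest\.getInstance\(\s*"([^"]+)"'),
    "SecretKeySpec": re.compile(r'new\s+SecretKeySpec\([^,)]+,\s*"([^"]+)"'),
    "KeyGenerator.getInstance": re.compile(r'KeyGenerator\.getInstance\(\s*"([^"]+)"'),
    "SecureRandom": re.compile(r'new\s+SecureRandom\s*\('),
}

# Example-only list of algorithms and modes flagged as weak.
WEAK_TOKENS = {"DES", "RC4", "MD5", "SHA1", "SHA-1", "ECB"}


def extract_calls(source: str) -> Dict[str, Counter]:
    """Return {api_name: Counter(algorithm -> occurrences)} for one source file."""
    found: Dict[str, Counter] = {}
    for api, pattern in API_PATTERNS.items():
        counter: Counter = Counter()
        for match in pattern.finditer(source):
            # Calls without a string argument are counted under a fixed key.
            algo = match.group(1).upper() if pattern.groups else "<no-arg>"
            counter[algo] += 1
        if counter:
            found[api] = counter
    return found


def feature_vector(source: str) -> Dict[str, int]:
    """Flatten extracted calls into 'api|algorithm' -> count features."""
    features: Dict[str, int] = {}
    for api, counter in extract_calls(source).items():
        for algo, n in counter.items():
            features[f"{api}|{algo}"] = n
    return features


def weak_usages(source: str) -> List[Tuple[str, str]]:
    """List (api, algorithm) pairs whose algorithm or mode is in WEAK_TOKENS.

    A transformation such as "AES/ECB/PKCS5PADDING" is split on '/' and '-'
    so that a weak mode is caught even when the cipher itself is fine.
    """
    out: List[Tuple[str, str]] = []
    for api, counter in extract_calls(source).items():
        for algo in counter:
            tokens = set(re.split(r"[/\-]", algo)) | {algo}
            if tokens & WEAK_TOKENS:
                out.append((api, algo))
    return out


def features_for_dir(root: str) -> Dict[str, int]:
    """Aggregate feature counts over every .java file under a decompiled APK tree."""
    total: Counter = Counter()
    for path in Path(root).rglob("*.java"):
        total.update(feature_vector(path.read_text(errors="ignore")))
    return dict(total)


if __name__ == "__main__":
    print(feature_vector(SAMPLE_SOURCE))
    print(weak_usages(SAMPLE_SOURCE))
```

Run `features_for_dir("<decompiled-apk-dir>")` on the output of step 1 to get one feature dictionary per APK; the keys double as the feature names that a SHAP explanation (step 5) would report.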

We provide a Docker image to foster experiment reproducibility. Additionally, we describe our controlled environment and give guidance for anyone who wishes to fully replicate our research in our docs.


Paper

This repository accompanies the following paper

A Longitudinal Study of Cryptographic API: a Decade of Android Malware.
Conference: SECRYPT 2022
Paper pdf: arXiv:2205.05573

You can cite this research as follows.

@inproceedings{2022-secrypt-janovsky,
title = {{A Longitudinal Study of Cryptographic API: A Decade of Android Malware}},
author = {Adam Janovsky and Davide Maiorca and Dominik Macko and Vashek Matyas and Giorgio Giacinto},
booktitle = {Proceedings of the 19th International Conference on Security and Cryptography},
pages = {121--133},
year = {2022},
isbn = {978-989-758-590-6},
issn = {2184-7711},
doi = {10.5220/0011265300003283},
url = {https://github.com/adamjanovsky/AndroidMalwareCrypto},
keywords = {cryptolibs, malware, Android}
}

Installation

The project is written in and tested on Python 3.8. Apart from bare Python, the tool requires integration with some patched repositories. Due to the complex installation process, we offer a Docker image of our tool that can be run interactively. In addition, the Dockerfile contains concise instructions on how to install our tool on vanilla Ubuntu.

Quickstart

You can run a complete analysis on a toy dataset (~100 APKs) in Docker using the following commands.

  1. Install Docker if you haven't already,
  2. pull the image with docker pull adamjanovsky/cryptomlw:latest,
  3. run the image interactively with docker run -it adamjanovsky/cryptomlw,
  4. now you can run the experiment with cd AndroidMalwareCrypto && ./examples/sample_experiment/execute_sample_experiment.sh,
  5. you can then view the output of the experiment in /home/user/AndroidMalwareCrypto/AndroidMalwareCrypto/examples/sample_experiment/data. You can also compare the output you obtained with the template output located in experiment_output and experiment_report.

It is recommended that you set up a Docker volume outside of the container and use it in combination with the image, so that the results are stored in a local folder outside of the Docker container rather than lost when the container is removed.
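One way to script the Quickstart with persistent output, as an added example that is not part of the project (the image name, the experiment command and the output path are quoted from the steps above; the volume and container names, and the assumption that the image's default command is a shell, are this example's own):

```sh
#!/bin/sh
# Added example, not part of the AndroidMalwareCrypto project: run the
# sample experiment with its output directory on a named Docker volume,
# then copy the results to a host directory.
# Assumptions: DATA_DIR is the output path quoted in step 5 of the
# Quickstart; VOLUME and CONTAINER are arbitrary names chosen here.
set -eu

IMAGE="adamjanovsky/cryptomlw:latest"
DATA_DIR="/home/user/AndroidMalwareCrypto/AndroidMalwareCrypto/examples/sample_experiment/data"
EXPERIMENT="cd AndroidMalwareCrypto && ./examples/sample_experiment/execute_sample_experiment.sh"
VOLUME="${VOLUME:-cryptomlw-data}"
CONTAINER="${CONTAINER:-cryptomlw-run}"

# Print the docker run command line for a given volume ($1) and container
# name ($2). A named volume, unlike a bind mount of an empty host directory,
# is pre-populated with whatever the image already ships under DATA_DIR, so
# any inputs stored there are not hidden by the mount.
build_run_cmd() {
  printf 'docker run -it --name %s -v %s:%s %s sh -c "%s"\n' \
    "$2" "$1" "$DATA_DIR" "$IMAGE" "$EXPERIMENT"
}

# Pull the image, run the experiment once, and copy the results to $1.
run_sample_experiment() {
  host_out="$1"
  mkdir -p "$host_out"
  docker pull "$IMAGE"
  docker volume create "$VOLUME" >/dev/null
  docker run -it --name "$CONTAINER" -v "$VOLUME:$DATA_DIR" "$IMAGE" sh -c "$EXPERIMENT"
  # Copy results out of the stopped container; the volume keeps them for reruns.
  docker cp "$CONTAINER:$DATA_DIR/." "$host_out/"
  docker rm "$CONTAINER" >/dev/null
  echo "results copied to $host_out"
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
  run_sample_experiment "${2:-$PWD/cryptomlw-output}"
fi
```

Invoke as `sh run_sample.sh --run ./out`; if the image defines an entrypoint that is not a shell, replace the `sh -c "$EXPERIMENT"` part with the form the image expects.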

Analyze your own large dataset

Analyzing a large dataset (>100 APKs) in Docker can be slow. For that reason, we recommend that you visit our docs, where the full protocol for replicating our research is written.

License

This project is licensed under the MIT license.

Project status & Contributing

We consider this project to be complete on the Android platform. Still, we plan to continue our exploration of cryptography in malware on other platforms. If you would like to help us with these efforts, have discovered a bug, or want to enhance the functionality of androidcrypto, please do not hesitate to open an issue or contact the authors.

Authors

The study is a joint work of the Center for Research on Cryptography and Security at MUNI and the University of Cagliari.

Adam Janovsky (adamjanovsky@mail.muni.cz) is the corresponding author.