UniLU's TSOPEN



Functional Components Description

Logic bombs are mechanisms used by malicious apps to evade detection techniques. Typically, an attacker uses a logic bomb to trigger the malicious code only under certain chosen circumstances (e.g. only at a given date) to avoid being detected by the analysis. The goal of TSOpen is to detect such logic bombs. The approach used to perform the detection is fully static and combines multiple techniques such as symbolic execution, path predicate reconstruction, path predicate minimization, and inter-procedural control-dependency analysis. In a first version, TSOpen will focus on detecting triggers related to time, location and SMS.

TSOpen is built on top of FlowDroid, which provides a useful model of the Android Framework on which one can easily apply algorithms. Figure 3.16 provides an overview of the tool. First, an inter-procedural control flow graph (ICFG) is retrieved from FlowDroid, on which TSOpen applies symbolic execution in order to retrieve the semantics of objects of interest. Then simple predicates are retrieved during the block predicate recovery step to annotate the ICFG. The annotated ICFG is then used to retrieve the full path predicate of every instruction. A predicate minimization algorithm is then applied in order to rule out false dependencies. Afterwards, a first decision is taken during the predicate classification step to get suspicious predicates. Finally, a control dependency step is applied in order to take the decision regarding the suspiciousness of the potential logic bomb under study.
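The path predicate recovery, minimization and classification steps described above can be illustrated on a toy graph. This is an added, simplified Python example, not TSOpen's code: the CFG, the condition names and the SOURCES table (standing in for the symbolic execution results) are constructed, and the final control dependency step is not modelled.

```python
# Constructed toy CFG: node -> [(successor, guard)]; guard is None or (condition, polarity).
CFG = {
    "entry": [("b1", ("date_after_trigger", True)), ("b2", ("date_after_trigger", False))],
    "b1": [("b3", ("debug", True)), ("b4", ("debug", False))],
    "b2": [("log", None)],
    "b3": [("send", None)],
    "b4": [("send", None)],
    "send": [("log", None)],
    "log": [],
}
# Assumed result of symbolic execution: what each condition's operands derive from.
SOURCES = {"date_after_trigger": "time", "debug": "constant"}
SENSITIVE = {"time", "location", "sms"}

def path_predicate(cfg, entry, target):
    """Full path predicate of target in DNF: a set of conjunctions of guard literals."""
    dnf = set()
    def walk(node, lits):
        if node == target:
            dnf.add(lits)
            return
        for succ, guard in cfg[node]:
            walk(succ, lits | ({guard} if guard else set()))
    walk(entry, frozenset())
    return dnf

def minimize(dnf):
    """Rule out false dependencies: (A and c) or (A and not c) reduces to A."""
    dnf = set(dnf)
    merged = True
    while merged:
        merged = False
        for a in list(dnf):
            for b in list(dnf):
                diff = a ^ b  # literals present in exactly one conjunction
                if len(a) == len(b) and len(diff) == 2 and len({n for n, _ in diff}) == 1:
                    dnf -= {a, b}
                    dnf.add(a & b)
                    merged = True
                    break
            if merged:
                break
    # Absorption: drop any conjunction that strictly contains another one.
    return {c for c in dnf if not any(o < c for o in dnf)}

def suspicious(dnf, sources):
    """Classify: does the minimized predicate still depend on a sensitive source?"""
    return any(sources.get(name) in SENSITIVE for conj in dnf for name, _ in conj)
```

For the "send" node, minimization removes the dependency on "debug" and leaves only the time-derived condition, so the predicate is flagged; for "log", which is reached on every path, the predicate reduces to true and nothing is flagged.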


Services provided

Support platform for R + D + I projects

The TSOpen tool was developed under an internal project at the University of Luxembourg. It is to be used to detect so-called logic bombs in potential new Android malware. If its precision proves to be effective, the tool could be applied to Android applications before they enter a store.

Benchmarking, evaluation and / or certification of products and / or services

It has been evaluated on several hundred thousand applications.

Training

The approaches used for building this tool could be used as support for training in static analysis methods for Android applications.

Support for awareness actions or generation of Functional Safety culture in different domains

Currently, anti-malware companies have increasing concerns about the growing number of new malware samples and new malicious techniques used in applications. Security threats are ubiquitous in today's mobile devices. Therefore, new approaches could be leveraged in order to mitigate those threats.


Keywords

Logic bomb detection, Android Security


Services

  • Support platform for R + D + I projects: detects so-called logic bombs in potential new Android malware. If its precision proves to be effective, the tool could be applied to Android applications before they enter a store.

  • Training: The approaches used for building this tool could be used as support for training in static analysis methods for Android applications.

  • Support for awareness actions or generation of Functional Safety culture in different domains: Currently, anti-malware companies have increasing concerns about the growing number of new malware samples and new malicious techniques used in applications. Security threats are ubiquitous in today's mobile devices. Therefore, new approaches could be leveraged in order to mitigate those threats.


Technical equipment

-


Use request

Non-profit