Anti-Plugin: Don't Let Your App Play as an Android Plugin

Presented at Black Hat Asia 2017, March 30, 2017, 11:45 a.m. (60 minutes).

The Android plugin technology is an innovative application-level virtualization framework that allows a mobile application to dynamically load and launch another app without installing the app. This technology was originally developed for purposes of hot patching and reducing the released APK size. The primary application of this technology is to satisfy the growing demand for launching multiple instances of a same app on the same device, such as log in two Twitter accounts for the personal and business simultaneously. The most popular app powered by this technology, Parallel Space, has been installed 50 million times in Google Play.<br><br> However, as we know, it never takes malware authors long to catch on to new mobile trends. In the wild, by applying the plugin technology, a newly discovered Android malware "Dual-instance" dynamically loads and launches the original Twitter app's APK file within itself and also hijacks user's inputs (e.g. password) to launch the phishing attack. Besides, after we have comprehensively analyzed security risks of the Android plugin technology, we find that the data stored by the plugin app can be stolen by the malicious host app or other plugin apps. In our Wildfire product, we have captured 64,058 samples using the Android plugin technology, among which 61,172 samples are malicious or grey. Thus, the Android plugin technology is becoming a new security threat to normal Android apps. <br><br> Our proposal demystifies the Android plugin technology in depth, explains the underlying attack vector and investigates fundamental security problems. We propose a lightweight defense mechanism and release a library, named "Plugin-Killer", which prevents an Android app from being launched by the host app using the Android plugin technology. Once a normal Android app embeds the library, the app can detect the Android plugin environment and terminates itself when it is launched.

Presenters:

  • Zhi Xu - Principal Malware Research Engineer, Palo Alto Networks
    Zhi Xu is a Researcher in the Security Research Group of Palo Alto Networks. He works on mobile security, mobile malware analysis, automatic app analysis, etc. Prior to joining the company, he received a Ph.D. degree in computer science from Pennsylvania State University in 2012.
  • Cong Zheng - Mobile Security Research Engineer, Palo Alto Networks
    Cong Zheng is a Mobile Security Researcher at Palo Alto Networks. His research mainly focuses on Android malware analysis and detection, program analysis, and system security. He has developed several Android security systems/tools including the SmartDroid, ARTDroid and APKInspector.
  • Tongbo Luo - Principle Security Engineer, Palo Alto Networks
    Tongbo Luo is a Principle Security Researcher at Palo Alto Networks. His current research interests include cybersecurity, mobile security and security data analysis. He obtained his M.S. and Ph.D. in computer science from Syracuse University in 2014.
  • Xin Ouyang - Sr Mgr, SW Engineering, Palo Alto Networks
    Xin Ouyang is a Sr Manager at Palo Alto Networks.

Links:

Similar Presentations: