Cryptography has been extensively used in Android applications to guarantee secure communications, conceal critical data from reverse engineering, or ensure mobile users' privacy. Various system-based and third-party libraries for Android provide cryptographic functionalities, and previous works mainly explored the misuse of cryptographic API in benign applications. However, the role of cryptographic API has not yet been explored in Android malware. This paper performs a comprehensive, longitudinal analysis of cryptographic API in Android malware. In particular, we analyzed $603\,937$ Android applications (half of them malicious, half benign) released between $2012$ and $2020$, gathering more than 1 million cryptographic API expressions. Our results reveal intriguing trends and insights on how and why cryptography is employed in Android malware. For instance, we point out the widespread use of weak hash functions and the late transition from insecure DES to AES. Additionally, we show that cryptography-related characteristics can help to improve the performance of learning-based systems in detecting malicious applications.
翻译:Android应用中广泛使用了加密法,以保证通信安全,从逆向工程中隐藏关键数据,或确保移动用户的隐私。Android的各种系统图书馆和第三方图书馆提供加密功能,以前的工作主要探索了在良性应用中滥用加密API的情况。然而,在Android恶意软件中尚未探索加密API的作用。本文对Android恶意软件中的加密API进行了全面纵向分析。特别是,我们分析了603\ 937美元和机器人应用(其中半数为恶意,半良性)在2012万美元和2020万美元之间释放,收集了100多万个加密API表达方式。我们的结果揭示了在Android恶意软件中如何和为什么使用加密法的趋势和洞察力。例如,我们指出,虚弱的功能被广泛使用,以及从不安全的DES向AES的延迟过渡。此外,我们表明,与加密有关的特性有助于改进基于学习的系统在检测恶意应用方面的性能。