Detecting evidence of steganography in android apps through program analysis

Abstract

Steganography is gaining popularity in recent years due to its strength in covert communication and information hiding. Image steganography apps in particular, has been steadily growing thanks to the processing power of modern smartphones that makes steganography easy to use for regular users. Although steganography is not malicious by nature, it can be a dangerous tool when used for illicit purposes such as malware, industrial espionage, or terrorist communications. Therefore it is important for digital forensics practitioners to have tools that can detect real world steganography apps and the stego images produced by such apps. However, large gap exists between academic research and practical forensics applications as existing research in steganography and malware detection has not paid attention to real world steganography apps.

In this work, we aim to fill the gap by studying real world Android stego apps and developing detection methods against them. Through a preliminary study, we find that it is feasible to reverse engineer real world stego apps and use the knowledge to improve existing stego detection methods. We conduct a large scale study on the existing Android stego apps available on Google Play Store, Github, and F-Droid repositories, and discover unique embedding characteristics and algorithms that are not seen in existing academic research. Using our stego app collection, we create the first mobile stego image benchmark database which greatly improves the effectiveness of existing machine learning steganalysis methods. We propose a signature-based stego image detection method which can be highly efficient and effective in utilizing the knowledge gained from reverse engineering Android stego apps. Lastly, we develop a behavior-based stego app detection framework that can effectively detect stego apps that implement common embedding algorithms.