Automatic Detection of Android Steganography Apps via Symbolic Execution and Tree Matching

Thumbnail Image
Chen, Wenhao
Lin, Li
Newman, Jennifer
Guan, Yong
Major Professor
Committee Member
Journal Title
Journal ISSN
Volume Title
© 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Research Projects
Organizational Units
Organizational Unit
Center for Statistics and Applications in Forensic Evidence
The Center for Statistics and Applications in Forensic Evidence (CSAFE) carries out research on the scientific foundations of forensic methods, develops novel statistical methods and transfers knowledge and technological innovations to the forensic science community. We collaborate with more than 80 researchers and across six universities to drive solutions to support our forensic community partners with accessible tools, open-source databases and educational opportunities.
Journal Issue
Is Version Of
The recent focus of cyber security on automated detection of malware for Android apps has omitted the study of some apps used for "legitimate" purposes, such as steganography apps. Mobile steganography apps can be used for delivering harmful messages, and while current research on steganalysis targets the detection of stego images using academic algorithms and well-built benchmarking image data sets, the community has overlooked uncovering a mobile app itself for its ability to perform steganographic embedding. Developing automatic tools for identifying the code in a suspect app as a stego app can be very challenging: steganography algorithms can be represented in a variety of ways, and there exists many image editing algorithms which appear similar to steganography algorithms. This paper proposes the first automated approach to detect Android steganography apps. We use symbolic execution to summarize an app’s image operation behavior into expression trees, and match the extracted expression trees with reference trees that represents the expected behavior of a steganography embedding process. We use a structural feature based similarity measure to calculate the similarity between expression trees. Our experiments show that, the propose approach can detect real world Android stego apps that implement common spatial domain and frequency domain embedding algorithms with a high degree of accuracy. Furthermore, our procedure describes a general framework that has the potential to be applied to other similar questions when studying program behaviors.
This is a manuscript of a proceeding published as W. Chen, L. Lin, J. Newman and Y. Guan, "Automatic Detection of Android Steganography Apps via Symbolic Execution and Tree Matching," 2021 IEEE Conference on Communications and Network Security (CNS), 2021, pp. 254-262, doi: 10.1109/CNS53000.2021.9705047. Posted with permission of CSAFE.