Automatic Detection of Android Steganography Apps via Symbolic Execution and Tree Matching

Chen, Wenhao; Lin, Li; Newman, Jennifer; Guan, Yong

Automatic Detection of Android Steganography Apps via Symbolic Execution and Tree Matching

File

2021-Chen-AutomaticDetectionManuscript.pdf (1.32 MB)

Date

2021

Authors

Chen, Wenhao

Lin, Li

Newman, Jennifer

Guan, Yong

Publisher

© 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Organizational Units

Organizational Unit

Center for Statistics and Applications in Forensic Evidence

Department

Center for Statistics and Applications in Forensic Evidence

Abstract

The recent focus of cyber security on automated detection of malware for Android apps has omitted the study of some apps used for "legitimate" purposes, such as steganography apps. Mobile steganography apps can be used for delivering harmful messages, and while current research on steganalysis targets the detection of stego images using academic algorithms and well-built benchmarking image data sets, the community has overlooked uncovering a mobile app itself for its ability to perform steganographic embedding. Developing automatic tools for identifying the code in a suspect app as a stego app can be very challenging: steganography algorithms can be represented in a variety of ways, and there exists many image editing algorithms which appear similar to steganography algorithms. This paper proposes the first automated approach to detect Android steganography apps. We use symbolic execution to summarize an app’s image operation behavior into expression trees, and match the extracted expression trees with reference trees that represents the expected behavior of a steganography embedding process. We use a structural feature based similarity measure to calculate the similarity between expression trees. Our experiments show that, the propose approach can detect real world Android stego apps that implement common spatial domain and frequency domain embedding algorithms with a high degree of accuracy. Furthermore, our procedure describes a general framework that has the potential to be applied to other similar questions when studying program behaviors.

Comments

This is a manuscript of a proceeding published as W. Chen, L. Lin, J. Newman and Y. Guan, "Automatic Detection of Android Steganography Apps via Symbolic Execution and Tree Matching," 2021 IEEE Conference on Communications and Network Security (CNS), 2021, pp. 254-262, doi: 10.1109/CNS53000.2021.9705047. Posted with permission of CSAFE.