VAHunt: Warding Off New Repackaged Android Malware in App-Virtualization's Clothing

Repackaging popular benign apps with malicious payload used to be the most common way to spread Android malware. Nevertheless, since 2016, we have observed an alarming new trend to Android ecosystem: a growing number of Android malware samples abuse recent app-virtualization innovation as a new distribution channel. App-virtualization enables a user to run multiple copies of the same app on a single device, and tens of millions of users are enjoying this convenience. However, cybercriminals repackage various malicious APK files as plugins into an app-virtualization platform, which is flexible to launch arbitrary plugins without the hassle of installation. This new style of repackaging gains the ability to bypass anti-malware scanners by hiding the grafted malicious payload in plugins, and it also defies the basic premise embodied by existing repackaged app detection solutions. As app-virtualization-based apps are not necessarily malware, in this paper, we aim to make a verdict on them prior to run time. Our in-depth study results in two key observations: 1) the proxy layer between plugin apps and the Android framework is the core of app-virtualization mechanism, and it reveals the feature of finite state transitions; 2) malware typically loads plugins stealthily and hides malicious behaviors. These insights motivate us to develop a two-layer detection approach, called VAHunt. First, we design a stateful detection model to identify the existence of an app-virtualization engine in APK files. Second, we perform data flow analysis to extract fingerprinting features to differentiate between malicious and benign loading strategies. Since October 2019, we have tested VAHunt in Antiy AVL Mobile Security, a leading mobile security company, to detect more than 139K app-virtualization-based samples. Compared with the ground truth, VAHunt achieves 0.7% false negatives and zero false positive. Our automated detection frees security analysts from the burden of reverse engineering.