androidmalwarecrypto
The analysis of cryptography in Android malicious applications
Science Score: 28.0%
This score indicates how likely this project is to be science-related, based on the following indicators:
- ✓ CITATION.cff file: found
- ○ codemeta.json file
- ○ .zenodo.json file
- ○ DOI references
- ✓ Academic publication links: links to arxiv.org
- ○ Academic email domains
- ○ Institutional organization owner
- ○ JOSS paper metadata
- ○ Scientific vocabulary similarity: low similarity (12.4%) to scientific vocabulary
Repository
The analysis of cryptography in Android malicious applications
Basic Info
- Host: GitHub
- Owner: adamjanovsky
- License: mit
- Language: Jupyter Notebook
- Default Branch: main
- Size: 91.6 MB
Statistics
- Stars: 5
- Watchers: 1
- Forks: 0
- Open Issues: 9
- Releases: 0
Metadata Files
README.md
AndroidMalwareCrypto
This tool allows for an analysis of cryptographic API usage in Android applications. It was developed specifically to compare cryptographic API usage in benign vs. malicious applications and contains a (weak) malware classifier based purely on cryptographic API features. We strive to provide an end-to-end solution, delivering all steps of the analysis:
1. decompilation of the APKs,
2. collection of cryptographic API usage in the decompiled binaries by regex matching,
3. exploratory data analysis of crypto API usage in your dataset,
4. training and evaluation of a malware classifier based on crypto API features,
5. explanations of the classifier using SHAP.
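As an added illustration of step 2 (and of the fixed-order feature vectors that step 4 consumes), not the project's own code: a small regex-based extractor run over constructed decompiled-Java fragments. The API names, regexes and feature keys are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed decompiled-Java fragments standing in for one decompiled APK (sample input, not the project's dataset).
SAMPLE_SOURCES = {
    "com/example/app/Net.java": '''
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, "AES"));
        return c.doFinal(d);''',
    "com/example/app/Hash.java": '''
        MessageDigest md = MessageDigest.getInstance("MD5");
        return md.digest(d);''',
}

# JCA/JCE entry points (assumed set): factory calls on provider classes, the algorithm
# string passed to them, well-known instance methods, and key/parameter spec constructors.
STATIC_CALL = re.compile(
    r"\b(Cipher|MessageDigest|Mac|Signature|KeyGenerator|KeyPairGenerator|"
    r"SecureRandom|KeyFactory|SecretKeyFactory)\.(getInstance|getInstanceStrong)\(")
ALGO_STRING = re.compile(r'getInstance\(\s*"([^"]+)"')
INSTANCE_CALL = re.compile(
    r"\.(doFinal|update|digest|init|sign|verify|generateKey|generateKeyPair|nextBytes)\(")
CTOR = re.compile(r"\bnew\s+(SecretKeySpec|IvParameterSpec|GCMParameterSpec|PBEKeySpec)\(")

def extract_features(code: str) -> Counter:
    """Count crypto API usages in one decompiled source file, keyed by kind of usage."""
    feats = Counter()
    for cls, meth in STATIC_CALL.findall(code):
        feats[f"static:{cls}.{meth}"] += 1
    for algo in ALGO_STRING.findall(code):
        feats[f"algo:{algo}"] += 1          # e.g. algo:AES/ECB/PKCS5Padding
    for meth in INSTANCE_CALL.findall(code):
        feats[f"call:{meth}"] += 1
    for cls in CTOR.findall(code):
        feats[f"new:{cls}"] += 1
    return feats

def dataset_features(sources: dict) -> Counter:
    """Aggregate per-file counts into one feature set for the whole APK."""
    total = Counter()
    for code in sources.values():
        total.update(extract_features(code))
    return total

def feature_vector(feats: Counter, vocab: list) -> list:
    """Fixed-order numeric vector over a shared vocabulary, as a classifier needs (absent features are 0)."""
    return [feats.get(name, 0) for name in vocab]
```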
We provide a Docker image to foster experiment reproducibility. Additionally, we describe our controlled environment and give guidance for anyone who wishes to fully replicate our research in our docs.
Paper
This repository accompanies the following paper:
A Longitudinal Study of Cryptographic API: a Decade of Android Malware.
- Conference: SECRYPT 2022
- Paper pdf: arXiv:2205.05573
You can cite this research as follows.
https://github.com/adamjanovsky/AndroidMalwareCrypto/blob/4c749e3eabc8c0ec0373be9e3fc99d2c4b562a6e/CITATION.bib#L1-L12
Installation
The project is written and tested on Python 3.8. Apart from bare Python, the tool requires integration with some patched repositories. Due to the complex installation process, we offer a Docker image of our tool that can be run interactively. In addition, the Dockerfile contains concise instructions on how to install our tool on vanilla Ubuntu.
Quickstart
You can run a complete analysis on a toy dataset (~100 APKs) in Docker using the following commands.
- Install Docker if you haven't already,
- pull the image with: docker pull adamjanovsky/cryptomlw:latest
- run the image interactively with: docker run -it adamjanovsky/cryptomlw
- now you can run the experiment with: cd AndroidMalwareCrypto && ./examples/sample_experiment/execute_sample_experiment.sh
- you can then view the output of the experiment in /home/user/AndroidMalwareCrypto/AndroidMalwareCrypto/examples/sample_experiment/data. You can also compare the outputs that you achieved with a template output located at experiment_output and experiment_report.
It is recommended that you set up a Docker volume outside of the container and use it in combination with the image, so that the results are stored in a local folder outside of the Docker container.
Analyze your own large dataset
Analyzing a large dataset (>100 APKs) in Docker can be slow. For that reason, we recommend that you visit our docs where the full protocol of how to replicate our research is written.
License
This project is licensed under the MIT license.
Project status & Contributing
We consider this project to be complete on the Android platform. Still, we plan to continue our exploration of cryptography in malware on other platforms. If you would like to help us with these efforts, have discovered a bug, or want to enhance the functionality of androidcrypto, please do not hesitate to open an issue or contact the authors.
Authors
The study is a joint work of the Center for Research on Cryptography and Security at MUNI and the University of Cagliari.
Adam Janovsky, adamjanovsky@mail.muni.cz is a corresponding author.
Owner
- Login: adamjanovsky
- Kind: user
- Company: CRoCS @ Masaryk University
- Website: ajanovsky.cz
- Repositories: 3
- Profile: https://github.com/adamjanovsky
Trying to do a PhD, digging into applications of Machine Learning in the computer security domain.
Citation (CITATION.bib)
@inproceedings{2022-secrypt-janovsky,
title = {{A Longitudinal Study of Cryptographic API: A Decade of Android Malware}},
author = {Adam Janovsky and Davide Maiorca and Dominik Macko and Vashek Matyas and Giorgio Giacinto},
booktitle = {Proceedings of the 19th International Conference on Security and Cryptography},
pages = {121--133},
year = {2022},
isbn = {978-989-758-590-6},
issn = {2184-7711},
doi = {10.5220/0011265300003283},
url = {https://github.com/adamjanovsky/AndroidMalwareCrypto},
keywords = {cryptolibs, malware, Android}
}
Dependencies
- myst-parser *
- sphinx *
- sphinx-rtd-theme *
- Boruta ==0.3
- Bottleneck ==1.3.2
- Brotli ==1.0.9
- Flask ==2.0.1
- Flask-Compress ==1.10.1
- GitPython ==3.1.18
- ImageHash ==4.2.1
- Jinja2 ==3.0.1
- Mako ==1.1.4
- MarkupSafe ==2.0.1
- Pillow ==9.0.1
- PyJWT ==2.4.0
- PyWavelets ==1.1.1
- PyYAML ==5.4.1
- Pygments ==2.9.0
- SALib ==1.4.0.2
- SQLAlchemy ==1.4.22
- Werkzeug ==2.0.1
- alembic ==1.6.5
- androguard *
- appnope ==0.1.2
- asn1crypto ==1.4.0
- attrs ==21.2.0
- backcall ==0.2.0
- bravado ==11.0.3
- bravado-core ==5.17.0
- certifi ==2021.5.30
- charset-normalizer ==2.0.4
- click ==8.0.1
- cliff ==3.8.0
- cloudpickle ==1.6.0
- cmaes ==0.8.2
- cmd2 ==2.1.2
- colorama ==0.4.4
- colorlog ==5.0.1
- cycler ==0.10.0
- dash ==1.21.0
- dash-core-components ==1.17.1
- dash-cytoscape ==0.3.0
- dash-html-components ==1.1.4
- dash-table ==4.12.0
- debugpy ==1.4.1
- decorator ==5.0.9
- dill ==0.3.4
- future ==0.18.2
- gevent ==21.8.0
- gitdb ==4.0.7
- greenlet ==1.1.0
- htmlmin ==0.1.12
- idna ==3.2
- imageio ==2.9.0
- imbalanced-learn ==0.8.0
- imblearn ==0.0
- ipykernel ==6.0.3
- ipython ==7.31.1
- ipython-genutils ==0.2.0
- itsdangerous ==2.0.1
- jedi ==0.18.0
- joblib ==1.0.1
- jsonpointer ==2.1
- jsonref ==0.2
- jsonschema ==3.2.0
- jupyter-client ==6.1.12
- jupyter-core ==4.7.1
- kiwisolver ==1.3.1
- lightgbm ==3.2.1
- lime ==0.2.0.1
- llvmlite ==0.36.0
- lxml ==4.6.5
- matplotlib ==3.4.2
- matplotlib-inline ==0.1.2
- missingno ==0.5.0
- monotonic ==1.6
- msgpack ==1.0.2
- multimethod ==1.4
- multiprocess ==0.70.12.2
- neptune-client ==0.10.3
- networkx ==2.6.2
- numba ==0.53.1
- numpy ==1.22.0
- oauthlib ==3.1.1
- optuna ==2.9.1
- packaging ==21.0
- pandas ==1.3.1
- pandas-profiling ==3.0.0
- parso ==0.8.2
- pathos ==0.2.8
- pbr ==5.6.0
- pexpect ==4.8.0
- phik ==0.12.0
- pickleshare ==0.7.5
- plotly ==5.1.0
- pox ==0.3.0
- ppft ==1.6.6.4
- prettytable ==2.1.0
- prompt-toolkit ==3.0.19
- psutil ==5.8.0
- ptyprocess ==0.7.0
- pydantic ==1.8.2
- pydot ==1.4.2
- pyparsing ==2.4.7
- pyperclip ==1.8.2
- pyrsistent ==0.18.0
- python-dateutil ==2.8.2
- python-editor ==1.0.4
- pytz ==2021.1
- pyzmq ==22.2.1
- requests ==2.26.0
- requests-oauthlib ==1.3.0
- rfc3987 ==1.3.8
- scikit-image ==0.18.2
- scikit-learn ==0.24.2
- scipy ==1.7.1
- seaborn ==0.11.1
- shap *
- simplejson ==3.17.3
- six ==1.16.0
- sklearn ==0.0
- sklearn_pandas *
- slicer ==0.0.7
- smmap ==4.0.0
- stevedore ==3.3.0
- stopit ==1.1.2
- strict-rfc3339 ==0.7
- swagger-spec-validator ==2.7.3
- tangled-up-in-unicode ==0.1.0
- tenacity ==8.0.1
- threadpoolctl ==2.2.0
- tifffile ==2021.7.30
- tornado ==6.1
- tqdm ==4.62.0
- traitlets ==5.0.5
- typing-extensions ==3.10.0.0
- urllib3 ==1.26.6
- visions ==0.7.1
- wcwidth ==0.2.5
- webcolors ==1.11.1
- websocket-client ==1.1.1
- zope.event ==4.5.0
- zope.interface ==5.4.0
- docker/build-push-action v2 composite
- docker/login-action v1 composite
- docker/metadata-action 98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 composite
- docker/setup-buildx-action v1 composite
- docker/setup-qemu-action v1 composite
- ubuntu 22.04 build