Identification of Counterfeit Android Malware Apps using Hyperledger Fabric Blockchain

블록체인을 이용한 위변조 안드로이드 악성 앱 판별

Abstract

Although the number of smartphone users is continuously increasing due to the advantage of being able to easily use most of the Internet services, the number of counterfeit applications is rapidly increasing and personal information stored in the smartphone is leaked to the outside. Because Android app was developed with Java language, it is relatively easy to create counterfeit apps if attacker performs the de-compilation process to reverse app by abusing the repackaging vulnerability. Although an obfuscation technique can be applied to prevent this, but most mobile apps are not adopted. Therefore, it is fundamentally impossible to block repackaging attacks on Android mobile apps. In addition, personal information stored in the smartphone is leaked outside because it does not provide a forgery self-verification procedure on installing an app in smartphone. In order to solve this problem, blockchain is used to implement a process of certificated application registration and a fake app identification and detection mechanism is proposed on Hyperledger Fabric framework.

대부분의 인터넷 서비스를 손쉽게 이용할 수 있다는 장점으로 인해 스마트폰 사용자가 지속적으로 증가하고 있으나, 위조앱이 급증하고 있어 스마트폰 내부에 저장된 개인정보가 외부로 유출되는 문제점이 발생하고 있다. Android 앱은 자바 언어로 개발되었기 때문에 디컴파일 과정을 수행한 후 리패키징 취약점을 역이용할 경우 손쉽게 위조앱을 만들 수 있다. 물론 이를 방지하기 위해 난독화 기술을 적용할 수 있으나 대부분의 모바일 앱에는 미적용 상태로 배포되고 있으며, 안드로이드 모바일 앱에 대한 리패키징 공격을 근본적으로 차단하는 것은 불가능하다. 또한 스마트폰 내에 앱을 설치하는 과정에서 위조 여부를 자체 검증하는 기능을 제공하지 않아 스마트폰내 저장된 개인정보가 외부로 유출되고 있다. 따라서 이를 해결하기 위해 Hyperledger Fabric 블록 체인 프레임 워크를 사용하여 정상앱 등록 과정을 구현하고 이를 기반으로 효율적으로 위조앱을 식별 및 탐지할 수 있는 메커니즘을 제시하였다.

1. Introduction

As smartphone users have exploded in recent years, the stability and security of Android platform-based Applications should improve. Most users are using smartphone APP to perform mobile financial transactions, mobile stocks, SNS, e-mail, and document work. In particular, various Apps are installed in the terminal, so that it can conveniently performwork anywhere and anytime regardless of time and place. In addition, since important personal information is stored in the terminal, it is the most important device indispensable in modern society. However, Android Apps based on the Android platform are made based on Java, so it is easy toreverse engineering the Android APP, so counterfeit Appscan be made easily.

Currently, most Android platform-based smartphones d onot provide a mechanism to judge whether a mobile App iscounterfeited. It is reported that about 700,000 malicious Apps are blocked on 2017 from the Android Apps registered in the Google Play Store[1]. Especially, in case of amalicious fake App, which is similar to a normal App and looks and operates in a normal App, there is a problem that the user leaks personal information inside the mobile device without knowing it. This is thought as a very serioussecurity threat.

In this study, it is proposed to register normal Android Apps by using stability and integrity guarantee function provided by the Hyperledger Fabric[2] based consortium (Closed Type) blockchain platform[3] being developed by Linux Foundation and to judge whether it is malicious and counterfeit Android App System.

2. Existing Problems

2.1 VirusTotal [4] System-based Identification Process

Virus Total is a website created by the Ken Johnson Foundation. Launched in June 2004, it was acquired by Google Inc.in September 2012. VirusTotal aggregates many products and online scan engines to check forviruses that the user's own antivirus may have missed, or toverify against any Files up to 256 MB can be uploaded to the website or sent via email. Anti-virus software vendorscan receive copies of files that were flagged by other scans but passed by their own engine, to help improve theirsof tware and, by extension, VirusTotal's own capability. Users can also scan suspect and search through the Virus Total dataset. VirusTotal for dynamic analysis of uses Cuckoo sandbox. VirusTotal was selected by as one of the best 100 products of 2007.

The characteristics of the existing system to determinemalicious / counterfeit for Android App are as follows. Typically, VirusTotal system, if users want to determine whether they are malicious, user upload suspicious file to the VirusTotal system as shown in the picture below. And thenk VirusTotal system uses normal DB, static and dynamic analysis method to judge whether or not it ismalicious. The malicious measurement of the uploaded file is provided as shown in the figure below.

(Figure 1) Identifying Malicious Apps based on VirusTotal [4]

Therefore, VirusTotal system stores the hash value of each App in the system, and checks the suspicious filesusing the virus scanning software engine. Up to 70 different virus scanning software and URL/domain blacklisting services can be used to determine whether viruses have been uploaded to the user's files. Any user can select a file from their computer using their browser and send it to Virus Total. It offers a number of file submission methods, including the primary public web interface, desktop uploaders, browserextensions and a programmatic API. The web interface has the highest scanning priority among the publicly availablesubmission methods. Submissions may be scripted in any programming language using the HTTP-based public API[4]. In addition, the system performs static / dynamicanalysis on the Android App to detect existing malicious app database information. And the results are presented by measuring the similarity with malicious code.

2.2 Problems of VirusTotal System-based Discrimination

However, since the files uploaded by each user are shared with other users in the course of using VirusTotal service, e-mail including confidential information of company is publicly leaked to others. The corporate security administrator first uploads suspicious e-mail or files to VirusTotal and determines whether it is malicious. As a result, there is a problem that e-mail contents uploaded to other users in Virus Total are publicly shared to identify malicious code. Also, in case of some security equipments, there is a case where confidential information of the company is exposed to the outside without being noticed by the person who is automatically linked with VirusTotal.

Recently, Android apps developed by each company are increasing, and counterfeit apps are increasing rapidly. Therefore, in order to determine whether the Android App is normal, the authorized nodes are not dependent on thespecific site like the existing VirusTotal service, and it is required to develop a way to judge whether the authorized application is falsified or not.

3. Blockchain Mechanism

3.1 Blockchain[5,6,7]

The blockchain provides a decentralized grid systemusing P2P networks, and its own integrity and stability areensured by using block-chain technology. Basically, the block chain generates small-sized data called 'block' of the management data and stores it as chain-like distributed datain the form of a chain formed by the P2P method. It is adistributed computing technology that can not be arbitrarilymodified by anyone and can be read by everyone. Therefore, we can prevent falsification and tampering of data by using block-chain technology. If stored and managed as ablock chain for normal Android App, it can provide a function to discriminate malicious / fake apps.

(Figure 2) Difference Between Existing System and Block chain System [8]

3.2 Public vs Consortium(Private)

Commonly used blockchain techniques correspond topublic blockchains. In the case of a public block chain, any one can join the network and perform roles such as read, verify, and transaction creation. In addition, since the public block chain uses a consensus algorithm that allows partial branching, the processing speed is also very slow.

Consortium(private) blockchains, on the other hand, can be restricted using the membership function to participate in the network. Not everyone is involved, but the authorized body is responsible for verification, transaction creation, and so on. In addition, the consensus algorithm also has the advantage of fast processing speed by using fast BFT(Byzantine Fault Tolerance) based algorithm without partial branching [9].

To implement a mechanism to judge whether a normalapplication is registered and to compare APK, authorized organizations only have the ability to register and verify normal apps. As a the processing speed should be fast, proposed system was developed based on Linux Foundation 's Hyperledger Fabric, which is one of Consotium blockchain method.

(Figure 3) Hyperledger Fabric vs Ethereum

3.3 Blockchain with Hyperledger Fabric [9,10]

In general, blockchain technology is applied tocryptographic payment techniques. Overall status of the virtual currency are stored in the block of blockchain foreach transaction[6,11].

The Linux Foundation's Hyperledger project is ablock chain consortium designed to implement standard block chain technologies that are applicable to enterprises. Hyperledger Fabric [10] is a framework for developing block chain applications and solutions based on modulararchitecture, and supports membership services in aplug-and-play format. Hyperledger Fabric allows access todata only for authorized licensees on the network without the need for a cryptographic payment process, provides asmart contract [12] setting function called Chaincode, and it provides confidentiality, flexibility and security for transactions.

(Figure 4) Block of Blockchain [9]

(Figure 5) Blockchain on Hyperledger Fabric [10]

Therefore, we need to be able to identify the forgery and alteration of the Android App by using the existing Hyperledger blockchain structure. However, if you registerthe entire APP for certification transaction, it is impossible to utilize the storage space efficiently. Therefore, to solvethis problem, we adopted a method of registering the hash value of certified app in the blockchain transaction and comparing its hash value on each determination transaction. With this method, the comparison time required to determine whether the APP is normal or falsified can be minimized, and the transaction size also can be reduced.

4. Proposed Mechanism

4.1 Determination of Malicious Counterfeit Apps with Blockchain

First, a normal APP registration process must be performed using a blockchain structure. At this time, if all the nodes (users) can perform the registration process in the block chain, the forged or modulated application can beregistered. In this case, the distinction between the malicious app and the normal app becomes ambiguous, and an errormay be caused that the malicious app is determined as anormal APP.

In order to prevent this problem, the proposed system is designed so that only the trust authority can register the normal APP by authorizing each node using the function of the Hyperledger Fabric consortium blockchain as follow Fig. 6. (1) If normal APK is uploaded, (2) we exract key features from certified APK with its hash value on enrollment process, and invoke register process in the blockchain. And then, (3) user request to determine app, (4) we invoke query for app whether it is enrolled on Hyperledger Fabric block chain. (5) If the invoked hash value is matched with the record in the blockchain, it is determined as a certified app by returning query state value. If the hash value differs from the hash value in the blockchain, it can be identified as a counterfeit app. (6) Based on this verification process, we can provide the reliability of the Android mobile apps with its integrity functionality using the Hyperleger Fabric block chain.

(Figure 6) Determination of Malicious Counterfeit Apps based on Blockchain System Structure

 

4.2 Blockchain Based Malicious Apps Identification Mechanism

Android smartphone users download APP through the Internet, such as the Web, the Play Store, and others. Before installing the downloaded application, a hash value of the APK file is generated through the client program of the present system. The hash value is then compared with the normal APK hash value stored in the distribution ledger todetermine whether the app is a normal APP, a fake, or amodified APP, according to whether the downloaded appand hash value match or not.

(Figure 7) Detailed System Flow

From an APP developer's point of view, the developed orupdated APP is transfered to the trusted entity and the trusted entity performs the verification. If there is noproblem on APP, a hash value is created for the corresponding APK file, and the hash value is registered in the transaction on the blockchain network. If the APP has a problem, it provides a function to notify the developerwithout registering the hash value of the APK into the internal block of blockchain.

App Developer (blue line)

1. Transfer the developed or updated APK file to the trusted authority.
2. The trusted authority verifies the APK and determines whether it is a proper App.
3. If it turns out that it is not a normal app, discard the APK file and notify to the App developer.
4. If it is a certified normal app, execute the hash function to the APK file to obtain the hash value, register it in the blockchain ledger, and notify to the developer.

Also, it is possible to download the Android appuploaded to the Play Store for each trusted authority withoutregistering the APP directly, and register the hash value of the APP determined to be normal through the verification.

Trusted Authority

1. Download the APK registered on the Internet (Play Store, etc.) to verify whether the app is forged and register it on the blockchain ledger.

User (black line)

1. Download the APK through the Internet.
2. Apply a hash function to the downloaded APK file to obtain the hash value.
3.  Read the hash values ​of the APK file registered as a normal app in the blockchain ledger.
4. Compare each hash value of the normal app with the hash value of the downloaded APK file to check if the same hash value exists.
5. Determine whether there is a normal app, a counterfeit, or a threat of tampering as a result of the presence or absence, and notify the user of the result.

5. Experiment

5.1 Blockchain based Malicious Counterfeit Apps Identification

We applied the mechanism implemented in this study to the certified commercial Android app and registered it in the Hyperledger Fabric. And then we tested whether it candetermine if it is normal or forged through the inquiry request. The following five steps were performed to providea function to identify and register for normal Android mobile apps. After registering the Kakao Talk app in Hyperledger Fabric, which is one of the most used apps forexperiment, we extract the internal information of the appthrough static analysis and store them in the block chainstructure together with its hash value.

The information extracted from the application is stored and registered in the blockchain using the invoke.js moduleas shown in the figure below. We implemented a smart contract to transmit the extracted information to the block chain by transmitting chaincode written in the 'go ' language using the Node.js based Web interface with Hyperledger Fabric.

(Figure 8) Detection Experiment Procedures and Experiment Applications

(Figure 9) Registration Invoke for Certified App with Hyperledger Fabric

If a mobile user uploads an app to a Web page in order to check forgery, it is possible to check whether a normalapp is registered by returning a True value in a hyperledgerfabric blockchain as shown below. If it is an unregistered app, it will return False and it will be judged as a fake app.

(Figure 10) Mobile App Identification Results using Block chain on Hyperledger Fabric

(Figure 11) Implementation of Web Interface for Fake App Identification

5.2 Malicious Counterfeit Apps Identification Result

Android App is vulnerable to reverse engineering. Any one can perform de-compile & re-packaging procedures. Therefore, anyone(especially for attacker) can create a counterfeit app easily. Existing system like VirusTotal has weakness in detecting fake Android mobile apps. And Android platform does not support determination proceduresagainst the counterfeit Applications. Therefore, we proposed an Android counterfeit mobile Application identificationmechanism using Hyperledger Fabric blockchain framework. In order to enhance the convenience of users, we implemented a function to easily upload the mobile apps to be identified by implementing Node.js and HTML5 based web interfacethrough web page as shown below. In addition, it provides a function to check the discrimination result immediately based on the analysis result of the Android apps.

5.3 Comparison

The results of comparative analysis of the serviceproviding the fake discrimination function by applying the block chain technique are shown in the following table. As shown in the table, a private block chain technology is applied to detect whether or not a product is falsified, or todetect falsification of a digital file or a document. However, we can confirm that there is no system available to detectand identify forgery of Android mobile apps.

(Table 1) Fraud Detection Service Comparison

6. Conclusions

A blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. Each block typically contains a cryptographichash of the previous block, a timestamp and transaction data. By design, a blockchain is inherently resistant to modification of the data for providing advanced services in [15,16, 17, 18]. It is an open, distributed ledger that can record transactions between two parties efficiently and in averifiable and permanent way. For use as a distributed ledger, a blockchain is typically managed by a peer-to-peernetwork collectively adhering to a protocol for validatingnew blocks. Once recorded, the data in any given blockcannot be altered retroactively without the alteration of allsubsequent blocks, which requires collusion of the networkmajority. Therefore, it is possible to check whether or not the Android-based mobile App is falsified by Applying the block chain technology. After recording and storing the certified apps in the blockchain, it is possible to determinethe possibility of forgery whether it is included in the block chain or not. As a result, we can design and implementa discrimination and verification mechanism against mobile fake Android mobile App by applying blockchain on Hypberledger Fabric.