The recent focus of cyber security on automated detection of malware for Android apps has omitted the study of some apps used for “legitimate” purposes, such as steganography apps. Mobile steganography apps can be used for delivering harmful messages, and while current research on steganalysis targets the detection of stego images using academic algorithms and well-built benchmarking image data sets, the community has overlooked uncovering a mobile app itself for its ability to perform steganographic embedding. Developing automatic tools for identifying the code in a suspect app as a stego app can be very challenging: steganography algorithms can be represented in a variety of ways, and there exists many image editing algorithms which appear similar to steganography algorithms.This paper proposes the first automated approach to detect Android steganography apps. We use symbolic execution to summarize an app’s image operation behavior into expression trees, and match the extracted expression trees with reference trees that represents the expected behavior of a steganography embedding process. We use a structural feature based similarity measure to calculate the similarity between expression trees. Our experiments show that, the propose approach can detect real world Android stego apps that implement common spatial domain and frequency domain embedding algorithms with a high degree of accuracy. Furthermore, our procedure describes a general framework that has the potential to be applied to other similar questions when studying program behaviors.
Automatic Detection of Android Steganography Apps via Symbolic Execution and Tree Matching
Conference/Workshop:
IEEE Conference on Communications and Network Security (CNS)
IEEE Conference on Communications and Network Security (CNS)
Published: 2021
Primary Author: Wenhao Chen
Secondary Authors: Li Lin, Jennifer Newman, Yong Guan
Type: Publication
Research Area: Digital
Related Resources
Forensic Analysis of Android Cloud SDKs
This presentation is from the 76th Annual Conference of the American Academy of Forensic Sciences (AAFS), Denver, Colorado, February 19-24, 2024.
The Impact of Multi-Camera Smart Phones on Source Camera Identification
An investigator has a questioned image from an unknown source and wants to determine whether it came from a camera on a person of interest’s smartphone. This scenario is referred…
Likelihood ratios for changepoints in categorical event data with applications in digital forensics
We investigate likelihood ratio models motivated by digital forensics problems involving time-stamped user-generated event data from a device or account. Of specific interest are scenarios where the data may have…
Producing Datasets: Capturing Images on Multi-Camera Smartphones for Source Camera Identification
This poster introduces the new CSAFE Multi-camera Smartphone Image Database and describes how the image were collected and reviewed.