DINA: Detecting Hidden Android Inter-App Communication in Dynamic Loaded Code

Android inter-app communication (IAC) allows apps to request functionalities from other apps, which has been extensively used to provide a better user experience. However, IAC has also become an enticing target by attackers to launch malicious activities. Dynamic class loading (DCL) and reflection are effective features to enhance the functionality of the apps. In this paper, we expose a new attack that leverages these features in conjunction with inter-app communication to conceal malicious attacks with the ability to bypass existing security mechanisms. To counteract such attack, we present DINA, a novel hybrid analysis approach for identifying malicious IAC behaviors concealed within dynamically loaded code through reflective/DCL calls. DINA appends reflection and DCL invocations to control-flow graphs and continuously performs incremental dynamic analysis to detect the misuse of reflection and DCL that obfuscates malicious Intent communications. DINA utilizes string analysis and inter-procedural analysis to resolve hidden IAC and achieves superior detection performance. Our extensive evaluation on 49,000 real-world apps corroborates the prevalent usage of reflection and DCL, and reveals previously unknown and potentially harmful, hidden IAC behaviors in real-world apps.