VTDroid: Value-based Tracking for Overcoming Anti-Taint-Analysis Techniques in Android Apps

Bytecode-level taint tracking discovers suspicious apps on the Android platform; however, malicious apps can bypass it by transferring information via system layers in the Android. A context tainting countermeasure has been devised, but since it employs a list of flow-causing API methods, it will miss flows when unlisted methods are exploited and can also produce false positives. This paper presents a new taint-tracking technique operating value logging and matching based on the flows' characteristics to detect such flows without relying on lists of API methods. We implemented it into our taint-tracking system called VTDroid and confirmed its effectiveness with our test suite. We also evaluated it with popular apps collected from Google Play. The results show that the precision of VTDroid is 37 points higher than the context tainting.