Lei Xue,Yajin Zhou,Ting Chen,Xiapu Luo,Guofei Gu

2017-01-01

Abstract:It's an essential step to understand malware's behaviors for developing effective solutions. Though a number of systems have been proposed to analyze Android malware, they have been limited by incomplete view of inspection on a single layer. What's worse, various new techniques (e.g., packing, anti-emulator, etc.) employed by the latest malware samples further make these systems ineffective. In this paper, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime (i.e., the ART runtime). As a dynamic analysis tool, Malton runs on real mobile devices and provides a comprehensive view of malware's behaviors by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have carefully evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviors of these samples

Sixian Sun,Xiao Fu,Hao Ruan,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1109/access.2018.2853121

IF: 3.9

2018-01-01

IEEE Access

Abstract:The number of applications based on the Android platform is increasing rapidly now. However, as the supervision and review of Android applications are inadequate, a reasonable chance exists that users will download malware. This malware can lead to information leakage, monetary loss, and other damages. At present, a variety of applications exist for detecting malware, but most of these applications cannot show specific malicious behaviors. Moreover, the operation of this detection software is based on the database of viruses, and thus, it cannot identify unknown malware. To solve these problems, we implemented a system to detect the behaviors of Android applications and identify known or unknown malware. Our system can monitor specified applications utilizing loading a kernel module. After the detection process, the related documents are uploaded to the server, and the dynamic behaviors are reconstructed. As a result, a behavior diagram is generated. In addition, if the user needs to know whether the application is malware, the related Android package is sent to the server and analyzed. Then, the server calculates the results and the results are returned to the client.

Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1109/sp.2012.16

2012-01-01

Abstract:The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.

Hao Zhou,Shuohan Wu,Xiapu Luo,Ting Wang,Yajin Zhou,Chao Zhang,Haipeng Cai

DOI: https://doi.org/10.1145/3533767.3534410

2022-01-01

Abstract:More and more Android apps implement their functionalities in native code, so does malware. Although various approaches have been designed to analyze the native code used by apps, they usually generate incomplete and biased results due to their limitations in obtaining and analyzing high-fidelity execution traces and memory data with low overheads. To fill the gap, in this paper, we propose and develop a novel hardware-assisted analyzer for native code in apps. We leverage ETM, a hardware feature of ARM platform, and eBPF, a kernel component of Android system, to collect real execution traces and relevant memory data of target apps, and design new methods to scrutinize native code according to the collected data. To show the unique capability of NCScope, we apply it to four applications that cannot be accomplished by existing tools, including systematic studies on self-protection and anti-analysis mechanisms implemented in native code of apps, analysis of memory corruption in native code, and identification of performance differences between functions in native code. The results uncover that only 26.8% of the analyzed financial apps implement self-protection methods in native code, implying that the security of financial apps is far from expected. Meanwhile, 78.3% of the malicious apps under analysis have anti-analysis behaviors, suggesting that NCScope is very useful to malware analysis. Moreover, NCScope can effectively detect bugs in native code and identify performance differences.

Zhenyu Ni,Ming Yang,Zhen Ling,Jianan Wu,Junzhou Luo

DOI: https://doi.org/10.1109/CBD.2016.046

2016-01-01

Abstract:In recent years, with the growing popularity of smartphones, the number of Android malware shows explosive growth. As malicious apps may steal users' sensitive data and money from mobile and bank accounts, it's important to detect potential malicious behavior in real time. To achieve this goal, we propose a dynamic behavior inspection and analysis framework for malicious behavior detection in Android apps. A customized Android system is built to record apps' API (Application Programming Interface) calls, permission uses, and some other runtime features such as user operations. We also develop an automated testing platform to test massive samples so as to collect dynamic app behavior records. Then we exploit these records to extract apps' runtime features of both user interaction and app dynamic behavior for benign and malicious behavior classification. The experimental results show that the app behavior classification can reach an accuracy of 99.0%, identifying 71.8% instances of malware samples by running each app for only 18 minutes.

Shuaifu Dai,Tao Wei,Wei Zou

2012-01-01

Abstract:As the mobile devices increased rapidly in recent years, mobile malware is becoming a severe threat to users. Traditional malware detection uses signature-based methods, but these methods can be evaded by obfuscation or polymorphism. So the behavior-based detection techniques were proposed recently. To capture the apps' behavior, previous works either use OS level tool such as strace to capture system call, or intercept high level API by modifying the virtual machine. However, the information retrieved from the former method is too difficult to understand the program's behavior, and the technique used in latter method requires to modify the emulator, which it is not compatible when the Android version upgrade. In this paper, we proposed a new light-weight method to understand the applications' behavior by logging program's API and corresponding arguments. We build the logging system DroidLogger, which instruments the logging code into the application binary, and prints out the API usage information at run time. We analyzed several malware and show DroidLogger can reveal the malicious behavior effectively.

Min Zheng,Mingshen Sun,John C. S. Lui,John C.S. Lui

DOI: https://doi.org/10.48550/arXiv.1302.7212

2013-02-28

Cryptography and Security

Abstract:Smartphones and mobile devices are rapidly becoming indispensable devices for many users. Unfortunately, they also become fertile grounds for hackers to deploy malware and to spread virus. There is an urgent need to have a "security analytic & forensic system" which can facilitate analysts to examine, dissect, associate and correlate large number of mobile applications. An effective analytic system needs to address the following questions: How to automatically collect and manage a high volume of mobile malware? How to analyze a zero-day suspicious application, and compare or associate it with existing malware families in the database? How to perform information retrieval so to reveal similar malicious logic with existing malware, and to quickly identify the new malicious code segment? In this paper, we present the design and implementation of DroidAnalytics, a signature based analytic system to automatically collect, manage, analyze and extract android malware. The system facilitates analysts to retrieve, associate and reveal malicious logics at the "opcode level". We demonstrate the efficacy of DroidAnalytics using 150,368 Android applications, and successfully determine 2,494 Android malware from 102 different families, with 342 of them being zero-day malware samples from six different families. To the best of our knowledge, this is the first reported case in showing such a large Android malware analysis/detection. The evaluation shows the DroidAnalytics is a valuable tool and is effective in analyzing malware repackaging and mutations.

Min Zheng,Mingshen Sun,John C.S. Lui

DOI: https://doi.org/10.1109/trustcom.2013.25

2013-07-01

Abstract:Smartphones and mobile devices are rapidly becoming indispensable devices for many users. Unfortunately, they also become fertile grounds for hackers to deploy malware. There is an urgent need to have a “security analytic & forensic system” which can facilitate analysts to examine, dissect, associate and correlate large number of mobile applications. An effective analytic system needs to address the following questions: How to automatically collect and manage a high volume of mobile malware? How to analyze a zeroday suspicious application, and compare or associate it with existing malware families in the database? How to reveal similar malicious logic in various malware, and to quickly identify the new malicious code segment? In this paper, we present the design and implementation of DroidAnalytics, a signature based analytic system to automatically collect, manage, analyze and extract android malware. The system facilitates analysts to retrieve, associate and reveal malicious logics at the “opcode level”. We demonstrate the efficacy of DroidAnalytics using 150,368 Android applications, and successfully determine 2,475 Android malware from 102 different families, with 327 of them being zero-day malware samples from six different families. To the best of our knowledge, this is the first reported case in showing such a large Android malware analysis/detection. The evaluation shows the DroidAnalytics is a valuable tool and is effective in analyzing malware repackaging and mutations.

Min Huang,Kai Bu,Hanlin Wang,Kaiwen Zhu

DOI: https://doi.org/10.1109/cyberc.2016.14

2016-01-01

Abstract:Malware has started grabbing its undeserved share long before the blossom of Android ecosystem. Injected with malware, malicious applications (apps) may threat users in various ways like financial charges and information stealing. When the severity of a deluge of malware was first noticed, malware detectors delivered unsatisfactory detection accuracy, which further degenerated upon simple transformation of malicious apps. Now years later, we are eager to re-examine the robustness of malware detectors. A surprisingly disappointed finding is that even known malicious apps can evade quite a few detectors. We also find that repackaging with extracted exploitable code instead of readily available malware samples can evade more signature-based detectors. Furthermore, we find Android OS features of Service and Broadcast exploitable to enable malicious apps stealthily active on phones. We implement all these findings through DroidRide, a framework toward making Android malware less catchable to detectors and more active on phones. Our prototype based on two example apps-AndroRAT and MIUI Notes-demonstrates DroidRide's effectiveness in malware evasion. Toward defending against DroidRide alike evasion, we further suggest feasible design enhancements of malware detectors and Android OS.

Lang Liu,Yacong Gu,Qi Li,Purui Su

DOI: https://doi.org/10.1109/icccn.2017.8038419

2017-01-01

Abstract:In order to effectively detect malware in Android, dynamic analysis techniques with Android emulators are widely adopted. Emulators can be deployed for large-scale malware detection and restored to an ensured clean state in a short period after each app analysis process such that dynamic analysis upon emulators can effectively detect malware. Moreover, emulators significantly reduce the detection cost compared to real devices. However, emulator-based analysis has limited capability in detecting evasive malware that can detect the presence of the emulator-based environment and hide its malicious behaviors. In this paper, we propose RealDroid, a dynamic and emulator-based analysis system that can capture Android evasive malware and is capable of large-scale malware detection. RealDroid completely simulates a real device such that it can't be identified by evasive malware. Thereby, evasive malware can exhibit its malicious behaviors in RealDroid. Moreover, we propose an automated exploration mechanism, i.e., Android Test Engine (ATE), to improve the code coverage of dynamic analysis in RealDroid, such that it provides efficient and effective automatic detection of large-scale apps. Our experimental results demonstrate that ATE in RealDroid achieves much better exploration effects compared with state-of-the-art automatic exploration tools in large-scale malware detection. In particular, it can successfully detect evasive malware.

Fujia Cheng,Chengxiang Tan

DOI: https://doi.org/10.1109/SPAC46244.2018.8965577

2018-01-01

Abstract:Android is the mobile operating system with the highest market share, but it comes with the endless malicious code. Behavior forensics has an extremely important role in ensuring application security. However, most of the existing methods of forensic analysis work at the application layer, not universal and easily evaded by anti-forensics mechanisms. Therefore, we propose a behavior forensics method based on source code of Dalvik virtual machine and work at the kernel layer, which effectively improves the versatility and effectiveness of behavior forensics on Android.

Yang ZHAO,Long HU,Hu XIONG,Zhi-guang QIN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2014.12.005

2014-01-01

Abstract:The popularity of smart phones have greatly stimulated the spread of malicious software, because of its huge market share and revenue characteristics, the Android platform has become the preferred target of attackers. Since the traditional signature-based antivirus software can effectively detect known malicious software, the unknown malware is powerless. In this paper, we proposed a novel dynamic analysis scheme of Android malware based on sandbox, which is used to analyze unknown malware effectively. The scheme implements the Android sandbox by installing Android x86 virtual machine in the virtualization software Oracle VM VirtualBox, while using a command-line tool provide by VirtualBox to control the Android sandbox. The Android application performs the corresponding action by calling the appropriate API. We determine the behavioral characteristics by monitoring the API information called by Android application. We make the Android application to run automatically by inserting monitoring codes in the application package and transmit different user lfow of events to simulate real operations of users on the application. Experiments show that the proposed scheme is feasible.

Ming Yang,Shan Wang,Zhen Ling,Yaowen Liu,Zhenyu Ni

DOI: https://doi.org/10.1002/cpe.4172

2017-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryIn recent years, with the prevalence of smartphones, the number of Android malware shows explosive growth. As malicious apps may steal users' sensitive data and even money from mobile and bank accounts, it is important to detect potential malicious behaviors so as to block them. To achieve this goal, we propose a dynamic behavior inspection and analysis framework for malicious behavior detection. A customized Android system is built to record apps' API calls, permission uses, and some other runtime features. We also develop an automated app behavior inspection platform to install and inspect massive samples so as to collect apps' dynamic behavior records. Then these records are exploited to train a string subsequence kernel–based Support Vector Machine (SVM) model, which can be used to classify benign and malicious behaviors offline. To realize online detection, we further extract apps' runtime features including sensitive permission combination uses, sensitive behavior sequences, and user interactions for behavior classification. The classification results can reach an accuracy of 84.9% in offline phase and 99.0% in online phase. Besides, we verify our scheme for identifying malicious apps, and the results show that 71.8% instances of malware samples are identified by running each app for only 18 minutes.

Jingya YANG,Senlin LUO,Shuai ZHU,Lewei QU

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.07.007

2016-01-01

Abstract:The existing methods applying to behavior monitoring of Android system need to either recompile the system or alter the applications which is monitored. Most of them are not comprehensive enough and cannot identify the hidden behaviors of malicious codes. According to the problems raised before, this paper proposes a method of Android system malware behavior monitoring which bases on multi-level and cross-view analysis. The paper uses the technology of process injection and loadable kernel, which monitors malware behavior in Java level, Native level and Kernel level. Then this paper obtains the result of behavior monitoring and identiifes the hidden behaviors by cross-view analysis. Under Android simulator environment, the experiment uses 12 kinds of malware which can cover most of the malware behaviors. The results shows that the monitoring accuracy rate of malicious behavior reaches to 91.43%, and the method can detect the hidden behaviors effectively. So it has fine audit granularity and strong practicality.

LOU Yun-cheng,SHI Yong,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2015.04.018

2015-01-01

Abstract:The characteristics of application market for Android system would usually lead to the rapid spread of the malwares,thus cause tremendous harm to the useru0027s mobile phone and personal privacy. Firstly,the reverse technology of Android application is described,and then the code- behind technology used by Android malwares and the code characteristics of privacy access are analyzed.In light of this,a malicious behavior detection method based on the reverse engineering of Android and in combination with static detection and dynamic detection is proposed,and this method could detect malicious behavior more effectively. Finally,the analysis of Android sample application indicates the feasiblility and effectiveness of this method.

Shuying Liang,Matthew Might,David Van Horn

DOI: https://doi.org/10.1016/j.entcs.2015.02.002

2015-02-01

Electronic Notes in Theoretical Computer Science

Abstract:Today's mobile platforms provide only coarse-grained permissions to users with regard to how third-party applications use sensitive private data. Unfortunately, it is easy to disguise malware within the boundaries of legitimately-granted permissions. For instance, granting access to “contacts” and “internet” may be necessary for a text-messaging application to function, even though the user does not want contacts transmitted over the internet. To understand fine-grained application use of permissions, we need to statically analyze their behavior. Even then, malware detection faces three hurdles: (1) analyses may be prohibitively expensive, (2) automated analyses can only find behaviors that they are designed to find, and (3) the maliciousness of any given behavior is application-dependent and subject to human judgment. To remedy these issues, we propose semantic-based program analysis, with a human in the loop as an alternative approach to malware detection. In particular, our analysis allows analyst-crafted semantic predicates to search and filter analysis results. Human-oriented semantic-based program analysis can systematically, quickly and concisely characterize the behaviors of mobile applications. We describe a tool that provides analysts with a library of the semantic predicates and the ability to dynamically trade speed and precision. It also provides analysts the ability to statically inspect details of every suspicious state of (abstract) execution in order to make a ruling as to whether or not the behavior is truly malicious with respect to the intent of the application. In addition, permission and profiling reports are generated to aid analysts in identifying common malicious behaviors.

English Else

Dakshinamoorthy Karthikeyan,Arun Sivakumar,Chamundeswari Arumugam

DOI: https://doi.org/10.37394/23209.2022.19.27

2022-11-07

WSEAS TRANSACTIONS ON INFORMATION SCIENCE AND APPLICATIONS

Abstract:In recent years, mobile malware takes anywhere between several hours to several days to screen an app for malicious activity. More than 6000 apps are added to the Google Play Store everyday on average. Security analysts face an uphill battle against malware developers as the complexity of malware and code obfuscation techniques are constantly increasing. Currently, most research focuses on the development and application of machine learning techniques for malware detection. However, their success has been limited due to a lack of depth in the data sets available for training models. This paper uses a new method of Dynamic Analysis for Android apps to extract large amounts of information on the behavior of any app which can then be used for training models or to enable security analysts to take an informed decision quickly.

Juanru Li,Dawu Gu,Yuhao Luo

DOI: https://doi.org/10.1109/ICDCSW.2012.33

2012-01-01

Abstract:Smart mobile devices have been widely used and the contained sensitive information is endangered by malwares. The malicious events caused by malwares are crucial evidences for digital forensic analysis, and the main task of mobile forensic analysis is to reconstruct these events. However, the reconstruction heavily relies on the code analysis of the malware. The difficulties and challenges include how to quickly identify the suspicious programs, how to defeat the anti-forensics tricks of malicious code, and how to deduce the malicious behaviors according to the code. To address this issue, we propose systematic procedures of analyzing typical malware behaviors on the popular mobile operating system Android. Based on the procedures we discuss the deduction of Android malicious events. We also give a real malware forensic case as a reference.

Yuan Zhang,Min Yang,Bingquan Xu,Zhemin Yang,Guofei Gu,Peng Ning,Xiaoyang Sean Wang,Binyu Zang

DOI: https://doi.org/10.1145/2508859.2516689

2013-01-01

Abstract:Android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent years have witnessed the explosion of undesirable behaviors in Android apps. An important part in the defense is the accurate analysis of Android apps. However, traditional syscall-based analysis techniques are not well-suited for Android, because they could not capture critical interactions between the application and the Android system. This paper presents VetDroid, a dynamic analysis platform for reconstructing sensitive behaviors in Android apps from a novel permission use perspective. VetDroid features a systematic framework to effectively construct permission use behaviors, i.e., how applications use permissions to access (sensitive) system resources, and how these acquired permission-sensitive resources are further utilized by the application. With permission use behaviors, security analysts can easily examine the internal sensitive behaviors of an app. Using real-world Android malware, we show that VetDroid can clearly reconstruct fine-grained malicious behaviors to ease malware analysis. We further apply VetDroid to 1,249 top free apps in Google Play. VetDroid can assist in finding more information leaks than TaintDroid, a state-of-the-art technique. In addition, we show how we can use VetDroid to analyze fine-grained causes of information leaks that TaintDroid cannot reveal. Finally, we show that VetDroid can help identify subtle vulnerabilities in some (top free) applications otherwise hard to detect.

Yuan Zhang,Min Yang,Zhemin Yang,Guofei Gu,Peng Ning,Binyu Zang

DOI: https://doi.org/10.1109/TIFS.2014.2347206

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent years have witnessed the explosion of undesirable behaviors in Android apps. An important part in the defense is the accurate analysis of Android apps. However, traditional syscall-based analysis techniques are not well-suited for Android, because they could not capture critical interactions between the application and the Android system. This paper presents VetDroid, a dynamic analysis platform for generally analyzing sensitive behaviors in Android apps from a novel permission use perspective. VetDroid proposes a systematic permission use analysis technique to effectively construct permission use behaviors, i.e., how applications use permissions to access (sensitive) system resources, and how these acquired permission-sensitive resources are further utilized by the application. With permission use behaviors, security analysts can easily examine the internal sensitive behaviors of an app. Using real-world Android malware, we show that VetDroid can clearly reconstruct fine-grained malicious behaviors to ease malware analysis. We further apply VetDroid to 1249 top free apps in Google Play. VetDroid can assist in finding more information leaks than TaintDroid, a state-of-the-art technique. In addition, we show how we can use VetDroid to analyze fine-grained causes of information leaks that TaintDroid cannot reveal. Finally, we show that VetDroid can help to identify subtle vulnerabilities in some (top free) applications otherwise hard to detect.