Lei Xue,Yajin Zhou,Ting Chen,Xiapu Luo,Guofei Gu

2017-01-01

Abstract:It's an essential step to understand malware's behaviors for developing effective solutions. Though a number of systems have been proposed to analyze Android malware, they have been limited by incomplete view of inspection on a single layer. What's worse, various new techniques (e.g., packing, anti-emulator, etc.) employed by the latest malware samples further make these systems ineffective. In this paper, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime (i.e., the ART runtime). As a dynamic analysis tool, Malton runs on real mobile devices and provides a comprehensive view of malware's behaviors by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have carefully evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviors of these samples

Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1109/sp.2012.16

2012-01-01

Abstract:The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.

Hao Zhou,Shuohan Wu,Xiapu Luo,Ting Wang,Yajin Zhou,Chao Zhang,Haipeng Cai

DOI: https://doi.org/10.1145/3533767.3534410

2022-01-01

Abstract:More and more Android apps implement their functionalities in native code, so does malware. Although various approaches have been designed to analyze the native code used by apps, they usually generate incomplete and biased results due to their limitations in obtaining and analyzing high-fidelity execution traces and memory data with low overheads. To fill the gap, in this paper, we propose and develop a novel hardware-assisted analyzer for native code in apps. We leverage ETM, a hardware feature of ARM platform, and eBPF, a kernel component of Android system, to collect real execution traces and relevant memory data of target apps, and design new methods to scrutinize native code according to the collected data. To show the unique capability of NCScope, we apply it to four applications that cannot be accomplished by existing tools, including systematic studies on self-protection and anti-analysis mechanisms implemented in native code of apps, analysis of memory corruption in native code, and identification of performance differences between functions in native code. The results uncover that only 26.8% of the analyzed financial apps implement self-protection methods in native code, implying that the security of financial apps is far from expected. Meanwhile, 78.3% of the malicious apps under analysis have anti-analysis behaviors, suggesting that NCScope is very useful to malware analysis. Moreover, NCScope can effectively detect bugs in native code and identify performance differences.

Min Zheng,Mingshen Sun,John C.S. Lui

DOI: https://doi.org/10.1109/trustcom.2013.25

2013-07-01

Abstract:Smartphones and mobile devices are rapidly becoming indispensable devices for many users. Unfortunately, they also become fertile grounds for hackers to deploy malware. There is an urgent need to have a “security analytic & forensic system” which can facilitate analysts to examine, dissect, associate and correlate large number of mobile applications. An effective analytic system needs to address the following questions: How to automatically collect and manage a high volume of mobile malware? How to analyze a zeroday suspicious application, and compare or associate it with existing malware families in the database? How to reveal similar malicious logic in various malware, and to quickly identify the new malicious code segment? In this paper, we present the design and implementation of DroidAnalytics, a signature based analytic system to automatically collect, manage, analyze and extract android malware. The system facilitates analysts to retrieve, associate and reveal malicious logics at the “opcode level”. We demonstrate the efficacy of DroidAnalytics using 150,368 Android applications, and successfully determine 2,475 Android malware from 102 different families, with 327 of them being zero-day malware samples from six different families. To the best of our knowledge, this is the first reported case in showing such a large Android malware analysis/detection. The evaluation shows the DroidAnalytics is a valuable tool and is effective in analyzing malware repackaging and mutations.

Min Zheng,Mingshen Sun,John C. S. Lui,John C.S. Lui

DOI: https://doi.org/10.48550/arXiv.1302.7212

2013-02-28

Cryptography and Security

Abstract:Smartphones and mobile devices are rapidly becoming indispensable devices for many users. Unfortunately, they also become fertile grounds for hackers to deploy malware and to spread virus. There is an urgent need to have a "security analytic & forensic system" which can facilitate analysts to examine, dissect, associate and correlate large number of mobile applications. An effective analytic system needs to address the following questions: How to automatically collect and manage a high volume of mobile malware? How to analyze a zero-day suspicious application, and compare or associate it with existing malware families in the database? How to perform information retrieval so to reveal similar malicious logic with existing malware, and to quickly identify the new malicious code segment? In this paper, we present the design and implementation of DroidAnalytics, a signature based analytic system to automatically collect, manage, analyze and extract android malware. The system facilitates analysts to retrieve, associate and reveal malicious logics at the "opcode level". We demonstrate the efficacy of DroidAnalytics using 150,368 Android applications, and successfully determine 2,494 Android malware from 102 different families, with 342 of them being zero-day malware samples from six different families. To the best of our knowledge, this is the first reported case in showing such a large Android malware analysis/detection. The evaluation shows the DroidAnalytics is a valuable tool and is effective in analyzing malware repackaging and mutations.

Yibing Zhongyang,Zhi Xin,Bing Mao,Li Xie

DOI: https://doi.org/10.1145/2484313.2484359

2013-01-01

Abstract:ABSTRACTSince smartphones have stored diverse sensitive privacy information, including credit card and so on, a great deal of malware are desired to tamper them. As one of the most prevalent platforms, Android contains sensitive resources that can only be accessed via corresponding APIs, and the APIs can be invoked only when user has authorized permissions in the Android permission model. However, a novel threat called privilege escalation attack may bypass this watchdog. It's presented as that an application with less permissions can access sensitive resources through public interfaces of a more privileged application, which is especially useful for malware to hide sensitive functions by dispersing them into multiple programs. We explore privilege-escalation malware evolution techniques on samples from Android Malware Genome Project. And they have showed great effectiveness against a set of powerful antivirus tools provided by VirusTotal. The detection ratios present different and distinguished reduction, compared to an average 61% detection ratio before transformation. In order to conquer this threat model, we have developed a tool called DroidAlarm to conduct a full-spectrum analysis for identifying potential capability leaks and present concrete capability leak paths by static analysis on Android applications. And we can still alarm all these cases by exposing capability leak paths in them.

Xiao Fu,Hao Ruan,Xuanyu Liu,Xiaojiang Du,B. Luo

DOI: https://doi.org/10.1109/ICCCN.2017.8038362

2017-07-01

Abstract:The wide spread of mobile devices has also caused the explosive growth of malwares. Application behavior analysis is a popular technique to fight against malwares. However current app behavior analysis methods still have some limitations. For example, many popular dynamic analysis methods are built on Dalvik virtual machines. They cannot disclose the behavior of native code. VMI based methods can overcome this limitation but they're executed in simulated environments. Now malwares can detect where they are running so as to hide the illegal behaviors by anti-forensic techniques. Considering these, we present the DroidRevealer. It is based on kernel-level system calls monitoring and it's running on real android devices. By intercepting and interpreting certain file/network related and android-specific system calls, it can reconstruct app behaviors in real-time. It's difficult to evade as it runs in the kernel. And its results do not simply focus on a single kind of behavior or a single app. Instead it is data oriented, i.e. it monitors how the target data source is used. The result is presented as an intelligible graph which can provide both a good basis for detection and crucial evidence for forensics. Experiments have proved that the performance of our method is acceptable.

Computer Science

Sunjun Lee Sunjun Lee,Yonggu Shin Sunjun Lee,Minseong Choi Yonggu Shin,Haehyun Cho Minseong Choi,Jeong Hyun Yi Haehyun Cho

DOI: https://doi.org/10.53106/160792642024032502003

2024-03-01

網際網路技術學刊

Abstract:A lot of the recently reported malware is equipped with the anti-analysis techniques (e.g., anti-emulation, anti-debugging, etc.) for preventing from being the analyzed, which can delay detection and make malware alive for a longer period. Therefore, it is of the great importance of developing automated approaches to defeat such anti-analysis techniques so that we can handle and effectively mitigate numerous malware. In this paper, by analyzing 1,535 malicious applications, we found that 18.31% of them equipped with anti-analysis techniques. Next, we propose a novel, dynamic analyzer, named DOOLDA, for automatically invalidating anti-analysis techniques through dynamic instrumentation. DOOLDA monitors executions of Android applications’ entire code layers (i.e., bytecode and native code). Based on monitoring results, DOOLDA finds the code related to anti-analysis techniques and invalidates the anti-analysis techniques by instrumenting it. To demonstrate the effectiveness of DOOLDA, we show that it can invalidate all known anti-analysis techniques. Also, we compare DOOLDA with other dynamic analyzers.  

computer science, information systems,telecommunications

Sixian Sun,Xiao Fu,Hao Ruan,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1109/access.2018.2853121

IF: 3.9

2018-01-01

IEEE Access

Abstract:The number of applications based on the Android platform is increasing rapidly now. However, as the supervision and review of Android applications are inadequate, a reasonable chance exists that users will download malware. This malware can lead to information leakage, monetary loss, and other damages. At present, a variety of applications exist for detecting malware, but most of these applications cannot show specific malicious behaviors. Moreover, the operation of this detection software is based on the database of viruses, and thus, it cannot identify unknown malware. To solve these problems, we implemented a system to detect the behaviors of Android applications and identify known or unknown malware. Our system can monitor specified applications utilizing loading a kernel module. After the detection process, the related documents are uploaded to the server, and the dynamic behaviors are reconstructed. As a result, a behavior diagram is generated. In addition, if the user needs to know whether the application is malware, the related Android package is sent to the server and analyzed. Then, the server calculates the results and the results are returned to the client.

Yuan Zhang,Min Yang,Zhemin Yang,Guofei Gu,Peng Ning,Binyu Zang

DOI: https://doi.org/10.1109/TIFS.2014.2347206

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent years have witnessed the explosion of undesirable behaviors in Android apps. An important part in the defense is the accurate analysis of Android apps. However, traditional syscall-based analysis techniques are not well-suited for Android, because they could not capture critical interactions between the application and the Android system. This paper presents VetDroid, a dynamic analysis platform for generally analyzing sensitive behaviors in Android apps from a novel permission use perspective. VetDroid proposes a systematic permission use analysis technique to effectively construct permission use behaviors, i.e., how applications use permissions to access (sensitive) system resources, and how these acquired permission-sensitive resources are further utilized by the application. With permission use behaviors, security analysts can easily examine the internal sensitive behaviors of an app. Using real-world Android malware, we show that VetDroid can clearly reconstruct fine-grained malicious behaviors to ease malware analysis. We further apply VetDroid to 1249 top free apps in Google Play. VetDroid can assist in finding more information leaks than TaintDroid, a state-of-the-art technique. In addition, we show how we can use VetDroid to analyze fine-grained causes of information leaks that TaintDroid cannot reveal. Finally, we show that VetDroid can help to identify subtle vulnerabilities in some (top free) applications otherwise hard to detect.

Min Huang,Kai Bu,Hanlin Wang,Kaiwen Zhu

DOI: https://doi.org/10.1109/cyberc.2016.14

2016-01-01

Abstract:Malware has started grabbing its undeserved share long before the blossom of Android ecosystem. Injected with malware, malicious applications (apps) may threat users in various ways like financial charges and information stealing. When the severity of a deluge of malware was first noticed, malware detectors delivered unsatisfactory detection accuracy, which further degenerated upon simple transformation of malicious apps. Now years later, we are eager to re-examine the robustness of malware detectors. A surprisingly disappointed finding is that even known malicious apps can evade quite a few detectors. We also find that repackaging with extracted exploitable code instead of readily available malware samples can evade more signature-based detectors. Furthermore, we find Android OS features of Service and Broadcast exploitable to enable malicious apps stealthily active on phones. We implement all these findings through DroidRide, a framework toward making Android malware less catchable to detectors and more active on phones. Our prototype based on two example apps-AndroRAT and MIUI Notes-demonstrates DroidRide's effectiveness in malware evasion. Toward defending against DroidRide alike evasion, we further suggest feasible design enhancements of malware detectors and Android OS.

Jianfei Tang,Hui Zhao

DOI: https://doi.org/10.3233/jifs-220567

2022-09-22

Journal of Intelligent & Fuzzy Systems

Abstract:The focus of a large amount of research on malware detection is currently working on proposing and improving neural network structures, but with the constant updates of Android, the proposed detection methods are more like a race against time. Through the analysis of these methods, we found that the basic processes of these detection methods are roughly the same, and these methods rely on professional reverse engineering tools for malware analysis and feature extraction. These tools generally have problems such as high time-space cost consumption, difficulty in achieving concurrent analysis of a large number of Apk, and the output results are not convenient for feature extraction. Is it possible to propose a general malware detection process implementation platform that optimizes each process of existing malware detection methods while being able to efficiently extract various features on malware datasets with a large number of APK? To solve this problem, we propose an automated platform, AmandaSystem, that highly integrates the various processes of deep learning-based malware detection methods. At the same time, the problem of over privilege due to the openness of Android system and thus the problem of excessive privileges has always required the accurate construction of mapping relationships between privileges and API calls, while the current methods based on function call graphs suffer from inefficiency and low accuracy. To solve this problem, we propose a new bottom-up static analysis method based on AmandaSystem to achieve an efficient and complete tool for mapping relationships between Android permissions and API calls, PerApTool. Finally, we conducted tests on three publicly available malware datasets, CICMalAnal2017, CIC-AAGM2017, and CIC-InvesAndMal2019, to evaluate the performance of AmandaSystem in terms of time efficiency of APK parsing, space occupancy, and comprehensiveness of extracted features, respectively, compared with existing methods were compared.

Thomas Eder,Michael Rodler,Dieter Vymazal,Markus Zeilinger

DOI: https://doi.org/10.1109/ARES.2013.93

2013-07-20

Abstract:Android is an open software platform for mobile devices with a large market share in the smartphone sector. The openness of the system as well as its wide adoption lead to an increasing amount of malware developed for this platform. ANANAS is an expandable and modular framework for analyzing Android applications. It takes care of common needs for dynamic malware analysis and provides an interface for the development of plugins. Adaptability and expandability have been main design goals during the development process. An abstraction layer for simple user interaction and phone event simulation is also part of the framework. It allows an analyst to script the required user simulation or phone events on demand or adjust the simulation to his needs. Six plugins have been developed for ANANAS. They represent well known techniques for malware analysis, such as system call hooking and network traffic analysis. The focus clearly lies on dynamic analysis, as five of the six plugins are dynamic analysis methods.

Cryptography and Security

Yuan Zhang,Min Yang,Bingquan Xu,Zhemin Yang,Guofei Gu,Peng Ning,Xiaoyang Sean Wang,Binyu Zang

DOI: https://doi.org/10.1145/2508859.2516689

2013-01-01

Abstract:Android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent years have witnessed the explosion of undesirable behaviors in Android apps. An important part in the defense is the accurate analysis of Android apps. However, traditional syscall-based analysis techniques are not well-suited for Android, because they could not capture critical interactions between the application and the Android system. This paper presents VetDroid, a dynamic analysis platform for reconstructing sensitive behaviors in Android apps from a novel permission use perspective. VetDroid features a systematic framework to effectively construct permission use behaviors, i.e., how applications use permissions to access (sensitive) system resources, and how these acquired permission-sensitive resources are further utilized by the application. With permission use behaviors, security analysts can easily examine the internal sensitive behaviors of an app. Using real-world Android malware, we show that VetDroid can clearly reconstruct fine-grained malicious behaviors to ease malware analysis. We further apply VetDroid to 1,249 top free apps in Google Play. VetDroid can assist in finding more information leaks than TaintDroid, a state-of-the-art technique. In addition, we show how we can use VetDroid to analyze fine-grained causes of information leaks that TaintDroid cannot reveal. Finally, we show that VetDroid can help identify subtle vulnerabilities in some (top free) applications otherwise hard to detect.

Luoshi Zhang,Yan Niu,Xiao Wu,Zhaoguo Wang,Yibo Xue

DOI: https://doi.org/10.2991/ccis-13.2013.22

2013-01-01

Abstract:Recently, Android malware is spreading rapidly. Although static or dynamic analysis techniques for detecting Android malware can provide a comprehensive view, it is still subjected to time consuming and high cost in deployment and manual efforts. In this paper, we propose A3, an Automatic Analysis of Android malware, to detect Android malware automatically. Unlike traditional reverse-engineering methods, A3 looks for Command & Control (C&C) Server), monitors the sensitive API invoking, and declares Intent-filter automatically. Then it constructs the relationship graph of the function calls and key contexts or paths for detecting Android malware. The experimental results show that A3 can do an effective automatic analysis for Android malware and has a good performance.

Long Chen,Chunhe Xia,Shengwei Lei,Tianbo Wang

DOI: https://doi.org/10.1109/access.2021.3049819

IF: 3.9

2021-01-01

IEEE Access

Abstract:In recent years, the application of smartphones, Android operating systems and mobile applications have become more prevalent worldwide. To study the traceability, propagation, and detection of the threats, we perform research on all aspects of the end-to-end environment. With machine learning based on the mobile malware detection algorithms that integrate the dynamic and static research of the identification algorithm, application software samples are collected to study sentences. Through knowledge labeling and knowledge construction, the association relationship of knowledge is extracted to realize the research of knowledge map construction. Flooding is closely correlated with the complexity of the Android mobile version of the kernel and malicious programs. A static dynamic analysis of the mobile malicious program is carried out, and the social network social diagram is constructed to model the propagation of the mobile malicious program. We extended the approach of deriving common malware behavior through graph clustering. On this basis, Android behavior analysis is performed through our virtual machine execution engine. We extend the family characteristics to the concept of DNA race genes. By studying SMS/MMS, Bluetooth, 5G base station networks, metropolitan area networks, social networks, homogeneous communities, telecommunication networks, and application market ecosystem propagation scenarios, we discovered the law of propagation. In addition, we studied the construction of the mobile Internet big data knowledge graph. Quantitative data for the main family chronology of mobile malware are obtained. We conducted detailed research and comprehensive analysis of Android application package (APK) details and behavior, relationship, resource-centric, and syntactic aspects. Furthermore, we summarized the architecture of mobile malware security analysis. We also discuss encryption of malware traffic discrimination. These precise modeling and quantified research re-ults constitute the architecture of mobile malware analysis.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lucky Onwuzurike,Mario Almeida,Enrico Mariconti,Jeremy Blackburn,Gianluca Stringhini,Emiliano De Cristofaro

DOI: https://doi.org/10.48550/arXiv.1803.03448

2018-07-13

Abstract:Following the increasing popularity of mobile ecosystems, cybercriminals have increasingly targeted them, designing and distributing malicious apps that steal information or cause harm to the device's owner. Aiming to counter them, detection techniques based on either static or dynamic analysis that model Android malware, have been proposed. While the pros and cons of these analysis techniques are known, they are usually compared in the context of their limitations e.g., static analysis is not able to capture runtime behaviors, full code coverage is usually not achieved during dynamic analysis, etc. Whereas, in this paper, we analyze the performance of static and dynamic analysis methods in the detection of Android malware and attempt to compare them in terms of their detection performance, using the same modeling approach. To this end, we build on MaMaDroid, a state-of-the-art detection system that relies on static analysis to create a behavioral model from the sequences of abstracted API calls. Then, aiming to apply the same technique in a dynamic analysis setting, we modify CHIMP, a platform recently proposed to crowdsource human inputs for app testing, in order to extract API calls' sequences from the traces produced while executing the app on a CHIMP virtual device. We call this system AuntieDroid and instantiate it by using both automated (Monkey) and user-generated inputs. We find that combining both static and dynamic analysis yields the best performance, with F-measure reaching 0.92. We also show that static analysis is at least as effective as dynamic analysis, depending on how apps are stimulated during execution, and, finally, investigate the reasons for inconsistent misclassifications across methods.

Cryptography and Security

Alain Menelet,Charles-Edmond Bichot

DOI: https://doi.org/10.48550/arXiv.2104.03586

2021-04-08

Abstract:The Android operating system is the most spread mobile platform in the world. Therefor attackers are producing an incredible number of malware applications for Android. Our aim is to detect Android's malware in order to protect the user. To do so really good results are obtained by dynamic analysis of software, but it requires complex environments. In order to achieve the same level of precision we analyze the machine code and investigate the frequencies of ngrams of opcodes in order to detect singular code blocks. This allow us to construct a database of infected code blocks. Then, because attacker may modify and organized differently the infected injected code in their new malware, we perform not only a semantic comparison of the tested software with the database of infected code blocks but also a structured comparison. To do such comparison we compute subgraph isomorphism. It allows us to characterize precisely if the tested software is a malware and if so in witch family it belongs. Our method is tested both on a laboratory database and a set of real data. It achieves an almost perfect detection rate.

Cryptography and Security

Dakshinamoorthy Karthikeyan,Arun Sivakumar,Chamundeswari Arumugam

DOI: https://doi.org/10.37394/23209.2022.19.27

2022-11-07

WSEAS TRANSACTIONS ON INFORMATION SCIENCE AND APPLICATIONS

Abstract:In recent years, mobile malware takes anywhere between several hours to several days to screen an app for malicious activity. More than 6000 apps are added to the Google Play Store everyday on average. Security analysts face an uphill battle against malware developers as the complexity of malware and code obfuscation techniques are constantly increasing. Currently, most research focuses on the development and application of machine learning techniques for malware detection. However, their success has been limited due to a lack of depth in the data sets available for training models. This paper uses a new method of Dynamic Analysis for Android apps to extract large amounts of information on the behavior of any app which can then be used for training models or to enable security analysts to take an informed decision quickly.

Rahul Gupta,Kapil Sharma,R. K. Garg

DOI: https://doi.org/10.32604/cmc.2024.046890

2024-01-01

Abstract:The prevalence of smartphones is deeply embedded in modern society, impacting various aspects of our lives. Their versatility and functionalities have fundamentally changed how we communicate, work, seek entertainment, and access information. Among the many smartphones available, those operating on the Android platform dominate, being the most widely used type. This widespread adoption of the Android OS has significantly contributed to increased malware attacks targeting the Android ecosystem in recent years. Therefore, there is an urgent need to develop new methods for detecting Android malware. The literature contains numerous works related to Android malware detection. As far as our understanding extends, we are the first ones to identify dangerous combinations of permissions and system calls to uncover malicious behavior in Android applications. We introduce a novel methodology that pairs permissions and system calls to distinguish between benign and malicious samples. This approach combines the advantages of static and dynamic analysis, offering a more comprehensive understanding of an application’s behavior. We establish covalent bonds between permissions and system calls to assess their combined impact. We introduce a novel technique to determine these pairs’ Covalent Bond Strength Score. Each pair is assigned two scores, one for malicious behavior and another for benign behavior. These scores serve as the basis for classifying applications as benign or malicious. By correlating permissions with system calls, the study enables a detailed examination of how an app utilizes its requested permissions, aiding in differentiating legitimate and potentially harmful actions. This comprehensive analysis provides a robust framework for Android malware detection, marking a significant contribution to the field. The results of our experiments demonstrate a remarkable overall accuracy of 97.5%, surpassing various state-of-the-art detection techniques proposed in the current literature.

computer science, information systems,materials science, multidisciplinary