Identifying android malicious repackaged applications by thread-grained system call sequences

Android security has become highly desirable since adversaries can easily repackage malicious codes into various benign applications and spread these malicious repackaged applications (MRAs). Most MRA detection mechanisms on Android focus on detecting a specific family of MRAs or requiring the original benign application to compare with the malicious ones. This work proposes a new mechanism, SCSdroid (System Call Sequence Droid), which adopts the thread-grained system call sequences activated by applications. The concept is that even if MRAs can be camouflaged as benign applications, their malicious behavior would still appear in the system call sequences. SCSdroid extracts the truly malicious common subsequences from the system call sequences of MRAs belonging to the same family. Therefore, these extracted common subsequences can be used to identify any evaluated application without requiring the original benign application. Experimental results show that SCSdroid falsely detected only two applications among 100 evaluated benign applications, and falsely detected only one application among 49 evaluated malicious applications. As a result, SCSdroid achieved up to 95.97% detection accuracy, i.e., 143 correct detections among 149 applications.

[1]  Yuval Elovici,et al.  “Andromaly”: a behavioral malware detection framework for android devices , 2012, Journal of Intelligent Information Systems.

[2]  Avik Chaudhuri,et al.  SCanDroid: Automated Security Certification of Android , 2009 .

[3]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[4]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[5]  Yajin Zhou,et al.  Detecting repackaged smartphone applications in third-party android marketplaces , 2012, CODASPY '12.

[6]  John C. S. Lui,et al.  ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-virus Systems , 2012, DIMVA.

[7]  Patrick D. McDaniel,et al.  Understanding Android Security , 2009, IEEE Security & Privacy Magazine.

[8]  Ehud Gudes,et al.  A Method for Detecting Unknown Malicious Executables , 2011, 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications.

[9]  Ayumu Kubota,et al.  Kernel-based Behavior Analysis for Android Malware Detection , 2011, 2011 Seventh International Conference on Computational Intelligence and Security.

[10]  Simin Nadjm-Tehrani,et al.  Crowdroid: behavior-based malware detection system for Android , 2011, SPSM '11.

[11]  J. Foster,et al.  SCanDroid: Automated Security Certification of Android , 2009 .

[12]  Gary McGraw Silver Bullet Talks with Jeremiah Grossman , 2009, IEEE Security & Privacy Magazine.

[13]  John C. S. Lui,et al.  Droid Analytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware , 2013, 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications.

[14]  Christopher Krügel,et al.  Limits of Static Analysis for Malware Detection , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[15]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[16]  Nicolas Christin,et al.  All Your Droid Are Belong to Us: A Survey of Current Android Attacks , 2011, WOOT.

[17]  Yajin Zhou,et al.  Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets , 2012, NDSS.

[18]  Sahin Albayrak,et al.  An Android Application Sandbox system for suspicious software detection , 2010, 2010 5th International Conference on Malicious and Unwanted Software.