Mobile malware exposed

In this paper, we propose a new method to detect malicious activities on mobile devices by examining an application's runtime behavior. To this end, we use the Xposed framework to build a monitoring module that generates behavior profiles for applications. The module integrates with our intrusion detection system, which then analyzes and reports on the profiles. We use this tool to detect malicious behavior patterns in both custom-written malware and a real malware sample. We also detect behavior patterns for some popular applications from the Google Play Store to expose their functionality. The results show that standard techniques used to evade static analysis are not effective against our monitoring approach. This approach can also be generalized to detect unknown malware or to expose exact application behavior to the user.
