A Forensic Analysis of Android Malware -- How is Malware Written and How it Could Be Detected?

We consider in this paper the analysis of a large set of malware and benign applications from the Android ecosystem. Although a large body of research work has dealt with Android malware over the last years, none has addressed it from a forensic point of view. After collecting over 500,000 applications from user markets and research repositories, we perform an analysis that yields precious insights on the writing process of Android malware. This study also explores some strange artifacts in the datasets, and the divergent capabilities of state-of-the-art antivirus to recognize/define malware. We further highlight some major weak usage and misunderstanding of Android security by the criminal community and show some patterns in their operational flow. Finally, using insights from this analysis, we build a naive malware detection scheme that could complement existing anti virus software.

[1]  H. B. Mann,et al.  On a Test of Whether one of Two Random Variables is Stochastically Larger than the Other , 1947 .

[2]  X Itu,et al.  Information technology-open systems interconnection-the directory: Public-key and attribute certific , 2000 .

[3]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[4]  Ahmad-Reza Sadeghi,et al.  Privilege Escalation Attacks on Android , 2010, ISC.

[5]  Arati Baliga,et al.  Rootkits on smart phones: attacks, implications and opportunities , 2010, HotMobile '10.

[6]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[7]  Xinwen Zhang,et al.  Apex: extending Android permission model and enforcement with user-defined runtime constraints , 2010, ASIACCS '10.

[8]  Ahmad-Reza Sadeghi,et al.  XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks , 2011 .

[9]  Rene Mayrhofer,et al.  A framework for on-device privilege escalation exploit execution on Android , 2011 .

[10]  Yajin Zhou,et al.  Taming Information-Stealing Smartphone Applications (on Android) , 2011, TRUST.

[11]  Swarat Chaudhuri,et al.  A Study of Android Application Security , 2011, USENIX Security Symposium.

[12]  Steve Hanna,et al.  A survey of mobile malware in the wild , 2011, SPSM '11.

[13]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[14]  Simin Nadjm-Tehrani,et al.  Crowdroid: behavior-based malware detection system for Android , 2011, SPSM '11.

[15]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[16]  Jacques Klein,et al.  Improving Privacy on Android Smartphones Through In-Vivo Bytecode Instrumentation , 2012, ArXiv.

[17]  Siu-Ming Yiu,et al.  DroidChecker: analyzing android applications for capability leak , 2012, WISEC '12.

[18]  Anthony Desnos,et al.  Android: Static Analysis Using Similarity Distance , 2012, 2012 45th Hawaii International Conference on System Sciences.

[19]  Yajin Zhou,et al.  Detecting repackaged smartphone applications in third-party android marketplaces , 2012, CODASPY '12.

[20]  Jacques Klein,et al.  Dexpler: converting Android Dalvik bytecode to Jimple for static analysis with Soot , 2012, SOAP '12.

[21]  Yajin Zhou,et al.  Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets , 2012, NDSS.

[22]  Jacques Klein,et al.  Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis , 2013 .

[23]  Nicolas Christin,et al.  Sweetening android lemon markets: measuring and combating malware in application marketplaces , 2013, CODASPY '13.

[24]  Jacques Klein,et al.  Large-scale machine learning-based malware detection: confronting the "10-fold cross validation" scheme with reality , 2014, CODASPY '14.

[25]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.