Interactive visualization toolbox to detect sophisticated android malware

Detecting zero-day sophisticated malware is like searching for a needle in a haystack without knowing what the needle looks like. This paper describes the Android Malicious Flow Visualization Toolbox, which empowers a human analyst to detect such malware. Detecting sophisticated malware requires systematic exploration of the code to identify potentially malignant code, conceiving plausible malware hypotheses, and gathering evidence from the code to prove or refute each hypothesis. We describe interactive visualizations of program artifacts that help the analyst understand and analyze the complex Android semantics used by an app. The toolbox incorporates visualization capabilities that work together cohesively and provides a mechanism for easily adding new capabilities. We present case studies of detecting Android malware with confidentiality and integrity breaches. We report the accuracy and efficiency achieved by our team of analysts using the toolbox while auditing 77 sophisticated Android apps provided by the Defense Advanced Research Projects Agency (DARPA). Toolbox URL: https://kcsl.github.io/AMFVT/.