论文信息 - Automated identification of installed malicious Android applications

Automated identification of installed malicious Android applications

Increasingly, Android smartphones are becoming more pervasive within the government and industry, despite the limited ways to detect malicious applications installed to these phones' operating systems. Although enterprise security mechanisms are being developed for use on Android devices, these methods cannot detect previously unknown malicious applications. As more sensitive enterprise information becomes available and accessible on these smartphones, the risk of data loss inherently increases. A malicious application's actions could potentially leave sensitive data exposed with little recourse. Without an effective corporate monitoring solution in place for these mobile devices, organizations will continue to lack the ability to determine when a compromise has occurred. This paper presents research that applies traditional digital forensic techniques to remotely monitor and audit Android smartphones. The smartphone sends changed file system data to a remote server, allowing for expensive forensic processing and the offline application of traditional tools and techniques rarely applied to the mobile environment. The research aims at ascertaining new ways of identifying malicious Android applications and ultimately attempts to improve the state of enterprise smartphone monitoring. An on-phone client, server, database, and analysis framework was developed and tested using real mobile malware. The results are promising that the developed detection techniques identify changes to important system partitions; recognize file system changes, including file deletions; and find persistence and triggering mechanisms in newly installed applications. It is believed that these detection techniques should be performed by enterprises to identify malicious applications affecting their phone infrastructure.

[1] Bill Hill,et al. Teleporter: An analytically and forensically sound duplicate transfer system , 2009, Digit. Investig..

[2] Yajin Zhou,et al. Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[3] Andrew Hoog. Android forensics : investigation, analysis, and mobile security for Google Android / Andrew Hoog ; John McCash, technical editor. , 2011 .

[4] Simson L. Garfinkel,et al. A general strategy for differential forensic analysis , 2012, Digit. Investig..

[5] Sylvain Ratabouil. Android NDK Beginner’s Guide , 2012 .

[6] Nicolas Christin,et al. Toward a general collection methodology for Android devices , 2011, Digit. Investig..

[7] Kevin D. Fairbanks. An analysis of Ext4 for digital forensics , 2012 .

[8] Angelos Stavrou,et al. Exploiting smart-phone USB connectivity for fun and profit , 2010, ACSAC '10.

[9] Brian D. Carrier,et al. File System Forensic Analysis , 2005 .

[10] Nicolas Christin,et al. All Your Droid Are Belong to Us: A Survey of Current Android Attacks , 2011, WOOT.

[11] Gary C. Kessler,et al. Android forensics: Simplifying cell phone examinations , 2010 .

[12] Paul Ferrill. Pro Android Python with SL4A , 2011 .

[13] Simson L. Garfinkel,et al. Digital forensics XML and the DFXML toolset , 2012, Digit. Investig..

[14] David Weinstein. A Security Hygienic Smart Charger for Mobile Devices , 2012 .