ANDRUBIS -- 1,000,000 Apps Later: A View on Current Android Malware Behaviors

Android is the most popular smartphone operating system with a market share of 80%, but as a consequence, also the platform most targeted by malware. To deal with the increasing number of malicious Android apps in the wild, malware analysts typically rely on analysis tools to extract characteristic information about an app in an automated fashion. While the importance of such tools has been addressed by the research community, the resulting prototypes remain limited in terms of analysis capabilities and availability. In this paper we present ANDRUBIS, a fully automated, publicly available and comprehensive analysis system for Android apps. ANDRUBIS combines static analysis with dynamic analysis on both Dalvik VM and system level, as well as several stimulation techniques to increase code coverage. With ANDRUBIS, we collected a dataset of over 1,000,000 Android apps, including 40% malicious apps. This dataset allows us to discuss trends in malware behavior observed from apps dating back as far as 2010, as well as to present insights gained from operating ANDRUBIS as a publicly available service for the past two years.

[1]  Yajin Zhou,et al.  Detecting repackaged smartphone applications in third-party android marketplaces , 2012, CODASPY '12.

[2]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[3]  John C. S. Lui,et al.  DroidRay: a security evaluation system for customized android firmwares , 2014, AsiaCCS.

[4]  Nicolas Christin,et al.  Evading android runtime analysis via sandbox detection , 2014, AsiaCCS.

[5]  Sahin Albayrak,et al.  An Android Application Sandbox system for suspicious software detection , 2010, 2010 5th International Conference on Malicious and Unwanted Software.

[6]  Andrea Valdi,et al.  AndroTotal: a flexible, scalable toolbox and service for testing mobile malware detectors , 2013, SPSM '13.

[7]  Hubert Ritzdorf,et al.  Analysis of the communication between colluding applications on modern smartphones , 2012, ACSAC '12.

[8]  Steve Hanna,et al.  A survey of mobile malware in the wild , 2011, SPSM '11.

[9]  Thomas Schreck,et al.  Mobile-sandbox: having a deeper look into android applications , 2013, SAC '13.

[10]  Yajin Zhou,et al.  Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets , 2012, NDSS.

[11]  Konrad Rieck,et al.  DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket , 2014, NDSS.

[12]  P. Saxena,et al.  Anti-Taint-Analysis : Practical Evasion Techniques Against Information Flow Based Malware Defense , 2007 .

[13]  Yung Ryn Choe,et al.  Andlantis: Large-scale Android Dynamic Analysis , 2014, ArXiv.

[14]  Christian Platzer,et al.  A View to a Kill: WebView Exploitation , 2013, LEET.

[15]  Dan Arp,et al.  Drebin : � Efficient and Explainable Detection of Android Malware in Your Pocket , 2014 .

[16]  L. Cavallaro,et al.  A System Call-Centric Analysis and Stimulation Technique to Automatically Reconstruct Android Malware Behaviors , 2013 .

[17]  Eemil Lagerspetz,et al.  The company you keep: mobile malware infection rates and inexpensive risk indicators , 2013, WWW.

[18]  Yanick Fratantonio,et al.  Andrubis: Android Malware Under the Magnifying Glass , 2014 .

[19]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[20]  Jeremy Clark,et al.  Understanding and improving app installation security mechanisms through empirical analysis of android , 2012, SPSM '12.

[21]  Edgar R. Weippl,et al.  Enter Sandbox: Android Sandbox Comparison , 2014, ArXiv.

[22]  William Enck,et al.  AppsPlayground: automatic security analysis of smartphone applications , 2013, CODASPY.

[23]  Guofei Gu,et al.  SmartDroid: an automatic system for revealing UI-based trigger conditions in android applications , 2012, SPSM '12.

[24]  Yajin Zhou,et al.  Fast, scalable detection of "Piggybacked" mobile applications , 2013, CODASPY.

[25]  Carsten Willems,et al.  Measurement and Analysis of Autonomous Spreading Malware in a University Environment , 2007, DIMVA.

[26]  Christopher Krügel,et al.  Scalable, Behavior-Based Malware Clustering , 2009, NDSS.

[27]  Christopher Krügel,et al.  Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications , 2014, NDSS.

[28]  Sotiris Ioannidis,et al.  Rage against the virtual machine: hindering dynamic analysis of Android malware , 2014, EuroSec '14.

[29]  Engin Kirda,et al.  A View on Current Malware Behaviors , 2009, LEET.

[30]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[31]  Sotiris Ioannidis,et al.  AndRadar: Fast Discovery of Android Applications in Alternative Markets , 2014, DIMVA.

[32]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[33]  Heng Yin,et al.  DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis , 2012, USENIX Security Symposium.

[34]  Herbert Bos,et al.  Dynamic Analysis of Android Malware , 2013 .

[35]  Markus Zeilinger,et al.  ANANAS - A Framework for Analyzing Android Applications , 2013, 2013 International Conference on Availability, Reliability and Security.

[36]  Wenke Lee,et al.  The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers , 2013, NDSS.

[37]  U. Bayer,et al.  TTAnalyze: A Tool for Analyzing Malware , 2006 .