DroidAnalyst: Synergic App Framework for Static and Dynamic App Analysis

Evolution of mobile devices, availability of additional resources coupled with enhanced functionality has leveraged smartphone to substitute the conventional computing devices. Mobile device users have adopted smartphones for online payments, sending emails, social networking, and stores the user sensitive information. The ever increasing mobile devices has attracted malware authors and cybercriminals to target mobile platforms. Android, the most popular open source mobile OS is being targeted by the malware writers. In particular, less monitored third party markets are being used as infection and propagation sources. Given the threats posed by the increasing number of malicious apps, security researchers must be able to analyze the malware quickly and efficiently; this may not be feasible with the manual analysis. Hence, automated analysis techniques for app vetting and malware detection are necessary. In this chapter, we present DroidAnalyst, a novel automated app vetting and malware analysis framework that integrates the synergy of static and dynamic analysis to improve accuracy and efficiency of analysis. DroidAnalyst generates a unified analysis model that combines the strengths of the complementary approaches with multiple detection methods, to increase the app code analysis. We have evaluated our proposed solution DroidAnalyst against a reasonable dataset consisting real-world benign and malware apps.

[1]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[2]  Fuhui Long,et al.  Feature selection based on mutual information criteria of max-dependency, max-relevance, and min-redundancy , 2003, IEEE Transactions on Pattern Analysis and Machine Intelligence.

[3]  John C. S. Lui,et al.  ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-virus Systems , 2012, DIMVA.

[4]  Guofei Gu,et al.  SmartDroid: an automatic system for revealing UI-based trigger conditions in android applications , 2012, SPSM '12.

[5]  Sotiris Ioannidis,et al.  Rage against the virtual machine: hindering dynamic analysis of Android malware , 2014, EuroSec '14.

[6]  Yanick Fratantonio,et al.  ANDRUBIS -- 1,000,000 Apps Later: A View on Current Android Malware Behaviors , 2014, 2014 Third International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS).

[7]  Thomas Schreck,et al.  Mobile-sandbox: having a deeper look into android applications , 2013, SAC '13.

[8]  Yajin Zhou,et al.  Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets , 2012, NDSS.

[9]  Nicolas Christin,et al.  Evading android runtime analysis via sandbox detection , 2014, AsiaCCS.

[10]  Vassil Roussev,et al.  Data Fingerprinting with Similarity Digests , 2010, IFIP Int. Conf. Digital Forensics.

[11]  Vijay Laxmi,et al.  AndroSimilar: Robust signature for detecting variants of Android malware , 2015, J. Inf. Secur. Appl..

[12]  Jacques Klein,et al.  Highly precise taint analysis for Android applications , 2013 .

[13]  Leo Breiman,et al.  Random Forests , 2001, Machine Learning.

[14]  Mauro Conti,et al.  FM 99.9, Radio Virus: Exploiting FM Radio Broadcasts for Malware Deployment , 2013, IEEE Transactions on Information Forensics and Security.

[15]  Mauro Conti,et al.  MITHYS: Mind The Hand You Shake - Protecting mobile devices from SSL usage vulnerabilities , 2013, STM.

[16]  Gary A. Kildall,et al.  A unified approach to global program optimization , 1973, POPL.

[17]  Sandro Etalle,et al.  Hybrid Static-Runtime Information Flow and Declassification Enforcement , 2013, IEEE Transactions on Information Forensics and Security.

[18]  Muttukrishnan Rajarajan,et al.  Android Security: A Survey of Issues, Malware Penetration, and Defenses , 2015, IEEE Communications Surveys & Tutorials.

[19]  Simin Nadjm-Tehrani,et al.  Crowdroid: behavior-based malware detection system for Android , 2011, SPSM '11.

[20]  Vijay Laxmi,et al.  AndroSimilar: robust statistical feature signature for Android malware detection , 2013, SIN.

[21]  Sahin Albayrak,et al.  An Android Application Sandbox system for suspicious software detection , 2010, 2010 5th International Conference on Malicious and Unwanted Software.

[22]  Eric Bodden,et al.  Harvesting Runtime Data in Android Applications for Identifying Malware and Enhancing Code Analysis , 2015 .

[23]  Gonzalo Álvarez,et al.  PUMA: Permission Usage to Detect Malware in Android , 2012, CISIS/ICEUTE/SOCO Special Sessions.

[24]  Yanick Fratantonio,et al.  Andrubis: Android Malware Under the Magnifying Glass , 2014 .

[25]  Vassil Roussev Building a Better Similarity Trap with Statistically Improbable Features , 2009 .

[26]  Heng Yin,et al.  DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis , 2012, USENIX Security Symposium.

[27]  Yajin Zhou,et al.  Systematic Detection of Capability Leaks in Stock Android Smartphones , 2012, NDSS.

[28]  Muttukrishnan Rajarajan,et al.  Evaluation of Android Anti-malware Techniques against Dalvik Bytecode Obfuscation , 2014, 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications.

[29]  Vassil Roussev,et al.  An evaluation of forensic similarity hashes , 2011, Digit. Investig..

[30]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[31]  Edgar R. Weippl,et al.  Enter Sandbox: Android Sandbox Comparison , 2014, ArXiv.

[32]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[33]  Xuxian Jiang,et al.  Unsafe exposure analysis of mobile in-app advertisements , 2012, WISEC '12.

[34]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[35]  Lorrie Faith Cranor,et al.  A Conundrum of Permissions: Installing Applications on an Android Smartphone , 2012, Financial Cryptography Workshops.