AnaDroid: Malware Analysis of Android with User-supplied Predicates

Abstract Today's mobile platforms provide only coarse-grained permissions to users with regard to how third-party applications use sensitive private data. Unfortunately, it is easy to disguise malware within the boundaries of legitimately-granted permissions. For instance, granting access to “contacts” and “internet” may be necessary for a text-messaging application to function, even though the user does not want contacts transmitted over the internet. To understand fine-grained application use of permissions, we need to statically analyze their behavior. Even then, malware detection faces three hurdles: (1) analyses may be prohibitively expensive, (2) automated analyses can only find behaviors that they are designed to find, and (3) the maliciousness of any given behavior is application-dependent and subject to human judgment. To remedy these issues, we propose semantic-based program analysis, with a human in the loop as an alternative approach to malware detection. In particular, our analysis allows analyst-crafted semantic predicates to search and filter analysis results. Human-oriented semantic-based program analysis can systematically, quickly and concisely characterize the behaviors of mobile applications. We describe a tool that provides analysts with a library of the semantic predicates and the ability to dynamically trade speed and precision. It also provides analysts the ability to statically inspect details of every suspicious state of (abstract) execution in order to make a ruling as to whether or not the behavior is truly malicious with respect to the intent of the application. In addition, permission and profiling reports are generated to aid analysts in identifying common malicious behaviors.

[1]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[2]  Helen J. Wang,et al.  Permission Re-Delegation: Attacks and Defenses , 2011, USENIX Security Symposium.

[3]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[4]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[5]  Ahmad-Reza Sadeghi,et al.  Towards Taming Privilege-Escalation Attacks on Android , 2012, NDSS.

[6]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[7]  Olin Shivers,et al.  Control-flow analysis of higher-order languages of taming lambda , 1991 .

[8]  Matthew Might,et al.  Abstracting abstract machines , 2010, ICFP '10.

[9]  Shashi Shekhar,et al.  QUIRE: Lightweight Provenance for Smart Phone Operating Systems , 2011, USENIX Security Symposium.

[10]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[11]  Matthew Might,et al.  Environment Analysis of Higher-Order Languages , 2007 .

[12]  Matthew Might,et al.  Improving flow analyses via ΓCFA: abstract garbage collection and counting , 2006, ICFP '06.

[13]  Todd D. Millstein,et al.  Dr. Android and Mr. Hide: fine-grained permissions in android applications , 2012, SPSM '12.

[14]  Aske Simon Christensen,et al.  Precise Analysis of String Expressions , 2003, SAS.

[15]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[16]  Wenke Lee,et al.  CHEX: statically vetting Android apps for component hijacking vulnerabilities , 2012, CCS.

[17]  Agostino Cortesi,et al.  Static Analysis of String Values , 2011, ICFEM.