RiskRanker: scalable and accurate zero-day android malware detection

Smartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

[1]  Norman Hardy,et al.  The Confused Deputy: (or why capabilities might have been invented) , 1988, OPSR.

[2]  Helen J. Wang,et al.  Shield: vulnerability-driven network filters for preventing known vulnerability exploits , 2004, SIGCOMM '04.

[3]  Patrick D. McDaniel,et al.  Semantically Rich Application-Centric Security in Android , 2009, 2009 Annual Computer Security Applications Conference.

[4]  Zhi Wang,et al.  ReFormat: Automatic Reverse Engineering of Encrypted Messages , 2009, ESORICS.

[5]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[6]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[7]  Xinwen Zhang,et al.  Apex: extending Android permission model and enforcement with user-defined runtime constraints , 2010, ASIACCS '10.

[8]  Shashi Shekhar,et al.  QUIRE: Lightweight Provenance for Smart Phone Operating Systems , 2011, USENIX Security Symposium.

[9]  Matthias Lange,et al.  L4Android: a generic operating system framework for secure smartphones , 2011, SPSM '11.

[10]  Helen J. Wang,et al.  Permission Re-Delegation: Attacks and Defenses , 2011, USENIX Security Symposium.

[11]  David A. Wagner,et al.  Analyzing inter-application communication in Android , 2011, MobiSys '11.

[12]  Jeremy Andrus,et al.  Cells: a virtual mobile smartphone architecture , 2011, SOSP '11.

[13]  Yajin Zhou,et al.  Taming Information-Stealing Smartphone Applications (on Android) , 2011, TRUST.

[14]  Swarat Chaudhuri,et al.  A Study of Android Application Security , 2011, USENIX Security Symposium.

[15]  Alastair R. Beresford,et al.  MockDroid: trading privacy for application functionality on smartphones , 2011, HotMobile '11.

[16]  Steve Hanna,et al.  A survey of mobile malware in the wild , 2011, SPSM '11.

[17]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[18]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[19]  Christopher Krügel,et al.  PiOS: Detecting Privacy Leaks in iOS Applications , 2011, NDSS.

[20]  Vitaly Shmatikov,et al.  Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, Chicago, Illinois, USA, October 17-21, 2011 , 2011, CCS.

[21]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[22]  Ahmad-Reza Sadeghi,et al.  MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones , 2012, NDSS.

[23]  Xuxian Jiang,et al.  Unsafe exposure analysis of mobile in-app advertisements , 2012, WISEC '12.

[24]  Edgar R. Weippl,et al.  Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications , 2012, NDSS.

[25]  Yajin Zhou,et al.  Systematic Detection of Capability Leaks in Stock Android Smartphones , 2012, NDSS.

[26]  Ahmad-Reza Sadeghi,et al.  Towards Taming Privilege-Escalation Attacks on Android , 2012, NDSS.

[27]  Yajin Zhou,et al.  Detecting repackaged smartphone applications in third-party android marketplaces , 2012, CODASPY '12.

[28]  Yajin Zhou,et al.  Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets , 2012, NDSS.