Hey Malware, I Can Find You!

Android smartphones are the most widespread in the world, which is why attackers write increasingly aggressive code to steal data and other sensitive information stored on the phone. One of the most representative malware families implementing typical trojan behaviour in the Android environment is the so-called Fake Installer. In this paper we use formal methods, in particular model checking, to identify Fake Installer malware. We specify a set of formulae and check them against an application model built in CCS, in order to recognize whether an application is a malicious sample belonging to the Fake Installer family or a legitimate one. We evaluate our methodology on 1125 real-world samples, obtaining very promising results.
