On the Need of Precise Inter-App ICC Classification for Detecting Android

Malware collusion is a new threat against Android application security. It refers to the scenario where two or more applications interact with each other to perform malicious tasks. Most existing solutions assume the attack model of a standalone malicious application, and thus cannot detect collusion. The objective of this position paper is to point out the need for practical solutions for detecting malware collusion. We show experimental evidence on the technical challenges associated with distinguishing benign Android inter-component communication (ICC) flows from colluding ones. We statically construct ICC Maps to capture pairwise communicating ICC channels of 2,644 real benign apps. We find that existing permission-based collusion-detection policies trigger a large number of false alerts in benign app pairs.
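The following added example (not code from the paper) sketches the kind of check the abstract describes: it builds a pairwise ICC map from per-app facts and applies a permission-based policy to it. The app names, the sensitive-permission set, the `com.example.action.UPLOAD` action and the policy rule itself are assumptions made for illustration; the paper's own ICC Map construction and policies are not shown on this page.

```python
# Constructed sample data: per-app facts a static analyzer would extract.
# "sends" = actions of implicit intents the app emits; "filters" = actions
# its exported components accept. All app names are hypothetical.
APPS = {
    "contacts.viewer": {"perms": {"android.permission.READ_CONTACTS"},
                        "sends": {"android.intent.action.SEND"}, "filters": set()},
    "mail.client": {"perms": {"android.permission.INTERNET"},
                    "sends": set(), "filters": {"android.intent.action.SEND"}},
    "notes.local": {"perms": set(), "sends": set(),
                    "filters": {"android.intent.action.SEND"}},
    "gps.logger": {"perms": {"android.permission.ACCESS_FINE_LOCATION"},
                   "sends": {"com.example.action.UPLOAD"}, "filters": set()},
    "sync.helper": {"perms": {"android.permission.INTERNET"},
                    "sends": set(), "filters": {"com.example.action.UPLOAD"}},
}
# Assumed policy inputs (not taken from the paper).
SENSITIVE = {"android.permission.READ_CONTACTS",
             "android.permission.ACCESS_FINE_LOCATION"}
INTERNET = "android.permission.INTERNET"

def build_icc_map(apps):
    """Return sorted (sender, receiver, action) edges for inter-app channels."""
    edges = []
    for src, s in apps.items():
        for dst, d in apps.items():
            if src == dst:
                continue  # only inter-app channels are of interest
            for action in sorted(s["sends"] & d["filters"]):
                edges.append((src, dst, action))
    return sorted(edges)

def permission_policy_alerts(apps, icc_map):
    """Assumed policy: alert when a sender holding a sensitive permission
    has a channel to a receiver holding INTERNET."""
    return [(src, dst, action) for src, dst, action in icc_map
            if apps[src]["perms"] & SENSITIVE and INTERNET in apps[dst]["perms"]]

if __name__ == "__main__":
    icc = build_icc_map(APPS)
    alerts = permission_policy_alerts(APPS, icc)
    for edge in icc:
        print("ALERT" if edge in alerts else "ok   ", *edge)
```

The policy flags the ordinary share-to-mail pair exactly as it flags the custom upload channel, because permissions alone say nothing about what data actually crosses the channel.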
