Visual Analysis of Android Malware Behavior Profile Based on PMCG_droid : A Pruned Lightweight APP Call Graph

In recent years the number of malicious apps on the Android platform has increased sharply, so identifying new types of Android malware and their malicious behaviors has become a hot research topic in the security community. This paper presents a visualization framework that helps security analysts precisely distinguish the malicious profiles of apps. By labeling target nodes, adding implicit call edges, pruning harmless branches, and a few other operations, we generate a new kind of call graph: \(PMCG_{droid}\). This graph is far smaller than the original app call graph, yet it preserves the malicious core of the malware well. Based on \(PMCG_{droid}\), we design visual interfaces with rich interactive operations that help users check the malicious behavior profile of samples. We study real-world samples to demonstrate the usability and efficiency of our approach.
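The three graph operations named in the abstract (labeling target nodes, adding implicit call edges, pruning harmless branches) can be illustrated on a toy call graph. The code below is an added example written for this page; it is not the paper's PMCG_droid implementation, and its call graph, its list of "target" APIs, its single implicit edge (a `Thread.start` call reaching a `run` method through the framework) and its pruning rule (keep only nodes from which some target is reachable) are all assumptions chosen to show the idea, not details taken from the paper.

```python
"""Toy call-graph labeling, implicit-edge insertion and pruning.

Added example for this page; not the paper's code. All names below are
constructed for illustration.
"""
from collections import deque

# Constructed sample call graph (caller -> callees), as a static analysis
# might extract it from an app. Method names are hypothetical.
RAW_CALL_GRAPH = {
    "MainActivity.onCreate": ["MainActivity.initUi", "MainActivity.startWorker"],
    "MainActivity.initUi": ["android.widget.TextView.setText"],
    "MainActivity.startWorker": ["java.lang.Thread.start"],
    "Worker.run": ["Worker.collect", "Worker.upload"],
    "Worker.collect": ["android.telephony.TelephonyManager.getDeviceId"],
    "Worker.upload": ["java.net.HttpURLConnection.connect"],
    "SettingsActivity.onCreate": ["SettingsActivity.loadPrefs"],
    "SettingsActivity.loadPrefs": ["android.content.SharedPreferences.getString"],
}

# Sensitive framework APIs an analyst wants to keep in view (assumed list).
TARGET_APIS = {
    "android.telephony.TelephonyManager.getDeviceId",
    "java.net.HttpURLConnection.connect",
}

# Framework-mediated transitions that a plain static call graph misses
# (assumed): starting a thread eventually invokes the worker's run().
IMPLICIT_EDGES = {
    "java.lang.Thread.start": ["Worker.run"],
}


def all_nodes(graph):
    """Every method that appears as a caller or a callee."""
    nodes = set(graph)
    for callees in graph.values():
        nodes.update(callees)
    return nodes


def add_implicit_edges(graph, implicit_edges):
    """Return a copy of graph with the implicit caller -> callee edges added."""
    result = {caller: list(callees) for caller, callees in graph.items()}
    for caller, callees in implicit_edges.items():
        result.setdefault(caller, [])
        for callee in callees:
            if callee not in result[caller]:
                result[caller].append(callee)
    return result


def label_nodes(graph, targets, implicit_edges):
    """Tag each node as a target API, the source of an implicit edge, or normal."""
    labels = {}
    for node in all_nodes(graph):
        if node in targets:
            labels[node] = "target"
        elif node in implicit_edges:
            labels[node] = "implicit-source"
        else:
            labels[node] = "normal"
    return labels


def nodes_reaching_targets(graph, targets):
    """Backward BFS from the targets: every node with a path to some target."""
    reverse = {n: [] for n in all_nodes(graph)}
    for caller, callees in graph.items():
        for callee in callees:
            reverse[callee].append(caller)
    keep = {t for t in targets if t in reverse}
    queue = deque(keep)
    while queue:
        node = queue.popleft()
        for caller in reverse[node]:
            if caller not in keep:
                keep.add(caller)
                queue.append(caller)
    return keep


def prune_harmless_branches(graph, keep):
    """Drop every node and edge that cannot lead to a target API."""
    pruned = {}
    for caller, callees in graph.items():
        if caller not in keep:
            continue
        kept = [c for c in callees if c in keep]
        if kept:
            pruned[caller] = kept
    return pruned


def build_pmcg(raw_graph, targets, implicit_edges):
    """Implicit edges first, then reachability, then pruning; returns (graph, labels)."""
    graph = add_implicit_edges(raw_graph, implicit_edges)
    keep = nodes_reaching_targets(graph, targets)
    pruned = prune_harmless_branches(graph, keep)
    return pruned, label_nodes(pruned, targets, implicit_edges)


def node_count(graph):
    return len(all_nodes(graph))


if __name__ == "__main__":
    pruned, labels = build_pmcg(RAW_CALL_GRAPH, TARGET_APIS, IMPLICIT_EDGES)
    print("nodes before:", node_count(RAW_CALL_GRAPH), "after:", node_count(pruned))
    for caller, callees in pruned.items():
        for callee in callees:
            print(f"{caller} [{labels[caller]}] -> {callee} [{labels[callee]}]")
```

On this constructed input the UI-only branch (`initUi`) and the whole `SettingsActivity` subtree disappear, while the thread-started path that reaches the device-identifier read and the network connect survives only because the implicit `Thread.start -> Worker.run` edge was added before pruning; without that edge the backward search would stop at `Worker.run` and the entry point would be pruned away, which is the failure mode implicit-edge handling exists to avoid.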
