FlowMine: Android app analysis via data flow

The demeanor towards sensitive data is an important factor to differentiate malicious apps from benign apps in Android platform. In this work, we consider the data flow path from a data source to a data sink, where `source' is a non-constant data that marks the beginning of the path, and `sink' is the resource where the data reaches. To accurately identify the behavioral differences, we analyzed the data flow paths in 2800 benign apps against 15000 malicious apps. We assigned weights to each path which is the absolute difference between its use in benign and malicious samples. If a path is more used by malicious apps, then weight becomes negative otherwise positive. We assigned rankings according to the popularity of the path. If the benignity rank of a path is higher than its malignity rank, then it can be inferred that the path is more used by benign application. We cover all possible paths in an application based on context-sensitivity, flow-sensitivity, and object-sensitivity of data. We name our proposed solution FlowMine. FlowMine takes these rankings and weights as its contrivance and evaluates the behavior of any test application towards maliciousness or benignity. For evaluation purpose, we took 5000 benign and 10000 malware samples. To the best of our knowledge, FlowMine is the first approach that finds the degree of similarity of an unknown sample app with known benign and malware samples for the classification of app. Our prototype excelled and correctly classified 96% of all benign apps and 98% of all novel malware leaking sensitive data.

[1]  Roksana Boreli,et al.  On the effectiveness of dynamic taint analysis for protecting against private information leaks on Android-based devices , 2013, 2013 International Conference on Security and Cryptography (SECRYPT).

[2]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[3]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[4]  Yuan-Cheng Lai,et al.  Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems , 2012, IEEE Communications Surveys & Tutorials.

[5]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[6]  Isil Dillig,et al.  Apposcopy: semantics-based detection of Android malware through static analysis , 2014, SIGSOFT FSE.

[7]  Zhemin Yang,et al.  LeakMiner: Detect Information Leakage on Android with Static Taint Analysis , 2012, 2012 Third World Congress on Software Engineering.

[8]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[9]  Mu Zhang,et al.  Semantics-Aware Android Malware Classification Using Weighted Contextual API Dependency Graphs , 2014, CCS.

[10]  Sandro Etalle,et al.  Hybrid Static-Runtime Information Flow and Declassification Enforcement , 2013, IEEE Transactions on Information Forensics and Security.

[11]  Eric Bodden,et al.  A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks , 2014, NDSS.

[12]  Simin Nadjm-Tehrani,et al.  Crowdroid: behavior-based malware detection system for Android , 2011, SPSM '11.

[13]  Vijay Laxmi,et al.  AndroSimilar: robust statistical feature signature for Android malware detection , 2013, SIN.

[14]  Somesh Jha,et al.  Semantics-aware malware detection , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[15]  Hao Chen,et al.  AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale , 2012, TRUST.

[16]  Jacques Klein,et al.  IccTA: Detecting Inter-Component Privacy Leaks in Android Apps , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[17]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[18]  Xu Chen,et al.  Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware , 2008, 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN).

[19]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.