TRAPDROID: Bare-Metal Android Malware Behavior Analysis Framework

In the realm of mobile devices, malicious applications pose considerable threats to individuals, companies and governments. Cyber security researchers are in a constant race against malware developers, analyzing each new technique they introduce so that it can be turned into better detection. In this paper, we present TRAPDROID, a dynamic malware analysis framework mostly focused on capturing unified behavior profiles of applications by analyzing them on physical devices in real time. Our framework processes events collected from system calls, binder communications, process stats and hardware performance counters, and combines them into a simple yet meaningful behavior format. We evaluated the framework's detection rate and performance by analyzing an up-to-date malware dataset that also contains specially crafted applications with malicious intent. The framework is easy to use and fast, and it provides high accuracy in malware detection with relatively low overhead.
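The unified behavior format the abstract describes, as an added illustration that is not TRAPDROID's own code: constructed records from the four collectors named above (system calls, binder, process stats, hardware performance counters) are normalised into one event schema and merged into a single time-ordered profile per process. The record shapes, field names and sample values are assumptions made for this example.

```python
"""Unified behaviour profile from heterogeneous Android event sources (illustration)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since analysis start
    pid: int
    source: str      # "syscall" | "binder" | "procstat" | "hpc"
    action: str      # normalised verb, e.g. "openat" or "Interface.method"
    detail: str      # argument summary: path, endpoint, counter value


# Constructed raw records, one list per collector; shapes are assumed, not TRAPDROID's.
SYSCALLS = [
    (1.00, 4242, "openat", "/data/data/com.example.app/files/cfg"),
    (1.05, 4242, "connect", "203.0.113.10:443"),   # RFC 5737 documentation address
    (1.20, 4242, "execve", "/system/bin/sh"),
]
BINDER = [
    (1.02, 4242, "android.app.IActivityManager", "startService"),
    (1.10, 4242, "android.telephony.ISms", "sendText"),
]
PROCSTAT = [(1.15, 4242, "utime", 310), (1.15, 4242, "rss_kb", 65240)]
HPC = [(1.15, 4242, "cycles", 9_812_004), (1.15, 4242, "cache-misses", 42_113)]


def normalise() -> List[Event]:
    """Map each collector's record shape onto the shared Event schema, ordered by time."""
    events = [Event(ts, pid, "syscall", name, arg) for ts, pid, name, arg in SYSCALLS]
    events += [Event(ts, pid, "binder", f"{iface}.{meth}", meth) for ts, pid, iface, meth in BINDER]
    events += [Event(ts, pid, "procstat", key, str(val)) for ts, pid, key, val in PROCSTAT]
    events += [Event(ts, pid, "hpc", key, str(val)) for ts, pid, key, val in HPC]
    # Stable sort: equal timestamps keep collector order (hpc before procstat, then insertion).
    return sorted(events, key=lambda e: (e.ts, e.source))


def behaviour_profile(events: List[Event]) -> Dict[int, List[str]]:
    """Per-process, time-ordered 'source:action' tokens: the unified behaviour profile."""
    profile: Dict[int, List[str]] = {}
    for e in events:
        profile.setdefault(e.pid, []).append(f"{e.source}:{e.action}")
    return profile


if __name__ == "__main__":
    for pid, seq in behaviour_profile(normalise()).items():
        print(pid, " -> ".join(seq))
```

The resulting token sequence is the kind of flattened, source-agnostic representation that a classifier or rule set can consume without caring which collector produced each event.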