Enhancing Accuracy of Android Malware Detection using Intent Instrumentation

Shahrooz Pooryousef, Morteza Amini

2017

Abstract

Event-driven actions in Android malwares and complexity of extracted profiles of applications’ behaviors are two challenges in dynamic malware analysis tools to find malicious behaviors. Thanks to ability of event-driven actions in Android applications, malwares can trigger their malicious behaviors at specific conditions and evade from detection. In this paper, we propose a framework for instrumenting Intents in Android applications’ source code in a way that different parts of the application be triggered automatically at runtime. Our instrumented codes force the application to exhibit its behaviors and so we can have a more complete profile of the application’s behaviors. Our framework, which is implemented as a tool, first uses static analysis to extract an application’s structure and components and then, instruments Intents inside the application’s Smali codes. Experimental results show that applying our code instrumentation framework on applications help exhibiting more data leakage behaviors such as disclosing Android ID in 79 more applications in a data set containing 6,187 malwares in comparison to using traditional malware analysis tools.

References

  1. Bartel, A., Klein, J., Monperrus, M., and Le Traon, Y. (2014). Static analysis for extracting permission checks of a large scale framework: The challenges and solutions for analyzing android. In IEEE Transactions on Software Engineering, volume 40, pages 617-632. IEEE.
  2. Bugiel, S., Heuser, S., and Sadeghi, A.-R. (2013). Flexible and fine-grained mandatory access control on android for diverse security and privacy policies. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), pages 131-146.
  3. Burguera, I., Zurutuza, U., and Nadjm-Tehrani, S. (2011). Crowdroid: behavior-based malware detection system for android. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, pages 15-26. ACM.
  4. Chen, J., Chen, H., Bauman, E., Lin, Z., Zang, B., and Guan, H. (2015). You shouldn't collect my secrets: Thwarting sensitive keystroke leakage in mobile ime apps. In Proceedings of 24th USENIX Security Symposium (USENIX Security 15), pages 657- 690. USENIX Association.
  5. Chin, E., Felt, A. P., Greenwood, K., and Wagner, D. (2011). Analyzing inter-application communication in android. In Proceedings of the 9th international conference on Mobile systems, applications, and services, pages 239-252. ACM.
  6. Corporation, I. D. (2014). Android market share reached 75% worldwide in q3 2012. http://techcrunch.com/2012/11/02/idcandroidmarket-share-reached-75-worldwidein-q3- 2012 Access time: May 7,2013.
  7. Desnos, A. (2014). Androguard-reverse engineering, malware and goodware analysis of android applications. https: code.google.com/p/androguard Access time: 2013, May.
  8. Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-G., Cox, L. P., Jung, J., McDaniel, P., and Sheth, A. N. (2014). Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In ACM Transactions on Computer Systems (TOCS), volume 32, pages 5:1-5:29. ACM.
  9. Felt, A. P., Chin, E., Hanna, S., Song, D., and Wagner, D. (2011a). Android permissions demystified. In Proceedings of the 18th ACM conference on Computer and communications security, pages 627-638. ACM.
  10. Felt, A. P., Finifter, M., Chin, E., Hanna, S., and Wagner, D. (2011b). A survey of mobile malware in the wild. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, pages 3-14. ACM.
  11. Fuzz (2014). Fuzz. http://pages.cs.wisc.edu/bart/fuzz/ Access time: 2008, May.
  12. Gilbert, P., Chun, B.-G., Cox, L. P., and Jung, J. (2011). Vision: automated security validation of mobile apps at app markets. In Proceedings of the second international workshop on Mobile cloud computing and services, pages 21-26. ACM.
  13. Google (2014). Apktool. https:code.google.compandroidapktool Access time: 2016, May.
  14. Grace, M. C., Zhou, Y., Wang, Z., and Jiang, X. (2012). Systematic detection of capability leaks in stock android smartphones. In Proceedings of the Network and Distributed System Security Symposium (NDSS), volume 14, page 19. Internet Society.
  15. Hoffmann, J., Ussath, M., Holz, T., and Spreitzenbarth, M. (2013). Slicing droids: program slicing for smali code. In Proceedings of the 28th Annual ACM Symposium on Applied Computing, pages 1844-1851. ACM.
  16. IDC (2014). Android and ios continue to dominate the worldwide smartphone market with android shipments just shy of 800 million in 2013. http://www.idc.com/getdoc.jsp Access time: February 2014.
  17. ISBX (2014). An online data set of malwares. http://www.unb.ca/research/iscx/dataset/ Access time: 2015, May.
  18. Jeon, J., Micinski, K. K., Vaughan, J. A., Fogel, A., Reddy, N., Foster, J. S., and Millstein, T. (2012). Dr. android and mr. hide: fine-grained permissions in android applications. In Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices, pages 3-14. ACM.
  19. Karami, M., Elsabagh, M., Najafiborazjani, P., and Stavrou, A. (2013). Behavioral analysis of android applications using automated instrumentation. In Proceedings of the IEEE 7th International Conference on Software Security and Reliability-Companion (SERE-C), pages 182-187. IEEE.
  20. Li, L., Bartel, A., Bissyandé, T. F., Klein, J., and Le Traon, Y. (2015). Apkcombiner: Combining multiple android apps to support inter-app analysis. In Proceedings of the IFIP International Information Security Conference, pages 513-527. Springer.
  21. Peiravian, N. and Zhu, X. (2013). Machine learning for android malware detection using permission and api calls. In Proceedings of the IEEE 25th International Conference on Tools with Artificial Intelligence , pages 300-305. IEEE.
  22. Pooryousef, S. and Amini, M. (2016). Fine-grained access control for hybrid mobile applications in android using restricted paths. In Information Security and Cryptology (ISCISC), 2016 13th International Iranian Society of Cryptology Conference on, pages 85-90. IEEE.
  23. Rastogi, V., Chen, Y., and Enck, W. (2013). Appsplayground: automatic security analysis of smartphone applications. In Proceedings of the 3rd ACM conference on Data and application security and privacy, pages 209-220. ACM.
  24. Rastogi, V., Chen, Y., and Jiang, X. (2014). Catch me if you can: Evaluating android anti-malware against transformation attacks. In IEEE Transactions on Information Forensics and Security, volume 9, pages 99-108. IEEE.
  25. Report, M. T. (2014). Third quarter 2012. http://www.mcafee.com/ca/resources/reports/rpquarterly-threat-q3-2012.pdf Access time: May 7, 2013.
  26. Sahs, J. and Khan, L. (2012). A machine learning approach to android malware detection. In Proceedings of the Intelligence and Security Informatics Conference (EISIC), 2012 European, pages 141-147. IEEE.
  27. Tam, K., Khan, S. J., Fattori, A., and Cavallaro, L. (2015). Copperdroid: Automatic reconstruction of android malware behaviors. In Proceedings of the Network and Distributed System Security Symposium (NDSS). Internet Society.
  28. VirusShare (2014). An online data set of malwares. https:virusshare.com Access time: 2015, May.
  29. Wong, M. Y. and Lie, D. (2016). Intellidroid: A targeted input generator for the dynamic analysis of android malware. In Proceedings of the Annual Symposium on Network and Distributed System Security (NDSS), pages 1-15. The Internet Society.
  30. Xu, R., Saïdi, H., and Anderson, R. (2012). Aurasium: Practical policy enforcement for android applications. In Proceedings of the 21st USENIX Security Symposium (USENIX Security 12), pages 539-552. USENIX Association.
  31. Yang, W., Xiao, X., Andow, B., Li, S., Xie, T., and Enck, W. (2015). Appcontext: Differentiating malicious and benign mobile app behaviors using context. In 37th IEEE International Conference on Software Engineering, volume 1, pages 303-313. IEEE.
  32. Zhang, Y., Yang, M., Xu, B., Yang, Z., Gu, G., Ning, P., Wang, X. S., and Zang, B. (2013). Vetting undesirable behaviors in android apps with permission use analysis. In Proceedings of the ACM SIGSAC conference on Computer & communications security, pages 611-622. ACM.
  33. Zheng, C., Zhu, S., Dai, S., Gu, G., Gong, X., Han, X., and Zou, W. (2012a). Smartdroid: an automatic system for revealing ui-based trigger conditions in android applications. In Proceedings of the 2nd ACM workshop on Security and privacy in smartphones and mobile devices, pages 93-104. ACM.
  34. Zheng, M., Lee, P. P., and Lui, J. C. (2012b). Adam: an automatic and extensible platform to stress test android anti-virus systems. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 82-101. Springer.
  35. Zhou, W., Zhang, X., and Jiang, X. (2013). Appink: watermarking android apps for repackaging deterrence. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pages 1-12. ACM.
  36. Zhou, Y., Wang, Z., Zhou, W., and Jiang, X. (2012a). Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In Proceedings of the Network and Distributed System Security Symposium (NDSS), volume 25, pages 50-52.
  37. Zhou, Y., Wang, Z., Zhou, W., and Jiang, X. (2012b). Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In Proceedings of the Network and Distributed System Security Symposium (NDSS), volume 25, pages 50-52.
Download


Paper Citation


in Harvard Style

Pooryousef S. and Amini M. (2017). Enhancing Accuracy of Android Malware Detection using Intent Instrumentation . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 380-388. DOI: 10.5220/0006195803800388


in Bibtex Style

@conference{icissp17,
author={Shahrooz Pooryousef and Morteza Amini},
title={Enhancing Accuracy of Android Malware Detection using Intent Instrumentation},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2017},
pages={380-388},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006195803800388},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Enhancing Accuracy of Android Malware Detection using Intent Instrumentation
SN - 978-989-758-209-7
AU - Pooryousef S.
AU - Amini M.
PY - 2017
SP - 380
EP - 388
DO - 10.5220/0006195803800388