ABSTRACT
Dynamic analysis is an important technique for revealing the sensitive behavior of Android apps. Current approaches require access to code-level and system-level events (e.g., API calls and system calls) triggered by the running apps, and consequently they can only be conducted in in-lab running environments (e.g., emulators and modified OSes). This strict requirement on the running environment hinders their deployment at scale and makes them vulnerable to anti-analysis techniques. Furthermore, current dynamic analysis of Android apps relies on input generators to invoke app behavior, which, however, cannot provide sufficient code coverage.
We propose to dynamically analyze app behavior on non-rooted devices used by the public, making dynamic analysis possible at scale without input generators. This also maximizes code coverage, since app behavior is invoked by the apps' real users. To achieve this goal, we build UpDroid, a system for detecting sensitive behavior without modifying the Android OS, rooting the device, or leveraging emulators. UpDroid detects sensitive events by monitoring changes to public resources on the device, instead of accessing low-level events that require rooting or system modification. To identify the apps that trigger the detected events, UpDroid formulates the identification as a ranking problem and adopts a learning-to-rank technique to solve it. Our experimental results demonstrate that UpDroid can successfully detect the use of 15 out of 26 permissions that are labeled dangerous in the official Android documentation. We also compare UpDroid with API hooking, which can theoretically capture all sensitive behavior but requires root permission and system modifications. Results show that UpDroid can still achieve 70% coverage of API hooking even without root permission or any system modifications.