Abstract
The evolution of mobile devices, together with additional resources and enhanced functionality, has enabled smartphones to replace conventional computing devices. Mobile device users have adopted smartphones for online payments, sending emails, and social networking, and store sensitive user information on them. The ever-increasing number of mobile devices has attracted malware authors and cybercriminals to target mobile platforms. Android, the most popular open source mobile OS, is being targeted by malware writers. In particular, less monitored third-party markets are being used as infection and propagation sources. Given the threats posed by the increasing number of malicious apps, security researchers must be able to analyze malware quickly and efficiently; this may not be feasible with manual analysis. Hence, automated analysis techniques for app vetting and malware detection are necessary. In this chapter, we present DroidAnalyst, a novel automated app vetting and malware analysis framework that integrates static and dynamic analysis to improve the accuracy and efficiency of analysis. DroidAnalyst generates a unified analysis model that combines the strengths of these complementary approaches with multiple detection methods to increase the coverage of app code analysis. We have evaluated our proposed solution, DroidAnalyst, against a reasonable dataset consisting of real-world benign and malware apps.
Acknowledgments
The work of Parvez Faruki, Manoj Singh Gaur, and Vijay Laxmi was partially supported by the Department of Information Technology, Government of India, project grant “SAFAL-Security Analysis Framework for Android pLatform vide grant number: 12(7)/2014-ESD”. Mauro Conti was supported by the Marie Curie Fellowship PCIG11-GA-2012-321980, funded by the European Commission for the PRISM-CODE project. This work has been partially supported by the TENACE PRIN Project 20103P34XC funded by the Italian MIUR, and by the Project Tackling Mobile Malware with Innovative Machine Learning Techniques funded by the University of Padua. We thank Ammar Bharmal and Vijay Kumar for their contributions to the development of “www.droidanalyst.org” as M.Tech scholars at the Computer Science and Engineering Department, MNIT Jaipur. We appreciate the efforts of Rohit Gupta, Jitendra Saraswat, and Lovely Sinha for their contributions to maintaining DroidAnalyst.
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this chapter
Faruki, P., Bhandari, S., Laxmi, V., Gaur, M., Conti, M. (2016). DroidAnalyst: Synergic App Framework for Static and Dynamic App Analysis. In: Abielmona, R., Falcon, R., Zincir-Heywood, N., Abbass, H. (eds) Recent Advances in Computational Intelligence in Defense and Security. Studies in Computational Intelligence, vol 621. Springer, Cham. https://doi.org/10.1007/978-3-319-26450-9_20
DOI: https://doi.org/10.1007/978-3-319-26450-9_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26448-6
Online ISBN: 978-3-319-26450-9