Abstract
Android malware is becoming increasingly subtle and intelligent: after infecting a device, it often checks whether it is running in a real environment before deciding whether to perform its malicious behavior. Malware therefore tends to behave differently in different environments, whereas benign applications perform the same functions regardless of environment, so their behavior is highly consistent. Based on this basic idea, we design an Android malware detection method based on behavior comparison analysis. First, we design and build a number of distinct running environments, then execute the application in each of them. Under the same event input, we record and compare the application's behavior across environments, calculate the difference, and decide whether the application is malicious. Following this approach, we design and implement the Android malware detection system EmuProtect. We evaluate EmuProtect in terms of accuracy and validity; the results show that the system can effectively detect Android malicious applications.
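The comparison step described in the abstract, as an added illustration that is not EmuProtect's code or data: the same event input is replayed in several environments, each run's behavior trace is collapsed into a profile, and the application is flagged when the profiles diverge. The sample traces, the Jaccard-based distance and the 0.3 threshold are constructed for this example; the paper's own behavior representation, scoring function and threshold are not given on this page.

```python
"""Behavior comparison across execution environments (added example).

Replay the same input events in several environments, record each run's
behaviors, and flag applications whose behavior differs between environments.
Traces, the Jaccard-based score and the threshold are constructed here and are
not EmuProtect's actual data, scoring function or threshold.
"""
from itertools import combinations

# Constructed sample traces (not from the paper). Each event is an
# (api_category, detail) pair logged while the same input events are replayed.
TRACES = {
    "benign_app": {
        "env_real_like": [
            ("net", "GET https://example.com/feed"),
            ("file", "write cache.db"),
            ("net", "GET https://example.com/feed"),  # repeat of the same behavior
        ],
        "env_emulator_a": [
            ("file", "write cache.db"),
            ("net", "GET https://example.com/feed"),
        ],
        "env_emulator_b": [
            ("net", "GET https://example.com/feed"),
            ("file", "write cache.db"),
        ],
    },
    # Behaves like the benign app in the emulators but does more on the
    # real-looking device: the inconsistency the method is designed to catch.
    "evasive_app": {
        "env_real_like": [
            ("net", "GET https://example.com/feed"),
            ("file", "write cache.db"),
            ("telephony", "read subscriber id"),
            ("sms", "send to constructed-number"),
        ],
        "env_emulator_a": [
            ("net", "GET https://example.com/feed"),
            ("file", "write cache.db"),
        ],
        "env_emulator_b": [
            ("file", "write cache.db"),
            ("net", "GET https://example.com/feed"),
        ],
    },
}


def behavior_profile(trace):
    """Collapse a raw event trace into the set of distinct behaviors.

    Ordering and repetition are ignored so that benign nondeterminism
    (retries, different scheduling) is not mistaken for divergence.
    """
    return set(trace)


def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|: 0.0 for identical profiles, 1.0 for disjoint ones."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def inconsistency_score(env_traces):
    """Largest pairwise distance between any two environments' profiles."""
    profiles = [behavior_profile(t) for t in env_traces.values()]
    if len(profiles) < 2:
        return 0.0  # nothing to compare against
    return max(jaccard_distance(a, b) for a, b in combinations(profiles, 2))


def divergent_behaviors(env_traces):
    """Behaviors seen in some environment but not in every environment.

    Reported per environment so an analyst can see which environment
    triggered which extra behavior.
    """
    profiles = {env: behavior_profile(t) for env, t in env_traces.items()}
    common = set.intersection(*profiles.values()) if profiles else set()
    return {env: p - common for env, p in profiles.items() if p - common}


def classify(env_traces, threshold=0.3):
    """Assumed decision rule: divergence above the threshold means malicious."""
    return "malicious" if inconsistency_score(env_traces) > threshold else "benign"


if __name__ == "__main__":
    for app, env_traces in TRACES.items():
        print(app, round(inconsistency_score(env_traces), 3),
              classify(env_traces), divergent_behaviors(env_traces))
```

Using the maximum pairwise distance means a single environment that provokes extra behavior is enough to raise the score, which matches the intuition that a benign application should look the same everywhere; `divergent_behaviors` then tells the analyst which environment the application treated as "real".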
© 2017 Springer International Publishing AG
Cite this paper
Tao, J., Zhang, Y., Cao, P., Wang, Z., Zhao, Q. (2017). An Android Malware Detection System Based on Behavior Comparison Analysis. In: Ibrahim, S., Choo, KK., Yan, Z., Pedrycz, W. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2017. Lecture Notes in Computer Science(), vol 10393. Springer, Cham. https://doi.org/10.1007/978-3-319-65482-9_26
DOI: https://doi.org/10.1007/978-3-319-65482-9_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-65481-2
Online ISBN: 978-3-319-65482-9