Skip to main content
SpringerLink
Log in

Reducing the window of opportunity for Android malware Gotta catch ’em all

  • Original Paper
  • Published:
Journal in Computer Virology Aims and scope Submit manuscript

Abstract

Spotting malicious samples in the wild has always been difficult, and Android malware is no exception. Actually, the fact Android applications are (usually) not directly accessible from market places hardens the task even more. For instance, Google enforces its own communication protocol to browse and download applications from its market. Thus, an efficient market crawler must reverse and implement this protocol, issue appropriate search requests and take necessary steps so as not to be banned. From end-users’ side, having difficulties spotting malicious mobile applications results in most Android malware remaining unnoticed up to 3 months before a security researcher finally stumbles on it. To reduce this window of opportunity, this paper presents a heuristics engine that statically pre-processes and prioritizes samples. The engine uses 39 different flags of different nature such as Java API calls, presence of embedded executables, code size, URLs… Each flag is assigned a different weight, based on statistics we computed from the techniques mobile malware authors most commonly use in their code. The engine outputs a risk score which highlights samples which are the most likely to be malicious. The engine has been tested over a set of clean applications and malicious ones. The results show a strong difference in the average risk score for both sets and in its distribution, proving its use to spot malware.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Anderson, C., Wolff, M.: The web is dead. Long live the internet. (2010). http://www.wired.com/magazine/2010/08/ff_webrip/all/1

  2. Apvrille, A., Zhang, J.: Four malware and a funeral. In: 5th Conf. on Network architectures and information systems security (SAR-SSI) (2010)

  3. Armstrong, T., Maslennikov, D.: Android malware is on the rise. In: Virus bulletin conference (2011)

  4. Bläsing, T., Schmidt, A.-D., Batyuk, L., Camtepe, S.A., Albayrak, S.: An Android application sandbox system for suspicious software detection. In: 5th international conference on malicious and unwanted software (MALWARE’2010). Nancy, France (2010)

  5. Cannon, T.: No-permission Android App Gives Remote Shell. (2011). http://viaforensics.com/security/nopermission-android-app-remote-shell.html

  6. Ikinci, A., Holz, T., Freiling, F.C.: Monkey-spider: detecting malicious websites with low-interaction honeyclients. In: Sicherheit, pp. 407–421 (2008)

  7. Logan, R., Desnos, A., Smith, R.: The Android marketplace Crawler (2011). http://www.honeynet.org/gsoc/ideas

  8. Lookout mobile security: lookout mobile threat report (2011)

  9. Ma, J., Saul, L.K., Savage, S., Voelker, G.M.: Beyond blacklists: learning to detect malicious web sites from suspicious urls. In: Proceedings of the 15th acm sigkdd international conference on knowledge discovery and data mining, pp. 1245–1254. ACM, New York (2009)

  10. McAffee Labs.: Mc Affee threats report: third quarter 2011 (2011). http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2011.pdf

  11. Pišljar, P.: Reversing Android market protocol (2010). http://peter.pisljar.si/

  12. de Pontevès, K.: Android Malware Surges in 2011  (2011). https://blog.fortinet.com/android-malware-surges-in-2011

  13. Protocol Buffers.: (n.d.). http://code.google.com/p/protobuf/

  14. Schmidt, A.-D., Schmidt, H.-G., Batyuk, L., Clausen, J.H., Camtepe, S.A., Albayrak, S.: Smartphone malware evolution revisited: Android next target? In: 4th international conference on malicious and unwanted software (malware), IEEE, pp. 1–7 (2009)

  15. Smali.: (n.d.). https://code.google.com/p/smali

  16. Strazzere, T.: Downloading market applications without the Vending app. (2009). http://strazzere.com/blog/?p=293

  17. Teufl, P., Kraxberger, S., Orthacker, C., Lackner, G., Gissing, M., Marsalek, A., et al.: Android market analysis with activation patterns. In: Proceedings of the international ICST conference on security and privacy in mobile information and communication (MobiSec) (2011)

  18. Wang, Y.-M., Beck, D., Jiang, X., Roussev, R., Verbowski, C., Chen, S., et al.: Automated web patrol with strider honeymonkeys: finding web sites that exploit browser vulnerabilities. In: Proceedings of the network and distributed system security symposium, NDSS 2006, San Diego, California, USA. The Internet Society (2006)

  19. Wikipedia: Android Market (2011). https://en.wikipedia.org/wiki/Android_Market

  20. Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious apps in official and alternative android markets. In: Proceedings of the 19th network and distributed system security symposium (NDSS 2012), San Diego, CA (2012)

Download references

Author information

Authors and Affiliations

  1. Fortinet, EMEA AV Team, 120, rue Albert Caquot, 06410, Biot, France

    Axelle Apvrille

  2. Lookout Mobile Security, 1 Front Street, Suite 2700, San Francisco, CA, 94111, USA

    Tim Strazzere

Authors
  1. Axelle Apvrille
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tim Strazzere
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Axelle Apvrille.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Apvrille, A., Strazzere, T. Reducing the window of opportunity for Android malware Gotta catch ’em all. J Comput Virol 8, 61–71 (2012). https://doi.org/10.1007/s11416-012-0162-3

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-012-0162-3

Keywords

Search

Navigation