Tsung-Hsuan Ho
William Enck
ABSTRACT
Application markets such as the Google Play Store and the Apple App Store have become the de facto method of distributing software to mobile devices. While official markets dedicate significant resources to detecting malware, state-of-the-art malware detection can be easily circumvented using logic bombs or checks for an emulated environment. We present a Practical Root Exploit Containment (PREC) framework that protects users from such conditional malicious behavior. PREC can dynamically identify system calls from high-risk components (e.g., third-party native libraries) and execute those system calls within isolated threads. Hence, PREC can detect and stop root exploits with high accuracy while imposing low interference to benign applications. We have implemented PREC and evaluated our methodology on 140 most popular benign applications and 10 root exploit malicious applications. Our results show that PREC can successfully detect and stop all the tested malware while reducing the false alarm rates by more than one order of magnitude over traditional malware detection algorithms. PREC is light-weight, which makes it practical for runtime on-device root exploit detection and containment.
- Android Security Overview. Android Source. http://source.android.com/devices/tech/security/.Google Scholar
- Antutu Benchmark. https://play.google.com/store/apps/details?id=com.antutu.ABenchMark.Google Scholar
- DTrace. http://docs.oracle.com/javase/6/docs/technotes/guides/vm/dtrace.html.Google Scholar
- DWARF Debugging Standard. http://www.dwarfstd.org/.Google Scholar
- Exception Handling ABI for ARM Architecture. http://infocenter.arm.com/help/topic/com.arm.doc.ihi0038a/IHI0038A_ehabi.pdf.Google Scholar
- Ice Cream Sandwich. Android Developer. http://developer.android.com/about/versions/android-4.0-highlights.html.Google Scholar
- Linux man page - pTrace - process trace. http://linux.die.net/man/2/ptrace.Google Scholar
- Linux Trace Toolkit - next generation. https://lttng.org.Google Scholar
- Security-Enhanced Linux. Android Developer. http://source.android.com/devices/tech/security/selinux.html.Google Scholar
- SystemTap. http://sourceware.org/systemtap/.Google Scholar
- UI/Application Exerciser Mokey. http://developer.android.com/tools/help/monkey.html.Google Scholar
- Vulnerabilities. X-Ray. http://www.xray.io/#vulnerabilities.Google Scholar
- Apple. Apple Updates iOS to 6.1. Apple. http://www.apple.com/pr/library/2013/01/28Apple-Updates-iOS-to-6-1.html.Google Scholar
- I. Balepin, S. Maltsev, J. Rowe, and K. Levitt. Using specification-based intrusion detection for automated response. In Proc. of RAID, 2003.Google ScholarCross Ref
- U. Bayer, P. Milani, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, Behavior-Based Malware Clustering. In Proc. of NDSS, 2009.Google Scholar
- C. M. Bishop. Neural Networks for Pattern Recognition. Oxford University Press, Inc., New York, NY, USA, 1995. Google ScholarDigital Library
- I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani. Crowdroid: Behavior-Based Malware Detection System for Android. In Proc. of CCS-SPSM, 2011. Google ScholarDigital Library
- D. Canali, A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda. A Quantitative Study of Accuracy in System Call-Based Malware Detection. In Proc. of ISSTA, 2012. Google ScholarDigital Library
- S. Chakradeo, B. Reaves, P. Traynor, and W. Enck. MAST: Triage for Market-scale Mobile Malware Analysis. In Proc. of WiSec, 2013. Google ScholarDigital Library
- X. Chen, J. Andersen, Z. M. Mao, M. Bailey, and J. Nazario. Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware. In Proc. of DSN, 2008.Google Scholar
- J. Cheng, S. H. Wong, H. Yang, and S. Lu. SmartSiren: Virus Detection and Alert for Smartphones. In Proc. of MobiSys, 2007. Google ScholarDigital Library
- G. Creech and J. Hu. A Semantic Approach to Host-based Intrusion Detection Systems Using Contiguous and Discontiguous System Call Patterns. IEEE Transactions on Computers, 2013.Google Scholar
- D. Dean, H. Nguyen, and X. Gu. UBL: Unsupervised behavior learning for predicting performance anomalies in virtualized cloud systems. In Proc. of ICAC, 2012. Google ScholarDigital Library
- M. Egele, T. Scholte, E. Kirda, and C. Kruegel. A Survey on Automated Dyanmic Malware-Analysis Techniques and Tools. ACM Computing Surveys, 44(2), Feb. 2012. Google ScholarDigital Library
- L. Feinstein, D. Schnackenberg, R. Balupari, and D. Kindred. Statistical approaches to ddos attack detection and response. In Proc. of the DARPA Information Survivability Conference and Exposition, 2003.Google ScholarCross Ref
- S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. A Sense of Self for Unix Processes. In Proc. of IEEE Symposium on Security and Privacy, 1996. Google ScholarDigital Library
- D. Gao, M. K. Reiter, and D. Song. Gray-box extraction of execution graphs for anomaly detection. In Proc. of CCS, 2004. Google ScholarDigital Library
- D. Gao, M. K. Reiter, and D. Song. Behavioral Distance for Intrusion Detection. In Proc. of RAID, 2005. Google ScholarDigital Library
- T. Garfinkel. Traps and pitfalls: Practical problems in system call interposition based security tools. In Proc. of NDSS, 2003.Google Scholar
- L. Girardin and D. Brodbeck. A visual approach for monitoring logs. In Proc. of LISA, 1998. Google ScholarDigital Library
- M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang. RiskRanker: Scalable and Accurate Zero-day Android Malware Detection. In Proc. of MobiSys, 2012. Google ScholarDigital Library
- W. Hu, Y. Liao, and V. R. Vemuri. Robust anomaly detection using support vector machines. In Proc. of ICML, 2003.Google Scholar
- T. Isohara, K. Takemori, and A. Kubota. Kernel-based Behavior Analysis for Android Malware Detection. In Proc. of CIS, 2011. Google ScholarDigital Library
- H. Jiang and J. Ruan. The application of genetic neural network in network intrusion detection. Journal of Computers, 2009.Google Scholar
- T. Kohonen, J. Tan, and T. Huang. Self-Organizing Maps. Springer, 3rd edition, 2001. Google ScholarDigital Library
- C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and Efficient Malware Detection at the End Host. In Proc. of USENIX Security, 2009. Google ScholarDigital Library
- C. Kruegel, D. Mutz, F. Valeur, and G. Vigna. On the detection of anomalous system call arguments. In Proc. of ESORICS, 2003.Google ScholarCross Ref
- P. Lichodzijewski, A. Nur Zincir-Heywood, and M. Heywood. Host-based intrusion detection using self-organizing maps. In Proc. of IJCNN, 2002.Google ScholarCross Ref
- H. Lockheimer. Android and Security. Google Mobile Blog. http://googlemobile.blogspot.com/2012/02/androidand-security.html.Google Scholar
- F. Maggi, M. Matteucci, and S. Zanero. Detecting intrusions through system call sequence and argument analysis. IEEE TODS, 2008.Google Scholar
- R. Mahmood, N. Esfahani, T. Kacem, N. Mirzaei, S. Malek, and A. Stavrou. A whitebox approach for automated security testing of android applications on the cloud. In Proc. of AST, 2013.Google Scholar
- C. Michael and A. Ghosh. Using Finite Automata to Mine Execution Data for Intrusion Detection: A Preliminary Report. In Proc. of RAID, 2000. Google ScholarDigital Library
- A. Moser, C. Kruegel, and E. Kirda. Exploring Multiple Execution Paths for Malware Analysis. In Proc. of IEEE Symposium on Security and Privacy, 2007. Google ScholarDigital Library
- J. Oberheide. Dissecting Android's Bouncer. The Duo Bulletin. https://blog.duosecurity.com/2012/06/dissecting-androids-bouncer/.Google Scholar
- J. Oberheide, E. Cooke, and F. Jahanian. CloudAV: N-Version Antivirus in the Network Cloud. In Proc. of USENIX Security, 2008. Google ScholarDigital Library
- C. Peng, C. yu Li, G. hua Tu, S. Lu, and L. Zhang. Mobile Data Charging: New Attacks and Countermeasures. In Proc. of CCS, 2012. Google ScholarDigital Library
- H. Pilz. Building a Test Environment for Android Anti-malware Tests. In Proc. of VB, 2012.Google Scholar
- G. Portokalidis, P. Homburg, K. Anagnostakis, and H. Bos. Paranoid Android: Versatile Protection For Smartphones. In Proc. of ACSAC, 2010. Google ScholarDigital Library
- V. Rastogi, Y. Chen, and W. Enck. Appsplayground: automatic security analysis of smartphone applications. In Proc. of CODASPY, 2013. Google ScholarDigital Library
- B. P. Sarma, N. Li, C. Gates, R. Potharaju, C. Nita-Rotaru, and I. Molloy. Android permissions: a perspective combining risks and benefits. In Proc. of SACMAT, 2012. Google ScholarDigital Library
- A. Somayaji and S. Forrest. Automated response using system-call delays. In Proc. of the USENIX Security, 2000. Google ScholarDigital Library
- A. M. R. Tahiliani and M. Naik. Dynodroid: An input generation system for android apps. Technical report, Georgia Institute of Technology, 2012.Google Scholar
- C. Warrender, S. Forrest, and B. Pearlmutter. Detecting Intrusions Using System Calls: Alternative Data Models. In Proc. of IEEE Symposium on Security and Privacy, 1999.Google ScholarCross Ref
- B. Womack. Google Says 700,000 Applications Available for Android. Bloomberg Businessweek, Oct. 2012. http://www.businessweek.com/news/2012-10-29/google-says-700-000-applications-available-forandroid-devices.Google Scholar
- L. Xie, X. Zhang, J.-P. Seifert, and S. Zhu. pBMDS: A Behavior-based Malware Detection System for Cellphone Devices. In Proc. of WiSec, 2010. Google ScholarDigital Library
- W. Yang, M. Prasad, and T. Xie. A Grey-box Approach for Automated GUI-Model Generation of Mobile Applications. In Proc. of FASE, 2013. Google ScholarDigital Library
- B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. In Proc. of IEEE Symposium on Security and Privacy, 2009. Google ScholarDigital Library
- C. Zheng, S. Zhu, S. Dai, G. Gu, X. Gong, X. Han, and W. Zou. SmartDroid: an Automatic System for Revealing UI-based Trigger Conditions in Android Applications. In Proc. of CCS-SPSM, 2012. Google ScholarDigital Library
- Y. Zhou and X. Jiang. Dissecting Android Malware: Characterization and Evolution. In Proc. of IEEE Symposium on Security and Privacy, 2012. Google ScholarDigital Library
- Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In Proc. of NDSS, 2012.Google Scholar
Index Terms
- PREC: practical root exploit containment for android devices
Recommendations
RiskRanker: scalable and accurate zero-day android malware detection
MobiSys '12: Proceedings of the 10th international conference on Mobile systems, applications, and servicesSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal ...
DroidDolphin: a dynamic Android malware detection framework using big data and machine learning
RACS '14: Proceedings of the 2014 Conference on Research in Adaptive and Convergent SystemsSmartphones are getting more and more popular nowadays with various kinds of applications to make our lives more convenient. Unfortunately, malicious applications, also known as malware, arises as well. A user is often tempted into install a malware ...
Detecting Android malware using sequences of system calls
DeMobile 2015: Proceedings of the 3rd International Workshop on Software Development Lifecycle for MobileThe increasing diffusion of smart devices, along with the dynamism of the mobile applications ecosystem, are boosting the production of malware for the Android platform. So far, many different methods have been developed for detecting Android malware, ...
Comments