Abstract
Smartphones are used by millions of users, while the mobile markets
are being flooded with new software every day. Recent studies attempt to
estimate the amount of illegitimate software for Android, one of the two
most popular mobile architectures, with insufficient results. Unfortunately,
there is Android malware out there, which seeks to compromise or take advantage
of end-users. Malware performs malicious activities, without the
user knowing, such as exfiltrating sensitive information (e.g. the user's address
book) or stealing money (e.g. forcing a mobile phone to call premium
numbers). The research community has identified the threat and has proposed
many static-analysis techniques for malware identification. While this
is a step forward, such techniques have difficulty handling code obfuscation or native
code embedded in proprietary libraries.
In this work, we observe that Android is service oriented, that is, applications
exchange Interprocess Communication (IPC) messages for accessing
the system's resources. For example, an application sends an SMS by making
an IPC call to the telephony service. We argue that the IPC traffic, which is
sent and received by a particular Android application can be useful enough
for creating an accurate profile of the high-level actions performed by the
application under analysis. We create a system that passively monitors all
IPC activity and exports application profiles based solely on that information.
We analyze known malware and legitimate applications, and store their profiles in a library. We finally use the library to classify unknown software.
Our classifier successfully distinguishes legitimate applications from malware
with low false positive and false negative rates. However, we stress that our
main goal in this work is to develop a system that assists the security analyst,
rather than creating a purely unsupervised detector.
Apart from malware identification, our system can be also used for
generic application profiling and data tracking. For example, we can passively
identify premium numbers or address book information in IPC messages.
Finally, we can graphically visualize all collected IPC activity in application
graphlets; graphs depicting how an Android application is communicating
with other applications and services. In this way, our system can be
utilized for discovering colluding applications, which try to exfiltrate sensitive
information by evading Android's permission model through permission-sharing
among many collaborating applications.
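The profiling, library-based classification and graphlet ideas sketched above, as an added example that is not the paper's system: the IPC trace format, the service and method names, and the two-entry profile library are all constructed for illustration.

```python
"""Toy IPC-profile classifier and graphlet builder (added example, not the
paper's code). Trace format, service names and library are constructed."""
from collections import Counter
from math import sqrt

# Constructed IPC trace: one line per observed call, "<app>,<target service>,<method>"
TRACE = """\
com.example.notes,isms,sendText
com.example.notes,activity,startActivity
com.example.notes,content://contacts,query
com.example.notes,isms,sendText
com.example.notes,isms,sendText
com.example.notes,isms,sendText
com.example.weather,location,getLastLocation
com.example.weather,activity,startActivity
"""

def build_profiles(trace):
    """Return ({app: Counter of 'service:method' calls}, Counter of (app, service) edges)."""
    profiles, edges = {}, Counter()
    for line in trace.splitlines():
        app, service, method = line.split(",")
        profiles.setdefault(app, Counter())[f"{service}:{method}"] += 1
        edges[(app, service)] += 1          # weighted app -> service edge of the graphlet
    return profiles, edges

def cosine(a, b):
    """Cosine similarity between two sparse call-frequency vectors."""
    dot = sum(a[k] * b[k] for k in set(a) | set(b))
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

# Constructed profile library: label -> IPC profile of a previously analysed sample
LIBRARY = {
    "malware": Counter({"isms:sendText": 10, "content://contacts:query": 2}),
    "benign": Counter({"activity:startActivity": 5, "location:getLastLocation": 3}),
}

def classify(profile, library=LIBRARY):
    """Nearest-neighbour label for an unknown profile, with its similarity score."""
    label, score = max(((l, cosine(profile, p)) for l, p in library.items()),
                       key=lambda t: t[1])
    return label, round(score, 3)

def graphlet(edges, app):
    """One app's graphlet as (service, weight) edges, heaviest first."""
    return sorted(((s, w) for (a, s), w in edges.items() if a == app),
                  key=lambda t: -t[1])
```

The heavily SMS-sending notes app lands next to the malware profile, while the weather app is nearest the benign one; the graphlet shows which services carry most of an app's traffic.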