Android Malware Detection Mechanisms
17 likes4,987 views
The document discusses Android malware detection mechanisms. It outlines the major types of Android malware like backdoors and spyware. It then describes several approaches to malware detection like static analysis of APK files to examine permissions, activities, and API calls. Signature-based analysis uses a signature database to classify apps as benign or malware. Tools for static analysis like apktool, aapt, and dex2jar are also mentioned. The document concludes with comparisons of different Android malware detection systems and their abilities.
Android Malware Detection Mechanisms
- 1. Android Malware Detection Mechanisms Talha KABAKUŞ talhakabakus@gmail.com
- 2. Agenda ● Android Market Share ● Malware Types ● Android Security Mechanism ● User Profiles ● Static Analysis ● Signature Based Analysis & Protection ● Encrypted Data Communication
- 3. Android Users more than 1 billion users Surdar Pichai Q4 2013
- 4. Applications more than 1 million applications Hugo Barra Temmuz 2013
- 5. Android Market Share Source: Strategy Analytics 81.3% Q3 2013
- 6. Why Android is so popular? ● Open source ● Google support ● Free ● Linux based ● Java ● Rich SDK ● Strong third party community ve support ○ Sony, Motorola, HTC, Samsung
- 7. Malware Market 99%Source: CISCO 2014 Security Report
- 8. Malware Stats Source: Sophos Labs 1 million
- 9. Malware Types ● Backdoor ○ Access to a computer system that bypasses security mechanisms ● Exploit ○ Modifications on operating system ○ User interface modifications ● Spyware ○ Unauthorized advertising ○ Private data collection, transmission ○ Unauthorized operations (SMS, calls)
- 10. Android Security Mechanism ● Permission based ○ Accept / Reject ● Public, indefensible market ○ Everyone can upload any application ● Passive protection - feedback based ○ Applications are removed through negative feedbacks
- 11. User Profiles 42% Unaware about permissions 83% do not interest in permissions Source: Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: User Attention, Comprehension, and Behavior. Proceedings of the Eighth Symposium on Usable Privacy and Security - SOUPS ’12. p. 1 (2012).
- 12. Static Analysis Approach ● Inspection of APK files using reverse engineering ● Manifest file ○ Permissions ○ Activities ○ Services ○ Receives ● API calls ● Source code inspection
- 13. Static Analysis Tools ● apktool ○ Extracts .apk archives ● aapt ○ Lists .apk archive contents ● dex2jar ○ Converts .dex files into .jar ● jd-gui ○ Converts .class files into Java sources
- 14. ● Equality checks ● Type conversion controls ● Static updates ● Dead code detection ● Inconsistent hashCode and equals definitions ● null pointer controls ● Termination controls Source Code Inspection
- 15. Type Conversion Sample <EditText android:layout_width="fill_parent" android:layout_height="wrap_content" android: id="@+id/username"/> EditText editText = (EditText) findViewById(R. id.username); XML Java
- 16. null pointer control sample Java Activity Class Layout definition
- 17. Dead Code Detection Sample Never be executed Unreachable code
- 18. Signature Based Analysis & Control ● Signature database ● Smartphone client ● Central server ● Learning based ● Classification Bening Malware
- 19. Encrypted Data Communication ● All valuable data is encrypted and stored in SQLite database; decrypted when it is required. ● SMS ● Email ● Sensitive files ● Password ● Personal information Pocatilu, 2011
- 20. System Comparisons Ability MADAM DroidMat Julia Manifest inspection Var Var Var API call trace Var Var Var Signature database Var Var Yok Encrypted communication Yok Yok Yok Machine learning Var Var Yok
- 21. References I ● Bicheno, S.: Android Captures Record 81 Percent Share of Global Smartphone Shipments in Q3 2013, http://blogs.strategyanalytics.com/WSS/post/2013/10/31/Android-Captures- Record-81-Percent-Share-of-Global-Smartphone-Shipments-in-Q3-2013.aspx. ● Rowinski, D.: Google Play Hits One Million Android Apps, http://readwrite. com/2013/07/24/google-play-hits-one-million-android-apps. ● Cisco 2014 Annual Security Report, https://www.cisco. com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf. ● Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. SPSM ’11 Proceedings ● Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. Proceedings of the 19th Annual Network and Distributed System Security Symposium (NDSS) (2012). ● Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: User Attention, Comprehension, and Behavior. Proceedings of the Eighth Symposium on Usable Privacy and Security - SOUPS ’12. p. 1 (2012). ● Felt, A.P., Greenwood, K., Wagner, D.: The effectiveness of application permissions. Proceeding of the WebApps’11 Proceedings of the 2nd USENIX conference on Web application development. p. 7. USENIX Association, Berkeley, CA, USA (2011). ● Enck, W., Ongtang, M., Mcdaniel, P.: On Lightweight Mobile Phone Application Certification. ACM conference on Computer and communications security. pp. 235–245 (2009).
- 22. References II ● Android Architecture, http://www.tutorialspoint. com/android/android_architecture.htm. ● Wu, D.-J., Mao, C.-H., Wei, T.-E., Lee, H.-M., Wu, K.-P.: DroidMat: Android Malware Detection through Manifest and API Calls Tracing. 2012 Seventh Asia Joint Conference on Information Security. pp. 62–69 (2012). ● Payet, É., Spoto, F.: Static analysis of Android programs, (2012). ● Guido, M., Ondricek, J., Grover, J., Wilburn, D., Nguyen, T., Hunt, A.: Automated identification of installed malicious Android applications. Digital Investigation (2013). ● Dini, G., Martinelli, F., Saracino, A., Sgandurra, D.: MADAM: A Multi-level Anomaly Detector for Android Malware. In: Kotenko, I. and Skormin, V. (eds.) Computer Network Security. pp. 240–253. Springer Berlin Heidelberg, Berlin, Heidelberg (2012). ● Pocatilu, P.: Android applications security. Inform. Econ. 15, 163–171. Retrieved from http://revistaie.ase.ro (2011).