
Conclusions and Future Works

Because Android is open and its applications are easy to obtain, adversaries can inject malicious code into benign applications and redistribute them as repackaged applications. To a user, a repackaged application looks like the original, and such applications spread easily through marketplaces. Most prior work detects repackaged applications by comparing them against the original benign applications, but searching every original application on the Internet is computationally infeasible. To avoid this dependency, we present an approach that extracts the behaviors repackaged applications have in common from their system call sequences. Detection only requires a few repackaged applications of the same family, from which the common system call subsequences are extracted; the original benign applications never need to be collected or compared. The extracted common subsequences serve as behavior patterns for detecting further repackaged applications.

In our experiment we use five families of repackaged applications to evaluate accuracy. Our approach extracts 238 common system call subsequences from the training samples, and the detection results show a high true positive rate for most families: of the 25 repackaged applications evaluated, only one is missed. The approach also has a high true negative rate on benign applications. Over all evaluated applications the detection accuracy is 97.6%.

However, evasion of system call sequence detection is still possible. For example, an attacker can insert system calls that have no effect on the application's behavior but change the sequence, so that an extracted subsequence no longer matches contiguously. To counter this, matching should tolerate some gaps in the sequence. For our LMTC algorithm, a repackaged application can also place the same thread in different layers to escape our sequence extraction, since our approach only compares sequences within the same layer; this can be prevented by comparing across all of the sequences rather than only those of the same layer.

In the future we hope to study application behavior more completely. At present we can only record the behaviors an application generates automatically, whereas applications exhibit further behaviors when users perform the related operations. We therefore need to design a tool that captures the complete behavior of an application as those behaviors are triggered. We also hope to develop an on-device detector based on system call sequences that works like anti-virus software and detects repackaged applications directly on the mobile device.


