2015 | OriginalPaper | Chapter

Monitoring Real Android Malware

Authors : Jan-Christoph Küster, Andreas Bauer

Published in: Runtime Verification

Publisher: Springer International Publishing


Abstract

In the most comprehensive study of Android attacks so far (undertaken by the Android Malware Genome Project), the behaviour of more than 1,200 malware samples was analysed and categorised into common, recurring groups of attacks. Based on this work (and the corresponding actual malware files), we present an approach for specifying and identifying these (and similar) attacks using runtime verification.
While formally our approach is based on a first-order logic abstraction of malware behaviour, in practice it relies on our Android event interception tool, MonitorMe, which lets us capture almost any system event that can be triggered by apps on a user’s Android device.
This paper details MonitorMe, our formal specification of malware behaviour, and practical experiments undertaken with various Android devices and versions on a wide range of actual malware samples from the above study. In a nutshell, we were able to detect real malware from 46 out of 49 different malware families, which strengthens the idea that runtime verification may indeed be a good choice for mobile security in the future.


Metadata
Title
Monitoring Real Android Malware
Authors
Jan-Christoph Küster
Andreas Bauer
Copyright Year
2015
DOI
https://doi.org/10.1007/978-3-319-23820-3_9