Mingshen Sun
Min Zheng
John C. S. Lui
ABSTRACT
Android has a dominating share in the mobile market and there is a significant rise of mobile malware targeting Android devices. Android malware accounted for 97% of all mobile threats in 2013 [26]. To protect smartphones and prevent privacy leakage, companies have implemented various host-based intrusion prevention systems (HIPS) on their Android devices. In this paper, we first analyze the implementations, strengths and weaknesses of three popular HIPS architectures. We demonstrate a severe loophole and weakness of an existing popular HIPS product in which hackers can readily exploit. Then we present a design and implementation of a secure and extensible HIPS platform---"Patronus." Patronus not only provides intrusion prevention without the need to modify the Android system, it can also dynamically detect existing malware based on runtime information. We propose a two-phase dynamic detection algorithm for detecting running malware. Our experiments show that Patronus can prevent the intrusive behaviors efficiently and detect malware accurately with a very low performance overhead and power consumption.
- 360 one click root. http://shuaji.360.cn/root/index.html.Google Scholar
- Android Malware Genome Project. http://malgenomeproject.org.Google Scholar
- APKfuscator. https://github.com/strazzere/APKfuscator.Google Scholar
- Apktool. https://code.google.com/p/android-apktool/.Google Scholar
- App Shield. http://www.wandoujia.com/apps/com.gmail.exathink.appshield.Google Scholar
- Aurora Softworks quadrant standard edition. https://play.google.com/store/apps/details?id=com. aurorasoftworks.quadrant.ui.standard.Google Scholar
- cyanogenmod. http://www.cyanogenmod.org.Google Scholar
- DroidBox. https://code.google.com/p/droidbox/.Google Scholar
- Jinshan mobile duba. http://m.duba.net/.Google Scholar
- Lbe secrity guard. http://www.lbesec.com/.Google Scholar
- mobile malware mini dump. http://contagiominidump.blogspot.com/.Google Scholar
- monkey. http://developer.android.com/tools/help/monkey.html.Google Scholar
- Qihoo 360 mobile guard. http://shouji.360.cn/.Google Scholar
- smali/baksmali. https://code.google.com/p/smali/.Google Scholar
- K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. Pscout: analyzing the android permission specification. In CCS, 2012. Google ScholarDigital Library
- S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.-R. Sadeghi, and B. Shastry. Towards taming privilege-escalation attacks on android. In NDSS, 2012.Google Scholar
- S. Bugiel, S. Heuser, and A.-R. Sadeghi. Flexible and fine-grained mandatory access control on android for diverse security and privacy policies. In USENIX Security, 2013. Google ScholarDigital Library
- I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani. CrowDroid: behavior-based malware detection system for android. In Proc. of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, 2011. Google ScholarDigital Library
- S. Chakradeo, B. Reaves, P. Traynor, and W. Enck. MAST: triage for market-scale mobile malware analysis. In ACM WiSec, 2013. Google ScholarDigital Library
- E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in android. In MobiSys, 2011. Google ScholarDigital Library
- B. Davis and H. Chen. RetroSkeleton: retrofitting android apps. In MobiSys, 2013. Google ScholarDigital Library
- M. Dietz, S. Shekhar, Y. Pisetsky, A. Shu, and D. S. Wallach. QUIRE: Lightweight provenance for smart phone operating systems. In USENIX Security, 2011. Google ScholarDigital Library
- M. Egele, C. Kruegel, E. Kirda, and G. Vigna. PiOS: Detecting privacy leaks in ios applications. In NDSS, 2011.Google Scholar
- W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In OSDI, 2010. Google ScholarDigital Library
- W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A study of android application security. In USENIX Security, 2011. Google ScholarDigital Library
- F-Secure. Threat report h2 2013.Google Scholar
- A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In CCS, 2011. Google ScholarDigital Library
- A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: attacks and defenses. In USENIX Security, 2011. Google ScholarDigital Library
- J. Forristal. Android: One root to own them all. In Blackhat USA 2013, 2013.Google Scholar
- Google. Platform versions. http://developer.android.com/about/dashboards/index.html.Google Scholar
- M. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic detection of capability leaks in stock android smartphones. In NDSS, 2012.Google Scholar
- M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang. RiskRanker: scalable and accurate zero-day android malware detection. In MobiSys, 2012. Google ScholarDigital Library
- M. C. Grace, W. Zhou, X. Jiang, and A.-R. Sadeghi. Unsafe exposure analysis of mobile in-app advertisements. In WiSec, 2012. Google ScholarDigital Library
- N. Harbour. Win at reversing: Api tracing and sandboxing through inline hooking. In DEFCON, 2009.Google Scholar
- IDC. Apple cedes market share in smartphone operating system market as android surges and windows phone gains. http://www.idc.com/getdoc.jsp?containerId=prUS24257413.Google Scholar
- L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. CHEX: statically vetting android apps for component hijacking vulnerabilities. In CCS, 2012. Google ScholarDigital Library
- T. Luo, H. Hao, W. Du, Y. Wang, and H. Yin. Attacks on webview in the android system. In ACSAC, 2011. Google ScholarDigital Library
- W. Luo, S. Xu, and X. Jiang. Real-time detection and prevention of android sms permission abuses. In Proc. of the first international workshop on Security in embedded systems and smartphones, 2013. Google ScholarDigital Library
- McAfee Labs. McAfee threats report: Second quarter 2013. Technical report, McAfee Labs, 2013.Google Scholar
- C. Mulliner. Android DDI: Introduction to dynamic dalvik instrumentation. In The 11th Annual HITB Security Conference in ASIA, 2013.Google Scholar
- C. Mulliner, J. Oberheide, W. Robertson, and E. Kirda. Patchdroid: scalable third-party security patches for android devices. In ACSAC, 2013. Google ScholarDigital Library
- N. Nethercote and J. Seward. Valgrind: a framework for heavyweight dynamic binary instrumentation. ACM Sigplan Notices. Google ScholarDigital Library
- J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. Internet Society, 2005.Google Scholar
- P. Olson. Your smartphone is hackers' next big target. http://edition.cnn.com/2013/08/26/opinion/olson-mobile-hackers, August 2013.Google Scholar
- A. Police. App Ops: Android 4.3's hidden app permission manager, control permissions for individual apps.Google Scholar
- N. Provos. Improving host security with system call policies. In USENIX Security, 2003. Google ScholarDigital Library
- V. Rastogi, Y. Chen, and W. Enck. AppsPlayground: automatic security analysis of smartphone applications. In CODASPY, 2013. Google ScholarDigital Library
- V. Rastogi, Y. Chen, and X. Jiang. DroidChameleon: evaluating android anti-malware against transformation attacks. In ASIACCS, 2013. Google ScholarDigital Library
- G. Russello, A. B. Jimenez, H. Naderi, and W. van der Mark. Firedroid: hardening security in almost-stock android. In ACSAC, 2013. Google ScholarDigital Library
- T. Strazzere. Dex education: Practicing safe dex. In Blackhat USA 2012, 2012.Google Scholar
- T. Wang, K. Lu, L. Lu, S. Chung, and W. Lee. Jekyll on iOS: when benign apps become evil. In USENIX Security, 2013. Google ScholarDigital Library
- L. Wu, M. Grace, Y. Zhou, C. Wu, and X. Jiang. The impact of vendor customizations on android security. In CCS, 2013. Google ScholarDigital Library
- xda-developers. PDroid. http://forum.xda-developers.com/showthread.php?t=1357056.Google Scholar
- R. Xu, H. Saïdi, and R. Anderson. Aurasium: practical policy enforcement for android applications. In USENIX Security, 2012. Google ScholarDigital Library
- L. K. Yan and H. Yin. DroidScope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In USENIX Security, 2012. Google ScholarDigital Library
- Z. Yang, M. Yang, Y. Zhang, G. Gu, P. Ning, and X. S. Wang. AppIntent: Analyzing sensitive data transmission in android for privacy leakage detection. In CCS, 2013. Google ScholarDigital Library
- Y. Zhang, M. Yang, B. Xu, Z. Yang, G. Gu, P. Ning, X. Wang, and B. Zang. Vetting undesirable behaviors in android apps with permission use analysis. In CCS, 2013. Google ScholarDigital Library
- C. Zheng, S. Zhu, S. Dai, G. Gu, X. Gong, X. Han, and W. Zou. Smartdroid: an automatic system for revealing ui-based trigger conditions in android applications. In Proc. of the second ACM workshop on Security and privacy in smartphones and mobile devices, 2012. Google ScholarDigital Library
- M. Zheng, P. P. C. Lee, and J. C. S. Lui. ADAM: an automatic and extensible platform to stress test android anti-virus systems. In DIMVA, 2013. Google ScholarDigital Library
- M. Zheng, M. Sun, and J. Lui. DroidRay: a security evaluation system for customized android firmwares. In ASIACCS, 2014. Google ScholarDigital Library
- M. Zheng, M. Sun, and J. C. S. Lui. DroidAnalytics: A signature based analytic system to collect, extract, analyze and associate android malware. In TrustCom, 2013. Google ScholarDigital Library
- W. Zhou, Y. Zhou, X. Jiang, and P. Ning. Detecting repackaged smartphone applications in third-party android marketplaces. In Proc. of the second ACM conference on Data and Application Security and Privacy, 2012. Google ScholarDigital Library
- Y. Zhou and X. Jiang. Dissecting android malware: Characterization and evolution. In IEEE Symposium on Security and Privacy, 2012. Google ScholarDigital Library
- Y. Zhou and X. Jiang. Detecting passive content leaks and pollution in android applications. In NDSS, 2013.Google Scholar
- Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In NDSS, 2012.Google Scholar
- Design and implementation of an Android host-based intrusion prevention system
Recommendations
Overview of intrusion detection and intrusion prevention
InfoSecCD '08: Proceedings of the 5th annual conference on Information security curriculum developmentThis report provides an overview of IPS systems. In the first section a comparison of IDS and IPS is made, where an IPS system is defined as an integration of IDS and a firewall. The second section describes what is needed to set up an IPS system. In ...
The Design and Implementation of Host-Based Intrusion Detection System
IITSI '10: Proceedings of the 2010 Third International Symposium on Intelligent Information Technology and Security InformaticsIntrusion detection is the process of identifying and responding to suspicious activities targeted at computing and communication resources, and it has become the mainstream of information assurance as the dramatic increase in the number of attacks. ...
A Survey on Intrusion Detection and Prevention Systems
AbstractIn the digital world, malicious activities that violate the confidentiality, integrity, or availability of data and devices are known as intrusions. An intrusion detection system (IDS) analyses the activities of a single system or a network to ...
Comments