A Forensic Analysis of Android Malware -- How is Malware Written and How It Could Be Detected?

Allix, Kevin; Jerome, Quentin; Bissyande, Tegawendé François D Assise; Klein, Jacques; State, Radu; Le Traon, Yves

doi:10.1109/COMPSAC.2014.61

Download

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

A Forensic Analysis of Android Malware -- How is Malware Written and How It Could Be Detected?

Allix, Kevin; Jerome, Quentin; Bissyande, Tegawendé François D Assise et al.

2014 • In Proceedings of the 2014 IEEE 38th Annual Computer Software and Applications Conference

Peer reviewed

Permalink
https://hdl.handle.net/10993/18702

DOI
10.1109/COMPSAC.2014.61

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

A Forensic Analysis of Android Malware.pdf

Publisher postprint (252.97 kB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Android Security; Digital Forensics; Malware Analysis; Malware development

Abstract :

[en] We consider in this paper the analysis of a large set of malware and benign applications from the Android ecosystem. Although a large body of research work has dealt with Android malware over the last years, none has addressed it from a forensic point of view. After collecting over 500,000 applications from user markets and research repositories, we perform an analysis that yields precious insights on the writing process of Android malware. This study also explores some strange artifacts in the datasets, and the divergent capabilities of state-of-the-art antivirus to recognize/define malware. We further highlight some major weak usage and misunderstanding of Android security by the criminal community and show some patterns in their operational flow. Finally, using insights from this analysis, we build a naive malware detection scheme that could complement existing anti virus software.

Disciplines :

Computer science

Author, co-author :

Allix, Kevin ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)

Jerome, Quentin ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Bissyande, Tegawendé François D Assise ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Klein, Jacques ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)

State, Radu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Le Traon, Yves ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)

Language :

English

Title :

A Forensic Analysis of Android Malware -- How is Malware Written and How It Could Be Detected?

Publication date :

July 2014

Event name :

IEEE 38th Annual Computer Software and Applications Conference (COMPSAC 2014)

Event place :

Västerås, Sweden

Event date :

from 21-07-2014 to 25-07-2014

Audience :

International

Main work title :

Proceedings of the 2014 IEEE 38th Annual Computer Software and Applications Conference

Publisher :

IEEE Computer Society, Washington, DC, USA, Unknown/unspecified

ISBN/EAN :

978-1-4799-3575-8

Collection name :

COMPSAC '14

Pages :

384--393

Peer reviewed :

Peer reviewed

Additional URL :

http://dx.doi.org/10.1109/COMPSAC.2014.61

Available on ORBilu :

since 07 November 2014

Statistics

Number of views

333 (24 by Unilu)

Number of downloads

2354 (20 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

K. Allix, T. F. Bissyandé, Q. Jerome, J. Klein, R. State, and Y. Le Traon, "Large-scale machine learning-based malware detection: Confronting the "10-fold cross validation scheme" with reality. in CODASPY '14, 2014
S. Arzt, S. Rasthofer, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel, "Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-Aware taint analysis for android apps. in Conference on Programming Language Design and Implementation (PLDI), 2014
A. Bartel, J. Klein, M. Monperrus, K. Allix, and Y. Le Traon, "Improving privacy on android smartphones through in-vivo bytecode instrumentation," Technical Report, May 2012
A. Bartel, J. Klein, M. Monperrus, and Y. Le Traon, "Dexpler: Converting Android Dalvik Bytecode to Jimple for Static Analysis with Soot. in ACM Sigplan Workshop on the State Of The Art in Java Program Analysis (SOAP), 2012
J. Bickford, R. O'Hare, A. Baliga, V. Ganapathy, and L. Iftode, "Rootkits on smart phones: attacks, implications and opportunities. in HotMobile '10, Maryland, 2010
J. Brodkin, "On its 5th birthday, 5 things we love about android," Nov. 2012, http://arstechnica.com/gadgets/2012/11/.on-Androids-5th-birthday-5-Things-we-love-About-Android/.
S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, and A.-R. Sadeghi, "Xmandroid: A new android evolution to mitigate privilege escalation attacks," Technische Universität Darmstadt, Technical Report TR-2011-04, Apr. 2011
I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani, "Crowdroid: behavior-based malware detection system for android. in SPSM '11, Chicago, Illinois, USA, 2011, pp. 15-26
P. P. Chan, L. C. Hui, and S. M. Yiu, "Droidchecker: analyzing android applications for capability leak. in WISEC '12. Tucson, Arizona, USA: ACM, 2012, pp. 125-136
L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy, "Privilege escalation attacks on android. in ISC'10. Boca Raton, FL, USA: Springer-Verlag, 2011, pp. 346-360
A. Desnos, "Android: Static analysis using similarity distance. in HICSS '12. Washington, DC, USA: IEEE Computer Society, 2012, pp. 5394-5403
W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, "Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. in OSDI'10. Vancouver, BC, Canada: USENIX Association, 2010, pp. 1-6
W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri, "A study of android application security. in SEC'11. San Francisco, CA: USENIX Association, 2011, pp. 21-21
W. Enck, M. Ongtang, and P. McDaniel, "On lightweight mobile phone application certification. in CCS '09. Chicago, Illinois, USA: ACM, 2009, pp. 235-245
A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, "A survey of mobile malware in the wild. in SPSM '11. New York, NY, USA: ACM, 2011, pp. 3-14
S. Höbarth and R. Mayrhofer, "A framework for on-device privilege escalation exploit execution on android. in Proc. IWSSI/SPMU, June 2011
P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall, "These aren't the droids you're looking for: Retrofitting android to protect data from imperious applications. in Proceedings of the 18th ACM Conference on Computer and Communications Security, ser. CCS '11. New York, NY, USA: ACM, 2011, pp. 639-652
ITU, "Information technology Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks Technical Corrigendum 2," ITU, Genebra, Series X: Data Networks, Open System Communications and Security Directory, nov 2008, ITU-T Recommendation X.509
H. B. Mann and D. R. Whitney, "On a test of whether one of two random variables is stochastically larger than the other. The Annals of Mathematical Statistics, vol. 18, no. 1, pp. 50-60, 1947
M. Nauman, S. Khan, and X. Zhang, "Apex: extending android permission model and enforcement with user-defined runtime constraints. in ASIACCS '10, 2010, pp. 328-332
D. Octeau, P. McDaniel, S. Jha, A. Bartel, E. Bodden, J. Klein, and Y. Le Traon, "Effective inter-component communication mapping in android with epicc: An essential step towards holistic security analysis. in Proceedings of the 22nd USENIX Security Symposium, 2013
T. Vidas and N. Christin, "Sweetening android lemon markets: Measuring and combating malware in application marketplaces. in CODASPY '13, 2013
W. Zhou, Y. Zhou, X. Jiang, and P. Ning, "Detecting repackaged smartphone applications in third-party android marketplaces. in CODASPY '12. ACM, 2012, pp. 317-326
Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, "Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. in NDSS'12, 2012
Y. Zhou and X. Jiang, "Dissecting android malware: Characterization and evolution. in SP '12, Washington, DC, USA, 2012, pp. 95-109
Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh, "Taming information-stealing smartphone applications (on android). in TRUST'11. Pittsburgh, PA: Springer-Verlag, 2011, pp. 93-107