8 articles found
Covalent Bond Based Android Malware Detection Using Permission and System Call Pairs
1
Authors: Rahul Gupta, Kapil Sharma, R.K.Garg; Journal: Computers, Materials & Continua (indexed in SCIE, EI); 2024, Issue 3, pp. 4283-4301 (19 pages)
The prevalence of smartphones is deeply embedded in modern society, impacting various aspects of our lives. Their versatility and functionalities have fundamentally changed how we communicate, work, seek entertainment, and access information. Among the many smartphones available, those operating on the Android platform dominate, being the most widely used type. This widespread adoption of the Android OS has significantly contributed to increased malware attacks targeting the Android ecosystem in recent years. Therefore, there is an urgent need to develop new methods for detecting Android malware. The literature contains numerous works related to Android malware detection. As far as our understanding extends, we are the first ones to identify dangerous combinations of permissions and system calls to uncover malicious behavior in Android applications. We introduce a novel methodology that pairs permissions and system calls to distinguish between benign and malicious samples. This approach combines the advantages of static and dynamic analysis, offering a more comprehensive understanding of an application’s behavior. We establish covalent bonds between permissions and system calls to assess their combined impact. We introduce a novel technique to determine these pairs’ Covalent Bond Strength Score. Each pair is assigned two scores, one for malicious behavior and another for benign behavior. These scores serve as the basis for classifying applications as benign or malicious. By correlating permissions with system calls, the study enables a detailed examination of how an app utilizes its requested permissions, aiding in differentiating legitimate and potentially harmful actions. This comprehensive analysis provides a robust framework for Android malware detection, marking a significant contribution to the field. The results of our experiments demonstrate a remarkable overall accuracy of 97.5%, surpassing various state-of-the-art detection techniques proposed in the current literature.
Keywords: Android; malware; Android security; hybrid analysis; permission and system call pairs
Understanding Research Trends in Android Malware Research Using Information Modelling Techniques (Cited by: 1)
2
Authors: Jaiteg Singh, Tanya Gera, Farman Ali, Deepak Thakur, Karamjeet Singh, Kyung-sup Kwak; Journal: Computers, Materials & Continua (indexed in SCIE, EI); 2021, Issue 3, pp. 2655-2670 (16 pages)
Android has been dominating the smartphone market for more than a decade and has managed to capture 87.8% of the market share. Such popularity of Android has drawn the attention of cybercriminals and malware developers. The malicious applications can steal sensitive information like contacts, read personal messages, record calls, send messages to premium-rate numbers, cause financial loss, gain access to the gallery and can access the user’s geographic location. Numerous surveys on Android security have primarily focused on types of malware attack, their propagation, and techniques to mitigate them. To the best of our knowledge, Android malware literature has never been explored using information modelling techniques. Further, promulgation of contemporary research trends in Android malware research has never been done from semantic point of view. This paper intends to identify intellectual core from Android malware literature using Latent Semantic Analysis (LSA). An extensive corpus of 843 articles on Android malware and security, published during 2009–2019, were processed using LSA. Subsequently, the truncated Singular Value Decomposition (SVD) technique was used for dimensionality reduction. Later, machine learning methods were deployed to effectively segregate prominent topic solutions with minimal bias. Apropos to observed term and document loading matrix values, five core research areas and twenty research trends were identified. Further, potential future research directions have been detailed to offer a quick reference for information scientists. The study concludes to the fact that Android security is crucial for pervasive Android devices. Static analysis is the most widely investigated core area within Android security research and is expected to remain in trend in near future. Research trends indicate the need for a faster yet effective model to detect Android applications causing obfuscation, financial attacks and stealing user information.
Keywords: Android security; research trends; latent semantic analysis; vulnerabilities; malware; machine learning; clustering
A Novel Hybrid Method to Analyze Security Vulnerabilities in Android Applications (Cited by: 4)
3
Authors: Junwei Tang, Ruixuan Li, Kaipeng Wang, Xiwu Gu, Zhiyong Xu; Journal: Tsinghua Science and Technology (indexed in SCIE, EI, CAS, CSCD); 2020, Issue 5, pp. 589-603 (15 pages)
We propose a novel hybrid method to analyze the security vulnerabilities in Android applications. Our method combines static analysis, which consists of metadata and data flow analyses with dynamic analysis, which includes dynamic executable scripts and application program interface hooks. Our hybrid method can effectively analyze nine major categories of important security vulnerabilities in Android applications. We design dynamic executable scripts that record and perform manual operations to customize the execution path of the target application. Our dynamic executable scripts can replace most manual operations, simplify the analysis process, and further verify the corresponding security vulnerabilities. We successfully statically analyze 5547 malwares in Drebin and 10 151 real-world applications. The average analysis time of each application in Drebin is 4.52 s, whereas it reaches 92.02 s for real-world applications. Our system can detect all the labeled vulnerabilities among 56 labeled applications. Further dynamic verification shows that our static analysis accuracy approximates 95% for real-world applications. Experiments show that our dynamic analysis can effectively detect the vulnerability named input unverified, which is difficult to be detected by other methods. In addition, our dynamic analysis can be extended to detect more types of vulnerabilities.
Keywords: Android security; vulnerability analysis; static analysis; dynamic analysis
Droid Detector: Android Malware Characterization and Detection Using Deep Learning (Cited by: 37)
4
Authors: Zhenlong Yuan, Yongqiang Lu, Yibo Xue; Journal: Tsinghua Science and Technology (indexed in SCIE, EI, CAS, CSCD); 2016, Issue 1, pp. 114-123 (10 pages)
Smartphones and mobile tablets are rapidly becoming indispensable in daily life. Android has been the most popular mobile operating system since 2012. However, owing to the open nature of Android, countless malwares are hidden in a large number of benign apps in Android markets that seriously threaten Android security. Deep learning is a new area of machine learning research that has gained increasing attention in artificial intelligence. In this study, we propose to associate the features from the static analysis with features from dynamic analysis of Android apps and characterize malware using deep learning techniques. We implement an online deep-learning-based Android malware detection engine (Droid Detector) that can automatically detect whether an app is a malware or not. With thousands of Android apps, we thoroughly test Droid Detector and perform an in-depth analysis on the features that deep learning essentially exploits to characterize malware. The results show that deep learning is suitable for characterizing Android malware and especially effective with the availability of more training data. Droid Detector can achieve 96.76% detection accuracy, which outperforms traditional machine learning techniques. An evaluation of ten popular anti-virus softwares demonstrates the urgency of advancing our capabilities in Android malware detection.
Keywords: Android security; malware detection; characterization; deep learning; association rules mining
VenomAttack: automated and adaptive activity hijacking in Android
5
Authors: Pu SUN, Sen CHEN, Lingling FAN, Pengfei GAO, Fu SONG, Min YANG; Journal: Frontiers of Computer Science (indexed in SCIE, EI, CSCD); 2023, Issue 1, pp. 187-204 (18 pages)
Activity hijacking is one of the most powerful attacks in Android. Though promising, all the prior activity hijacking attacks suffer from some limitations and have limited attack capabilities. They no longer pose security threats in recent Android due to the presence of effective defense mechanisms. In this work, we propose the first automated and adaptive activity hijacking attack, named VenomAttack, enabling a spectrum of customized attacks (e.g., phishing, spoofing, and DoS) on a large scale in recent Android, even when the state-of-the-art defense mechanisms are deployed. Specifically, we propose to use hotpatch techniques to identify vulnerable devices and update attack payload without re-installation and re-distribution, hence bypassing offline detection. We present a newly-discovered flaw in Android and a bug in derivatives of Android, each of which allows us to check if a target app is running in the background or not, by which we can determine the right attack timing via a designed transparent activity. We also propose an automated fake activity generation approach, allowing large-scale attacks. Requiring only the common permission INTERNET, we can hijack activities at the right timing without destroying the GUI integrity of the foreground app. We conduct proof-of-concept attacks, showing that VenomAttack poses severe security risks on recent Android versions. The user study demonstrates the effectiveness of VenomAttack in real-world scenarios, achieving a high success rate (95%) without users’ awareness. That would call more attention to the stakeholders like Google.
Keywords: Android; activity hijacking; Android security; mobile security
Towards Fast Repackaging and Dynamic Authority Management on Android
6
Authors: SONG Jun, ZHANG Mohan, HAN Chunling, WANG Kaixin, ZHANG Huanguo; Journal: Wuhan University Journal of Natural Sciences (indexed in CAS, CSCD); 2016, Issue 1, pp. 1-9 (9 pages)
In order to enhance the security of Android applications, we propose a repackaging and dynamic authority management scheme based on Android application reinforcement methods. Instead of using root privileges and system modification, we introduce a user-level sandbox, which utilizes the native C-level interception mechanism, to further reinforce the risk applications and improve the entire security of Android system. Additionally, by importing and improving the repackaging features, this proposed scheme reduces the potential risks of applications and achieves the goal of the dynamic monitoring of permissions. Finally, a comprehensive evaluation, including efficiency analysis and detection evaluation with 1 000 malwares, whose overall average success rate is about 96%, shows the feasibility and universality of the proposed scheme.
Keywords: Android security; repackaging; root privileges; native C-level interception
AppChainer: investigating the chainability among payloads in android applications
7
Authors: Xiaobo Xiang, Yue Jiang, Qingli Guo, Xiu Zhang, Xiaorui Gong, Baoxu Liu; Journal: Cybersecurity (indexed in EI, CSCD); 2023, Issue 4, pp. 182-200 (19 pages)
Statistics show that more than 80 applications are installed on each android smartphone. Vulnerability research on Android applications is of critical importance. Recently, academic researchers mainly focus on single bug patterns, while few of them investigate the relations between multiple bugs. Industrial researchers proposed a series of logic exploit chains leveraging multiple logic bugs. However, there is no general model to evaluate the chaining abilities between bugs. This paper presents a formal model to elucidate the relations between multiple bugs in Android applications. To prove the effectiveness of the model, we design and implement a prototype system named AppChainer. AppChainer automatically identifies attack surfaces of Android applications and investigates whether the payloads entering these attack surfaces are “chainable”. Experimental results on 2138 popular Android applications show that AppChainer is effective in identifying and chaining attacker-controllable payloads. It identifies 14467 chainable payloads and constructs 5458 chains both inside a single application and among various applications. The time cost and resource consumption of AppChainer are also acceptable. For each application, the average analysis time is 317 s, and the average memory consumed is 2368 MB. Compared with the most relevant work Jandroid, the experiment results on our custom DroidChainBench show that AppChainer outperforms Jandroid at the precision rate and performs equally with Jandroid at the recall rate.
Keywords: Android security; Vulnerability exploit; Payload chain
Using IM-Visor to stop untrusted IME apps from stealing sensitive keystrokes
8
Authors: Chen Tian, Yazhe Wang, Peng Liu, Qihui Zhou, Chengyi Zhang; Journal: Cybersecurity; 2018, Issue 1, pp. 143-159 (17 pages)
Third-party IME (Input Method Editor) apps are often the preferred means of interaction for Android users’ input. In this paper, we first discuss the insecurity of IME apps, including the Potentially Harmful Apps (PHAs) and malicious IME apps, which may leak users’ sensitive keystrokes. The current defense system, such as I-BOX, is vulnerable to the prefix substitution attack and the colluding attack due to the post-IME nature. We provide a deeper understanding that all the designs with the post-IME nature are subject to the prefix-substitution and colluding attacks. To remedy the above post-IME system’s flaws, we propose a new idea, pre-IME, which guarantees that “Is this touch event a sensitive keystroke?” analysis will always access user touch events prior to the execution of any IME app code. We design an innovative TrustZone-based framework named IM-Visor which has the pre-IME nature. Specifically, IM-Visor creates the isolation environment named STIE as soon as a user intends to type on a soft keyboard, then the STIE intercepts, Android event sub translates and analyzes the user’s touch input. If the input is sensitive, the translation of keystrokes will be delivered to user apps through a trusted path. Otherwise, IM-Visor replays non-sensitive keystroke touch events for IME apps or replays non-keystroke touch events for other apps. A prototype of IM-Visor has been implemented and tested with several most popular IMEs. The experimental results show that IM-Visor has small runtime overheads.
Keywords: TrustZone; Android app security; User privacy