ABSTRACT
Smartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide among the sheer number of normal apps, which makes their detection challenging. Existing mobile anti-virus software is inadequate because of its reactive nature: it relies on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme assesses the potential security risks posed by untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a reduced, prioritized list of apps that merit further investigation. When applied to 118,318 apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and reports 3281 risky apps. Among these reported apps, we uncovered 718 malware samples (in 29 families), 322 of which are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker in policing Android markets of all stripes.