ABSTRACT
The Android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps can use these permissions (sensitive resources) with no further restrictions. Thus, recent years have witnessed an explosion of undesirable behaviors in Android apps. An important part of the defense is the accurate analysis of Android apps. However, traditional syscall-based analysis techniques are not well suited to Android, because they cannot capture critical interactions between the application and the Android system.
This paper presents VetDroid, a dynamic analysis platform for reconstructing sensitive behaviors in Android apps from a novel permission use perspective. VetDroid features a systematic framework to effectively construct permission use behaviors, i.e., how applications use permissions to access (sensitive) system resources, and how these acquired permission-sensitive resources are further utilized by the application. With permission use behaviors, security analysts can easily examine the internal sensitive behaviors of an app. Using real-world Android malware, we show that VetDroid can clearly reconstruct fine-grained malicious behaviors to ease malware analysis. We further apply VetDroid to 1,249 top free apps in Google Play. VetDroid can assist in finding more information leaks than TaintDroid, a state-of-the-art technique. In addition, we show how we can use VetDroid to analyze fine-grained causes of information leaks that TaintDroid cannot reveal. Finally, we show that VetDroid can help identify subtle vulnerabilities in some (top free) applications otherwise hard to detect.