Research article
DOI: 10.1145/2508859.2516689

Vetting undesirable behaviors in android apps with permission use analysis

Published: 04 November 2013

ABSTRACT

The Android platform uses permissions to protect sensitive resources from untrusted apps. However, once a user grants permissions at install time, an app can use them (and the sensitive resources they guard) with no further restrictions. As a result, recent years have seen an explosion of undesirable behaviors in Android apps. An important part of the defense is accurate analysis of Android apps. However, traditional syscall-based analysis techniques are not well suited to Android, because they cannot capture the critical interactions between an application and the Android system.

This paper presents VetDroid, a dynamic analysis platform for reconstructing sensitive behaviors in Android apps from a novel permission use perspective. VetDroid features a systematic framework for effectively constructing permission use behaviors, i.e., how an application uses permissions to access (sensitive) system resources, and how the permission-sensitive resources it acquires are further utilized by the application. Given these permission use behaviors, security analysts can readily examine the internal sensitive behaviors of an app. Using real-world Android malware, we show that VetDroid can clearly reconstruct fine-grained malicious behaviors to ease malware analysis. We further apply VetDroid to 1,249 top free apps in Google Play. VetDroid can assist in finding more information leaks than TaintDroid, a state-of-the-art technique. In addition, we show how VetDroid can be used to analyze the fine-grained causes of information leaks that TaintDroid cannot reveal. Finally, we show that VetDroid can help identify subtle vulnerabilities in some (top free) applications that are otherwise hard to detect.

Published in: CCS '13: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, November 2013, 1530 pages, ISBN 9781450324779, DOI 10.1145/2508859

Copyright © 2013 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: CCS '13 paper acceptance rate 105 of 530 submissions (20%); overall acceptance rate 1,261 of 6,999 submissions (18%).
