
Monitoring Real Android Malware

  • Conference paper
  • Runtime Verification

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 9333)

Abstract

In the most comprehensive study of Android attacks so far (undertaken by the Android Malware Genome Project), the behaviour of more than 1,200 malware samples was analysed and categorised into common, recurring groups of attacks. Based on this work (and the corresponding actual malware files), we present an approach for specifying and identifying these (and similar) attacks using runtime verification.

While formally, our approach is based on a first-order logic abstraction of malware behaviour, it practically relies on our Android event interception tool, MonitorMe, which lets us capture almost any system event that can be triggered by apps on a user’s Android device.

This paper details MonitorMe, our formal specification of malware behaviour, and practical experiments undertaken with various Android devices and versions on a wide range of actual malware samples from the above study. In a nutshell, we were able to detect real malware from 46 out of 49 different malware families, which strengthens the idea that runtime verification may, indeed, be a good choice for mobile security in the future.
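To illustrate the monitoring idea in the abstract, here is an added Python sketch (not the paper's code and not one of its specifications) of a parametric, first-order style monitor over an intercepted event trace: one propositional monitor instance is kept per app UID, and UIDs below 10000 (system apps, see note 9) are out of scope. The event names, the trace and the property checked are constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed sample trace (not one of the paper's malware traces). Each
# event is (timestamp, uid, action, detail), as an interception tool
# such as the one the abstract describes might emit them.
TRACE = [
    (1, 1000, "read", "contacts"),            # system UID: out of scope
    (2, 10042, "read", "contacts"),
    (3, 10042, "net_send", "198.51.100.7"),   # RFC 5737 documentation address
    (4, 10057, "read", "contacts"),
    (5, 10057, "ui_consent", "share_contacts"),
    (6, 10057, "net_send", "203.0.113.9"),
]

SYSTEM_UID_LIMIT = 10000  # note 9: UIDs below 10000 are system apps


class ExfilMonitor:
    """Illustrative first-order property (an assumption for this example):
    for every app uid >= 10000, a read of sensitive data must not be
    followed by a network send unless a consent event for that same uid
    occurred in between. Per-uid state plays the role of one propositional
    monitor per binding of the quantified variable."""

    def __init__(self, sensitive=("contacts", "sms", "location")):
        self.sensitive = set(sensitive)
        self.tainted = defaultdict(bool)    # uid -> sensitive data read?
        self.consented = defaultdict(bool)  # uid -> consent seen since read?
        self.verdicts = []                  # violations found so far

    def step(self, ts, uid, action, detail):
        """Consume one event; return a verdict tuple on violation, else None."""
        if uid < SYSTEM_UID_LIMIT:
            return None
        if action == "read" and detail in self.sensitive:
            self.tainted[uid] = True
            self.consented[uid] = False     # a new read needs fresh consent
        elif action == "ui_consent":
            self.consented[uid] = True
        elif action == "net_send" and self.tainted[uid] and not self.consented[uid]:
            verdict = (ts, uid, f"sensitive data sent to {detail} without consent")
            self.verdicts.append(verdict)
            return verdict
        return None


def run(trace):
    """Feed a whole trace through a fresh monitor and return all verdicts."""
    monitor = ExfilMonitor()
    for event in trace:
        monitor.step(*event)
    return monitor.verdicts
```

On the constructed trace only UID 10042 violates the property; UID 10057 performed the same read and send but with a consent event in between, and UID 1000 is ignored as a system app.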

NICTA is funded by the Australian Government as represented by the Department of Broadband, Communications and the Digital Economy and the Australian Research Council through the ICT Centre of Excellence program.


Notes

  1. http://kuester.multics.org/MonitorMe/.
  2. http://kuester.multics.org/DroidTracer/.
  3. https://github.com/jckuester/ltlfo2mon.
  4. https://www.kernel.org/doc/Documentation/kprobes.txt.
  5. http://developer.android.com/reference/android/os/Binder.html.
  6. http://www.linuxfoundation.org/collaborate/workgroups/networking/generic_netlink_howto.
  7. http://www.carisma.slowglass.com/~tgr/libnl/.
  8. Traces are available at http://kuester.multics.org/DroidTracer/malware/traces.
  9. UIDs below 10000 are reserved for system apps with higher privileges.
  10. http://developer.android.com/training/articles/security-tips.html#UserData.
  11. http://thehackernews.com/2014/11/ubers-android-app-is-literally-malware_28.html.


Author information

Correspondence to Jan-Christoph Küster.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Küster, J.-C., Bauer, A. (2015). Monitoring Real Android Malware. In: Bartocci, E., Majumdar, R. (eds) Runtime Verification. Lecture Notes in Computer Science, vol 9333. Springer, Cham. https://doi.org/10.1007/978-3-319-23820-3_9

  • DOI: https://doi.org/10.1007/978-3-319-23820-3_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-23819-7

  • Online ISBN: 978-3-319-23820-3

  • eBook Packages: Computer Science (R0)
