Abstract
In the most comprehensive study on Android attacks so far (undertaken by the Android Malware Genome Project), the behaviour of more than 1,200 malware samples was analysed and categorised into common, recurring groups of attacks. Based on this work (and the corresponding actual malware files), we present an approach for specifying and identifying these (and similar) attacks using runtime verification.
While formally, our approach is based on a first-order logic abstraction of malware behaviour, it practically relies on our Android event interception tool, MonitorMe, which lets us capture almost any system event that can be triggered by apps on a user’s Android device.
This paper details MonitorMe, our formal specification of malware behaviour, and practical experiments undertaken with various Android devices and versions on a wide range of actual malware samples from the above study. In a nutshell, we were able to detect real malware from 46 out of 49 different malware families, which strengthens the idea that runtime verification may, indeed, be a good choice for mobile security in the future.
NICTA is funded by the Australian Government as represented by the Department of Broadband, Communications and the Digital Economy and the Australian Research Council through the ICT Centre of Excellence program.
Notes
- 8. Traces are available at http://kuester.multics.org/DroidTracer/malware/traces.
- 9. UIDs below 10000 are reserved for system apps with higher privileges.
© 2015 Springer International Publishing Switzerland
Cite this paper
Küster, JC., Bauer, A. (2015). Monitoring Real Android Malware. In: Bartocci, E., Majumdar, R. (eds) Runtime Verification. Lecture Notes in Computer Science(), vol 9333. Springer, Cham. https://doi.org/10.1007/978-3-319-23820-3_9
DOI: https://doi.org/10.1007/978-3-319-23820-3_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23819-7
Online ISBN: 978-3-319-23820-3