Analyzing Android Repackaged Malware by Decoupling Their Event Behaviors

  • Conference paper
Advances in Information and Computer Security (IWSEC 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9836)

Abstract

Malware has threatened Android security for a long time. One of the main sources of Android malware is repackaging: attackers inject malicious payloads into legitimate apps and then republish them. In this paper, we propose a new dynamic approach to analyze and detect the behaviors of Android repackaged malware. Our approach mainly concerns the framework-level behaviors of apps, which carry rich semantics, and a special execution sandbox is first constructed to extract them. Then, assuming that malicious payloads are usually triggered by certain events, we reconstruct the execution dependency graph to distinguish the different event behaviors of malware. Based on the resulting independent event behavior sequences, only a small number of malware samples from the same family are required to accurately compare and locate their common behaviors, which can then be used as signatures to detect other suspicious Android apps or to analyze malware's activities. For evaluation, we have implemented a prototype system, and 9 families of real-world repackaged malware are detected in our experiments. Although only 3 samples from each family are randomly chosen to extract their common malware behaviors, the results show that our approach still has a high detection accuracy (96.3%). In addition, some attacks such as code encryption and delay attacks are also studied in this work.
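The core idea in the abstract, sketched as an added example that is not the authors' code: behaviors are split by triggering event before samples of one family are compared, so host-app activity does not pollute the shared signature. The `(event, api_call)` trace format, the longest-common-subsequence comparison, the `min_len` cutoff, all function names and the three traces are assumptions constructed for illustration.

```python
from collections import defaultdict
from functools import reduce

def split_by_event(trace):
    """Decouple an interleaved (event, api_call) trace into per-event call sequences."""
    seqs = defaultdict(list)
    for event, call in trace:
        seqs[event].append(call)
    return dict(seqs)

def lcs(a, b):
    """Longest common subsequence of two call sequences (assumed comparison method)."""
    dp = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            dp[i + 1][j + 1] = dp[i][j] + 1 if x == y else max(dp[i][j + 1], dp[i + 1][j])
    out, i, j = [], len(a), len(b)
    while i and j:  # walk the table backwards to recover the calls themselves
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1])
            i, j = i - 1, j - 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return out[::-1]

def family_signature(traces, min_len=2):
    """For each event seen in every sample, keep the calls all samples share, in order."""
    per_sample = [split_by_event(t) for t in traces]
    shared = set.intersection(*(set(s) for s in per_sample))
    sig = {e: reduce(lcs, [s[e] for s in per_sample]) for e in shared}
    return {e: c for e, c in sig.items() if len(c) >= min_len}  # min_len: assumed noise cutoff

def matched_events(trace, signature):
    """Events whose signature calls all occur, in order, in this app's behavior for that event."""
    seqs = split_by_event(trace)
    def contains(seq, calls):
        it = iter(seq)
        return all(c in it for c in calls)
    return [e for e, calls in signature.items() if contains(seqs.get(e, []), calls)]

# Constructed traces: the same payload repackaged into three different host apps.
BOOT, CLICK, CREATE = "BOOT_COMPLETED", "onClick", "onCreate"
ID, NET, SMS = "TelephonyManager.getDeviceId", "HttpURLConnection.connect", "SmsManager.sendTextMessage"
A = [(CREATE, "Activity.setContentView"), (BOOT, ID), (CLICK, "MediaPlayer.start"), (BOOT, NET), (BOOT, SMS)]
B = [(CREATE, "Activity.setContentView"), (BOOT, ID), (BOOT, NET), (CLICK, "Camera.open"), (BOOT, SMS)]
C = [(BOOT, ID), (CREATE, "Activity.setContentView"), (BOOT, NET),
     (BOOT, "LocationManager.getLastKnownLocation"), (BOOT, SMS), (CLICK, "WebView.loadUrl")]
SIGNATURE = family_signature([A, B, C])
```

With these three samples the only surviving signature is the boot-triggered sequence; the same calls observed under a different event in another app do not match it.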

Acknowledgement

This work was supported by National Key Research and Development Plan under Grant No. 2016YFB0800603, National Natural Science Foundation of China (NSFC) under Grant No. 61402477 and No. 61100228, the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant No. XDA06010703.

Author information

Corresponding author

Correspondence to Rui Wang.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Lin, Z., Wang, R., Jia, X., Zhang, S., Wu, C. (2016). Analyzing Android Repackaged Malware by Decoupling Their Event Behaviors. In: Ogawa, K., Yoshioka, K. (eds) Advances in Information and Computer Security. IWSEC 2016. Lecture Notes in Computer Science, vol 9836. Springer, Cham. https://doi.org/10.1007/978-3-319-44524-3_1

  • DOI: https://doi.org/10.1007/978-3-319-44524-3_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-44523-6

  • Online ISBN: 978-3-319-44524-3

  • eBook Packages: Computer Science, Computer Science (R0)
