Author(s): Kimberly Tam, Salahuddin J. Khan, Aristide Fattori, Lorenzo Cavallaro

Download: Paper (PDF)

Date: 7 Feb 2015

Document Type: Briefing Papers

Additional Documents: Slides

Associated Event: NDSS Symposium 2015

Abstract:

Today, mobile devices and their application marketplaces drive the entire economy of the mobile landscape. For instance, Android platforms alone have produced staggering revenues exceeding 5 billion USD, which unfortunately attracts cybercriminals, with malware now hitting the Android markets at an alarmingly rising pace. To better understand this slew of threats, we present The System, an automatic VMI-based dynamic analysis system to reconstruct the behavior of Android malware. Based on the key observation that all interesting behaviors are eventually expressed through system calls, The System presents a novel unified analysis able to capture both low-level OS-specific and high-level Android-specific behaviors. To this end, The System presents an automatic system call-centric analysis that faithfully reconstructs events of interest, including IPC and RPC interactions and complex Android objects, to describe the behavior of Android malware regardless of whether it is initiated from Java or native code execution. The System’s analysis generates detailed behavioral profiles that abstract a large stream of low-level—sometimes uninteresting—events into concise high-level semantics, which are well-suited to provide effective insights. We carried out an extensive evaluation to assess the capabilities and performance of The System on more than 2,900 Android malware samples. Our experiments show that The System faithfully reconstructs OS- and Android-specific behaviors and, through the use of a simple yet effective app stimulation technique, successfully triggers and discloses additional behaviors on more than 60% (on average) of the analyzed malware samples, qualitatively improving code coverage of dynamic-based analyses.