In this paper, we present a systematic study for the detection of malicious applications (or apps) on popular Android Markets. To this end, we first propose a permission-based behavioral footprinting scheme to detect new samples of known Android malware families. Then we apply a heuristics-based filtering scheme to identify certain inherent behaviors of unknown malicious families.
- Permission-based behavioral footprinting: detect the infection from known malware.
- Heuristics-based filtering scheme: detect unknown malware.
DroidRanger, in general:
- Collect Android apps.
- Extract fundamental properties and organise them with the app itself.
- Detect potentially malicious apps:
  - Permission-based behavioral footprinting
  - Heuristics-based filtering scheme
Detecting Known Android Malware
Permission-based filtering (first step):
- For scalability and efficiency.
- Use the essential permissions for the malware's functionalities to filter out unrelated apps.
- Significantly reduces the number of apps that need to be processed in the second step.
- Two functionalities that are often misused by Android malware: sending SMS messages and monitoring SMS messages.
- Select the permissions required for the malware's command and control channel, but not those required by optional payloads. For example, for the Pjapps malware we should only choose INTERNET and RECEIVE_SMS as the essential ones, not WRITE_HISTORY_BOOKMARKS.
Behavioral footprint matching (second step)
- Behavior-based approach.
- The behavioral footprinting scheme accommodates multiple dimensions to describe malware behaviors:
  - First, the app-specific manifest file provides semantic-rich information about the app, and the information is readily accessible for our purposes.
  - Second, the app bytecode contains a wealth of semantic information, which can also be used in our behavioral footprints.
  - Third, we can also express malware behaviors based on the structural layout of the app (such as what packages are used by the app, what kind of class hierarchies they have, and where a specific resource is located).
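As an added example (not the paper's code or its real footprints), the two-step pipeline above implemented over a decoded AndroidManifest.xml: the essential-permission filter uses the family sets from the table in these notes, while the Zsone footprint (receiver action plus package prefix) and the sample manifest are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Essential permissions per family, as listed in the filtering table of these notes.
ESSENTIAL_PERMISSIONS = {
    "Pjapps": {"INTERNET", "RECEIVE_SMS"},
    "Geinimi": {"INTERNET", "SEND_SMS"},
    "Zsone": {"RECEIVE_SMS", "SEND_SMS"},
    "Bgserv": {"INTERNET", "RECEIVE_SMS", "SEND_SMS"},
}
# Hypothetical footprint (constructed, not the paper's): a manifest dimension (receiver action)
# plus a structural dimension (package-name prefix).
FOOTPRINTS = {
    "Zsone": {"receiver_action": "android.provider.Telephony.SMS_RECEIVED",
              "package_prefix": "com.example.zsone"},
}

def parse_manifest(xml_text):
    """Extract the footprint dimensions from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name") for r in root.iter("receiver") for a in r.iter("action")}
    return {"package": root.get("package"), "permissions": perms, "receiver_actions": actions}

def permission_filter(manifest):
    """Step 1: keep only families whose essential permissions the app requests."""
    return sorted(f for f, req in ESSENTIAL_PERMISSIONS.items() if req <= manifest["permissions"])

def footprint_match(manifest, candidates):
    """Step 2: check the full footprint only for families that survived step 1."""
    hits = []
    for fam in candidates:
        fp = FOOTPRINTS.get(fam)
        if fp and (fp["receiver_action"] in manifest["receiver_actions"]
                   and manifest["package"].startswith(fp["package_prefix"])):
            hits.append(fam)
    return hits

# Constructed sample manifest: requests exactly Zsone's essential permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.zsone.app">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application><receiver android:name=".SmsReceiver">
    <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
  </receiver></application>
</manifest>"""
```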
Detecting Unknown Android Malware
- Identify potentially suspicious apps.
- Focus on certain Android features that may be misused to load new code.
- The first heuristic is related to the dynamic loading of Java binary code from a remote untrusted website.
  - DexClassLoader class.
- The second heuristic is about the dynamic loading of native code locally.
  - Though each app may run with a separate UID, the OS (Linux) kernel's system call interface is directly exposed to the native code, making it possible for malicious apps to exploit vulnerabilities in the OS kernel and privileged daemons to "root" the system.
  - Machine code and assembly code are sometimes called native code when referring to platform-dependent parts of language features or libraries.
Dynamic execution monitoring
- Deploys a dynamic execution monitor to inspect the app's runtime behaviors, particularly those triggered by the new code.
- For the dynamically loaded Java code, our dynamic monitor records any calls to the Android framework APIs (particularly those related to Android permissions) and their arguments.
- For the dynamically loaded native code, our dynamic monitor collects system calls made by the native code.
If the app has suspicious runtime behaviors, we will further manually validate whether the app is indeed a zero-day malware. If yes, we will then extract the corresponding behavioral footprint and include it in the first detection engine to detect other samples infected by this malware.
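An added example, not DroidRanger's own code: the two loading heuristics as a static scan over an APK's zip entries, plus a rule over a native-code syscall trace that picks out the remount of /system noted for DroidKungFu below. The APK contents, the trace lines and their strace-like format are constructed for illustration.

```python
import io
import re
import zipfile

DEX_LOADER = b"Ldalvik/system/DexClassLoader;"   # type descriptor as it appears in a dex string table
ELF_MAGIC = b"\x7fELF"
STANDARD_NATIVE_DIR = re.compile(r"^lib/[^/]+/[^/]+\.so$")   # the usual lib/<abi>/libfoo.so layout
# A remount of /system as writable, as the notes describe for DroidKungFu (strace-like format assumed).
REMOUNT_SYSTEM = re.compile(r'\bmount\(.*"/system".*MS_REMOUNT')

def scan_apk(apk_bytes):
    """Static pass: apply both heuristics to every entry of an APK (a zip file)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            # Heuristic 1: the bytecode references DexClassLoader (dynamic loading of Java code).
            if name.endswith(".dex") and DEX_LOADER in data:
                findings.append(("dex_class_loader", name))
            # Heuristic 2: native code is present; an ELF outside lib/<abi>/ is the unusual case.
            if name.endswith(".so") or data.startswith(ELF_MAGIC):
                kind = "native_code" if STANDARD_NATIVE_DIR.match(name) else "native_code_unusual_location"
                findings.append((kind, name))
    return findings

def flag_remount(trace_lines):
    """Dynamic pass: pick out syscalls in a native-code trace that remount /system writable."""
    return [line for line in trace_lines if REMOUNT_SYSTEM.search(line)]

def build_sample_apk():
    """Constructed stand-in for an APK containing the entries the heuristics look at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16 + DEX_LOADER + b"\x00")
        z.writestr("lib/armeabi/libhelper.so", ELF_MAGIC + b"\x00" * 8)
        z.writestr("assets/payload.bin", ELF_MAGIC + b"\x00" * 8)   # ELF hidden under assets/
    return buf.getvalue()

# Constructed trace lines in an strace-like format.
SAMPLE_TRACE = [
    'open("/data/data/com.example.app/files/payload.bin", O_RDONLY) = 3',
    'mount("/dev/block/mtdblock3", "/system", "yaffs2", MS_REMOUNT, NULL) = 0',
    'chmod("/system/bin/su", 06755) = 0',
]
```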
Effectiveness of permission-based filtering
| Malware family | Essential permissions | Apps passing the filter (share of collected apps) |
| --- | --- | --- |
| ADRD | INTERNET, ACCESS_NETWORK_STATE, RECEIVE_BOOT_COMPLETED | 10,379 (5.68%) |
| Bgserv | INTERNET, RECEIVE_SMS, SEND_SMS | 2,880 (1.58%) |
| DroidDream | CHANGE_WIFI_STATE | 4,096 (2.24%) |
| DroidDreamLight | INTERNET, READ_PHONE_STATE | 71,095 (38.89%) |
| Geinimi | INTERNET, SEND_SMS | 7,620 (4.17%) |
| jSMSHider | INSTALL_PACKAGES | 1,210 (0.66%) |
| BaseBridge | NATIVE CODE | 8,272 (4.52%) |
| Pjapps | INTERNET, RECEIVE_SMS | 4,637 (2.54%) |
| Zsone | RECEIVE_SMS, SEND_SMS | 3,204 (1.75%) |
| zHash | CHANGE_WIFI_STATE | 4,096 (2.24%) |
Zero-day malware: Plankton
- Dynamic loading of untrusted code from remote websites.
- Transports the list of permissions granted to the app over to a remote server (this would presumably allow the remote server to customize the dynamically loaded binary based on the app's granted permissions).
  - Downloads plankton_v0.0.4.jar.
  - Invokes the DexClassLoader to load the Java classes in plankton_v0.0.4.jar.
  - The plankton_v0.0.4.jar contains a number of bot-related functionalities or commands that can be remotely invoked.
- Highly sensitive private information: /bookmarks, /history, /dumplog
Zero-day malware: DroidKungFu
- Loads native code in an unusual way (e.g., from non-standard directories).
- The app attempts to remount the system partition (with the sys_mount syscall) to make it writable. (I don't quite understand why it calls the sys_mount syscall after elevating its privilege to root; is it to make the /data/system directory writable?)
- Analyse how DroidKungFu successfully launches a root exploit:
  - The malware contains both the Rageagainstthecage and Exploid root exploits in an encrypted form.
  - When DroidKungFu runs, it will first decrypt and launch the root exploits.
  - If successful, the malware will essentially elevate its privilege to root.
  - It will install one particular app that acts as a bot client, which connects to a remote server to retrieve and execute commands.
We point out that our current study only explored two basic heuristics to uncover zero-day malware, and there exist many other heuristics that could be equally effective.