A system for the analysis and detection of malicious Android applications

  • Vitor M. Afonso UNICAMP
  • Matheus F. de Amorim UNICAMP
  • Eduardo Ellery UNICAMP
  • André R. A. Grégio UNICAMP
  • Glauco B. Junquera SiDi
  • Guilherme A. K. Schick SiDi
  • Ricardo Dahab UNICAMP
  • Paulo Lício de Geus UNICAMP

Abstract

The increase in mobile device sales has led to a rise in new malware samples targeting these platforms. This scenario is especially serious for the Android operating system, whose marketplaces (official and alternative) have been used as a point of infection for many users. There is therefore a need for techniques that analyze applications from marketplaces and identify their malicious behavior before they are published and users become infected. In this paper, we present a system that dynamically analyzes Android applications and detects malicious ones using machine learning algorithms. The tests performed to validate the system used thousands of applications and achieved detection rates of 95.45%.

Published: 2013-11-11
AFONSO, Vitor M.; AMORIM, Matheus F. de; ELLERY, Eduardo; GRÉGIO, André R. A.; JUNQUERA, Glauco B.; SCHICK, Guilherme A. K.; DAHAB, Ricardo; GEUS, Paulo Lício de. Um sistema para análise e detecção de aplicações maliciosas de Android. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 13. , 2013, Manaus. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2013 . p. 240-252. DOI: https://doi.org/10.5753/sbseg.2013.19549.
