A system for the analysis and detection of malicious Android applications
Abstract
The growth in the number of mobile devices sold has led to the emergence of countless malware samples for these platforms. The situation is especially serious on Android, whose app stores (official and alternative) serve as the point of infection for many users. It is therefore necessary to develop techniques that analyze applications coming from Android stores and identify their malicious behavior before users obtain them. This work presents an environment for dynamic analysis and machine-learning-based detection of Android malware. The validation tests of the environment, carried out on thousands of applications, yielded a detection rate of 95.45%.
Published
11/11/2013
How to Cite
AFONSO, Vitor M.; AMORIM, Matheus F. de; ELLERY, Eduardo; GRÉGIO, André R. A.; JUNQUERA, Glauco B.; SCHICK, Guilherme A. K.; DAHAB, Ricardo; GEUS, Paulo Lício de. Um sistema para análise e detecção de aplicações maliciosas de Android. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 13., 2013, Manaus. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2013. p. 240-252. DOI: https://doi.org/10.5753/sbseg.2013.19549.