Francesco Mercaldo

A Classifier of Malicious Android Applications

Malware for smart phones is rapidly spreading out. This paper proposes a method for detecting malware based on three metrics, which evaluate: the occurrences of a specific subset of system calls, a weighted sum of a subset of permissions that the application required, and a set of combinations of permissions. The experimentation carried out suggests that these metrics are promising in detecting malware, but further improvements are needed to increase the quality of detection.

Effectiveness of Opcode ngrams for Detection of Multi Family Android Malware

With the wide diffusion of smartphones and their usage in a plethora of processes and activities, these devices have been handling an increasing variety of sensitive resources. Attackers are hence producing a large number of malware applications for Android (the most spread mobile platform), often by slightly modifying existing applications, which results in malware being organized in families. Some works in the literature showed that opcodes are informative for detecting malware, not only in the Android platform. In this paper, we investigate if frequencies of ngrams of opcodes are effective in detecting Android malware and if there is some significant malware family for which they are more or less effective. To this end, we designed a method based on state-of-the-art classifiers applied to frequencies of opcodes ngrams. Then, we experimentally evaluated it on a recent dataset composed of 11120 applications, 5560 of which are malware belonging to several different families. Results show that an accuracy of 97% can be obtained on the average, whereas perfect detection rate is achieved for more than one malware family.

Ransomware Steals Your Phone. Formal Methods Rescue It

Ransomware is a recent type of malware which makes inaccessible the files or the device of the victim. The only way to unlock the infected device or to have the keys for decrypting the files is to pay a ransom to the attacker. Commercial solutions for removing ransomware and restoring the infected devices and files are ineffective, since this malware uses a very robust form of asymmetric cryptography and erases shadow copies and recovery points of the operating system. Literature does not count many solutions for effectively detecting and blocking ransomware and, at the best knowledge of the authors, formal methods were never applied to identify ransomware. In this paper we propose a methodology based on formal methods that is able to detect the ransomware and to identify in the malwares code the instructions that implement the characteristic instructions of the ransomware. The results of the experimentation are strongly encouraging and suggest that the proposed methodology could be the right way to follow for developing commercial solutions that could successful intercept the ransomware and blocking the infections it provokes.

An HMM and structural entropy based detector for Android malware

Smartphones are becoming more and more popular and, as a consequence, malware writers are increasingly engaged to develop new threats and propagate them through official and third-party markets. In addition to the propagation vectors, malware is also evolving quickly the techniques adopted for infecting victims and hiding their malicious nature to antimalware scanning. From SMS Trojans to legitimate applications repacked with malicious payload, from AES encrypted root exploits to the dynamic loading of a payload retrieved from a remote server: malicious code is becoming more and more hard to detect.In this paper we experimentally evaluate two techniques for detecting Android malware: the first one is based on Hidden Markov Model, while the second one exploits structural entropy. These two techniques have been successfully applied to detect PCs viruses in previous works, and only one work in literature analyzes the application of HMM to the detection of Android malware. We demonstrate that these methods, which reveal effective for PCs virus, are also successful for detecting and classifying mobile malware.Our results are promising: we obtain a precision of 0.96 to discriminate a malware application, and a precision of 0.978 to identify the malware family.

Acquiring and Analyzing App Metrics for Effective Mobile Malware Detection

Android malware is becoming very effective in evading detection techniques, and traditional malware detection techniques are demonstrating their weaknesses. Signature based detection shows at least two drawbacks: first, the detection is possible only after the malware has been identified, and the time needed to produce and distribute the signature provides attackers with window of opportunities for spreading the malware in the wild. For solving this problem, different approaches that try to characterize the malicious behavior through the invoked system and API calls emerged. Unfortunately, several evasion techniques have proven effective to evade detection based on system and API calls. In this paper, we propose an approach for capturing the malicious behavior in terms of device resource consumption (using a thorough set of features), which is much more difficult to camouflage. We describe a procedure, and the corresponding practical setting, for extracting those features with the aim of maximizing their discriminative power. Finally, we describe the promising results we obtained experimenting on more than 2000 applications, on which our approach exhibited an accuracy greater than 99%.

Download malware? no, thanks: how formal methods can block update attacks

In mobile malware landscape there are many techniques to inject malicious payload in a trusted application: one of the most common is represented by the so-called update attack. After an apparently innocuous application is installed on the victims device, the user is asked to update the application, and a malicious behavior is added to the application. In this paper we propose a static method based on model checking able to identify this kind of attack. In addiction, our method is able to localize the malicious payload at method-level. We obtain an accuracy very close to 1 in identifying families implementing update attack using a real Android dataset composed by 2,581 samples.

A Case Study of Automating User Experience-Oriented Performance Testing on Smartphones

We have developed a platform named Advanced Test Environment (ATE) for supporting the design and the automatic execution of UX tests for applications running on Android smartphones. The platform collects objective metrics used to estimate the UX. In this paper, we investigate the extent that the metrics captured by ATE are able to approximate the results that are obtained from UX testing with real human users. Our findings suggest that ATE produces UX estimations that are comparable to those reported by human users. We have also compared ATE with three widespread benchmark tools that are commonly used in the industry, and the results show that ATE outperforms these tools.

Mobile malware detection using op-code frequency histograms

Mobile malware has grown in scale and complexity, as a consequence of the unabated uptake of smartphones worldwide. Malware writers have been developing detection evasion techniques which are rapidly making anti-malware technologies uneffective. In particular, zero-days malware is able to easily pass signature based detection, while dynamic analysis based techniques, which could be more accurate and robust, are too costly or inappropriate to real contexts, especially for reasons related to usability. This paper discusses a technique for discriminating Android malware from trusted applications that does not rely on signature, but on identifying a vector of features obtained from the static analysis of the Androids Dalvik code. Experimentation accomplished on a sample of 11,200 applications revealed that the proposed technique produces high precision (over 93%) in mobile malware detection, with an accuracy of 95%.

Identification of Android Malware Families with Model Checking

Android malware is increasing more and more in complexity. Current signature based antimalware mechanisms are not able to detect zero-day attacks, also trivial code transformations may evade detection. Malware writers usually add functionality to existing malware or merge different pieces of malware code: this is the reason why Android malware is grouped into families, i.e., every family has in common the malicious behavior. In this paper we present a model checking based approach in detecting Android malware families by means of analysing and verifying the Java Bytecode that is produced when the source code is compiled. A preliminary investigation has been also conducted to assess the validity of the proposed approach.

Composition-Malware: Building Android Malware at Run Time

We present a novel model of malware for Android, named composition-malware, which consists of composing fragments of code hosted on different and scattered locations at run time. An key feature of the model is that the malicious behavior could dynamically change and the payload could be activated under logic or temporal conditions. These characteristics allow a malware written according to this model to evade current malware detection technologies for Android platform, as the evaluation has demonstrated. The aim of the paper is to propose new approaches to malware detection that should be adopted in anti-malware tools for blocking a composition-malware.