Publication


Featured research published by Shweta Bhandari.


security of information and networks | 2015

DRACO: DRoid analyst combo an android malware analysis framework

Shweta Bhandari; Rishabh Gupta; Vijay Laxmi; Manoj Singh Gaur; Akka Zemmari; Maxim Anikeev

Android, being the most popular open source mobile operating system, attracts a plethora of app developers. Millions of applications are developed for the Android platform with a great extent of behavioral diversity and are available on the Play Store as well as on many third-party app stores. Due to its open nature, the Android platform has in the past been targeted by many malware writers. Conventional signature-based methods for detecting malware on a device are no longer promising due to an exponential increase in the number of variants of the same application with different signatures. Moreover, they lack dynamic analysis. In this paper, we propose DRACO, which employs a two-phase detection technique that blends the synergy of both static and dynamic analysis. It has two modules: a client module in the form of an Android app that is installed on mobile devices, and a server module that runs on a server. DRACO also explains to the user the features contributing to the maliciousness of the analyzed app and generates a score for that maliciousness. It does not require any root or super-user privileges. In an evaluation of 18,000 benign applications and 10,000 malware samples, DRACO performs better than several related existing approaches and detects 98.4% of the malware with few false alerts. On ten popular smartphones, the method requires an average of 6 seconds for on-device analysis and 90 seconds for on-server analysis.


advanced information networking and applications | 2016

Intersection Automata Based Model for Android Application Collusion

Shweta Bhandari; Vijay Laxmi; Akka Zemmari; Manoj Singh Gaur

Android applications need to access and share users' sensitive data. To maintain users' privacy and related data security, it is essential to protect this data. The Android security framework enforces a permission-protected model, but it has been shown that applications can bypass this security model. Attacks based on such unauthorized privileges are known as Inter-Component Communication (ICC) Collusion Attacks. In this paper, we propose a novel automaton framework that allows effective detection of intent-based collusion. Our detection framework operates at the component level. To evaluate our proposal, we developed 14 applications and took 4 applications from Google Play Store. We took all possible combinations from the set of 21 applications. We tested our approach on 210 pairs of applications derived from the set of 21 applications. The time and space complexity of our proposed approach is O(n), where n is the number of components in all the applications under analysis. The experimental results demonstrate that our technique is scalable to application sizing and more efficient compared to other state-of-the-art approaches.


Recent Advances in Computational Intelligence in Defense and Security | 2016

DroidAnalyst: Synergic App Framework for Static and Dynamic App Analysis

Parvez Faruki; Shweta Bhandari; Vijay Laxmi; Manoj Singh Gaur; Mauro Conti

The evolution of mobile devices and the availability of additional resources, coupled with enhanced functionality, have allowed the smartphone to substitute for conventional computing devices. Mobile device users have adopted smartphones for online payments, sending emails, social networking, and storing sensitive user information. The ever-increasing number of mobile devices has attracted malware authors and cybercriminals to target mobile platforms. Android, the most popular open source mobile OS, is being targeted by malware writers. In particular, less monitored third-party markets are being used as infection and propagation sources. Given the threats posed by the increasing number of malicious apps, security researchers must be able to analyze the malware quickly and efficiently; this may not be feasible with manual analysis. Hence, automated analysis techniques for app vetting and malware detection are necessary. In this chapter, we present DroidAnalyst, a novel automated app vetting and malware analysis framework that integrates the synergy of static and dynamic analysis to improve the accuracy and efficiency of analysis. DroidAnalyst generates a unified analysis model that combines the strengths of the complementary approaches with multiple detection methods, to increase the app code analysis. We have evaluated our proposed solution DroidAnalyst against a reasonable dataset consisting of real-world benign and malware apps.


trust security and privacy in computing and communications | 2017

SneakLeak: Detecting Multipartite Leakage Paths in Android Apps

Shweta Bhandari; Frédéric Herbreteau; Vijay Laxmi; Akka Zemmari; Partha S. Roop; Manoj Singh Gaur

In this paper, a technique is proposed to address the threat emerging from multiple colluding Android applications (apps). Existing techniques have focused on single-app analysis, which may be defeated by scattering leakage-capable path segments across multiple apps. In such a scenario, an individual app appears benign, whereas together with other conspiring apps, if present, it can lead to information leakage. This threat is known as app collusion. Relay of private and sensitive information from one app to another is possible via multiple communication mechanisms provided by Android. In this paper, we present SneakLeak, a new model-checking based technique for detection of app collusion. The proposed method analyzes multiple apps simultaneously. SneakLeak can identify any set of conspiring apps that might be involved in the collusion. To demonstrate the efficacy of our proposal, we experimented with Android apps exhibiting collusion through inter-app communication. The apps are taken from a test dataset named DroidBench. Our experiments show that the technique can precisely detect the presence/absence of collusion among apps.


computer and communications security | 2017

POSTER: Detecting Inter-App Information Leakage Paths

Shweta Bhandari; Frédéric Herbreteau; Vijay Laxmi; Akka Zemmari; Partha S. Roop; Manoj Singh Gaur

Sensitive (private) information can escape from one app to another using one of the multiple communication methods provided by Android for inter-app communication. This leakage can be malicious. In such a scenario, an individual benign app, in collusion with other conspiring apps, if present, can leak the private information. In this work in progress, we present a new model-checking based approach for inter-app collusion detection. The proposed technique takes into account simultaneous analysis of multiple apps. We are able to identify any set of conspiring apps involved in the collusion. To evaluate the efficacy of our tool, we developed Android apps that exhibit collusion through inter-app communication. Eight demonstrative sets of apps have been contributed to the widely used test dataset named DroidBench. Our experiments show that the proposed technique can accurately detect the presence/absence of collusion among apps. To the best of our knowledge, our proposal has better detection capability than other techniques.


Computers & Security | 2017

Android inter-app communication threats and detection techniques

Shweta Bhandari; Wafa Ben Jaballah; Vineeta Jain; Vijay Laxmi; Akka Zemmari; Manoj Singh Gaur; Mohamed Mosbah; Mauro Conti

With the digital breakthrough, smartphones have become an essential component for many routine tasks like shopping, paying bills, transferring money, instant messaging, emails, etc. Mobile devices are a very attractive attack surface for cyber thieves as they hold personal details (accounts, locations, contacts, photos) and have potential capabilities for eavesdropping (with cameras/microphone, wireless connections). Android, being the most popular, is the target of malicious hackers who are trying to use Android apps as a tool to break into and control the device. Android malware authors use many anti-analysis techniques to hide from analysis tools. Academic researchers and commercial anti-malware companies are putting great effort into detecting such malicious apps. They are making use of combinations of static, dynamic and behavior-based analysis techniques. Despite all the security mechanisms provided by Android, apps can carry out malicious actions through inter-app communication. One such inter-app communication threat is collusion. In collusion, malicious functionality is divided across multiple apps. Each participating app accomplishes its part and communicates information to another app through Inter Component Communication (ICC). ICC does not require any special permissions. Also, there is no compulsion to inform the user about the communication. Each participating app needs to request a minimal set of privileges, which may make it appear benign to current state-of-the-art techniques that analyze one app at a time. There are many surveys on app analysis techniques in Android; however, they focus on single-app analysis. This survey highlights several inter-app communication threats, in particular collusion among multiple apps. In this paper, we present Android vulnerabilities that may be exploited for carrying out privilege escalation attacks, privacy leakage and collusion attacks. We cover the existing threat analysis, scenarios, and a detailed comparison of tools for intra- and inter-app analysis. To the best of our knowledge this is the first survey on inter-app communication threats, app collusion and state-of-the-art detection tools in Android.


trust security and privacy in computing and communications | 2017

SniffDroid: Detection of Inter-App Privacy Leaks in Android

Vineeta Jain; Shweta Bhandari; Vijay Laxmi; Manoj Singh Gaur; Mohamed Mosbah

Android has deprecated the use of readable/writeable mode for shared preferences from API level 17. Hence, researchers are not paying much attention to privacy leaks via shared preferences. However, Android app developers are still using these modes in practice. This may have serious ramifications such as privacy leakage, privilege escalation, etc., and may pose a severe threat to a user’s privacy. In this paper, we present an automaton-based static analysis technique named SniffDroid to detect inter-app privacy leaks via shared preferences in Android. To evaluate the performance of SniffDroid in real-time, we tested it on our developed dataset of 21 apps and 240 Google Play Store apps. These apps are chosen from various categories such as banking, wallet, location, shopping, etc. SniffDroid conducts analysis at the component level. The empirical results of the proposed method indicate that SniffDroid operates in linear time w.r.t. the number of components. It works efficiently on apps of all sizes and is scalable.


consumer communications and networking conference | 2016

FlowMine: Android app analysis via data flow

Lovely Sinha; Shweta Bhandari; Parvez Faruki; Manoj Singh Gaur; Vijay Laxmi; Mauro Conti


Future Generation Computer Systems | 2018

SneakLeak+ : Large-scale klepto apps analysis

Shweta Bhandari; Frédéric Herbreteau; Vijay Laxmi; Akka Zemmari; Manoj Singh Gaur; Partha S. Roop


workshop on information security applications | 2018

SWORD: Semantic aWare andrOid malwaRe Detector

Shweta Bhandari; Rekha Panihar; Smita Naval; Vijay Laxmi; Akka Zemmari; Manoj Singh Gaur

Collaboration


Top Co-Authors

Maxim Anikeev

Southern Federal University

Smita Naval

National Institute of Technology
