International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I

Research Article

Detecting Malicious Behaviors in Repackaged Android Apps with Loosely-Coupled Payloads Filtering Scheme

  • @INPROCEEDINGS{10.1007/978-3-319-23829-6_31,
        author={Lulu Zhang and Yongzheng Zhang and Tianning Zang},
        title={Detecting Malicious Behaviors in Repackaged Android Apps with Loosely-Coupled Payloads Filtering Scheme},
        proceedings={International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I},
        proceedings_a={SECURECOMM},
        year={2015},
        month={11},
        keywords={Android security Malicious behaviors Payloads filtering Dynamic instrumentation},
        doi={10.1007/978-3-319-23829-6_31}
    }
    
  • Lulu Zhang
    Yongzheng Zhang
    Tianning Zang
    Year: 2015
    Detecting Malicious Behaviors in Repackaged Android Apps with Loosely-Coupled Payloads Filtering Scheme
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-23829-6_31
Lulu Zhang1,*, Yongzheng Zhang1,*, Tianning Zang1,*
  • 1: Chinese Academy of Sciences
*Contact email: zhanglulu@iie.ac.cn, zhangyongzheng@iie.ac.cn, zangtianning@iie.ac.cn

Abstract

Recently, the security problem of Android applications has become increasingly prominent. In this paper, we propose a novel approach to detect malicious behaviors in loosely-coupled repackaged Android apps. We extract and modify the function call graph (FCG) of an app based on its loosely-coupled property, and divide it into several sub-graphs to identify the primary module and its related modules. In each remaining sub-graph, API calls are added and sensitive API paths are extracted for dynamic instrumentation on top of APIMonitor. The experiments are conducted with 438 malware samples and 1529 apps from two third-party Android markets. Through manual verification, we confirm 5 kinds of malware in 16 apps detected by our approach. The detection rate on the collected malware reaches 99.77 %. The reduction rate of monitored functions reaches 42.95 %, with 98.79 % of malicious functions being successfully saved. The time spent on static and dynamic analysis is 74.9 s and 16.0 s on average, respectively.