Saurabh Chakradeo
William Enck
ABSTRACT
Malware is a pressing concern for mobile application market operators. While current mitigation techniques are keeping pace with the relatively infrequent presence of malicious code, the rapidly increasing rate of application development makes manual and resource-intensive automated analysis costly at market-scale. To address this resource imbalance, we present the Mobile Application Security Triage (MAST) architecture, a tool that helps to direct scarce malware analysis resources towards the applications with the greatest potential to exhibit malicious behavior. MAST analyzes attributes extracted from just the application package using Multiple Correspondence Analysis (MCA), a statistical method that measures the correlation between multiple categorical (i.e., qualitative) data. We train MAST using over 15,000 applications from Google Play and a dataset of 732 known-malicious applications. We then use MAST to perform triage on three third-party markets of different size and malware composition---36,710 applications in total. Our experiments show that MAST is both effective and performant. Using MAST ordered ranking, malware-analysis tools can find 95% of malware at the cost of analyzing 13% of the non-malicious applications on average across multiple markets, and MAST triage processes markets in less than a quarter of the time required to perform signature detection. More importantly, we show that successful triage can dramatically reduce the costs of removing malicious applications from markets.
- H. Abdi and D. Valentin. Multiple correspondence analysis. In Encyclopedia of Measurement and Statistics, page 13. Sage, California, 2007.Google Scholar
- Android market API. http://code.google.com/p/android-market-api/.Google Scholar
- Anzhi Market. http://www.anzhi.com.Google Scholar
- Apple app store, 2012. http://www.apple.com/iphone/from-the-app-store/.Google Scholar
- Baksmali, 2012. http://code.google.com/p/smali/.Google Scholar
- D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji. A methodology for empirical analysis of permission-based security models and its application to android. In Proceedings of the 17th ACM conference on Computer and communications security, page 73. ACM Press, 2010. Google ScholarDigital Library
- C. Beaumont. Apple iPhone 'kill switch' discovered, August 2008. http://www.telegraph.co.uk/technology/3358115/Apple-iPhone-kill-switch-discovered.html.Google Scholar
- Blackberry app world, 2012. http://appworld.blackberry.com/webstore/.Google Scholar
- A. Bose, X. Hu, K. G. Shin, and T. Park. Behavioral detection of malware on mobile handsets. In Proceeding of the 6th international conference on Mobile systems, applications, and services, page 225. ACM Press, 2008. Google ScholarDigital Library
- T. Bray. Exercising Our Remote Application Removal Feature, June 2010. http://android-developers.blogspot.com/2010/06/exercising-our-remote-application.html.Google Scholar
- J. Burns. Developing Secure Mobile Applications for Android. iSEC Partners, Oct. 2008. http://www.isecpartners.com/files/iSEC_Securing_Android_Apps.pdf.Google Scholar
- E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in android. In Proceedings of the 9th international conference on Mobile systems, applications, and services, MobiSys '11, pages 239--252, New York, NY, USA, 2011. ACM. Google ScholarDigital Library
- M. Egele, C. Kruegel, E. Kirda, and G. Vigna. PiOS: Detecting Privacy Leaks in iOS Applications. In Proceedings of the ISOC Network & Distributed System Security Symposium (NDSS), 2011.Google Scholar
- W. Enck, P. Gilbert, B. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In OSDI, pages 393--407, 2010. Google ScholarDigital Library
- W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A study of Android application security. In Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, USA, 2011. Google ScholarDigital Library
- W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In Proceedings of the 16th ACM conference on Computer and communications security, page 235. ACM Press, 2009. Google ScholarDigital Library
- W. Enck, M. Ongtang, and P. McDaniel. Understanding Android Security. IEEE Security & Privacy Magazine, 7(1):50--57, January/February 2009. Google ScholarDigital Library
- A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proceedings of the 18th ACM conference on Computer and communications security, CCS '11, Chicago, Illinois, USA, Oct. 2011. Google ScholarDigital Library
- A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner. A survey of mobile malware in the wild. In ACM Workshop on Security and Privacy in Mobile Devices, Chicago, Illinois, USA, Oct. 2011. Google ScholarDigital Library
- GFan Market. http://www.gfan.com/.Google Scholar
- Google play, 2012. https://play.google.com/store/apps.Google Scholar
- M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang. RiskRanker: Scalable and Accurate Zero-day Android Malware Detection. In Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys), June 2012. Google ScholarDigital Library
- P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall. These Aren't the Droids You're Looking For: Retrofitting Android to Protect Data from Imperious Applications. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2011. Google ScholarDigital Library
- J. Jang, D. Brumley, and S. Venkataraman. Bitshred: feature hashing malware for scalable triage and semantic analysis. In Proceedings of the 18th ACM conference on Computer and communications security, CCS '11, pages 309--320, New York, NY, USA, 2011. ACM. Google ScholarDigital Library
- X. Jiang. Questionable Android Apps -- SndApps -- Found and Removed from Official Android Market, July 2011. http://www.csc.ncsu.edu/faculty/jiang/SndApps/.Google Scholar
- X. Jiang. Security Alert: New Android SMS Trojan -- YZHCSMS -- Found in Official Android Market and Alternative Markets, June 2011. http://www.csc.ncsu.edu/faculty/jiang/YZHCSMS/.Google Scholar
- X. Jiang. Security Alert: New Stealthy Android Spyware -- Plankton -- Found in Official Android Market, June 2011. http://www.csc.ncsu.edu/faculty/jiang/Plankton/.Google Scholar
- H. Kim, J. Smith, and K. G. Shin. Detecting energy-greedy anomalies and mobile malware variants. In Proceeding of the 6th international conference on Mobile systems, applications, and services, page 239. ACM Press, 2008. Google ScholarDigital Library
- A. Kingsley-Hughes. So that's what happens when you highlight an iOS security hole, November 2011. http://www.zdnet.com/blog/hardware/so-thats-what-happens-when-you-highlightan-ios-security-hole/16078.Google Scholar
- L. Liu, G. Yan, X. Zhang, and S. Chen. VirusMeter: preventing your cellphone from spies. In Recent Advances in Intrusion Detection, volume 5758, pages 244--264, Berlin, Heidelberg, 2009. Springer Berlin Heidelberg. Google ScholarDigital Library
- H. Lockheimer. Android and Security. Google Mobile Blog, Feb. 2012. http://googlemobile.blogspot.com/2012/02/android-and-security.html.Google Scholar
- Lookout Mobile Security. Mobile threat report. Technical report, Lookout Mobile Security, Aug. 2011.Google Scholar
- Lookout mobile security, 2012. https://www.mylookout.com/.Google Scholar
- J. Lowensohn. iPhone lock-screen password app pulled, June 2011. http://news.cnet.com/8301-27076_3-20071405-248/iphone-lock-screen-password-app-pulled/.Google Scholar
- K. Mahaffey. Security Alert: DroidDream Malware Found in Official Android Market, March 2011. http://blog.mylookout.com/2011/03/security-alert-malware-found-inofficial-android-market-droiddream/.Google Scholar
- P. Marquardt, A. Verma, H. Carter, and P. Traynor. (sp)iPhone: Decoding Vibrations From Nearby Keyboards Using Mobile Phone Accelerometers. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2011. Google ScholarDigital Library
- P. McDaniel and W. Enck. Not so great expectations: Why application markets haven't failed security. IEEE Security & Privacy, 8(5):76--78, Oct. 2010. Google ScholarDigital Library
- Min Zheng, Patrick P.C. Lee, and John C.S. Lui. ADAM: an automatic and extensible platform to stress test android anti-virus systems. In Proceedings of the 9th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'12), Heraklion, Crete, Greece, July 2012. Google ScholarDigital Library
- Ndoo market. http://www.nduoa.com/.Google Scholar
- NetQin Mobile Security, 2012. http://www.netqin.com/en/.Google Scholar
- M. Neugschwandtner, P. M. Comparetti, G. Jacob, and C. Kruegel. Forecast: skimming off the malware cream. In Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC '11, pages 11--20, New York, NY, USA, 2011. ACM. Google ScholarDigital Library
- Nicholas J. Percoco and Sean Schulte. Adventures in BouncerLand. In Blackhat USA, Las Vegas, NV, 2012.Google Scholar
- M. Parkour. Contagio mobile malware MiniDump. http://contagiominidump.blogspot.com/.Google Scholar
- H. Peng, C. Gates, B. Sarma, N. Li, Y. Qi, R. Potharaju, C. Nita-Rotaru, and I. Molloy. Using probabilistic generative models for ranking risks of android apps. In Proceedings of the 2012 ACM conference on Computer and communications security, CCS '12, page 241--252, New York, NY, USA, 2012. ACM. Google ScholarDigital Library
- R. Perdisci, A. Lanzi, and W. Lee. Mcboost: Boosting scalability in malware collection and analysis using statistical classification of executables. In Proceedings of the 2008 Annual Computer Security Applications Conference, ACSAC '08, pages 301--310, Washington, DC, USA, 2008. IEEE Computer Society. Google ScholarDigital Library
- B. L. Roux and H. Rouanet. Multiple Correspondence Analysis. Number 163 in Quantitative Applications in the Social Sciences. SAGE Publications, Los Angeles, California, USA, 2010.Google Scholar
- B. P. Sarma, N. Li, C. Gates, R. Potharaju, C. Nita-Rotaru, and I. Molloy. Android permissions: a perspective combining risks and benefits. In Proceedings of the 17th ACM symposium on Access Control Models and Technologies, SACMAT '12, page 13--22, New York, NY, USA, 2012. ACM. Google ScholarDigital Library
- R. E. Schapire. The Boosting Approach to Machine Learning: An Overview. In Nonlinear Estimation and Classification. Springer, 2003.Google ScholarCross Ref
- SoftAndroid Market. http://softandroid.ru.Google Scholar
- Trend Micro Command Line Antivirus Scanner, 2012. http://esupport.trendmicro.com/solution/en-us/0117058.aspx.Google Scholar
- Windows Phone: Marketplace, 2011. http://www.windowsphone.com/en-US/marketplace.Google Scholar
- B. Womack. Google says 700,000 applications available for android, Oct. 2012.Google Scholar
- Y. Zhou and X. Jiang. Dissecting Android Malware: Characterization and Evolution. In Proceedings of the IEEE Symposium on Security and Privacy (OAKLAND), 2012. Google ScholarDigital Library
- Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, You, Get off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In Proceedings of the Network and Distributed System Security Symposium, Feb. 2012.Google Scholar
- Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taming information-stealing smartphone applications (on android). In TRUST, pages 93--107, 2011. Google ScholarDigital Library
Index Terms
- MAST: triage for market-scale mobile malware analysis
Recommendations
How I Met Your Mother?
ICETE 2016: Proceedings of the 13th International Joint Conference on e-Business and TelecommunicationsAndroid malware is becoming more and more aggressive, in terms of impact on the victimâ s device and in
terms of capability of evading detection. Not only smartphones with their sensitive information are targeted
by attackers, but also devices such as ...
POSTER: A Framework for Phylogenetic Analysis in Mobile Environment
ASIACCS '18: Proceedings of the 2018 on Asia Conference on Computer and Communications SecurityTo maximize the probability of successful attacks and reduce the odds of being detected, malware developers implement different versions of the same malicious payloads. As a matter of fact, malware writers often generate new malicious code starting from ...
Towards an Automatic Method for API Association Extraction for PE-Malware Categorization
IPAC '15: Proceedings of the International Conference on Intelligent Information Processing, Security and Advanced CommunicationBehavior-based malware detection techniques remain one of the most efficient protections against malicious programs. Such techniques are based on constructing models representing malicious and legitimate behaviors by analyzing the set of APIs (...
Comments