The Research On Communication Mechanism And Traffic Signatures Extractor Of Android Malware Based On HTTP Protocol

Posted on: 2015-11-27
Degree: Master
Type: Thesis
Country: China
Candidate: X F Wang
Full Text: PDF
GTID: 2428330488499610
Subject: Software engineering
Abstract/Summary:
In recent years, mobile devices and network access points have grown rapidly in popularity. With the rapid development of the Android platform and Android applications, mobile malware writers have turned their attention to this platform. Previous research has shown that the majority of Android malware uses HTTP-based C&C servers, as mobile botnets do. Mobile malware performs malicious behaviors such as malicious chargeback and disclosure of private information, poses serious risks to the property and privacy of mobile users, and threatens the network security of the Android platform. However, the growing number of Android malware samples and their variants has increased the difficulty of detecting malicious Android applications. Improving the security of the Android platform requires in-depth study of communication mechanisms and feature extraction technology to provide theoretical and technical support for Android malware detection.

First, this paper studies the communication mechanism of Android malware and designs a communication mechanism that integrates SMS and the HTTP protocol, similar to the command and control (C&C) communication channel of mobile botnets. We combine the short message service (SMS) and the HTTP protocol as the C&C communication channel for Android malware, which reduces system consumption, improves the accuracy of command reception and execution, and hides malware traffic in benign HTTP traffic. The experimental results show that a malicious Android application whose communication channel combines SMS and the HTTP protocol can achieve high efficiency, good stealthiness, and low resource consumption. We also propose several possible detection methods aimed at the communication channel of Android malware.

Based on this research into the communication mechanism of Android malware, and on the challenge of detecting a large number of Android malware samples and their variants, this paper proposes an automated network signature generation system for Android malware based on the HTTP protocol. As part of this system we design an automated testing tool, DroidRunner, which automatically triggers apps to access the Internet and collects their traffic, avoiding the shortcomings of manual collection. We then collected 1260 samples from known malicious families and 118 samples from unknown malicious families of Android applications to build a malicious network signature library by extracting malicious features and then merging and clustering the malicious network signatures of this Android malware. The experimental results show that the system collects network traces accurately and extracts malicious network signatures efficiently.
Keywords/Search Tags: Android Malware, HTTP Protocol, Network Security, Communication Mechanism, Network Signature