Design and Implementation of MobiSaS: Mobile Security Analysis System

Posted on: 2016-03-10
Degree: Ph.D
Type: Dissertation
University: The Chinese University of Hong Kong (Hong Kong)
Candidate: Zheng, Min
Full Text: PDF
GTID: 1478390017981269
Subject: Computer Engineering
Abstract/Summary:
Smartphones and mobile devices are rapidly becoming indispensable for many users. According to the official figures, Google Play had 1.3 million apps and the iTunes App Store had 1.2 million apps in 2014. However, many of these apps still contain a number of vulnerabilities. In addition, such a large user base also attracts malware writers to distribute their malware into the wild. Therefore, there is an urgent need for a "security analytic & forensic system" that helps analysts examine, dissect, associate and correlate a large number of mobile applications. An effective analytic system needs to address the following questions: How to automatically collect and manage a high volume of mobile apps and firmwares? How to analyze a suspicious application/firmware, identify its vulnerabilities, or associate it with existing malware families in the database? How to reveal similar malicious logic across various malware, and quickly detect a zero-day malicious code segment?

In this paper, we present the design and implementation of MobiSaS (Mobile Security Analysis System). For Android, the system uses a multi-level signature algorithm to extract malware features based on their semantic meaning at the app/class/method level. The system then uses these multi-level signatures to identify repackaged malware/apps and to perform class association among malware/apps. In addition, MobiSaS uses ptrace to monitor selected system calls of the target process that runs the dynamic payloads, and classifies the payloads' behaviour from the system call sequence. Furthermore, the system applies a novel evaluation methodology to customized Android firmwares at both the application level and the system level. For iOS, MobiSaS uses both static and dynamic analysis techniques to analyze the structure of suspicious iOS apps. In addition, the system has three detectors that focus on the detection of iOS private APIs, URL scheme vulnerabilities and sensitive information leakage.

To show the effectiveness of MobiSaS, we conducted large-scale experiments. For Android apps, we successfully collected 150,368 Android apps and identified 2,475 malware samples from 102 families. Among those, 327 are zero-day malware samples from six different malware families. For Android firmwares, we used MobiSaS to systematically analyze 250 customized Android firmwares and 24,009 pre-installed apps. At the application level, we found that 1,947 (8.1%) apps have the signature vulnerability and 19 (7.6%) firmwares contain pre-installed malware. At the system level, we found that 142 (56.8%) firmwares have the default signature vulnerability, five (2.0%) firmwares contain a malicious hosts file, 40 (16.0%) firmwares have the native-level privilege escalation vulnerability, and at least 249 (99.6%) firmwares have the Java-level privilege escalation vulnerability. For iOS, we found that 844 (59.9%) of the 1,408 iOS enpublic apps we studied do use private APIs, 14 (0.9%) apps contain URL scheme vulnerabilities, and 901 (63.9%) apps transport sensitive information over unencrypted channels. In addition, we summarized 25 private APIs that are crucial and security-sensitive on iOS 6/7/8, and we have filed three CVEs (Common Vulnerabilities and Exposures) for iOS devices.
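The abstract describes a multi-level signature scheme (method/class/app level) used to flag repackaged apps and to associate classes across samples. The following is an added illustration written for this page, not the dissertation's own MobiSaS code, and it makes several assumptions the abstract does not state: a method is represented by its Dalvik opcode sequence (constructed inline as mnemonic strings), the method signature hashes only the mnemonics with operands and identifiers stripped, the class signature hashes the sorted set of its method signatures, the app signature is the set of its class signatures, and repackaging is flagged when the class-level Jaccard similarity exceeds a threshold. The sample apps `ORIGINAL`, `REPACKAGED` and `UNRELATED` are constructed for the demonstration.

```python
"""Multi-level (method/class/app) signatures for repackaging detection.

Illustrative example added for this page; NOT the MobiSaS implementation.
Assumptions: methods are opcode-mnemonic sequences, operands are dropped,
class/app signatures are built bottom-up from the level below, and
repackaging is decided by Jaccard similarity of class signatures.
"""
import hashlib
from typing import Dict, List, Set

App = Dict[str, Dict[str, List[str]]]  # class name -> method name -> opcodes


def method_signature(opcodes: List[str]) -> str:
    # Keep only the mnemonic (first token) of each instruction so that
    # register renumbering, obfuscated class/method names and changed
    # constants do not alter the signature.
    mnemonics = [instr.split()[0] for instr in opcodes]
    return hashlib.sha256(" ".join(mnemonics).encode()).hexdigest()[:16]


def class_signature(methods: Dict[str, List[str]]) -> str:
    # Sorted so that method order and method names are irrelevant.
    sigs = sorted(method_signature(ops) for ops in methods.values())
    return hashlib.sha256("|".join(sigs).encode()).hexdigest()[:16]


def app_signature(app: App) -> Set[str]:
    # App level: the set of class signatures (class names are ignored).
    return {class_signature(methods) for methods in app.values()}


def jaccard(a: Set[str], b: Set[str]) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def is_repackaged(app_a: App, app_b: App, threshold: float = 0.5) -> bool:
    """Flag app_b as a repackaged variant of app_a (or vice versa)."""
    return jaccard(app_signature(app_a), app_signature(app_b)) >= threshold


def shared_classes(app_a: App, app_b: App) -> Set[str]:
    """Class association: class signatures that occur in both apps."""
    return app_signature(app_a) & app_signature(app_b)


# Constructed sample input (hypothetical apps, not real samples).
ORIGINAL: App = {
    "com/example/MainActivity": {
        "onCreate": ["invoke-super v0, Landroid/app/Activity;->onCreate()V",
                     "const-string v1, \"hello\"",
                     "return-void"],
        "onClick": ["iget-object v0, p0, Lcom/example/MainActivity;->net:Lcom/example/NetHelper;",
                    "invoke-virtual v0, Lcom/example/NetHelper;->fetch()V",
                    "return-void"],
    },
    "com/example/NetHelper": {
        "fetch": ["new-instance v0, Ljava/net/URL;",
                  "invoke-direct v0, Ljava/net/URL;-><init>()V",
                  "return-object v0"],
    },
}

# Same logic with renamed identifiers, renumbered registers and a changed
# string constant, plus one injected class that the original does not have.
REPACKAGED: App = {
    "a/b/C": {
        "a": ["invoke-super v3, Landroid/app/Activity;->onCreate()V",
              "const-string v4, \"hi\"",
              "return-void"],
        "b": ["iget-object v2, p0, La/b/C;->x:La/b/D;",
              "invoke-virtual v2, La/b/D;->c()V",
              "return-void"],
    },
    "a/b/D": {
        "c": ["new-instance v5, Ljava/net/URL;",
              "invoke-direct v5, Ljava/net/URL;-><init>()V",
              "return-object v5"],
    },
    "a/b/E": {  # injected class
        "run": ["const-string v0, \"payload\"",
                "invoke-static v0, La/b/E;->go()V",
                "return-void"],
    },
}

UNRELATED: App = {
    "x/Y": {"m": ["const/4 v0, 0x1", "return v0"]},
}


if __name__ == "__main__":
    print("original vs repackaged:", jaccard(app_signature(ORIGINAL), app_signature(REPACKAGED)))
    print("repackaged?", is_repackaged(ORIGINAL, REPACKAGED))
    print("shared classes:", len(shared_classes(ORIGINAL, REPACKAGED)))
    print("original vs unrelated repackaged?", is_repackaged(ORIGINAL, UNRELATED))
```

Two of the three classes in the repackaged sample hash to the same class signatures as the original despite renaming, so the class-level Jaccard is 2/3 and the pair is flagged; the injected class is the one signature not shared, which is exactly the part an analyst would inspect first. The unrelated app shares nothing and is not flagged. Hashing mnemonics only is a deliberate trade-off: it survives identifier obfuscation but also means two semantically different methods with identical opcode shapes collide, so a real system would add finer features at the method level.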
Keywords/Search Tags:System, Mobile, Security, Mobisas, Ios, Apps, Malware, Firmwares