
Malicious Code Behavior Analysis Based On The Android Platform

Posted on: 2013-03-01
Degree: Master
Type: Thesis
Country: China
Candidate: Y Li
Full Text: PDF
GTID: 2248330374486410
Subject: Information and Communication Engineering

Abstract/Summary:
3G service has been developing rapidly in China since its launch in 2009. More users have started to use smart terminals as the 3G network has spread, and Android has come to dominate the smartphone market because of its openness and cost-effectiveness. Nevertheless, the rapid expansion of Android's market share has brought malware targeting Android at an alarming rate, which poses a serious threat to its users. Some solutions to Android security issues have been put forward, but most of them belong to the traditional static analysis approach and cannot analyze malicious behavior while a program is executing. Although a few solutions are able to analyze samples dynamically, they show weaknesses in stability and other respects.

In light of this, this dissertation proposes an approach that analyzes Android malware dynamically at the virtual machine level, actively tracking and recording the behavior of the target program instead of relying on the traditional static analysis method. Based on this method, a new sandbox-based Android malware behavior analysis system is proposed, which modifies the Android system and tracks data that originates from sensitive sources. The first step is defining data tags in the new system, which rests on an analysis of the data sources and application interface libraries that malware frequently uses. The dissertation then concentrates on how to embed data tags at various object levels, and on transmitting data together with its tags across programs through the Binder IPC mechanism. Finally, a module for extracting tags from data is constructed, so as to obtain information showing how data is handled. In addition, a module for exporting logs out of the virtual machine is implemented, which enables sensitive data operations to be recorded.

To verify the correctness of the system, relevant tests are designed, and two different kinds of Android applications are selected for testing. One is a self-written program that imitates behaviors malware exhibits, such as file operations, sensitive data access, and automatic Internet connections in the background; the others are malware samples collected online. The self-written sample invokes the APIs covered by the embedded tracking points and can present a whole picture of the actions malware takes, whereas the real test samples show scattered behaviors; together they show how data is used by different samples.

Our system makes up for the inability of static analysis systems to analyze program behavior at runtime, and is able to track the transmission of sensitive data by analyzing application behavior at runtime, so it is superior to traditional static analysis systems. Besides, by building the sandbox on an emulator, our system is immune to damage caused by malware, and using tags only during transmission also minimizes the probability of the sandbox being detected. Finally, embedding tags at the virtual machine level instead of in the Linux kernel enables future porting, so the system can operate on various platforms.
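As an added illustration (not the thesis's own code) of the tag flow the abstract describes, the following Python model attaches a source tag to sensitive data, merges tags as the data is combined, carries them across a simulated Binder parcel, and extracts them at a network sink to produce a log entry. The tag bits, the parcel and sink model, the sample values, and the log format are assumptions of this example.

```python
from dataclasses import dataclass

# Tag bits naming the sensitive source of a value (assumed set, not the thesis's).
TAG_IMEI, TAG_LOCATION = 1 << 0, 1 << 1
TAG_NAMES = {TAG_IMEI: "IMEI", TAG_LOCATION: "LOCATION"}

@dataclass
class Tagged:
    """A string value plus the bitmask of sensitive sources it derives from."""
    value: str
    tag: int = 0

    def concat(self, other: "Tagged") -> "Tagged":
        # Propagation rule: any operation on tagged data unions the tags.
        return Tagged(self.value + other.value, self.tag | other.tag)

# Simulated sensitive sources: the tag is attached at the source object.
def get_device_id() -> Tagged:
    return Tagged("352099001761481", TAG_IMEI)   # constructed sample IMEI

def get_last_location() -> Tagged:
    return Tagged("31.23,121.47", TAG_LOCATION)  # constructed sample coordinates

def parcel_write(items: list) -> tuple:
    """Simulated Binder parcel: values and their tags are marshalled side by side."""
    return [t.value for t in items], [t.tag for t in items]

def parcel_read(values: list, tags: list) -> list:
    """Receiving side rebuilds tagged objects, so tags survive the process hop."""
    return [Tagged(v, t) for v, t in zip(values, tags)]

def tag_names(tag: int) -> list:
    return [name for bit, name in TAG_NAMES.items() if tag & bit]

def network_sink(dest: str, payload: Tagged, log: list) -> bool:
    """Sink check: extract tags from outgoing data and log any sensitive source."""
    sources = tag_names(payload.tag)
    if sources:
        log.append(f"LEAK dest={dest} sources={','.join(sources)} bytes={len(payload.value)}")
        return True
    return False

def run_scenario() -> list:
    """Malware-like flow: collect IMEI and location, hand off via 'Binder', send out."""
    log = []
    combined = get_device_id().concat(Tagged("|")).concat(get_last_location())
    values, tags = parcel_write([combined])            # cross-process hop
    received = parcel_read(values, tags)[0]            # tags arrive with the data
    network_sink("198.51.100.7:8080", received, log)   # tagged: logged
    network_sink("198.51.100.7:8080", Tagged("ping"), log)  # untagged: silent
    return log
```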
Keywords/Search Tags: Android, malware, dynamic analysis, tag, sandbox