
Event Trace Based Malicious Behavior Detection On Smartphone Platform

Posted on: 2015-05-25
Degree: Master
Type: Thesis
Country: China
Candidate: C Tan
Full Text: PDF
GTID: 2308330464455732
Subject: Computer software and theory
Abstract/Summary:
With the rapid development of mobile platforms, smartphones have become an important part of people's daily lives. As a result, sensitive data and confidential software, such as mobile banking and financial charging applications, increasingly accumulate on the mobile side. However, the security of mobile devices remains a problem. Malware has not only increased in number but has also strengthened its attack behavior. In the smartphone era, malicious behaviors have surpassed those of the feature-phone era in both quantity and quality. This trend will become the most significant obstacle to the development of smartphones.

Current mobile operating systems, such as Android and iOS, use an application-based permission granting system to protect platform sensors and user privacy. Nevertheless, an application-based permission granting system has inherent problems. First, users' carelessness, insufficient knowledge, or even misunderstanding of permissions may cause permissions to go unchecked. Second, application developers may over-claim permissions, either intentionally or unconsciously. Third, more than two applications, whether normal or malicious, may trigger a permission escalation attack, which can bypass the permission auditing system. The root cause of these problems is that the entity to which permissions are granted cannot help the user understand its behaviors. Current permissions are granted per application, and the only way for a user to understand an application's behaviors is the description on the market. Yet it is obvious that most users do not have the ability to fully understand and judge whether a permission is appropriate.

As for malware, malicious code today does not appear alone. Usually it infects a normal application and is downloaded by users together with it. Another situation is the flood of spyware and greyware, which show normal, useful behavior in the foreground while containing background behavior that collects sensitive data and user privacy. Under the current security architecture, users cannot tell the difference between a normal application and such a privacy-stealing application, because, judging only by the description and the application's normal functionality, some permissions should be allowed. Yet those permissions are inherited by all of the application's components and code, which may harm user privacy.

To tackle the problems above, we introduce a new malicious behavior detection mechanism named event tracing judging. In contrast to the previous application-based permission granting system, we use the event trace as the granularity for judging whether behavior is normal or malicious. An event trace is the particular set of event handling functions triggered by an original event. Since mobile systems are event-driven in nature, all developer code is triggered by some event. Hence, we also call an event trace the "application behavior". The context of an event trace is a summary of application behavior. It includes the cause of the event trace, which functions are invoked, and the final destination of the data flow. By reading the detailed report, users can clearly understand the application behavior and judge it for themselves.

Based on the concept and theory above, we designed and implemented a system, EventChain, on Android for online malware detection. It tracks an application's event traces and propagates the context of an event trace across threads and processes. When a behavior violates the security policy, EventChain alerts the user and provides the context of the event trace as evidence for judgment. As an online malware detection tool, EventChain performs well, incurring less than 10% performance overhead in CPU-intensive benchmarks.
Keywords/Search Tags: Mobile Security, Permission Granting, Malware Detection