
Study On Construction And Static Analysis For Android Privilege Escalation Attacks

Posted on: 2015-08-26
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y B Zhong
GTID: 2308330485490396
Subject: Computer software and theory

Abstract/Summary:
Since smartphones store diverse sensitive private information, including credit card data, SMS messages, audio recordings, geographic location and so on, a great deal of malware seeks to tamper with it. As one of the most prevalent platforms, Android contains sensitive resources that can only be accessed via the corresponding APIs, and those APIs can be invoked only when the user has authorized the required permissions in the Android permission model. However, a novel threat called the privilege escalation attack may bypass this watchdog. In this thesis, we focus on the construction and static analysis of this particular attack.

Firstly, the overall background of Android is introduced, especially the communication channels between applications. Then the way applications cooperate and the scenario of a privilege escalation attack are described. We also describe the methods used by mobile antivirus scanners in order to explore how effective this attack is against traditional detection methods.

Secondly, we explore three styles of privilege-escalation malware evolution techniques based on their different functionalities. We also present and discuss some extended privilege escalation transformations that enhance anti-testing capability.

Thirdly, to counter this threat model, we have developed a tool called DroidAlarm that conducts a full-spectrum analysis to identify potential capability leaks and presents concrete capability leak paths through static analysis of Android applications. This is the first bytecode-based static capability leak analyzer covering all kinds of communication channels, including ICC, the file system and network sockets.

Finally, we experiment on the construction and static analysis of privilege escalation attacks on Android. VirusTotal and the mobile antivirus scanners suggested by AV-TEST are selected as the evaluation systems. We transform samples from the Android Malware Genome Project, and the transformed samples show great effectiveness against a set of antivirus tools. The detection ratios show distinct reductions of varying size, compared to average detection ratios of 61% and 80% before transformation. DroidAlarm raises alarms on both the original samples and all the transformed cases by exposing the capability leak paths in them.
Keywords/Search Tags: Android, Capability Leaks, Privilege Escalation Attack, Malware Transformation, Static Analysis