
The Research Of Kernel Level Real-time Analysis For Android Application

Posted on: 2017-01-25
Degree: Master
Type: Thesis
Country: China
Candidate: H Ruan
Full Text: PDF
GTID: 2308330485958896
Subject: Software engineering

Abstract/Summary:
There has been an explosive growth in malware for mobile phones over the past few years. Android is an open-source platform and remains the most popular mobile operating system in the world, capturing over 80 percent of the market. Consequently, malware on the Android platform is the largest in quantity and the fastest growing. As the amount of important private data stored on mobile devices grows, that data becomes more valuable, which is rapidly turning malware into a serious threat.

Application behavior analysis is a primary technique for fighting malware. However, current app behavior analysis methods have limitations. For instance, many popular dynamic analysis approaches are built on top of the Dalvik virtual machine, so the behavior of native code is a large blind spot for them. VMI-based approaches can overcome this limitation, but they run in emulated environments, and today's malware can detect where it is running and hide its unlawful behavior accordingly.

Considering these limitations, we present DroidRevealer. The novelty of DroidRevealer lies in its kernel-level system call monitoring inside the Android Linux kernel, and in the fact that it executes on real Android devices. It can monitor both app-level Android-specific behaviors and OS-level behaviors, regardless of whether those behaviors originate from Java, JNI or a Linux ELF binary. By intercepting and interpreting selected file- and network-related and Android-specific system calls, and with the help of an existing static analysis tool, it reconstructs all critical app behaviors in real time. The Linux kernel is the lowest layer of the Android system and therefore has the highest privileges; a monitor placed there is very difficult for an application running with normal privileges to detect, so most applications cannot evade it. In addition, DroidRevealer's results do not focus on a single kind of behavior or a single app; instead, DroidRevealer is data-oriented. Finally, it produces an intelligible graph of the observed behavior, which provides both a sound basis for detection and key evidence for forensics.
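The reconstruction step sketched above (intercepted file and network system calls attributed to an app, turned into a per-app behavior graph that a detector can query) as an added Python example; this is not DroidRevealer's code, which lives in the kernel, and the trace format, the uid values and the sensitive-path prefix are all constructed for the illustration:

```python
import re
# Constructed sample trace (not real DroidRevealer output): one record per
# intercepted syscall, attributed to the calling app's Linux uid and pid.
SAMPLE_TRACE = """\
uid=10057 pid=1234 syscall=openat path=/data/data/com.android.providers.contacts/databases/contacts2.db flags=O_RDONLY
uid=10088 pid=2211 syscall=openat path=/data/data/com.other.app/cache/img.png flags=O_RDONLY
uid=10057 pid=1234 syscall=connect addr=203.0.113.10 port=443
uid=10057 pid=1234 syscall=sendto addr=203.0.113.10 port=443 len=4096
uid=10088 pid=2211 syscall=openat path=/data/data/com.other.app/cache/out.png flags=O_WRONLY|O_CREAT
"""
SENSITIVE_PREFIXES = ("/data/data/com.android.providers.",)  # assumed, for this illustration only
KV = re.compile(r"(\w+)=(\S+)")

def parse_trace(text):
    """Turn each 'key=value ...' record into a dict; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        rec = dict(KV.findall(line))
        if rec.keys() >= {"uid", "pid", "syscall"}:
            events.append(rec)
    return events

def to_edge(ev):
    """Map one syscall record to an (action, resource) edge, or None if not tracked."""
    sc = ev["syscall"]
    if sc == "openat":
        writes = any(f in ev.get("flags", "") for f in ("O_WRONLY", "O_RDWR", "O_CREAT"))
        return ("write" if writes else "read", ev["path"])
    if sc in ("connect", "sendto"):
        return ("connect" if sc == "connect" else "send", f"{ev['addr']}:{ev['port']}")
    return None

def build_behavior_graph(events):
    """uid -> time-ordered (action, resource) edges: the per-app behavior graph."""
    graph = {}
    for ev in events:
        if edge := to_edge(ev):
            graph.setdefault(int(ev["uid"]), []).append(edge)
    return graph

def find_read_then_send(graph):
    """Flag apps that read a sensitive file and later send on a network socket."""
    findings = []
    for uid, edges in graph.items():
        last_read = None
        for action, res in edges:
            if action == "read" and res.startswith(SENSITIVE_PREFIXES):
                last_read = res
            elif action == "send" and last_read:
                findings.append((uid, last_read, res))
    return findings

FINDINGS = find_read_then_send(build_behavior_graph(parse_trace(SAMPLE_TRACE)))
```

Because edges are kept in time order, the query only fires when the sensitive read precedes the send, which is the ordering a forensic timeline needs to show.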
Keywords/Search Tags: Evidence, Live Migration, Memory Forensic Framework, Data Analysis, Behavior Analysis