
DroidAuditor: Forensic Analysis of Application-Layer Privilege Escalation Attacks on Android (Short Paper)

Conference paper in: Financial Cryptography and Data Security (FC 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9603)


Abstract

Smart mobile devices process and store a vast amount of security- and privacy-sensitive data. To protect this data from malicious applications, mobile operating systems such as Android adopt fine-grained access control architectures. However, related work has shown that these access control architectures are susceptible to application-layer privilege escalation attacks. Both automated static and dynamic program analysis promise to proactively detect such attacks. However, while state-of-the-art static analysis frameworks cannot adequately address native and highly obfuscated code, dynamic analysis is vulnerable to malicious applications that use logic bombs to avoid early detection.

In contrast, the long-term observation of application behavior could help users and security analysts better understand malicious apps. In this paper we present the design and implementation of DroidAuditor, which observes application behavior on real Android devices and generates a graph-based representation. It visualizes this behavior graph, which enables users to develop an intuitive understanding of application internals. Our solution further allows security analysts to query the behavior graph for malicious patterns. We present the design of the DroidAuditor framework and instantiate it using the Android Security Modules (ASM) access control architecture. We evaluate its capability to detect application-layer privilege escalation attacks, such as confused deputy and collusion attacks. In addition, we demonstrate how our architecture can be used to analyze malicious spyware applications.
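The abstract describes recording application behavior as a graph and querying it for privilege escalation patterns. The following is an added illustration of that idea, not DroidAuditor's code: it builds a small behavior graph from a constructed stream of events of the kind an ASM-style reference monitor could report (inter-component calls between apps, and accesses to permission-protected resources), together with a constructed table of granted permissions, and then queries it for apps that reach a protected resource through another app without holding the required permission themselves. The app names, event format and permission names are all assumptions for the example.

```python
"""Behavior-graph query for application-layer privilege escalation.

Added example, not part of the DroidAuditor paper or implementation. The event
format, app names and permission table below are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed sample: permissions granted to each app at install time.
GRANTED = {
    "com.example.game": {"INTERNET"},
    "com.example.deputy": {"SEND_SMS"},
    "com.example.flashlight": {"READ_CONTACTS"},
    "com.example.notes": {"READ_CONTACTS"},
}

# Constructed sample: events in the order a reference-monitor hook would
# report them. "icc" is an inter-component call from src to dst; "access" is
# a direct access to a resource guarded by the named permission.
EVENTS = [
    {"type": "access", "app": "com.example.notes", "resource": "contacts", "permission": "READ_CONTACTS"},
    {"type": "icc", "src": "com.example.game", "dst": "com.example.deputy"},
    {"type": "access", "app": "com.example.deputy", "resource": "sms:send", "permission": "SEND_SMS"},
    {"type": "access", "app": "com.example.flashlight", "resource": "contacts", "permission": "READ_CONTACTS"},
    {"type": "icc", "src": "com.example.flashlight", "dst": "com.example.game"},
    {"type": "access", "app": "com.example.game", "resource": "network:socket", "permission": "INTERNET"},
]


class BehaviorGraph:
    """Apps and resources as nodes; ICC calls and resource accesses as edges."""

    def __init__(self, granted):
        self.granted = {app: set(perms) for app, perms in granted.items()}
        self.icc = defaultdict(set)     # caller app -> set of callee apps
        self.access = defaultdict(set)  # app -> set of (resource, required permission)

    def add_event(self, ev):
        if ev["type"] == "icc":
            self.icc[ev["src"]].add(ev["dst"])
        elif ev["type"] == "access":
            self.access[ev["app"]].add((ev["resource"], ev["permission"]))
        else:
            raise ValueError(f"unknown event type {ev['type']!r}")

    def reachable(self, start):
        """Yield (app, path) for every app reachable from start over ICC edges (BFS)."""
        seen = {start}
        queue = deque([(start, (start,))])
        while queue:
            app, path = queue.popleft()
            for callee in sorted(self.icc.get(app, ())):
                if callee not in seen:
                    seen.add(callee)
                    new_path = path + (callee,)
                    yield callee, new_path
                    queue.append((callee, new_path))


def build_graph(granted, events):
    graph = BehaviorGraph(granted)
    for ev in events:
        graph.add_event(ev)
    return graph


def find_privilege_escalation(graph):
    """Report every app that transitively reaches a protected resource it may not access itself.

    The same query covers a confused deputy (the callee is an unwitting proxy)
    and collusion (the callee cooperates); the graph records reach, not intent.
    """
    findings = []
    for app in sorted(graph.granted):
        for callee, path in graph.reachable(app):
            for resource, perm in sorted(graph.access.get(callee, ())):
                if perm not in graph.granted.get(app, set()):
                    findings.append({"app": app, "path": path,
                                     "resource": resource, "permission": perm})
    return findings


if __name__ == "__main__":
    for f in find_privilege_escalation(build_graph(GRANTED, EVENTS)):
        print(f"{f['app']} reaches {f['resource']} (needs {f['permission']}) via {' -> '.join(f['path'])}")
```

On the constructed input the query flags `com.example.game`, which lacks SEND_SMS but reaches `sms:send` through `com.example.deputy`, and `com.example.flashlight`, which reads contacts with its own permission and then reaches the network (and, transitively, SMS) through apps it calls; `com.example.notes`, which only touches resources it is permitted to, is not reported. A real deployment would distinguish data-carrying calls from plain invocations and time-order the edges, which this example deliberately omits.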





Corresponding author: Stephan Heuser


Copyright information

© 2017 International Financial Cryptography Association


Cite this paper

Heuser, S., Negro, M., Pendyala, P.K., Sadeghi, A.-R. (2017). DroidAuditor: Forensic Analysis of Application-Layer Privilege Escalation Attacks on Android (Short Paper). In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science, vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_15


  • DOI: https://doi.org/10.1007/978-3-662-54970-4_15


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-54969-8

  • Online ISBN: 978-3-662-54970-4

