SherlockDroid: a research assistant to spot unknown malware in Android marketplaces

Original Paper

Abstract

With over 1,400,000 Android applications in Google Play alone, and dozens of different marketplaces, Android malware unfortunately has no difficulty sneaking in and silently spreading. Known malware and their variants are nowadays quite well detected by anti-virus scanners. Nevertheless, fundamentally new and unknown malware remains an issue. To assist research teams in the discovery of such new malware, we built an infrastructure, named SherlockDroid, whose goal is to filter out the mass of applications and keep only those most likely to be malicious, for later inspection by anti-virus teams. SherlockDroid consists of marketplace crawlers, code-level property extractors and a classification tool named Alligator, which decides whether a sample looks malicious or not based on prior learning. In our tests, we extracted properties from and classified over 480K applications. During two crawling campaigns, in July 2014 and October 2014, SherlockDroid crawled over 120K applications, leading to the detection of one new malware, Android/Odpa.A!tr.spy, and two new riskware. Together with previous findings, this brings SherlockDroid and Alligator's "Hall of Shame" to 8 malware and potentially unwanted applications.

Keywords

Android, Malware, Classification, Static analysis, Security

Notes

Acknowledgments

We wish to thank Ruchna Nigam, for her help on SherlockDroid.


Copyright information

© Springer-Verlag France 2015

Authors and Affiliations

  1. FortiGuard Labs, Fortinet, Biot, France
  2. Institut Mines-Telecom, Telecom ParisTech, CNRS/LTCI, Biot, France
