ADroid: anomaly-based detection of malicious events in Android platforms

  • Regular Contribution
  • International Journal of Information Security

Abstract

As mobile devices are increasingly adopted by users for daily personal and professional activities, the associated security risks and their impact also grow. Although a number of proposals aim at fighting such incidents, the topic remains challenging. This paper presents ADroid, a novel security tool for Android platforms with three main distinguishing characteristics. First, three groups of features are monitored over time: interface usage, application-related and communication-related features. Second, a lightweight anomaly-based detection procedure is run over these features to determine whether unexpected, abnormal activity is occurring. Third, the user can also create specific white/black lists that indicate, in a simple way, certain allowed or undesired activities which, when they occur, should trigger an alarm from the supervision system. ADroid has been implemented in a real environment and evaluated experimentally. The detection accuracy obtained and the resources consumed during its operation demonstrate the effectiveness and promising capabilities of the system.
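To make the three-part scheme of the abstract concrete (feature groups aggregated over time windows, a lightweight statistical detector run on each window, and user white/black lists layered on top), here is a small Python example written for this page. It is not ADroid's code and does not reproduce the paper's actual feature set or detector: the feature names, the ten-minute window, the per-feature z-score rule with its threshold and standard-deviation floor, the semantics given to the lists (a blacklist entry always alarms, a whitelisted feature never does), and all sample events and windows are assumptions made for illustration.

```python
"""Illustrative anomaly detector over time-windowed Android feature counts.

Added example for this page, not ADroid's own code. Feature names, window
length, the z-score rule, the white/black-list semantics and the sample data
are all assumptions made for illustration.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, Iterable, List, Tuple

# Assumed feature set, grouped as the abstract groups them.
FEATURES = (
    "wifi_on_secs", "bt_on_secs",       # interface usage
    "app_installs", "app_launches",     # application-related
    "sms_sent", "tcp_connections",      # communication-related
)
STD_FLOOR = 1.0  # assumed: stops a feature that was constant in training from alarming on noise

Window = Dict[str, float]


def windowize(events: Iterable[Tuple[float, str, float]], window_secs: float) -> List[Window]:
    """Aggregate (timestamp, feature, value) events into per-window sums.

    Every window carries every feature, so later arithmetic needs no .get().
    """
    buckets: Dict[int, Window] = {}
    for ts, feature, value in events:
        if feature not in FEATURES:
            raise ValueError(f"unknown feature {feature!r}")
        idx = int(ts // window_secs)
        buckets.setdefault(idx, {f: 0.0 for f in FEATURES})[feature] += value
    return [buckets[i] for i in sorted(buckets)]


@dataclass
class Baseline:
    mean: Dict[str, float]
    std: Dict[str, float]


def train(windows: List[Window]) -> Baseline:
    """Per-feature mean and standard deviation over windows believed benign.

    This is the one-off, possibly off-device, training phase.
    """
    n = len(windows)
    mean = {f: sum(w[f] for w in windows) / n for f in FEATURES}
    std = {f: max(sqrt(sum((w[f] - mean[f]) ** 2 for w in windows) / n), STD_FLOOR)
           for f in FEATURES}
    return Baseline(mean, std)


def zscores(baseline: Baseline, window: Window) -> Dict[str, float]:
    """Deviation in standard deviations: a few subtractions and divisions per window."""
    return {f: (window[f] - baseline.mean[f]) / baseline.std[f] for f in FEATURES}


@dataclass
class Policy:
    blacklist: Dict[str, float]  # feature -> limit; a window reaching the limit always alarms
    whitelist: frozenset         # features the user declared allowed; never alarm on them


def detect(baseline: Baseline, policy: Policy, window: Window,
           z_threshold: float = 3.0) -> Tuple[bool, List[str]]:
    """Return (alarm, reasons). User rules are evaluated before the statistical test."""
    reasons = [f"blacklist:{f}>={limit}" for f, limit in policy.blacklist.items()
               if window[f] >= limit]
    for f, z in zscores(baseline, window).items():
        if f not in policy.whitelist and z > z_threshold:
            reasons.append(f"anomaly:{f} z={z:.1f}")
    return bool(reasons), reasons


def window(**counts: float) -> Window:
    """Build a full window from the non-zero counts only."""
    w = {f: 0.0 for f in FEATURES}
    w.update(counts)
    return w


# Constructed sample data (not from the paper): four ten-minute windows of benign use.
WINDOW_SECS = 600.0
BENIGN_EVENTS = [
    (10, "wifi_on_secs", 600), (20, "app_launches", 20), (30, "sms_sent", 2), (40, "tcp_connections", 30),
    (610, "wifi_on_secs", 500), (620, "app_installs", 1), (630, "app_launches", 25),
    (640, "sms_sent", 1), (650, "tcp_connections", 40),
    (1210, "wifi_on_secs", 700), (1220, "app_launches", 15), (1230, "sms_sent", 3), (1240, "tcp_connections", 35),
    (1810, "wifi_on_secs", 600), (1820, "app_launches", 20), (1830, "sms_sent", 2), (1840, "tcp_connections", 35),
]
BASELINE = train(windowize(BENIGN_EVENTS, WINDOW_SECS))
# Assumed user policy: any Bluetooth use is undesired; TCP volume is explicitly allowed.
POLICY = Policy(blacklist={"bt_on_secs": 1.0}, whitelist=frozenset({"tcp_connections"}))


def run_demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Four constructed test windows: normal use, an SMS burst, a whitelisted TCP spike, Bluetooth use."""
    return {
        "normal": detect(BASELINE, POLICY, window(wifi_on_secs=650, app_launches=22, sms_sent=1, tcp_connections=33)),
        "sms_burst": detect(BASELINE, POLICY, window(wifi_on_secs=620, app_launches=18, sms_sent=40, tcp_connections=36)),
        "tcp_spike": detect(BASELINE, POLICY, window(wifi_on_secs=600, app_launches=20, sms_sent=2, tcp_connections=200)),
        "bt_use": detect(BASELINE, POLICY, window(wifi_on_secs=600, bt_on_secs=120, app_launches=20, sms_sent=2, tcp_connections=35)),
    }


if __name__ == "__main__":
    for name, (alarm, reasons) in run_demo().items():
        print(f"{name:10s} alarm={alarm} {reasons}")
```

The SMS burst is caught purely statistically (38 standard deviations above the baseline), the TCP spike is silenced by the whitelist, and the Bluetooth window produces both a blacklist hit and an anomaly reason. The standard-deviation floor is the caveat worth noting: without it, a feature that is always zero during training turns any non-zero value into an alarm, which is the main false-positive source in this kind of per-feature detector and the reason the floor (and the threshold) should be tuned per feature.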



Notes

  1. This ‘complexity’ refers to the detection phase only, since (a) the training phase does not necessarily have to take place on the mobile device itself and, even if it does, (b) its impact is limited because this stage is usually carried out only once, at the beginning.

  2. Note that it is not necessary to root the device to run ADroid, since no special permissions or actions are required beyond those declared in the associated AndroidManifest.xml file.


Acknowledgments

This work has been partially supported by the Spanish Government (MINECO, Ministerio de Economía y Competitividad) and FEDER funds through Project TIN2014-60346-R. We also thank the anonymous reviewers for their insights and suggestions on earlier versions of this manuscript, which have helped improve its organization and quality.

Author information

Corresponding author

Correspondence to P. García-Teodoro.


Cite this article

Ruiz-Heras, A., García-Teodoro, P. & Sánchez-Casado, L. ADroid: anomaly-based detection of malicious events in Android platforms. Int. J. Inf. Secur. 16, 371–384 (2017). https://doi.org/10.1007/s10207-016-0333-1
