
Research on android malware detection and interception based on behavior monitoring

Wuhan University Journal of Natural Sciences

Abstract

Focusing on the sensitive behaviors of malware, such as privacy theft and behaviors that incur charges for the user, this paper proposes a new method to monitor software behaviors and detect malicious applications on the Android platform. Based on the theory and implementation of the Android Binder interprocess communication mechanism, a prototype system that integrates behavior monitoring and interception, malware detection, and identification is built in this work. Fifty different samples are used in the malware detection experiment, including 40 normal samples and 10 malicious samples. The theoretical analysis and experimental results demonstrate that this system is effective in malware detection and interception, with a true positive rate equal to 100% and a false positive rate less than 3%.



Corresponding author

Correspondence to Guojun Peng.

Additional information

Foundation item: Supported by the National Natural Science Foundation of China (61103220), the Fundamental Research Funds for the Central Universities (6082013), the National Natural Science Foundation of Hubei (2011CDB456), and the Chenguang Program (2012710367).

Biography: PENG Guojun, male, Associate Professor, Ph.D.; research direction: malicious code, network and information system security.

Cite this article

Peng, G., Shao, Y., Wang, T. et al. Research on android malware detection and interception based on behavior monitoring. Wuhan Univ. J. Nat. Sci. 17, 421–427 (2012). https://doi.org/10.1007/s11859-012-0864-x


  • DOI: https://doi.org/10.1007/s11859-012-0864-x
