Detecting Targeted Smartphone Malware with Behavior-Triggering Stochastic Models

  • Guillermo Suarez-Tangil
  • Mauro Conti
  • Juan E. Tapiador
  • Pedro Peris-Lopez
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8712)


Malware for current smartphone platforms is becoming increasingly sophisticated. The presence of advanced networking and sensing functions in the device is giving rise to a new generation of targeted malware characterized by a more situational awareness, in which decisions are made on the basis of factors such as the device location, the user profile, or the presence of other apps. This complicates behavioral detection, as the analyst must reproduce very specific activation conditions in order to trigger malicious payloads. In this paper, we propose a system that addresses this problem by relying on stochastic models of usage and context events derived from real user traces. By incorporating the behavioral particularities of a given user, our scheme provides a solution for detecting malware targeting such a specific user. Our results show that the properties of these models follow a power-law distribution: a fact that facilitates an efficient generation of automatic testing patterns tailored for individual users, when done in conjunction with a cloud infrastructure supporting device cloning and parallel testing. We report empirical results with various representative case studies, demonstrating the effectiveness of this approach to detect complex activation patterns.


Smartphone security targeted malware cloud analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Juniper: 2013 mobile threats report. Technical report, Juniper Networks (2013)Google Scholar
  2. 2.
    Suarez-Tangil, G., Tapiador, J.E., Peris, P., Ribagorda, A.: Evolution, detection and analysis of malware for smart devices. IEEE Communications Surveys & Tutorials PP(99), 1–27 (2013)Google Scholar
  3. 3.
    Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2011, pp. 3–14. ACM, New York (2011)Google Scholar
  4. 4.
    Zawoad, S., Hasan, R., Haque, M.: Poster: Stuxmob: A situational-aware malware for targeted attack on smart mobile devices (2013)Google Scholar
  5. 5.
    Hasan, R., Saxena, N., Haleviz, T., Zawoad, S., Rinehart, D.: Sensing-enabled channels for hard-to-detect command and control of mobile devices. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, pp. 469–480. ACM (2013)Google Scholar
  6. 6.
    Raiu, C., Emm, D.: Kaspersky security bulletin. Technical report, Kaspersky (2013),
  7. 7.
    Langner, R.: Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy 9(3), 49–51 (2011)CrossRefGoogle Scholar
  8. 8.
    Corporation, S.: Internet security threat report. Technical report, Symantex (2013),
  9. 9.
    Kalige, E., Burkey, D.: A case study of eurograbber: How 36 million euros was stolen via malware. Technical report, Versafe (December 2012)Google Scholar
  10. 10.
    Marquis-Boire, M., Marczak, B., Guarnieri, C., Scott-Railton, J.: You only click twice: Finfishers global proliferation. Research Brief (March 2013),
  11. 11.
    Rogers, M.: Dendroid malware can take over your camera, record audio, and sneak into google play (March 2014),
  12. 12.
    Capilla, R., Ortiz, O., Hinchey, M.: Context variability for context-aware systems. Computer 47(2), 85–87 (2014)CrossRefGoogle Scholar
  13. 13.
    Gianazza, A., Maggi, F., Fattori, A., Cavallaro, L., Zanero, S.: Puppetdroid: A user-centric ui exerciser for automatic dynamic analysis of similar android applications. arXiv preprint arXiv:1402.4826 (2014)Google Scholar
  14. 14.
    Chakradeo, S., Reaves, B., Traynor, P., Enck, W.: Mast: Triage for market-scale mobile malware analysis. In: Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2013, pp. 13–24. ACM, New York (2013)CrossRefGoogle Scholar
  15. 15.
    Enck, W., Gilbert, P., Chun, B., Cox, L., Jung, J., McDaniel, P., Sheth, A.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, pp. 1–6. USENIX Association (2010)Google Scholar
  16. 16.
    Portokalidis, G., Homburg, P., Anagnostakis, K., Bos, H.: Paranoid android: versatile protection for smartphones. In: Proceedings of the 26th Annual Computer Security Applications Conference, pp. 347–356 (2010)Google Scholar
  17. 17.
    Chun, B.G., Ihm, S., Maniatis, P., Naik, M., Patti, A.: Clonecloud: elastic execution between mobile device and cloud. In: Proceedings of the Sixth Conference on Computer Systems, pp. 301–314 (2011)Google Scholar
  18. 18.
    Kosta, S., Aucinas, A., Hui, P., Mortier, R., Zhang, X.: Thinkair: Dynamic resource allocation and parallel execution in the cloud for mobile code offloading. In: 2012 Proceedings IEEE INFOCOM, pp. 945–953. IEEE (2012)Google Scholar
  19. 19.
    Zonouz, S., Houmansadr, A., Berthier, R., Borisov, N., Sanders, W.: Secloud: A cloud-based comprehensive and lightweight security solution for smartphones. Computers & Security (2013)Google Scholar
  20. 20.
    Fleck, D., Tokhtabayev, A., Alarif, A., Stavrou, A., Nykodym, T.: Pytrigger: A system to trigger & extract user-activated malware behavior. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pp. 92–101. IEEE (2013)Google Scholar
  21. 21.
    Zheng, C., Zhu, S., Dai, S., Gu, G., Gong, X., Han, X., Zou, W.: Smartdroid: an automatic system for revealing UI-based trigger conditions in Android applications. In: Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2012, pp. 93–104. ACM, New York (2012)CrossRefGoogle Scholar
  22. 22.
    Rastogi, V., Chen, Y., Enck, W.: Appsplayground: automatic security analysis of smartphone applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, CODASPY 2013, pp. 209–220. ACM, New York (2013)CrossRefGoogle Scholar
  23. 23.
    Jensen, C.S., Prasad, M.R., Møller, A.: Automated testing with targeted event sequence generation. In: Proceedings of the 2013 International Symposium on Software Testing and Analysis, pp. 67–77. ACM (2013)Google Scholar
  24. 24.
    Liang, C.J.M., Lane, N.D., Brouwers, N., Zhang, L., Karlsson, B., Liu, H., Liu, Y., Tang, J., Shan, X., Chandra, R., et al.: Context virtualizer: A cloud service for automated large-scale mobile app testing under real-world conditionsGoogle Scholar
  25. 25.
    Machiry, A., Tahiliani, R., Naik, M.: Dynodroid: An input generation system for android apps. In: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2013, pp. 224–234. ACM, New York (2013)CrossRefGoogle Scholar
  26. 26.
    Reina, A., Fattori, A., Cavallaro, L.: A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors. In: Proceedings of the 6th European Workshop on System Security (EUROSEC), Prague, Czech Republic (April 2013)Google Scholar
  27. 27.
    Conti, M., Crispo, B., Fernandes, E., Zhauniarovich, Y.: Crepe: A system for enforcing fine-grained context-related policies on android. IEEE Transactions on Information Forensics and Security 7(5), 1426–1438 (2012)CrossRefGoogle Scholar
  28. 28.
    Norris, J.R.: Markov chains. Number 2008. Cambridge University Press (1998)Google Scholar
  29. 29.
    Suarez-Tangil, G., Lobardi, F., Tapiador, J.E., Pietro, R.D.: Thwarting obfuscated malware via differential fault analysis. IEEE Computer (June 2014)Google Scholar
  30. 30.
    Android: Android developers (visited December 2013),
  31. 31.
    Lantz, P.: Android application sandbox (visited December 2013),
  32. 32.
    Clauset, A., Shalizi, C.R., Newman, M.E.: Power-law distributions in empirical data. SIAM Review 51(4), 661–703 (2009)CrossRefzbMATHMathSciNetGoogle Scholar
  33. 33.
    Wei, X., Gomez, L., Neamtiu, I., Faloutsos, M.: Profiledroid: Multi-layer profiling of android applications. In: Proceedings of the 18th Annual International Conference on Mobile Computing and Networking, Mobicom 2012, pp. 137–148. ACM, New York (2012)Google Scholar
  34. 34.
    Albert, R., Barabási, A.L.: Statistical mechanics of complex networks. Reviews of Modern Physics 74(1), 47 (2002)CrossRefzbMATHMathSciNetGoogle Scholar
  35. 35.
    Erdős, P., Rényi, A.: On the evolution of random graphs. Magyar Tud. Akad. Mat. Kutató Int. Közl 5, 17–61 (1960)Google Scholar
  36. 36.
    Bertrand, A., David, R., Akimov, A., Junk, P.: Remote administration tool for android devices (visited December 2013),
  37. 37.
    Zhou, W., Zhou, Y., Grace, M., Jiang, X., Zou, S.: Fast, scalable detection of piggybacked mobile applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, pp. 185–196. ACM (2013)Google Scholar
  38. 38.
    Zhou, Y., Jiang, X.: Dissecting android malware: Characterization and evolution. In: Proceedings of the 33rd IEEE Symposium on Security and Privacy (Oakland 2012) (May 2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Guillermo Suarez-Tangil
    • 1
  • Mauro Conti
    • 2
  • Juan E. Tapiador
    • 1
  • Pedro Peris-Lopez
    • 1
  1. 1.Department of Computer ScienceUniversidad Carlos III de MadridSpain
  2. 2.Department of MathematicsUniversity of PadovaItaly

Personalised recommendations