Monitoring Real Android Malware

  • Jan-Christoph Küster
  • Andreas Bauer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9333)


In the most comprehensive study on Android attacks so far (undertaken by the Android Malware Genome Project), the behaviour of more than 1,200 malware samples was analysed and categorised into common, recurring groups of attacks. Based on this work (and the corresponding actual malware files), we present an approach for specifying and identifying these (and similar) attacks using runtime verification.

Formally, our approach is based on a first-order logic abstraction of malware behaviour; in practice, it relies on our Android event interception tool, MonitorMe, which lets us capture almost any system event that apps can trigger on a user's Android device.

This paper details MonitorMe, our formal specification of malware behaviour, and practical experiments undertaken with various Android devices and versions on a wide range of actual malware incarnations from the above study. In a nutshell, we were able to detect real malware from 46 out of 49 different malware families, which strengthens the idea that runtime verification may, indeed, be a good choice for mobile security in the future.





Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. NICTA, Canberra, Australia
  2. Australian National University, Canberra, Australia
  3. TU München, Munich, Germany
