Detecting Targeted Smartphone Malware with Behavior-Triggering Stochastic Models

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 8712)

Abstract

Malware for current smartphone platforms is becoming increasingly sophisticated. The presence of advanced networking and sensing functions in the device is giving rise to a new generation of targeted malware characterized by greater situational awareness, in which decisions are made on the basis of factors such as the device location, the user profile, or the presence of other apps. This complicates behavioral detection, as the analyst must reproduce very specific activation conditions in order to trigger malicious payloads. In this paper, we propose a system that addresses this problem by relying on stochastic models of usage and context events derived from real user traces. By incorporating the behavioral particularities of a given user, our scheme provides a solution for detecting malware targeting that specific user. Our results show that the properties of these models follow a power-law distribution, a fact that facilitates the efficient generation of automatic testing patterns tailored to individual users when combined with a cloud infrastructure supporting device cloning and parallel testing. We report empirical results with various representative case studies, demonstrating the effectiveness of this approach in detecting complex activation patterns.
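
The following Python block is an added illustration of the idea the abstract describes and is not code from the paper or its authors. It assumes the stochastic model is a first-order Markov chain over discrete context and usage events (the paper's actual model, feature set and test-pattern generator may differ); the user traces and the activation condition (a payload that fires only when the user opens a banking app after arriving at home) are constructed for the example. The chain is fitted to the traces, test patterns are sampled from it, and the harness counts how many sampled patterns would exercise the activation condition, which is the kind of per-user coverage estimate a cloned-device test farm would want before scheduling runs.

```python
import random
from collections import Counter, defaultdict

# Constructed user traces (not data from the paper): each trace is an ordered
# list of discrete context/usage events observed on one device session.
USER_TRACES = [
    ["screen:on", "loc:home", "app:mail", "app:bank", "screen:off"],
    ["screen:on", "loc:work", "app:mail", "app:chat", "screen:off"],
    ["screen:on", "loc:home", "app:chat", "app:bank", "screen:off"],
    ["screen:on", "loc:work", "app:mail", "screen:off"],
    ["screen:on", "loc:home", "app:mail", "app:bank", "app:chat", "screen:off"],
]

START, END = "<start>", "<end>"

# Hypothetical activation condition used only for this example: the payload is
# assumed to trigger when "app:bank" is observed some time after "loc:home".
TRIGGER = ["loc:home", "app:bank"]


def build_markov_model(traces):
    """Fit a first-order Markov chain: P(next | current) from event bigram counts.

    Returns {current_event: {next_event: probability}}.
    """
    counts = defaultdict(Counter)
    for trace in traces:
        events = [START] + list(trace) + [END]
        for cur, nxt in zip(events, events[1:]):
            counts[cur][nxt] += 1
    model = {}
    for cur, nxts in counts.items():
        total = sum(nxts.values())
        model[cur] = {event: n / total for event, n in nxts.items()}
    return model


def sample_sequence(model, rng, max_len=20):
    """Generate one synthetic usage/context pattern by walking the chain."""
    seq = []
    cur = START
    while len(seq) < max_len:
        nxts = model.get(cur)
        if not nxts:
            break
        cur = rng.choices(list(nxts), weights=list(nxts.values()))[0]
        if cur == END:
            break
        seq.append(cur)
    return seq


def is_subsequence(pattern, seq):
    """True if every event of `pattern` appears in `seq` in that order (gaps allowed)."""
    it = iter(seq)
    return all(any(ev == p for ev in it) for p in pattern)


def count_triggering_patterns(model, trigger, n_patterns, seed=0):
    """Sample n_patterns test sequences and count how many exercise the trigger."""
    rng = random.Random(seed)
    return sum(
        is_subsequence(trigger, sample_sequence(model, rng)) for _ in range(n_patterns)
    )


def out_degree_distribution(model):
    """Number of distinct successors per state; the paper reports power-law-like
    structure for such model properties on real traces (this toy data is too
    small to show that)."""
    return {state: len(nxts) for state, nxts in model.items()}


if __name__ == "__main__":
    model = build_markov_model(USER_TRACES)
    for state, nxts in model.items():
        print(state, {e: round(p, 3) for e, p in nxts.items()})
    hits = count_triggering_patterns(model, TRIGGER, 50)
    print(f"{hits}/50 generated patterns would exercise the trigger {TRIGGER}")
    print("out-degrees:", out_degree_distribution(model))
```

The sampled patterns are what a cloned device instance would replay (location updates, app launches, screen state) while the app under test is monitored; patterns that never satisfy the condition are wasted test budget, so the hit count gives a cheap estimate of how many clones are needed for a given user's model.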

Keywords

  • Smartphone security
  • targeted malware
  • cloud analysis

Copyright information

© 2014 Springer International Publishing Switzerland

Cite this paper

Suarez-Tangil, G., Conti, M., Tapiador, J.E., Peris-Lopez, P. (2014). Detecting Targeted Smartphone Malware with Behavior-Triggering Stochastic Models. In: Kutyłowski, M., Vaidya, J. (eds) Computer Security - ESORICS 2014. ESORICS 2014. Lecture Notes in Computer Science, vol 8712. Springer, Cham. https://doi.org/10.1007/978-3-319-11203-9_11

  • DOI: https://doi.org/10.1007/978-3-319-11203-9_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11202-2

  • Online ISBN: 978-3-319-11203-9

  • eBook Packages: Computer Science (R0)