Using Provenance Patterns to Vet Sensitive Behaviors in Android Apps

Conference paper, Security and Privacy in Communication Networks (SecureComm 2015)

Abstract

We propose Dagger, a lightweight system to dynamically vet sensitive behaviors in Android apps. Dagger avoids costly instrumentation of virtual machines or modifications to the Android kernel. Instead, Dagger reconstructs the program semantics by tracking provenance relationships and observing apps’ runtime interactions with the phone platform. More specifically, Dagger uses three types of low-level execution information at runtime: system calls, Android Binder transactions, and app process details. System call collection is performed via Strace [7], a low-latency utility for Linux and other Unix-like systems. Binder transactions are recorded by accessing Binder module logs via sysfs [8]. App process details are extracted from the Android /proc file system [6]. A data provenance graph is then built to record the interactions between the app and the phone system based on these three types of information. Dagger identifies behaviors by matching the provenance graph with the behavior graph patterns that are previously extracted from the internal working logic of the Android framework. We evaluate Dagger on both a set of over 1200 known malicious Android apps, and a second set of 1000 apps randomly selected from a corpus of over 18,000 Google Play apps. Our evaluation shows that Dagger can effectively vet sensitive behaviors in apps, especially for those using complex obfuscation techniques. We measured the overhead based on a representative benchmark app, and found that both the memory and CPU overhead are less than 10%. The runtime overhead is less than 63%, which is significantly lower than that of existing approaches.
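As an added illustration of the pipeline the abstract describes (not the paper's code, and not Dagger itself), the Python sketch below fuses constructed strace-style lines and a constructed Binder transaction-log-style line into a provenance graph of (subject, relation, object) edges, using Open Provenance Model relation names, and matches it against one behaviour pattern: a process that read a sensitive store and then wrote to a network socket. The sample lines, the `SENSITIVE` path list and the edge vocabulary are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed sample input (not real captures): strace-style lines with a pid
# prefix, plus one line in the style of Android's Binder transaction log.
TRACE = """\
1234 openat(AT_FDCWD, "/data/data/com.android.providers.contacts/databases/contacts2.db", O_RDONLY) = 5
1234 read(5, "...", 4096) = 512
1234 connect(7, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.9")}, 16) = 0
1234 sendto(7, "...", 512, 0, NULL, 0) = 512
""".splitlines()
BINDER = ["42: call from 1234:1234 to 400:410 context binder node 51 handle 3 size 64:0"]

SYSCALL = re.compile(r'^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)')
BINDER_RE = re.compile(r'call from (?P<src>\d+):\d+ to (?P<dst>\d+):\d+')
SENSITIVE = re.compile(r"contacts|sms|telephony")  # assumed sensitive-store names

def build_graph(strace_lines, binder_lines):
    """Provenance edges (subject, relation, object) in observed order."""
    fds, edges = defaultdict(dict), []  # per-pid fd table -> file/socket node
    for line in strace_lines:
        if not (m := SYSCALL.match(line)): continue
        pid, name, args, ret = m["pid"], m["name"], m["args"], int(m["ret"])
        proc, fd0 = f"proc:{pid}", args.split(",")[0]
        if name in ("open", "openat") and ret >= 0:
            fds[pid][ret] = "file:" + re.search(r'"([^"]+)"', args).group(1)
        elif name == "connect":  # bind the socket fd to its remote endpoint
            host = re.search(r'inet_addr\("([^"]+)"\)', args)
            port = re.search(r'htons\((\d+)\)', args)
            if host and port:
                fds[pid][int(fd0)] = f"sock:{host.group(1)}:{port.group(1)}"
        elif name in ("read", "recvfrom"):
            edges.append((proc, "used", fds[pid].get(int(fd0), f"fd:{fd0}")))
        elif name in ("write", "sendto"):
            edges.append((fds[pid].get(int(fd0), f"fd:{fd0}"), "wasGeneratedBy", proc))
    for line in binder_lines:  # cross-process edge: callee was triggered by caller
        m = BINDER_RE.search(line)
        if m:
            edges.append((f"proc:{m['dst']}", "wasTriggeredBy", f"proc:{m['src']}"))
    return edges

def match_exfil_pattern(edges):
    """Pattern: a process used a sensitive file, then socket data was generated
    by that same process. Returns (pid, file, socket) triples."""
    seen, hits = defaultdict(list), []
    for subj, rel, obj in edges:
        if rel == "used" and obj.startswith("file:") and SENSITIVE.search(obj):
            seen[subj].append(obj)
        elif rel == "wasGeneratedBy" and subj.startswith("sock:"):
            hits += [(obj, f, subj) for f in seen[obj]]
    return hits
```

The matcher is order-sensitive on purpose: a socket write that precedes the sensitive read does not match, which is the kind of temporal constraint a graph pattern can encode that a flat permission or syscall list cannot.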


References

  1. Antutu benchmark. https://play.google.com/store/apps/details?id=com.antutu.ABenchMark&hl=en

  2. Graphviz - graph visualization software. http://www.graphviz.org/

  3. National Security Agency: Security-Enhanced Linux. http://www.nsa.gov/research/selinux

  4. Neo4j. http://www.neo4j.org/?gclid=CIXUs_D-xb0CFQaBfgodIAMARw

  5. Obfuscating embedded malware on Android. http://www.symantec.com/connect/blogs/obfuscating-embedded-malware-android

  6. The proc filesystem. http://en.wikipedia.org/wiki/Procfs

  7. Strace - trace system calls and signals. http://linux.die.net/man/1/strace

  8. Sysfs. http://en.wikipedia.org/wiki/Sysfs

  9. UI/Application Exerciser Monkey. http://developer.android.com/tools/help/monkey.html

  10. Andrus, J., Dall, C., Hof, A.V., Laadan, O., Nieh, J.: Cells: a virtual mobile smartphone architecture. In: Proceedings of the 23rd SOSP (2011)

  11. Au, K., Zhou, Y., Huang, Z., Lie, D., Gong, X., Han, X., Zhou, W.: PScout: analyzing the Android permission specification. In: Proceedings of the 19th CCS (2012)

  12. Backes, M., Bugiel, S., Gerling, S.: Scippa: system-centric IPC provenance on Android. In: 30th Annual Computer Security Applications Conference (2014)

  13. Bose, A., Hu, X., Shin, K.G., Park, T.: Behavioral detection of malware on mobile handsets. In: Proceedings of the 6th MobiSys (2008)

  14. Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.-R., Shastry, B.: Towards taming privilege-escalation attacks on Android. In: Proceedings of the 19th NDSS (2012)

  15. Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for Android. In: Proceedings of the 1st Workshop on CCSSPSM (2011)

  16. Chan, P.P., Hui, L.C., Yiu, S.M.: DroidChecker: analyzing Android applications for capability leak. In: Proceedings of the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks (2012)

  17. Chen, K., Johnson, N., Silva, V., Dai, S., MacNamara, K., Magrino, T., Wu, E., Rinard, M., Song, D.: Contextual policy enforcement in Android applications with permission event graphs. In: Proceedings of the NDSS (2013)

  18. Chenxiong, Q., Xiapu, L., Yuru, S., Alvin, C.: NDroid: on tracking information flows through JNI in Android applications. In: Proceedings of the 44th DSN (2014)

  19. Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In: Proceedings of the 9th MobiSys (2011)

  20. Conti, M., Nguyen, V.T.N., Crispo, B.: CRePE: context-related policy enforcement for Android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 331–345. Springer, Heidelberg (2011)

  21. Dietz, M., Shekhar, S., Pisetsky, Y., Shu, A., Wallach, D.S.: Quire: lightweight provenance for smart phone operating systems. In: Proceedings of the USENIX Security Symposium (2011)

  22. Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th OSDI (2010)

  23. Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phone application certification. In: Proceedings of the 16th CCS (2009)

  24. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th CCS (2011)

  25. Felt, A.P., Wang, H.J., Moshchuk, A., Hanna, S., Chin, E.: Permission re-delegation: attacks and defenses. In: Proceedings of the USENIX Security Symposium (2011)

  26. Tariq, D., Gehani, A.: SPADE: support for provenance auditing in distributed environments. In: Narasimhan, P., Triantafillou, P. (eds.) Middleware 2012. LNCS, vol. 7662, pp. 101–120. Springer, Heidelberg (2012)

  27. Joung Ham, Y., Moon, D., Lee, H.-W., Deok Lim, J., Nyeo Kim, J.: Android mobile application system call event pattern analysis for determination of malicious attack. International Journal of Security and Its Applications 8(1) (2014)

  28. Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These are not the droids you are looking for: retrofitting Android to protect data from imperious applications. In: Proceedings of the 18th CCS (2011)

  29. Jing, Y., Zhao, Z., Ahn, G., Hu, H.: Morpheus: automatically generating heuristics to detect Android emulators. In: Proceedings of ACSAC (2014)

  30. Karami, M., Elsabagh, M., Najafiborazjani, P., Stavrou, A.: Behavioral analysis of Android applications using automated instrumentation. In: 7th International Conference on Software Security and Reliability Companion (2013)

  31. Lange, M., Liebergeld, S., Lackorzynski, A., Warg, A., Peter, M.: L4Android: a generic operating system framework for secure smartphones. In: Proceedings of the 1st Workshop on Security and Privacy in Smartphones and Mobile Devices (2011)

  32. Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: CHEX: statically vetting Android apps for component hijacking vulnerabilities. In: Proceedings of the 19th CCS (2012)

  33. Mengtao, S., Gang, T.: NativeGuard: protecting Android applications from third-party native libraries. In: Proceedings of the ACM Conference on Security and Privacy in Wireless & Mobile Networks (2014)

  34. Moreau, L., Clifford, B., Freire, J., Futrelle, J., Gil, Y., Groth, P., Kwasnikowska, N., Miles, S., Missier, P., Myers, J., Plale, B., Simmhan, Y., Stephan, E., Van, J.: The Open Provenance Model core specification (v1.1). In: Future Generation Computer Systems (2010)

  35. Nauman, M., Khan, S., Zhang, X.: Apex: extending Android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on ICCS (2010)

  36. Ongtang, M., Butler, K., McDaniel, P.: Porscha: policy oriented secure content handling in Android. In: Proceedings of the 26th ACSAC (2010)

  37. Ongtang, M., McLaughlin, S., Enck, W., McDaniel, P.: Semantically rich application-centric security in Android. In: Proceedings of the 25th ACSAC (2009)

  38. Peng, H., Gates, C., Sarma, B., Li, N., Qi, Y., Potharaju, R., Nita-Rotaru, C., Molloy, I.: Using probabilistic generative models for ranking risks of Android apps. In: Proceedings of the 19th CCS (2012)

  39. Portokalidis, G., Homburg, P., Anagnostakis, K., Bos, H.: Paranoid Android: versatile protection for smartphones. In: Proceedings of the 26th ACSAC (2010)

  40. Rastogi, V., Chen, Y., Jiang, X.: DroidChameleon: evaluating Android anti-malware against transformation attacks. In: Proceedings of the 8th ICCS (2013)

  41. Reina, A., Fattori, A., Cavallaro, L.: A system call-centric analysis and stimulation technique to automatically reconstruct Android malware behaviors. In: Proceedings of EUROSEC (2013)

  42. Schmidt, A., Bye, R., Schmidt, H., Clausen, J., Kiraz, O., Yuksel, K., Camtepe, S., Sahin, A.: Static analysis of executables for collaborative malware detection on Android. In: ICC Communication and Information Systems Security Symposium (2009)

  43. Schmidt, A., Schmidt, H., Clausen, J., Yuksel, K., Kiraz, O., Sahin, A., Camtepe, S.: Enhancing security of Linux-based Android devices. In: Proceedings of the 15th International Linux Kongress (2008)

  44. Shabtai, A., Fledel, Y., Elovici, Y.: Securing Android-powered mobile devices using SELinux. In: Proceedings of the 31st IEEE Security and Privacy (2010)

  45. Vidas, T., Christin, N.: Evading Android runtime analysis via sandbox detection. In: Proceedings of ASIACCS (2014)

  46. Wei, X., Gomez, L., Neamtiu, I., Faloutsos, M.: ProfileDroid: multi-layer profiling of Android applications. In: 18th Annual International Conference on Mobile Computing and Networking (2012)

  47. Wu, D., Mao, C., Wei, T., Lee, H., Wu, K.: DroidMat: Android malware detection through manifest and API calls tracing. In: Proceedings of the 7th Asia JCIS (2012)

  48. Wu, L., Grace, M., Zhou, Y., Wu, C., Jiang, X.: The impact of vendor customizations on Android security. In: Proceedings of CCS (2013)

  49. Xu, R., Saidi, H., Anderson, R.: Aurasium: practical policy enforcement for Android applications. In: Proceedings of the USENIX Security Symposium (2012)

  50. Yan, L., Yin, H.: DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis. In: Proceedings of the 21st USENIX Security Symposium (2012)

  51. Zhang, Y., Yang, M., Xu, B., Yang, Z., Gu, G., Ning, P., Wang, X., Zang, B.: Vetting undesirable behaviors in Android apps with permission use analysis. In: Proceedings of CCS (2013)

  52. Zheng, C., Zhu, S., Dai, S., Gu, G., Gong, X., Han, X., Zhou, W.: SmartDroid: an automatic system for revealing UI-based trigger conditions in Android applications. In: Proceedings of the 2nd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (2012)

  53. Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting repackaged smartphone applications in third-party Android marketplaces. In: CODASPY (2012)

  54. Zhou, Y., Jiang, X.: Dissecting Android malware: characterization and evolution. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy (2012)

  55. Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious apps in official and alternative Android markets. In: Proceedings of the 19th NDSS (2012)

  56. Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: RiskRanker: scalable and accurate zero-day Android malware detection. In: Proceedings of the 10th MobiSys (2012)

Author information

Corresponding author: Vinod Yegneswaran


Copyright information

© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Yang, C., Yang, G., Gehani, A., Yegneswaran, V., Tariq, D., Gu, G. (2015). Using Provenance Patterns to Vet Sensitive Behaviors in Android Apps. In: Thuraisingham, B., Wang, X., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 164. Springer, Cham. https://doi.org/10.1007/978-3-319-28865-9_4

  • DOI: https://doi.org/10.1007/978-3-319-28865-9_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-28864-2

  • Online ISBN: 978-3-319-28865-9

  • eBook Packages: Computer Science (R0)