Eight years of rider measurement in the Android malware ecosystem: evolution and lessons learned

Despite the growing threat posed by Android malware, the research community is still lacking a comprehensive view of common behaviors and trends exposed by malware families active on the platform. Without such view, the researchers incur the risk of developing systems that only detect outdated threats, missing the most recent ones. In this paper, we conduct the largest measurement of Android malware behavior to date, analyzing over 1.2 million malware samples that belong to 1.2K families over a period of eight years (from 2010 to 2017). We aim at understanding how the behavior of Android malware has evolved over time, focusing on repackaging malware. In this type of threats different innocuous apps are piggybacked with a malicious payload (rider), allowing inexpensive malware manufacturing. One of the main challenges posed when studying repackaged malware is slicing the app to split benign components apart from the malicious ones. To address this problem, we use differential analysis to isolate software components that are irrelevant to the campaign and study the behavior of malicious riders alone. Our analysis framework relies on collective repositories and recent advances on the systematization of intelligence extracted from multiple anti-virus vendors. We find that since its infancy in 2010, the Android malware ecosystem has changed significantly, both in the type of malicious activity performed by the malicious samples and in the level of obfuscation used by malware to avoid detection. We then show that our framework can aid analysts who attempt to study unknown malware families. Finally, we discuss what our findings mean for Android malware detection research, highlighting areas that need further attention by the research community.Accepted manuscrip

Mobile Malware Behaviour through Opcode Analysis

As the popularity of mobile devices are on the rise, millions of users are now exposed to mobile malware threats. Malware is known for its ability in causing damage to mobile devices. Attackers often use it as a way to use the resources available and for other cybercriminal benefits such stealing users’ data, credentials and credit card number. Various detection techniques have been introduced in mitigating mobile malware, yet the malware author has its own method to overcome the detection method. This paper presents mobile malware analysis approaches through opcode analysis. Opcode analysis on mobile malware reveals the behaviour of malicious application in the binary level. The comparison made between the numbers of opcode occurrence from a malicious application and benign shows a significance traits. These differences can be used in classifying the malicious and benign mobile application

Android malware detection based on image-based features and machine learning techniques

Bakour, Khaled/0000-0003-3327-2822WOS:000545934700001In this paper, a malware classification model has been proposed for detecting malware samples in the Android environment. The proposed model is based on converting some files from the source of the Android applications into grayscale images. Some image-based local features and global features, including four different types of local features and three different types of global features, have been extracted from the constructed grayscale image datasets and used for training the proposed model. To the best of our knowledge, this type of features is used for the first time in the Android malware detection domain. Moreover, the bag of visual words algorithm has been used to construct one feature vector from the descriptors of the local feature extracted from each image. The extracted local and global features have been used for training multiple machine learning classifiers including Random forest, k-nearest neighbors, Decision Tree, Bagging, AdaBoost and Gradient Boost. The proposed method obtained a very high classification accuracy reached 98.75% with a typical computational time does not exceed 0.018 s for each sample. The results of the proposed model outperformed the results of all compared state-of-art models in term of both classification accuracy and computational time

Estado del arte utilizando mapeo sistemático para las técnicas de análisis de malware en android

Los ataques de Malware enfocados en Android son un problema global, para prevenir los ataques a dispositivos móviles se han propuesto técnicas para estudiar los diversos tipos de programas maliciosos. En la presente investigación se formuló un estado del arte mediante mapeo sistemático, para extraer las revistas y conferencias de mayor relevancia, de 2017 al 2021. La revisión de literatura sistemática analizó las técnicas de Malware en Android, para construir un esquema de clasificación y ponerlos en la estructura de análisis estáticos, dinámicos e híbridos. La taxonomía reveló los métodos, herramientas y sistemas de aprendizaje más utilizados, por lo que se encontraron las mejoras y limitaciones de cada una de las técnicas de análisis. Los datos cuantitativos mostrados por la métrica de acurracy con la que se identifico´ un promedio con respecto a los resultados: análisis estático = 95.36%, análisis dinámico = 92.44% y análisis hibrido = 96.81%. Por tanto, estos resultados muestran que el análisis híbrido cuenta con ventajas sobre las técnicas de análisis estático o dinámico, reduciendo sus limitaciones y mejorando la detección de Malware en Android. Finalmente, la mejor opción para analizar el malware es el aprendizaje supervisado para clasificar las nuevas generaciones de Malware a partir de dos características: sus familias y la frecuencia de uso.Malware attacks go to Android are a global prob lem, so that to prevent attacks on mobile devices, some techniques have been proposed to study the differents types of malicious programs. In this research, a state of the art was formulated using a systematic mapping, to extract the most relevant journals and conferences, from 2017 to 2021. The systematic literature review analyzed the Malware techniques in Android, in order to build a scheme of classification and put them into the structure of static, dynamic, or hybrid analyzes. The taxonomy revealed the methods, tools and learning systems more used, so that found the improvements and limitations of each of the analysis techniques. Quantitative data showed by the accuracy metric, were: static analysis = 95.36%, dynamic analysis = 92.44% and hybrid analysis = 96.81%. Therefore, these results show that the hybrid analysis has some advantages over the static or dynamic analysis technique, reducing its limitations and improving the detection of Malware in Android. Finally, the better option to analize malware is the supervised learning to classify the new generations of Malware from two features: their families and frequency used

Feature Selection on Permissions, Intents and APIs for Android Malware Detection

Malicious applications pose an enormous security threat to mobile computing devices. Currently 85% of all smartphones run Android, Google’s open-source operating system, making that platform the primary threat vector for malware attacks. Android is a platform that hosts roughly 99% of known malware to date, and is the focus of most research efforts in mobile malware detection due to its open source nature. One of the main tools used in this effort is supervised machine learning. While a decade of work has made a lot of progress in detection accuracy, there is an obstacle that each stream of research is forced to overcome, feature selection, i.e., determining which attributes of Android are most effective as inputs into machine learning models. This dissertation aims to address that problem by providing the community with an exhaustive analysis of the three primary types of Android features used by researchers: Permissions, Intents and API Calls. The intent of the report is not to describe a best performing feature set or a best performing machine learning model, nor to explain why certain Permissions, Intents or API Calls get selected above others, but rather to provide a holistic methodology to help guide feature selection for Android malware detection. The experiments used eleven different feature selection techniques covering filter methods, wrapper methods and embedded methods. Each feature selection technique was applied to seven different datasets based on the seven combinations available of Permissions, Intents and API Calls. Each of those seven datasets are from a base set of 119k Android apps. All of the result sets were then validated against three different machine learning models, Random Forest, SVM and a Neural Net, to test applicability across algorithm type. The experiments show that using a combination of Permissions, Intents and API Calls produced higher accuracy than using any of those alone or in any other combination and that feature selection should be performed on the combined dataset, not by feature type and then combined. The data also shows that, in general, a feature set size of 200 or more attributes is required for optimal results. Finally, the feature selection methods Relief, Correlation-based Feature Selection (CFS) and Recursive Feature Elimination (RFE) using a Neural Net are not satisfactory approaches for Android malware detection work. Based on the proposed methodology and experiments, this research provided insights into feature selection – a significant but often overlooked issue in Android malware detection. We believe the results reported herein is an important step for effective feature evaluation and selection in assisting malware detection especially for datasets with a large number of features. The methodology also has the potential to be applied to similar malware detection tasks or even in broader domains such as pattern recognition

STASH : Securing transparent authentication schemes using prover-side proximity verification

Peer reviewe

Reinforcing the weakest link in cyber security: securing systems and software against attacks targeting unwary users

Unwary computer users are often blamed as the weakest link on the security chain, for unknowingly facilitating incoming cyber attacks and jeopardizing the efforts to secure systems and networks. However, in my opinion, average users should not bear the blame because of their lack of expertise to predict the security consequence of every action they perform, such as browsing a webpage, downloading software to their computers, or installing an application to their mobile devices. My thesis work aims to secure software and systems by reducing or eliminating the chances where users’ mere action can unintentionally enable external exploits and attacks. In achieving this goal, I follow two complementary paths: (i) building runtime monitors to identify and interrupt the attack-triggering user actions; (ii) designing offline detectors for the software vulnerabilities that allow for such actions. To maximize the impact, I focus on securing software that either serve the largest number of users (e.g. web browsers) or experience the fastest user growth (e.g. smartphone apps), despite the platform distinctions. I have addressed the two dominant attacks through which most malicious software (a.k.a. malware) infections happen on the web: drive-by download and rogue websites. BLADE, an OS kernel extension, infers user intent through OS-level events and prevents the execution of download files that cannot be attributed to any user intent. Operating as a browser extension and identifying malicious post-search redirections, SURF protects search engine users from falling into the trap of poisoned search results that lead to fraudulent websites. In the infancy of security problems on mobile devices, I built Dalysis, the first comprehensive static program analysis framework for vetting Android apps in bytecode form. Based on Dalysis, CHEX detects the component hijacking vulnerability in large volumes of apps. My thesis as a whole explores, realizes, and evaluates a new perspective of securing software and system, which limits or avoids the unwanted security consequences caused by unwary users. It shows that, with the proposed approaches, software can be reasonably well protected against attacks targeting its unwary users. The knowledge and insights gained throughout the course of developing the thesis have advanced the community’s awareness of the threats and the increasing importance of considering unwary users when designing and securing systems. Each work included in this thesis has yielded at least one practical threat mitigation system. Evaluated by the large-scale real-world experiments, these systems have demonstrated the effectiveness at thwarting the security threats faced by most unwary users today. The threats addressed by this thesis have span multiple computing platforms, such as desktop operating systems, the Web, and smartphone devices, which highlight the broad impact of the thesis.Ph.D