Detection of repackaged mobile applications through a collaborative approach

none4noRepackaged applications are based on genuine applications, but they subtlety include some modifications. In particular, trojanized applications are one of the most dangerous threats for smartphones. Malware code may be hidden inside applications to access private data or to leak user credit. In this paper, we propose a contract-based approach to detect such repackaged applications, where a contract specifies the set of legal actions that can be performed by an application. Current methods to generate contracts lack information from real usage scenarios, thus being inaccurate and too coarse-grained. This may result either in generating too many false positives or in missing misbehaviors when verifying the compliance between the application and the contract. In the proposed framework, application contracts are generated dynamically by a central server merging execution traces collected and shared continuously by collaborative users executing the application. More precisely, quantitative information extracted from execution traces is used to define a contract describing the expected application behavior, which is deployed to the cooperating users. Then, every user can use the received contract to check whether the related application is either genuine or repackaged. Such a verification is based on an enforcement mechanism that monitors the application execution at run-time and compares it against the contract through statistical tests.openAlessandro Aldini; Fabio Martinelli; Andrea Saracino; Daniele SgandurraAldini, Alessandro; Fabio, Martinelli; Andrea, Saracino; Daniele, Sgandurr

Forced-Path Execution for Android Applications on x86 Platforms

Abstract—We present a code analysis framework that performs scalable forced-path execution of Android applications in commodity hardware. Our goal is to reveal the full application functional behavior for large commercial applications without access to source code. We do so by identifying code blocks and API calls that are deemed sensitive and provide a security report to an analyst regarding the functionality of the Android application that is under inspection. We show that our approach is scalable by allowing for the execution of each software component by numerous instances of execution modules. Each execution instance exercises a different code path through the application call-graph leading to full code and state space coverage and exposing any hidden or unwanted functionality. The output is a list of API calls, parameter values, component call graphs, and control flow graphs. We show how this can be leveraged for automated policy enforcement of runtime functionality. Index Terms—Android OS; Application Analysis; Emulation; I

Enforcing Application Security on Android Mobile Devices

Security in new generation mobile devices is currently a problem of capital importance. Smartphones and tablets have become extremely popular in the last years, especially in developed country where smartphones and tablets account for 95% of active mobile devices. Due to their popularity, these devices have fast drawn the attention of malicious developers. Attackers have started to implement and distribute applications able to harm user’s privacy, user’s money and even device and data integrity. Malicious developers have cleverly exploited the simplicity of app distribution, the sensitivity of information and operation accessible through mobile devices, together with the user limited attention to security issues. This thesis presents the study, design and implementation of a multi-component security framework for the popular Android operative system. The aim of this thesis is to provide a lightweight and user friendly security tool, extensible and modular, able to tackle current and future security threats on Android devices. The framework exploits white list-based methodologies to detect at runtime malicious behaviors of application, without being prone to the problem of zero-day-attacks (i.e. new threats not yet discovered by the community). The white-list approach is combined with a black-list security enforcement, to reduce the likelihood of false alarms and to tackle known misbehaviors before they effectively take place. Moreover the framework also combines static and dynamic analysis. It exploits probabilistic contract theory and app metadata to detect dangerous applications before they are installed (static analysis). Furthermore, detects and stop malicious kernel level events and API calls issued by applications at runtime (dynamic analysis), to avoid harm to user and her device. The framework is configurable and can be both totally transparent to the user, or have a stronger interaction when the user is more interested in a security awareness of her device. The presented security framework has been extensively tested against a testbed of more than 12000 applications including two large Android malware databases. Detection rate (95%) and false positive rate (1 per day) prove the effectiveness of the presented framework. Furthermore, a study of usability which includes energy evaluation and more than 200 user feedback is presented. These results show both the limited overhead (4% battery, 1.4% performance) imposed by the framework and the good user acceptance