Cross-layer dynamic analysis of Android applications

Abstract

Android has become the most popular mobile operating system, and billions of Android applications (apps) have been downloaded from the both official and various third-party markets. Unfortunately, not all apps are benign or well designed, and understanding the behaviours of Android apps is essential for analyzing and detecting malicious apps. To achieve this goal, various static bytecode analysis and dynamic behavior analysis approaches have been proposed. This thesis focuses on dynamic analysis because static analysis could be impeded by the dynamic features of programming languages or the protection mechanisms adopted by apps. Although a number of dynamic analysis approaches have been proposed to monitor the behaviours of Android apps and profile performance issues, the state-of-the-art methods are limited in their ability to deal with the multiple-layer nature of Android, and thus they cannot analyze and correlate an app's behaviours in various layers and track its cross-layer information leakage flow. In this thesis, we propose novel cross-layer dynamic analysis mechanisms and develop efficient tools to inspect Android apps. More precisely, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime, i.e., the ART runtime. Malton runs on real mobile devices and provides a comprehensive view of malware's behaviours by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than the existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviours of these samples. Android malware are also becoming more and more sophisticated to evade detection and analysis; one of the most popular techniques adopted by Android malware to protect themselves is packing. Packing services were provided to protect benign apps from being pirated, but Android malware authors also start to adopt packing services to protect the malware from being detected and analyzed. Hence, we propose a novel adaptive approach and develop PackerGrind, a new tool based on cross-layer inspection, to unpack Android apps. Packing services (or packers) have been used by not only app developers to protect their apps but also attackers to hide the malicious component and evade the detection. Although there are a few recent studies on unpacking Android apps, it has been shown that the evolving packers can easily circumvent them because they are not adaptive to the changes of packers. PackerGrind can reveal the protection mechanisms of packers, recover the Dex files with low overhead, and handle the evolution of packers. In addition, to improve the efficiency of malware detection, there are various cloud-based Android malware detection approaches proposed. These approaches obtain the behaviors of Android apps on mobile devices, then upload the obtained information to the server for malware detection, and obtain the detection result when detection finishes. When we use these cloud-based detection mechanism, we need take the network performance into account because, if we upload the behaviours of apps and download detection results under poor network status, network traffic jam could be caused. However, when we measure the network performance using existing mobile network measurement apps, there are a set of factors (e.g., Android system architecture and implementation patterns) that could affect the measurement results. We employ the cross-layer dynamic analysis mechanism to conduct the first systematic study on the factors that could bias the measurement results of network features. In particular, we identify new factors, revisit known factors, and propose a novel approach with new tools to discover these factors in proprietary apps. We also develop a new measurement app named MobiScope for demonstrating how to mitigate the negative effects of these factors and obtain the accurate and stable network features. The extensive experimental results illustrate the negative effects of various factors and the improvement in network measurement brought by MobiScope.