ANDRUBIS -- 1,000,000 Apps Later: A View on Current Android Malware Behaviors

Lindorfer, Martina; Neugschwandtner, Matthias; Weichselbaum, Lukas; Fratantonio, Yanick; Veen, Victor van der; Platzer, Christian

doi:10.1109/badgers.2014.7

Cited by 248 publications

(146 citation statements)

References 22 publications

Supporting

Mentioning

138

Contrasting

Order By: Relevance

“…We prefer this method for keeping the application behaviors pristine, and particularly not inducing additional bugs. Andrubis [2] and DroidScope [10] use similar approaches for tracing method calls.…”

Section: Features Analyzedmentioning

confidence: 99%

“…to navigation events (motion, click). Because of its capacity to quickly explore applications activities, it has been used by most of dynamic analysis systems (AASandbox [7], AppsPlayground [11], Andrubis [2], [13], HADM [15], Maline [16]). Monkey is sometimes confused with Monkey Runner [22] in the literature, which is a python library for writing Android test routines.…”

Section: Automated Testing Strategiesmentioning

confidence: 99%

“…It cannot be detected by the guest since it is out of its reach and it is therefore convenient for security analysis. Andrubis [2], CopperDroid [14] and DroidScope [10] take advantage of VMI to retrieve, unseen by the target malware, all systems calls done by the guest Android virtual machine.…”

Section: Features Analyzedmentioning

confidence: 99%

“…Finally, emulation suffers from inherent slowness and causes more application crashes than real devices. Dealing with virtual device evasion is a never-ending war and comes with a non-negligible computation cost [2]. To overcome this state of affairs, we propose a system that does not use virtual devices for analysing malware behavior.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices

Irolla

Filiol

2017

Proceedings of the 3rd International Conference on Information Systems Security and Privacy

View full text Add to dashboard Cite

Android is the most widely used smartphone OS with 82.8% market share in 2015 [1]. It is therefore the most widely targeted system by malware authors. To detect these malicious applications before they are installed on users phones, we need an automated analysis. Researchers rely on dynamic analysis to extract malware behaviors and often use emulators to do so. However, using emulators lead to new issues. Currently emulators cannot emulate SIM card, camera and microphone -components that are likely to be used by malware applications. Moreover, malware may detect emulation and as a result it does not execute the payload to prevent the analysis. Finally, emulation suffers from inherent slowness and causes more application crashes than real devices. Dealing with virtual device evasion is a never-ending war and comes with a non-negligible computation cost [2]. To overcome this state of affairs, we propose a system that does not use virtual devices for analysing malware behavior.Glassbox is a functional prototype for the dynamic analysis of malware applications. It executes applications on real devices in a monitored and controlled environment. It is a fully automated system that installs, tests and extracts features from the application for further analysis. The environment is controlled in a way that Glassbox neither suffers from malware nor becomes an infection vector through the control of web requests, calls and SMS/MMS. The features extracted are Java calls, system calls and both encrypted and non encrypted web requests. In this paper, we present the architecture of the platform and we compare it with existing Android dynamic analysis platforms.Lastly, we evaluate the capacity of Glassbox to trigger application behaviors by measuring the average coverage of basic blocks on the AndroCoverage dataset [3]. We show that it executes on average 13.52% more basic blocks than the Monkey program.

show abstract

Section: Features Analyzedmentioning

confidence: 99%

Section: Automated Testing Strategiesmentioning

confidence: 99%

Section: Features Analyzedmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices

Irolla

Filiol

2017

Proceedings of the 3rd International Conference on Information Systems Security and Privacy

View full text Add to dashboard Cite

show abstract

“…For the case of Android, there were extensive data on what malware does. Specifically, a study in "Andrubis-1,000,000 Apps Later: A View on Current Android Malware Behaviors" (Lindorfer et al, 2014) used dynamic and static analysis to analyze roughly 400,000 malware apps taken from various malware corpora. We found much less information on iOS malware and were thus forced to focus on a small list of known, existing iOS malware and to examine how the data that these pursue lined up with the more-detailed statistics available on Android.…”

Section: Malware Effectsmentioning

confidence: 99%

Can Smartphones and Privacy Coexist? Assessing Technologies and Regulations Protecting Personal Data on Android and iOS Devices

Yerukhimovich¹,

Balebako²,

Boustead³

et al. 2016

View full text Add to dashboard Cite

Measuring the risk value of sensitive dataflow path in Android applications

Feng

2016

Security Comm Networks

View full text Add to dashboard Cite

Nowadays, smartphones carry large amounts of user privacy and sensitive data. With the popularity of the Android operating system, the cases of sensitive date leakage in Android applications are on the rise and are causing a great loss to Android users. In order to mitigate this condition, static and dynamic taint analysis are applied to precisely detect sensitive data leakages. These approaches cannot distinguish sensitive data leakages in benign apps from the ones in malicious apps. Recently, the difference on sensitive data flows between benign apps and malicious apps has been found to be significant. In this paper, we further find that there exists great difference between benign and malicious apps on the frequencies of sensitive dataflow paths. This difference can be used to enforce a risk value over every sensitive dataflow path. This risk value can guide the identification of sensitive data leakages in malicious apps. We present RISKPATH, a tool that automatically calculates the risk values for sensitive dataflow paths in Android applications. Applying the result of RISKPATH to MUDFLOW framework, we increase the true positive rate of malware detection by 3.96–6.54% on different datasets with reasonable increase in time and memory consumption. Copyright © 2017 John Wiley & Sons, Ltd.

show abstract

ANDRUBIS -- 1,000,000 Apps Later: A View on Current Android Malware Behaviors

Cited by 248 publications

References 22 publications

Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices

Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices

Can Smartphones and Privacy Coexist? Assessing Technologies and Regulations Protecting Personal Data on Android and iOS Devices

Measuring the risk value of sensitive dataflow path in Android applications

Contact Info

Product

Resources

About