Computer Science ›› 2017, Vol. 44 ›› Issue (6): 161-167. doi: 10.11896/j.issn.1002-137X.2017.06.027


Two-layer Semantics-based Security Detection Approach for Android Native Libraries

YE Yi-lin, WU Li-fa and YAN Hui-ying   

Online: 2018-11-13    Published: 2018-11-13

Abstract: Native code is widely used in Android applications, and it provides attackers with a new attack vector that raises increasing security concerns. Existing Android malware detection approaches mainly analyze Java code, or the Dalvik code compiled from it, and ignore the native code that Android applications use. To address this emerging threat, this paper proposes a two-layer semantics-based security detection method for Android native libraries. First, on the basis of native method call paths, the Java-layer semantics of a native method are extracted by analyzing the data dependence between native methods and Java methods and the type of the entry points of the native method call paths. For the native-layer semantics, five kinds of suspicious behaviour are defined: data uploading, data downloading, reading or writing in sensitive system paths, sensitive strings, and suspicious calling of Java methods. IDA Pro and IDA Python are used to analyze these behaviours in the native code. Experiments are conducted with the open-source machine learning tool Weka on 5336 benign Android applications and 3426 Android malware samples; the best accuracy reaches 92.4%. This shows that the method can effectively evaluate the security of native libraries used in Android applications.
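The native-layer half of the method maps a library to five binary behaviour features and hands them to Weka. The script below is an added illustration of that step, not code from the paper: it assumes an IDAPython pass has already dumped each library's imported symbols and string literals (the sample lists are constructed here), derives the five features with simple indicator sets (the function names, path prefixes and Java class watchlist are assumptions chosen for illustration), and writes the rows in Weka's ARFF format. The Java-layer call-path analysis is not covered.

```python
import re
from typing import Dict, Iterable, List

# Assumption: an IDAPython script has already dumped, for each .so, the names
# of imported functions and the string literals found in the binary. The lists
# below are constructed samples standing in for such a dump; they are not
# contents of a real library and not data from the paper.
SAMPLE_IMPORTS: List[str] = [
    "socket", "connect", "send", "recv", "fopen", "fwrite", "strlen",
    "__android_log_print",
]
SAMPLE_STRINGS: List[str] = [
    "http://example.invalid/upload.php",
    "/data/data/com.example.app/files/id",
    "/system/bin/su",
    "android/telephony/TelephonyManager",
    "()Ljava/lang/String;",
]
BENIGN_IMPORTS: List[str] = ["memcpy", "malloc", "free", "strlen"]
BENIGN_STRINGS: List[str] = ["libpng version 1.6", "IDAT", "rgba"]

# The five native-layer behaviours named in the abstract, in feature order.
FEATURES = ["data_upload", "data_download", "sensitive_path_rw",
            "sensitive_string", "java_call"]

# Indicator sets (assumptions for illustration; a real detector would tune them).
NET_FUNCS = {"socket", "connect", "getaddrinfo"}
SEND_FUNCS = {"send", "sendto", "sendmsg", "curl_easy_perform"}
RECV_FUNCS = {"recv", "recvfrom", "recvmsg", "curl_easy_perform"}
FILE_FUNCS = {"fopen", "open", "fread", "fwrite", "read", "write"}
SENSITIVE_PATH_RE = re.compile(r"^/(system|data/data|proc|dev|sdcard)(/|$)")
SENSITIVE_STR_RE = re.compile(r"(^|/)(su|busybox|chmod|mount|insmod)$|/bin/sh|IMEI")
URL_RE = re.compile(r"^https?://", re.I)
# A JNI method descriptor such as "()V" or "(I)Ljava/lang/String;" shows the
# library resolves Java methods through GetMethodID before calling them.
JNI_DESC_RE = re.compile(r"^\(.*\)[VZBCSIJFDL\[]")
WATCHED_JAVA_CLASSES = ("android/telephony/", "java/lang/Runtime",
                        "dalvik/system/DexClassLoader", "android/app/admin/")


def extract_native_features(imports: Iterable[str],
                            strings: Iterable[str]) -> Dict[str, int]:
    """Map one library's imports and strings to the five 0/1 behaviour features."""
    imps = set(imports)
    strs = list(strings)
    has_url = any(URL_RE.search(s) for s in strs)
    net_evidence = bool(imps & NET_FUNCS) or has_url
    has_sensitive_path = any(SENSITIVE_PATH_RE.search(s) for s in strs)
    has_jni_desc = any(JNI_DESC_RE.search(s) for s in strs)
    has_watched_class = any(s.startswith(WATCHED_JAVA_CLASSES) for s in strs)
    return {
        # Uploading: a sending primitive plus evidence of a network endpoint.
        "data_upload": int(bool(imps & SEND_FUNCS) and net_evidence),
        # Downloading: a receiving primitive plus the same network evidence.
        "data_download": int(bool(imps & RECV_FUNCS) and net_evidence),
        # File I/O combined with a literal path under a sensitive prefix.
        "sensitive_path_rw": int(bool(imps & FILE_FUNCS) and has_sensitive_path),
        # Any string on the sensitive-string watchlist.
        "sensitive_string": int(any(SENSITIVE_STR_RE.search(s) for s in strs)),
        # JNI call into a watched Java class (descriptor + class name present).
        "java_call": int(has_jni_desc and has_watched_class),
    }


def arff_header(relation: str = "native_lib_semantics") -> str:
    """ARFF header with one nominal {0,1} attribute per feature plus the class."""
    lines = [f"@relation {relation}", ""]
    lines += [f"@attribute {f} {{0,1}}" for f in FEATURES]
    lines += ["@attribute class {benign,malware}", "", "@data"]
    return "\n".join(lines)


def arff_row(features: Dict[str, int], label: str) -> str:
    """One ARFF data line in FEATURES order, ending with the class label."""
    return ",".join(str(features[f]) for f in FEATURES) + "," + label


if __name__ == "__main__":
    print(arff_header())
    print(arff_row(extract_native_features(SAMPLE_IMPORTS, SAMPLE_STRINGS), "malware"))
    print(arff_row(extract_native_features(BENIGN_IMPORTS, BENIGN_STRINGS), "benign"))
```

Each feature deliberately requires two kinds of evidence (a primitive and a string, or a descriptor and a class name) so that a single innocuous import does not flip it; the resulting ARFF file can be loaded directly into Weka for the classification step the abstract describes.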

Key words: Android application, Malware detection, Semantics, Native library, Machine learning

