DroidAlarm: an all-sided static analysis tool for Android privilege-escalation malware

  • Authors: Yibing Zhongyang, Zhi Xin, Bing Mao, Li Xie
  • Affiliations: Nanjing University, Nanjing, China (all authors)
  • Venue: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
  • Year: 2013


Abstract

Smartphones store diverse sensitive private information, including credit card data, so a great deal of malware seeks to tamper with them. On Android, one of the most prevalent platforms, sensitive resources can only be accessed through the corresponding APIs, and those APIs can be invoked only when the user has granted the required permissions under the Android permission model. However, a novel threat called the privilege escalation attack can bypass this watchdog: an application with fewer permissions accesses sensitive resources through the public interfaces of a more privileged application, which is especially useful for malware that hides sensitive functionality by dispersing it across multiple programs. We explore privilege-escalation malware evolution techniques on samples from the Android Malware Genome Project, and they show great effectiveness against a set of powerful antivirus tools provided by VirusTotal: the detection ratios drop markedly and to differing degrees, compared to an average 61% detection ratio before transformation. To counter this threat model, we have developed a tool called DroidAlarm that conducts a full-spectrum static analysis of Android applications to identify potential capability leaks and presents concrete capability leak paths. DroidAlarm still alarms on all of these transformed samples by exposing the capability leak paths in them.
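As an added illustration of the capability-leak entry points the abstract describes (this is not DroidAlarm's code; the sample manifest, package name and permission watch-list are constructed for the example), the check below flags components that are exported yet unguarded by an `android:permission` in an app that itself holds sensitive permissions. A full analyser like the paper's would go on to trace code paths from each flagged component to the privileged API call; this only finds the candidate entry points.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Constructed watch-list of permissions treated as sensitive for this example.
SENSITIVE = {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
             "android.permission.ACCESS_FINE_LOCATION"}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def _attr(elem, name):
    """Read a namespaced android:* attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def find_candidate_leaks(manifest_xml):
    """Return (held sensitive permissions, [(tag, component name), ...])
    for exported components that no permission protects."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    held = {_attr(p, "name") for p in root.iter("uses-permission")} & SENSITIVE
    if not held:
        return held, []  # no sensitive capability that could leak
    leaks = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        if exported is None:
            # Simplification: with no explicit flag, an intent-filter implies export
            # (the real default also depends on component type and targetSdkVersion)
            is_exported = comp.find("intent-filter") is not None
        else:
            is_exported = exported.lower() == "true"
        if is_exported and _attr(comp, "permission") is None:
            name = _attr(comp, "name")
            leaks.append((comp.tag, pkg + name if name.startswith(".") else name))
    return held, leaks

# Constructed sample: the app may send SMS and exposes two unguarded components.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.leaky">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SmsService" android:exported="true"/>
    <receiver android:name=".GuardedReceiver" android:exported="true"
              android:permission="com.example.leaky.INTERNAL"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(find_candidate_leaks(SAMPLE_MANIFEST))
```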