Author: | Xue, Lei |
Title: | Cross-layer dynamic analysis of Android applications |
Advisors: | Luo, Xiapu (COMP) |
Degree: | Ph.D. |
Year: | 2017 |
Subject: | Hong Kong Polytechnic University -- Dissertations Smartphones -- Security measures Mobile computing -- Security measures Malware (Computer software) Operating systems (Computers) |
Department: | Department of Computing |
Pages: | xvi, 137 pages : illustrations |
Language: | English |
Abstract: | Android has become the most popular mobile operating system, and billions of Android applications (apps) have been downloaded from the both official and various third-party markets. Unfortunately, not all apps are benign or well designed, and understanding the behaviours of Android apps is essential for analyzing and detecting malicious apps. To achieve this goal, various static bytecode analysis and dynamic behavior analysis approaches have been proposed. This thesis focuses on dynamic analysis because static analysis could be impeded by the dynamic features of programming languages or the protection mechanisms adopted by apps. Although a number of dynamic analysis approaches have been proposed to monitor the behaviours of Android apps and profile performance issues, the state-of-the-art methods are limited in their ability to deal with the multiple-layer nature of Android, and thus they cannot analyze and correlate an app's behaviours in various layers and track its cross-layer information leakage flow. In this thesis, we propose novel cross-layer dynamic analysis mechanisms and develop efficient tools to inspect Android apps. More precisely, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime, i.e., the ART runtime. Malton runs on real mobile devices and provides a comprehensive view of malware's behaviours by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than the existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviours of these samples. Android malware are also becoming more and more sophisticated to evade detection and analysis; one of the most popular techniques adopted by Android malware to protect themselves is packing. Packing services were provided to protect benign apps from being pirated, but Android malware authors also start to adopt packing services to protect the malware from being detected and analyzed. Hence, we propose a novel adaptive approach and develop PackerGrind, a new tool based on cross-layer inspection, to unpack Android apps. Packing services (or packers) have been used by not only app developers to protect their apps but also attackers to hide the malicious component and evade the detection. Although there are a few recent studies on unpacking Android apps, it has been shown that the evolving packers can easily circumvent them because they are not adaptive to the changes of packers. PackerGrind can reveal the protection mechanisms of packers, recover the Dex files with low overhead, and handle the evolution of packers. In addition, to improve the efficiency of malware detection, there are various cloud-based Android malware detection approaches proposed. These approaches obtain the behaviors of Android apps on mobile devices, then upload the obtained information to the server for malware detection, and obtain the detection result when detection finishes. When we use these cloud-based detection mechanism, we need take the network performance into account because, if we upload the behaviours of apps and download detection results under poor network status, network traffic jam could be caused. However, when we measure the network performance using existing mobile network measurement apps, there are a set of factors (e.g., Android system architecture and implementation patterns) that could affect the measurement results. We employ the cross-layer dynamic analysis mechanism to conduct the first systematic study on the factors that could bias the measurement results of network features. In particular, we identify new factors, revisit known factors, and propose a novel approach with new tools to discover these factors in proprietary apps. We also develop a new measurement app named MobiScope for demonstrating how to mitigate the negative effects of these factors and obtain the accurate and stable network features. The extensive experimental results illustrate the negative effects of various factors and the improvement in network measurement brought by MobiScope. |
Rights: | All rights reserved |
Access: | open access |
Files in This Item:
File | Description | Size | Format | |
---|---|---|---|---|
991022020028903411.pdf | For All Users | 1.4 MB | Adobe PDF | View/Open |
Copyright Undertaking
As a bona fide Library user, I declare that:
- I will abide by the rules and legal ordinances governing copyright regarding the use of the Database.
- I will use the Database for the purpose of my research or private study only and not for circulation or further reproduction or any other purpose.
- I agree to indemnify and hold the University harmless from and against any loss, damage, cost, liability or expenses arising from copyright infringement or unauthorized usage.
By downloading any item(s) listed above, you acknowledge that you have read and understood the copyright undertaking as stated above, and agree to be bound by all of its terms.
Please use this identifier to cite or link to this item:
https://theses.lib.polyu.edu.hk/handle/200/9236