Abstract
With over 1,400,000 Android applications in Google Play alone, and dozens of other marketplaces, Android malware unfortunately has no difficulty sneaking in and spreading silently. Known malware and their variants are nowadays quite well detected by anti-virus scanners; fundamentally new and unknown malware, however, remains an issue. To assist research teams in discovering such new malware, we built an infrastructure, named SherlockDroid, whose goal is to filter out the mass of applications and keep only those most likely to be malicious, for later inspection by anti-virus teams. SherlockDroid consists of marketplace crawlers, code-level property extractors and a classification tool named Alligator, which decides whether a sample looks malicious based on prior learning. In our tests, we extracted properties from and classified over 480K applications. During two crawling campaigns, in July 2014 and October 2014, SherlockDroid crawled over 120K applications, leading to the detection of one new malware, Android/Odpa.A!tr.spy, and two new riskware. Together with previous findings, this brings SherlockDroid and Alligator's "Hall of Shame" to 8 malware and potentially unwanted applications.
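The abstract describes a three-stage pipeline: extract code-level properties from each crawled application, discard applications not worth further analysis, and let a classifier trained on labelled samples decide which remaining ones look malicious. The following is an added illustration of that shape written for this page; it is not SherlockDroid or Alligator code. The manifest, the property list, the permission gate and the training vectors are all constructed assumptions, and the classifier is a plain Bernoulli naive Bayes rather than whatever Alligator uses internally. The permission gate mirrors the kind of choice Note 2 of the paper describes as customisable.

```python
"""Toy version of the pipeline described in the abstract: extract properties,
pre-filter on permissions, classify with a model learned from labelled
samples.  Added illustration, not SherlockDroid or Alligator code; the
manifest, property list, gate set and training data are constructed
assumptions for this example."""
import math
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Assumed gate: apps requesting none of these are not analysed further.
GATE_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
}

# Assumed boolean properties, in feature-vector order.
PROPERTIES = [
    "perm_internet", "perm_send_sms", "perm_receive_sms",
    "perm_read_contacts", "perm_receive_boot", "has_sms_receiver",
]

# Constructed sample manifest (decoded text, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed labelled training vectors (1 = suspicious, 0 = clean).
TRAINING = [
    ([1, 1, 1, 0, 1, 1], 1), ([1, 0, 1, 1, 1, 1], 1),
    ([1, 1, 0, 1, 0, 0], 1), ([1, 1, 1, 0, 0, 1], 1),
    ([1, 0, 0, 0, 0, 0], 0), ([1, 0, 0, 1, 0, 0], 0),
    ([0, 0, 0, 0, 0, 0], 0), ([1, 0, 0, 0, 1, 0], 0),
]


def requested_permissions(root):
    return {e.get(NAME) for e in root.iter("uses-permission")}


def extract_properties(manifest_xml):
    """Return {property: bool} from decoded AndroidManifest.xml text.
    Real APKs carry a binary (AXML) manifest; decoding it is out of scope."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    actions = {e.get(NAME) for e in root.iter("action")}
    return {
        "perm_internet": "android.permission.INTERNET" in perms,
        "perm_send_sms": "android.permission.SEND_SMS" in perms,
        "perm_receive_sms": "android.permission.RECEIVE_SMS" in perms,
        "perm_read_contacts": "android.permission.READ_CONTACTS" in perms,
        "perm_receive_boot": "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
        "has_sms_receiver": "android.provider.Telephony.SMS_RECEIVED" in actions,
    }


def passes_permission_gate(manifest_xml):
    """Cheap pre-filter: keep only apps requesting at least one gate permission."""
    root = ET.fromstring(manifest_xml)
    return bool(requested_permissions(root) & GATE_PERMISSIONS)


def train_bernoulli_nb(samples):
    """Learn log P(class) and P(prop=1 | class) with Laplace smoothing."""
    model = {}
    for cls in (0, 1):
        rows = [x for x, y in samples if y == cls]
        n = len(rows)
        prior = math.log(n / len(samples))
        p1 = [(sum(r[i] for r in rows) + 1) / (n + 2) for i in range(len(PROPERTIES))]
        model[cls] = (prior, p1)
    return model


def score(model, props):
    """Return P(suspicious | properties) under the naive Bayes model."""
    x = [1 if props[p] else 0 for p in PROPERTIES]
    logp = {}
    for cls, (prior, p1) in model.items():
        ll = prior
        for xi, pi in zip(x, p1):
            ll += math.log(pi) if xi else math.log(1 - pi)
        logp[cls] = ll
    m = max(logp.values())                      # normalise in log space
    z = sum(math.exp(v - m) for v in logp.values())
    return math.exp(logp[1] - m) / z


MODEL = train_bernoulli_nb(TRAINING)


def triage(manifest_xml, model=MODEL, threshold=0.5):
    """Gate -> properties -> classifier -> verdict ("skipped"/"clean"/"suspicious")."""
    if not passes_permission_gate(manifest_xml):
        return "skipped"
    p = score(model, extract_properties(manifest_xml))
    return "suspicious" if p >= threshold else "clean"


if __name__ == "__main__":
    props = extract_properties(SAMPLE_MANIFEST)
    print(props)
    print("P(suspicious) = %.3f" % score(MODEL, props))
    print(triage(SAMPLE_MANIFEST))
```

On the constructed sample the SMS-interception and boot-persistence properties push the naive Bayes posterior to 0.9, so the app would be kept for a human analyst; an INTERNET-only app scores well below the threshold, and an app requesting none of the gate permissions never reaches the classifier at all. The gate is deliberately cheap because the abstract's numbers (over 480K classified, over 120K crawled per campaign pair) make per-app cost the dominant constraint.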
Notes
Mechanical Turk is a web service where registered users get paid to carry out simple tasks.
Respectively http://www.papktop.com/, http://www.appsapk.com, http://slideme.org/ and http://www.nduoa.com.
Note this is purely a customizable implementation choice. We might change it in the future if we notice malware commonly bypass those permissions.
We compared with jlibsvm [37].
References
Harley, D., Lee, A.: Heuristic analysis—detecting unknown viruses. http://www.eset.com/us/resources/white-papers/Heuristic_Analysis.pdf (2007)
Cohen, F.: Computer viruses—theory and experiments. Comput. Secur. 6, 22–35 (1987)
Mills, E.: Users upset after CA anti-virus detects Windows system file as virus (2009). http://www.cnet.com/news/users-upset-after-ca-anti-virus-detects-windows-system-file-as-virus/
Popa, B.: AVG anti-virus breaks down Windows XP due to false positive. http://news.softpedia.com/news/AVG-Anti-Virus-Breaks-Down-Windows-XP-Due-to-False-Positive-337395.shtml (2013)
Seltzer, L.: Lessons of the McAfee false positive Fiasco. http://securitywatch.pcmag.com/malware/283982-lessons-of-the-mcafee-false-positive-fiasco (2010)
Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for Android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM '11, pp. 15–26. ACM, New York, NY, USA (2011)
Dini, G., Martinelli, F., Saracino, A., Sgandurra, D.: MADAM: a multi-level anomaly detector for Android malware. In: Computer Network Security: 6th International Conference on Mathematical Methods, Models and Architectures for Computer Network Security (MMM-ACNS 2012), Lecture Notes in Computer Science, vol. 7531, pp. 240–253. Springer, St. Petersburg, Russia (2012)
Xie, L., Zhang, X., Seifert, J.P., Zhu, S.: pBMDS: a behavior-based malware detection system for cellphone devices. In: Proceedings of the third ACM conference on Wireless network security. WiSec ’10, pp. 37–48. ACM, New York, NY, USA (2010)
Lindorfer, M., et al.: Andrubis—1,000,000 apps later: a view on current Android malware behaviors. In: Proceedings of the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS) (2014)
Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI '10, pp. 1–6. USENIX Association, Berkeley, CA, USA (2010). URL http://dl.acm.org/citation.cfm?id=1924943.1924971
Lindorfer, M., et al.: AndRadar: fast discovery of Android applications in alternative markets. In: Proceedings of the 11th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) (2014)
Viennot, N., Garcia, E., Nieh, J.: A measurement study of google play. In: The 2014 ACM International Conference on Measurement and Modeling of Computer Systems, SIGMETRICS ’14, pp. 221–233. ACM, New York, NY, USA (2014)
Aung, Z., Zaw, W.: Permission-based Android malware detection. Int. J. Sci. Technol. Res. 2 (2013)
Yan, L.K., Yin, H.: DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis. In: USENIX Security Symposium, pp. 569–584 (2012)
Bläsing, T., Schmidt, A.D., Batyuk, L., Camtepe, S.A., Albayrak, S.: An Android application Sandbox System for suspicious software detection. In: 5th International Conference on Malicious and Unwanted Software (MALWARE’2010). Nancy, France (2010)
Shabtai, A., Kanonov, U., Elovici, Y., Glezer, C., Weiss, Y.: "Andromaly": a behavioral malware detection framework for Android devices. J. Intell. Inf. Syst. 38(1), 161–190 (2012). doi:10.1007/s10844-010-0148-x
Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., Rieck, K.: DREBIN: effective and explainable detection of Android malware in your pocket. In: Proceedings of the 21st Network and Distributed System Security Symposium (NDSS) (2014)
Rastogi, V., Chen, Y., Enck, W.: AppsPlayground: automatic security analysis of smartphone applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, CODASPY '13, pp. 209–220. ACM, New York, NY, USA (2013)
Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious apps in official and alternative Android markets. In: Proceedings of the 19th Network and Distributed System Security Symposium (NDSS 2012). San Diego, CA, USA (2012)
Reina, A., Fattori, A., Cavallaro, L.: A system call-centric analysis and stimulation technique to automatically reconstruct Android malware behaviors. In: Proceedings of the 6th European Workshop on System Security (EUROSEC 2013). Prague, Czech Republic (2013)
Apvrille, A., Strazzere, T.: Reducing the window of opportunity for Android malware. Gotta catch’em all. J. Comput. Virol. 8, 61–71 (2012)
Demiroz, A.: Google play crawler java api. https://github.com/Akdeniz/google-play-crawler
INTERPOL, Kaspersky Lab: 60% of Android attacks use financial malware. http://www.kaspersky.com/about/news/virus/2014/sixty-per-cent-of-Android-attacks-use-financial-malware
Chakradeo, S., Reaves, B., Traynor, P., Enck, W.: MAST: triage for market-scale mobile malware analysis. In: Proceedings of 6th WiSec (2013)
Sanz, B., Santos, I., Laorden, C., Ugarte-Pedrero, X., Bringas, P.G., Maranon, G.A.: PUMA: permission usage to detect malware in Android. In: Herrero, Á., Snášel, V., Abraham, A., Zelinka, I., Baruque, B., Quintián, H., Calvo, J.L., Sedano, J., Corchado, E. (eds.) CISIS/ICEUTE/SOCO Special Sessions, Advances in Intelligent Systems and Computing, vol. 189, pp. 289–298. Springer (2012). URL http://dblp.uni-trier.de/db/conf/softcomp/soco2012s.html#SanzSLUBA12
Zhao, M., Zhang, T., Ge, F., Yuan, Z.: RobotDroid: a lightweight malware detection framework on smartphones. J. Netw. 7(4) (2012). URL http://ojs.academypublisher.com/index.php/jnw/article/view/jnw0704715722
Schulz, P.: Dalvik bytecode obfuscation on Android (2012). http://www.dexlabs.org/blog/bytecode-obfuscation
Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection, RAID’11, pp. 338–357. Springer-Verlag, Berlin, Heidelberg (2011). doi:10.1007/978-3-642-23644-0_18
Book, T., Pridgen, A., Wallach, D.S.: Longitudinal analysis of android ad library permissions. CoRR abs/1303.0857 (2013)
de Pontevès, K., Apvrille, A.: Analysis of Android in-app advertisement kits. In: The 23rd Virus Bulletin International Conference, pp. 157–162 (2013)
Fortiguard Center: Android/RuSMS.AO (2013). Fortiguard Encyclopedia, http://www.fortiguard.com/encyclopedia/virus/#id=5897642
Apvrille, L.: Alligator: anaLyzing malware wIth partitioning and probability-based algorithms. http://alligator.telecom-paristech.fr/ (2014)
Apvrille, L., Apvrille, A.: Pre-filtering mobile malware with heuristic techniques. In: GreHack, pp. 43–59. Grenoble, France (2013)
Chang, C.C., Lin, C.J.: LIBSVM: a library for support vector machines. ACM Trans. Intell. Syst. Technol. 2, 27:1–27:27 (2011). Software available at http://www.csie.ntu.edu.tw/~cjlin/libsvm
Schapire, R.E., Singer, Y.: Improved boosting algorithms using confidence-rated predictions. Mach. Learn. 37(3), 297–336 (1999)
Kose, N., Apvrille, L., Dugelay, J.L.: Facial makeup detection technique based on texture and shape analysis. In: 11th IEEE International Conference on Automatic Face and Gesture Recognition (FG 2015) (2015)
Soergel, D.: Efficient training of support vector machines in java. https://github.com/davidsoergel/jlibsvm (2014)
Acknowledgments
We wish to thank Ruchna Nigam, for her help on SherlockDroid.
Cite this article
Apvrille, A., Apvrille, L. SherlockDroid: a research assistant to spot unknown malware in Android marketplaces. J Comput Virol Hack Tech 11, 235–245 (2015). https://doi.org/10.1007/s11416-015-0245-z