Venue: International symposium on research in attacks, intrusions and defenses

Poster Abstract: Highlighting Easily How Malicious Applications Corrupt Android Devices


Abstract

We propose an approach based on information flows to highlight how a malicious application corrupts an Android device. Basic attacks carried out by malicious applications often consist in leaking sensitive data to remote entities, and a number of works have focused on detecting such attacks by analysing function calls or the access to and use of sensitive data. However, there exists another class of attack that threatens the integrity of the system itself or of the data it contains (e.g. modification of the content of sensitive files, or installation of a new application). Such attacks tend to be overlooked, and we propose here an approach to detect and highlight them easily. To do so, we first monitor how information from an application under analysis is disseminated through the whole system using an information flow monitor named Blare. Blare monitors information flows between system objects (processes, files and sockets) at system level and logs the observed flows. From the log, we build a System Flow Graph (SFG) that describes the observed flows in a compact format. We then filter the edges of the SFG to keep only the unusual flows. As Android applications are all built in the same way, they share common behaviours, which means that some of the information flows they cause are the same (e.g. information flows with the system_server process). By removing from the SFG the edges that describe information flows also present in the SFGs of benign applications, we obtain the suspicious flows that characterize an attack. We test our approach on 4 pieces of malware publicly known for corrupting Android devices and show that the remaining edges of their SFGs describe the attacks they carry out.
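The SFG construction and the baseline subtraction described above, as an added example that is not the poster's own code: flow log lines are parsed into directed edges between system objects, collapsed into a compact graph, and the edges also produced by benign applications are removed. The log line format (`<seq> <type>:<name> -> <type>:<name>`), the three traces, the package names and the `installd` step are all constructed for this example; Blare's real log format is not shown on the page. One detail the abstract leaves implicit is that the analysed app's own package name has to be abstracted away, otherwise every edge touching the app process is trivially absent from a baseline built from other apps; the `normalize` step below handles that.

```python
"""Added example, not the poster authors' code: build a System Flow Graph
(SFG) from flow-monitor log lines and keep only the edges that no benign
application produced.

The log line format is constructed for this example (Blare's real log
format is not shown on the page):
    <seq> <src_type>:<src_name> -> <dst_type>:<dst_name>
where each type is one of process, file, socket.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\d+\s+(process|file|socket):(\S+)\s*->\s*(process|file|socket):(\S+)$"
)


def normalize(name, pkg):
    """Replace the analysed app's own package name with a placeholder so that
    traces of different apps are comparable: an edge keyed on the literal
    package name would never match a baseline built from other apps."""
    return name.replace(pkg, "<app>")


def parse_flow_log(lines, pkg):
    """Parse log lines into directed edges ((src_type, src), (dst_type, dst))."""
    edges = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow line: {line!r}")
        st, sn, dt, dn = m.groups()
        edges.add(((st, normalize(sn, pkg)), (dt, normalize(dn, pkg))))
    return edges


def build_sfg(lines, pkg):
    """SFG as adjacency: node -> set of nodes it flows to. Repeated flows
    collapse into a single edge, which is what makes the graph compact."""
    sfg = defaultdict(set)
    for src, dst in parse_flow_log(lines, pkg):
        sfg[src].add(dst)
    return dict(sfg)


def edges_of(sfg):
    return {(s, d) for s, dsts in sfg.items() for d in dsts}


def benign_baseline(benign_traces):
    """Union of the edges observed over benign apps, given as (lines, pkg) pairs."""
    base = set()
    for lines, pkg in benign_traces:
        base |= edges_of(build_sfg(lines, pkg))
    return base


def suspicious_edges(lines, pkg, baseline):
    """Edges of the sample's SFG that no benign app produced."""
    return edges_of(build_sfg(lines, pkg)) - baseline


def fmt(edge):
    (st, sn), (dt, dn) = edge
    return f"{st}:{sn} -> {dt}:{dn}"


# Constructed traces for this example (not real captures): two benign apps
# and one sample that drops an APK for installation and edits a system file.
BENIGN_A = """
1 process:com.example.notes -> process:system_server
2 process:system_server -> process:com.example.notes
3 file:/data/app/com.example.notes.apk -> process:com.example.notes
4 process:com.example.notes -> file:/data/data/com.example.notes/db
""".splitlines()

BENIGN_B = """
1 process:com.example.weather -> process:system_server
2 process:system_server -> process:com.example.weather
3 file:/data/app/com.example.weather.apk -> process:com.example.weather
4 process:com.example.weather -> socket:api.weather.example:443
""".splitlines()

SAMPLE = """
1 process:com.evil.game -> process:system_server
2 process:system_server -> process:com.evil.game
3 file:/data/app/com.evil.game.apk -> process:com.evil.game
4 process:com.evil.game -> file:/data/data/com.evil.game/db
5 process:com.evil.game -> file:/data/local/tmp/payload.apk
6 file:/data/local/tmp/payload.apk -> process:installd
7 process:com.evil.game -> file:/system/etc/hosts
""".splitlines()


def analyse_sample():
    """Return the sample's suspicious edges as sorted, printable strings."""
    baseline = benign_baseline([(BENIGN_A, "com.example.notes"),
                                (BENIGN_B, "com.example.weather")])
    return sorted(fmt(e) for e in suspicious_edges(SAMPLE, "com.evil.game", baseline))


if __name__ == "__main__":
    for line in analyse_sample():
        print(line)
```

Running the block prints only the three edges the benign apps never produced (the APK drop, its hand-off to `installd`, and the write to `/system/etc/hosts`), while the common flows with `system_server`, the app's own APK and its private data directory are filtered out. The quality of the result depends entirely on baseline coverage: an edge that is benign but simply unobserved in the benign traces (for instance a different private file path) survives the subtraction, so in practice the baseline should be built from many benign apps and paths under the app's own directory should be generalized further.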