
A malware analysis and detection system for mobile devices / Ali Feizollah


Abstract

Smartphones, tablets, and other mobile devices have quickly become ubiquitous due to their highly personal and powerful attributes. Android has been the most popular mobile operating system. Such popularity, however, also extends to attackers. The amount of Android malware has risen steeply during the last few years, making it the most targeted mobile operating system. Although there have been important advances in malware analysis and detection on traditional PCs during recent decades, adopting and adapting those methods to mobile devices poses a considerable challenge. Power consumption is one major constraint that makes traditional detection methods impractical for mobile devices, while cloud-based techniques raise many privacy concerns. This study examines the problem of Android malware, and aims to develop and implement new approaches to help users confront such threats more effectively, considering the limitations of these devices. First, we present a comprehensive analysis of the development of mobile malware, specifically Android malware, over recent years, as well as the most useful and salient analysis and detection methods for Android malware. We also discuss a compilation of available tools for Android malware analysis. Secondly, we propose a number of new and distinctive Android malware analysis and detection methods. More specifically, we introduce AndroDialysis, which is a static analysis method. Recent research has focused on analysing Android Intent in the XML file. We propose a new method of analysing Android Intent in Java code, which includes implicit intent and explicit intent. We used a Drebin data sample, which is a collection of 5,560 applications, as well as a clean data sample containing 1,846 applications. The results show a detection rate of 91% using Android Intent against 83% using Android permission. We also introduce a dynamic analysis method, AndroPsychology, in order to analyse the network communications of Android applications.
We extracted 30 different features from network traffic. We then used feature selection algorithms and deep learning algorithms to build a detection model. The results show that network traffic is an appropriate candidate for Android malware detection. Finally, we combined AndroDialysis and AndroPsychology in order to build a comprehensive analysis and detection system for Android, called DroidProtect. Unlike current systems that either perform analyses on the device or send the whole application to a server for analysis, our system has the distinction of extracting features on the device and analysing them on the Google App Engine servers using an offloading technique. Our extensive experiments show that the energy consumption of the proposed system is lower than that of currently available systems.

Bibliographic record

  • Author: Ali Feizollah
  • Year: 2017
  • Original format: PDF
