隨著Android應用程式逆向工程技術的成熟，Android惡意程式在重新包裝後散播於Android應用程式市場，如此增加了Android使用者的威脅性。然而，這些被駭客重新包裝後的Android惡意程式與原先正常合法的應用程式非常相似，僅部分被注入之惡意元件不同，而這些被注入之惡意元件經常在背景運行以躲避偵測。

本研究提出基於向量機制與元件間通訊特權圖推論之Android惡意程式偵測機制，該機制包含「向量機制」與「元件間通訊特權圖推論」二個部分，以靜態檢測的角度偵測Android惡意程式。機制考慮了應用程式之靜態資訊(如權限、元件配置、意圖訊息傳遞和應用程式介面呼叫)，並藉由群聚方式以識別不同意圖之Android惡意程式，並藉此增強惡意程式塑模能力。為了提升Android惡意程式之偵測召回率，建立Android元件間通訊特權圖(Inter-Component Communication)，以描述應用程式之元件間通訊行為並突顯潛在之過度權限 (permission)。元件間通訊特權圖為一種結構，結合權限及四種元件，可用於衡量具有集中連結特性之可疑元件。

此外，我們利用提出之機制開發一套系統-「AndroVIP」。首先，系統從應用程式之設定檔(manifest)中取出靜態資訊，並以各元件之進入點往後追蹤元件間通訊及之應用程式介面呼叫。接著，其套用了「k-means」演算法來加強惡意程式建模能力。接著，再套用「kNN」演算法判別應用程式是否為惡意。在此之後，為了加強Android惡意程式之偵測準確度，系統為被分類成正常之應用程式建立元件間通訊特權圖，並應用「PageRank」演算法計算每個元間之權重分數。如元件得到較高的分數，其所屬之應用程式將被視為Android惡意程式。

在實驗中，本研究所採用之Android惡意程式收集自目前唯一的公開資料集網站(contagio mobile)，共34個種類238支惡意程式；Android正常合法應用程式則收集自Google官方Android應用程式市場(GooglePlay)，並由VirusTotal確認無任何防毒軟體判定為惡意程式，共30個種類1500支正常合法程式。

根據實驗結果，本研究所提出的機制優於2011年美國駭客年會(blackhat2011)之工具「Androguard」，我們有較高的召回率。本研究有以下幾點貢獻：(1)透過考量權限、元件配置、意圖訊息傳遞和應用程式介面呼叫，偵測識別該些隱藏惡意行為於背景之Android惡意程式；(2)自動學習Android惡意程式之靜態行為供後續分析使用;(3)設計一系統以輔助Android應用程式檢測。

The matured technology of reverse engineering is so popular that repackaged Android malware spread in the most of Android application marketplaces and causes the threat of Android malware becoming more serious. These Android malwares repackaged by hackers are quite similar with benign Android applications except of a few injected malicious components. These injected malicious components can evade the detection by exciting at the background service and increase the difficulty of detection.

In this study, we propose a mechanism that incorporate vector-based mechanism and Inter-Component Communication privilege graph inference approach to provide a static analyst paradigm for detecting the Android malware. The mechanism considers the static information including permissions, deployment of components, Intent messages passing and API calls for characterizing the Android applications behavior. In order to recognize different intentions of Android malware, different kinds of clustering algorithms can be applied to e hance the malware modeling capability. To enhance the correctness of Android malware predictions, it constructs Inter-Component Communication privilege graph that illustrates the ICC invoking behavior to manifest the potential excessive obtained permissions. It is a structured combination among permissions and four kinds of components that intends to measure the suspicious component with the centrality characteristics appearing in Android ICC privilege graph.

Besides, we leverage the proposed mechanism to develop a system, called AndroVIP (Android malware detection through Vector-based mechanism and Inter-component communication Privilege graph inference). First, the AndroVIP extracts the information (e.g., requested permissions, used components, etc) from each application’s manifest file, and regards components (Activity, Service, Receiver) as entry points drilling down for tracing Inter-Component Communications and API Calls related to permissions. Next, it applies K-means algorithm that enhance the malware modeling capability. And then, it uses KNN algorithm to classify the application as benign or malicious. After that, to enhance the correctness of Android malware predictions, AndroVIP constructs Inter-Component Communication privilege graph for applications that be classified as benign. Finally, it applies PageRank algorithm to score centrality of each component. Once the component gets high score, it would be determined as malicious, and the application that component belonged to would be regarded as Android malware.

The experiment result shows that the recall rate of our approach is better than one of well-known tool, Androguard, published in Blackhat 2011, which is focus on Android malware detection. The proposed approach gives the following contributions: (1) Identifying Android malware that intends to hide its malicious behavior by considering permissions, Intent message passing, API calls and Inter-Component Communication privilege; (2) Learning Android malware static behavior automatically for further Analysis; (3) Developing a system to assist Android applications vetting.

[1] “Androguard,” http://code.google.com/p/androguard/.
[2] “Android-apktool,” http://code.google.com/p/android-apktool/.
[3] “Android/basebridge,” http://droidsecurity.appspot.com/securitycenter/securitypost 20110605.html.
[4] “Android/droidkungfu,” http://www.f-secure.com/weblog/archives/00002259.html.
[5] “The androidmanifest.xml file,” http://developer.android.com/guide/topics/manifest/manifest-intro.html.
[6] “Appbrain,” http://www.appbrain.com/.
[7] “Application fundamentals,” http://developer.android.com/guide/topics/fundamentals.html.
[8] “Black hat abu dhabi 2011,” http://www.blackhat.com/html/bh-ad-11/bh-ad-11-speaker bios.html.
[9] “Contagio mobile,” http://contagiominidump.blogspot.com/.
[10] “Droidbox,” http://code.google.com/p/droidbox/.
[11] “Gartner says worldwide smartphone sales soared in fourth quarter of 2011 with 47 percent growth,” http://www.gartner.com/it/page.jsp?id=1924314.
[12] “Google play,” https://play.google.com.
[13] “Hadoop,” http://hadoop.apache.org/.
[14] “Intents and intent filters,” http://developer.android.com/guide/topics/intents/intents-filters.html.
[15] “Pagerank,” http://en.wikipedia.org/wiki/PageRank.
[16] “Pegasus: Peta-scale graph mining system,” http://www.cs.cmu.edu/ pegasus/.
[17] “Proguard,” http://proguard.sourceforge.net/.
[18] “Smartphone and app growth soars: Infographic,” http://blog.mylookout.com/blog/2012/02/06/smartphone-and-app-growth-soars-infographic/.
[19] “Virustotal,” https://www.virustotal.com/.
[20] “Weka,” http://www.cs.waikato.ac.nz/ml/weka/.
[21] “Lookout app genome report,” https://www.mylookout.com/appgenome, 2011.
[22] D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji, “A methodology for empirical analysis of permission-based security models and its application to android,” in Proceedings of the 17th ACM conference on Computer and communications security, ser. CCS ’10. New York, NY, USA: ACM, 2010, pp. 73–84.
[23] A. Bose, X. Hu, K. G. Shin, and T. Park, “Behavioral detection of malware on mobile handsets,” in Proceedings of the 6th international conference on Mobile systems, applications, and services, ser. MobiSys ’08. New York, NY, USA: ACM, 2008, pp. 225–238.
[24] I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani, “Crowdroid: Behavior-based malware detection system for android,” in Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, ser. SPSM ’11. New York, NY, USA: ACM, 2011, pp. 15–26.
[25] P. P. Chan, L. C. Hui, and S. M. Yiu, “Droidchecker: Analyzing android applications for capability leak,” in Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, ser. WISEC ’12. New York, NY, USA: ACM, 2012, pp. 125–136.
[26] E. Chin, A. P. Felt, K. Greenwood, and D. Wagner, “Analyzing interapplication communication in android,” in Proceedings of the 9th international conference on Mobile systems, applications, and services, ser. MobiSys ’11. New York, NY, USA: ACM, 2011, pp. 239–252.
[27] A. Desnos, “Android: Static analysis using similarity distance,” Hawaii International Conference on System Sciences, vol. 0, pp. 5394–5403, 2012.
[28] A. Desnos and G. Gueguen, “Android: From reversing to decompilation,” Blackhat, 2011.
[29] F. Di Cerbo, A. Girardello, F. Michahelles, and S. Voronkova, “Detection of malicious applications on android os,” in Proceedings of the 4th international conference on Computational forensics, ser. IWCF’10. Berlin, Heidelberg: Springer-Verlag, 2011, pp. 138–149.
[30] B. Dixon, Y. Jiang, A. Jaiantilal, and S. Mishra, “Location based power analysis to detect malicious code in smartphones,” in Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, ser. SPSM ’11. New York, NY, USA: ACM, 2011, pp. 27–32.
[31] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, “Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones,” in Proceedings of the 9th USENIX conference on Operating systems design and implementation, ser. OSDI’10. Berkeley, CA, USA: USENIX Association, 2010, pp. 1–6.
[32] W. Enck, M. Ongtang, and P. McDaniel, “On lightweight mobile phone application certification,” in Proceedings of the 16th ACM conference on Computer and communications security, ser. CCS ’09. New York, NY, USA: ACM, 2009, pp. 235–245.
[33] A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner, “Android permissions demystified,” in Proceedings of the 18th ACM conference on Computer and communications security, ser. CCS ’11. New York, NY, USA: ACM, 2011, pp. 627–638.
[34] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, “A survey of mobile malware in the wild,” in Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, ser. SPSM ’11. New York, NY, USA: ACM, 2011, pp. 3–14.
[35] A. P. Felt, K. Greenwood, and D. Wagner, “The effectiveness of application permissions,” in Proceedings of the 2nd USENIX conference on Web application development, ser. WebApps’11. Berkeley, CA, USA: USENIX Association, 2011, pp. 7–7.
[36] A. P. Fuchs, A. Chaudhuri, and J. S. Foster, “SCanDroid: Automated Security Certification of Android Applications,” Department of Computer Science, University of Maryland, College Park, Tech. Rep. CS-TR-4991, November 2009.
[37] P. Gilbert, B.-G. Chun, L. P. Cox, and J. Jung, “Vision: Automated security validation of mobile apps at app markets,” in Proceedings of the second international workshop on Mobile cloud computing and services, ser. MCS ’11. New York, NY, USA: ACM, 2011, pp. 21–26.
[38] M. Grace, Y. Zhou, Z. Wang, and X. Jiang, “Systematic detection of capability leaks in stock Android smartphones,” in Proceedings of the 19th Network and Distributed System Security Symposium (NDSS), Feb. 2012.
[39] U. Kang, C. E. Tsourakakis, and C. Faloutsos, “Pegasus: A peta-scale graph mining system,” in ICDM, 2009, pp. 229–238.
[40] H. Kim, J. Smith, and K. G. Shin, “Detecting energy-greedy anomalies and mobile malware variants,” in Proceedings of the 6th international conference on Mobile systems, applications, and services, ser. MobiSys ’08. New York, NY, USA: ACM, 2008, pp. 239–252.
[41] S. Kim, J. I. Cho, H. W. Myeong, and D. H. Lee, “A study on static analysis model of mobile application for privacy protection,” in Computer Science and Convergence, ser. Lecture Notes in Electrical Engineering, J. J. (Jong Hyuk) Park, H.-C. Chao, M. S. Obaidat, and J. Kim, Eds. Springer Netherlands, 2012, vol. 114, pp. 529–540.
[42] S. Lee and M. Hayes, “Properties of the singular value decomposition for efficient data clustering,” vol. 11, no. 11, pp. 862–866, November 2004.
[43] L. Liu, G. Yan, X. Zhang, and S. Chen, “Virusmeter: Preventing your cellphone from spies,” in Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection, ser. RAID ’09. Berlin, Heidelberg: Springer-Verlag, 2009, pp. 244–264.
[44] P. Liu, S. X. D. Tan, H. Li, Z. Qi, J. Kong, B. McGaughy, and L. He, “An efficient method for terminal reduction of interconnect circuits considering delay variations,” in Proceedings of the 2005 IEEE/ACM International conference on Computer-aided design, ser. ICCAD ’05. Washington, DC, USA: IEEE Computer Society, 2005, pp. 821–826.
[45] P. Liu, S. X.-D. Tan, B. McGaughy, L. Wu, and L. He, “Termmerg: An efficient terminal-reduction method for interconnect circuits,” IEEE Trans. on CAD of Integrated Circuits and Systems, vol. 26, no. 8, pp. 1382–1392, 2007.
[46] M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel, “Semantically rich application-centric security in android,” in Proceedings of the 2009 Annual Computer Security Applications Conference, ser. ACSAC ’09. Washington, DC, USA: IEEE Computer Society, 2009, pp. 340–349.
[47] L. Page, S. Brin, R. Motwani, and T. Winograd, “The pagerank citation ranking: Bringing order to the web.” Stanford InfoLab, Technical Report 1999-66, November 1999, previous number = SIDL-WP-1999-0120.
[48] A.-D. Schmidt, J. H. Clausen, A. Camtepe, and S. Albayrak, “Detecting symbian os malware through static function call analysis,” no. March 2006. IEEE, 2009, pp. 15–22.
[49] A. Shabtai and Y. Elovici, “Applying behavioral detection on android-based devices,” in MOBILWARE, 2010, pp. 235–249.
[50] A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, and Y. Weiss, “”andromaly”: A behavioral malware detection framework for android devices,” J. Intell. Inf. Syst., vol. 38, no. 1, pp. 161–190, 2012.
[51] P. Teufl, S. Kraxberger, C. Orthacker, G. Lackner, M. Gissing, A. Marsalek, J. Leibetseder, and O. Prevenhueber, “Android market analysis with activation patterns,” in MOBISEC, 2011.
[52] T. Vidas, D. Votipka, and N. Christin, “All your droid are belong to us: A survey of current android attacks,” in Proceedings of the 5th USENIX conference on Offensive technologies, ser. WOOT’11. Berkeley, CA, USA: USENIX Association, 2011, pp. 10–10.
[53] L. Xie, X. Zhang, J.-P. Seifert, and S. Zhu, “pbmds: A behavior-based malware detection system for cellphone devices,” in Proceedings of the third ACM conference on Wireless network security, ser. WiSec ’10. New York, NY, USA: ACM, 2010, pp. 37–48.
[54] X. J. Yajin Zhou, “Dissecting android malware: Characterization and evolution,” in Proceedings of the 33rd IEEE Symposium on Security and Privacy, May 2012.
[55] M. Zhao, F. Ge, T. Zhang, and Z. Yuan, “Antimaldroid: An efficient svm-based malware detection framework for android,” in ICICA (1), ser. Communications in Computer and Information Science, C. Liu, J. Chang, and A. Yang, Eds., vol. 243. Springer, 2011, pp. 158–166.
[56] W. Zhou, Y. Zhou, X. Jiang, and P. Ning, “Detecting repackaged smartphone applications in third-party android marketplaces,” in Proceedings of the second ACM conference on Data and Application Security and Privacy, ser. CODASPY ’12. New York, NY, USA: ACM, 2012, pp. 317–326.
[57] Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, “Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets,” in Proceedings of the 19th Annual Network & Distributed System Security Symposium, Feb. 2012.