Detecting Malicious Behavior of Android Applications

IJSTE - International Journal of Science Technology & Engineering | Volume 2 | Issue 10 | April 2016
ISSN (online): 2349-784X
Detecting Malicious Behavior of Android

Applications
Dewashish Upadhyay
Rajiv Gandhi College of Engineering & research, Nagpur
R.T.M.N University, Nagpur, India
Sharvari Dharbey
Mitalee Munghate
Anjali Bondre
Kalyani Barapatre
Rajiv Gandhi College of Engineering & research, Nagpur R.T.M.N University, Nagpur, India
Abstract
Android, is an open source platform for mobile devices and covers almost 82% of all smart phone devices in the world. This
makes its security issues more prominent, especially in user privacy leakage. We developed an Application for Android-based
mobile devices which will check the permissions of all the applications present on the device & simultaneously trace the API
calls to detect the Malicious behavior of Android application. This tool has the capability of generating log files of API calls
made by an application running on a mobile device. In addition, the dynamic monitoring feature of this application will generate
an action when the highly sensitive API will be called by any malicious application. The log file may be effectively utilized in
analyzing apps behavior and intentions, which will prove to be useful in several application domains. For example, this tool may
be used in developing malware detection analysis based upon the API call, identifying resource usages in different app
components, developing the tool for analyzing the applications behavior, and constructing efficient mobile anti-malware tools,
etc. We proposed a twostep model which combines static and dynamic analysis approaches. During the static analysis, predefined permission sets are used to determine whether an application has potential risks & in dynamic analysis for those
suspicious applications we use reverse engineering method to embed monitoring Smali code for those highly sensitive APIs such
as sending LOCATION, SMS accessing user device ID, CONTACT, etc.
Keywords: Android, API tracing, mobile security, mobile forensics
________________________________________________________________________________________________________
I.
INTRODUCTION
Android on mobile devices has become a popular mobile operating system for various devices including smartphones.
Android is the most widely used mobile operating system, with 81% of smartphones and 37% of tablets worldwide running this
Google-made OS. With rapid development of network technology, the mobile Internet has been the development trend of the
information age. According to the market research company Canalys released data, the global intelligent mobile phone shipments
in 2011 has outpaced PC, reached 487,700,000 [7]. About the proportional share of the smartphone, Android OS has been in a
rising trend. The first quarter shipments report of smartphone from Canalys showed that Android OS reached 75:6%, and there
has been some increase compared with 69:2% of the previous quarter [3]. With the popularity and rapid development of Android
OS, its security issues are also increasingly prominent. For instance, the security report from NetQin Company shows that they
detected more than 65,227 new malwares in 2012, a 263% increase over 2011. And the vast majority of malicious software is
designed to attack Android and Symbian devices. Moreover, Android devices accounted for the number of devices being
attacked 94:8%, and software for the purpose of stealing user's privacy data reached as high as 28%, ranking first in all types of
malicious behavior [11] Even though Android is built based on Linux, the API tracing techniques developed for desktops may
not be applied. Android has different system architecture. At a lower level each application is encapsulated into a separate
process and it is run by using the services provided by Linux kernel. Within each application, a virtual machine, known as a
Dalvik Virtual Machine (DVM) provides a run-time environment for the Java components included in the application (app).
All apps contain both Java and native components. Native components are simply shared libraries that are dynamically loaded at
runtime. In the Dalvik virtual machine (DVM), a shared library named libdvm.so is then used to provide a Java-level abstraction
for the apps Java components. Application developers heavily make use of the objects and methods provided by the Java
Library included in the DVM. To understand or grasp the intentions of the apps, it will be more beneficial to trace/utilize the
Java-level semantics that comprehend the behaviors of the Java components in the app rather than focusing on system call
histories captured at the lower level. Currently, the method for detecting user privacy data leakage in intelligent mobile phone
platform mainly has two categories, static and dynamic. Static analysis methods mainly focused on the control flow, data flow
and structural analysis [15]. But Android application mostly written with Java, the program will inevitably exist a large number
All rights reserved by www.ijste.org
663
Detecting Malicious Behavior of Android Applications

(IJSTE/ Volume 2 / Issue 10 / 121)
of implicit function calls, and the static analysis methods cannot effectively handle it. At the same time, static method can obtain
the concrete execution path of the application without executing the source code, but it does not determine whether the path will
actually be performed, which can only be verified by dynamic method.
This paper firstly introduces the de-compilation tool named as apktool that decompiles APKs and gets the source code in
smali, and defines a series of sensitive APIs to build a sensitive API library. Then to detect the sensitive APIs in source code by
keywords searching [2], and finally view the code relevant to sensitive APIs to analyze the application and determine whether
there is sensitive data leakage.
II. RELATED WORK
Some background research on Android security is briefly introduced as follows Kui Luo proposed a byte code converter for
malicious code of leakage privacy, converting DVM (Dalvik Virtual Machine) byte code into Java code, and putting the Java
code into the Indus (a static analysis of Java code and slice tool) to analyze [17]. Leonid Batyuk proposed a method by
decompiling sample applications, in the premise of not affecting the program core function, through modifying the binary code
to separate the malicious code [2].
In signature-based malware detection systems malwares are detected by utilizing the sets of rules or policies [1]-[6]. If an
attack shows a signature exactly matching one of the known signatures, then it can be easily detected. However, this mechanism
may not be effective against new malwares with unknown signatures.
In anomaly detection approaches machine learning algorithms are first used to obtain classifiers from the known malware
behaviors [12]. Then, the classifier will be used at run-time to detect malwares. Although anomaly detection is able to detect new
or evolved malwares more effectively compared to the signature-based approaches, it sometimes causes high false positive.
Then, the classifier will be used at run-time to detect malwares. Although anomaly detection is able to detect new or evolved
malwares more effectively compared to the signature-based approaches, it sometimes causes high false positive. Malware
detection techniques may also be classified into two different categories, static vs. dynamic. In static approaches the classifier or
signatures will be obtained only from the apps codes, which remove the necessity to collect the data by running the apps [3]
these approaches have limitations. Metamorphic and polymorphic techniques may be applied to generate new signatures for the
same virus. If polymorphic techniques are used, due to the encryption, it is difficult to generate the signatures; if metamorphic
techniques are applied, all the codes will be obfuscated. In dynamic approaches, they obtain classifiers or signatures only based
upon data obtained at run-time [21]. They dont have limitations as in the static approaches, but it becomes critical how to design
and conduct app running experiments to capture their behaviors or signatures in a comprehensive manner.
III. METHODOLOGY
Fig. 1: Malware behavior analysis framework
664

Generally speaking, methods for malware analysis Mainly include static and dynamic approach. Static analysis is a kind of
method based on program's source code. It has the advantages of being wide coverage and can analyze the source code
comprehensively. However static method is based on source code. And if we cannot get the target source code, through
decompiling or reverse engineering, it is hard to analyze the program accurately, especially in the occasion that the target
program has been obfuscated. Dynamic analysis refers to the tracking and monitoring its run-time behavior through running the
program. This kind of method is more accurate for capturing the actual malicious program behavior. Meanwhile, the dynamic
method has its own disadvantages because of its limited execution coverage, that is to say we cannot guarantee all of the running
paths have been trigged during the test.
In this paper, we present a combination of static and dynamic security analysis model that can make up for their shortcomings
with each other, enable the analysis of malicious behavior more comprehensively and accurately. Figure 1 shows the whole
steps. Before analyzing the Android application, APK (android application package) needs to be statically decompiled to get the
corresponding configuration and Smali [14] files. Among them, the configuration file with the format of AndroidManifest.xml is
mainly used for permissions filtering stage, and the Smali files are mainly applied to dynamic monitoring module. First of all, we
choose those suspicious applications with great potential to leak user's privacy. Then if a program is suspicious, enter into the
dynamic monitoring module, where input the target Smali codes, embed some tracking code, repackage and re-sign the APK. In
future, once the APK is running, we can dynamically monitor the behavior of privacy leakage and give immediate alarm for
users. And those alerts or logs can be used for further detailed analysis manually or automatically. Next, we will discuss the three
core components of the framework: APK Static De-compiler, Permission Filtering Module and Dynamic Monitoring Module.
APK Static Decompiling:
Before permission filtering and dynamic monitoring, we need to extract the Android application's AndroidManifest.xml file and
Smali files corresponding to the target APK. The Android application is an installation package ended with suffix .APK (an
acronym for Android Package). APK is similar to .exe executable file in PC, after installed can be executed in Android OS
immediately. APK is actually a compressed file compliance with the ZIP format, which can be extracted by popular .zip
compatible decompression tools. In addition, it must be noted that most applications are code-obfuscated, and the unzipped file is
not able to analyze directly. It should be decompiled to extract its resource, permissions, the intermediate representation files. In
this paper, we use the apktool [1] for decompiling. The file structure of Android application after decompiled is shown in Table
1.
Permission Filtering:
Through analyzing the malware samples, we find the process of privacy leakage has two steps: read the privacy information and
send out. Accordingly, the potential causing privacy leakage permissions are also divided into two categories. One is mainly
used to read the privacy data, such as android.permission.READ PHONE STATE, which allows to read phone state, such as SIM
card, phone numbers, phone's IMEI (International Mobile Equipment Identity) and some others. The other is mainly used to send
out privacy information. Figure 2 shows the procedure of permission filtering module.
Table 1
The file structure after APK decompiled
665

Fig. 2: permissions filtering module
In Figure 2, the security policy is the core part, where each security policy is a cross combination of the above two kinds of
permission set. The first one is READ_P and the second one SEND _P. After the first step of static decompile, we can extract the
application permissions set APP_P from the App's configuration file AndroidManifest.xml. During the static decompiling phase,
we extract the permissions set APP_P form AndroidManifest.xml, and then classify APP_P into two categories, read and send
defined above. We assume that if APP P set on matrix has a valid value, that is to say, the APK requested permissions have the
higher-risk, and then the app can be regarded as suspicious. [1]
Dynamic Monitoring:
This module is to monitor the call information of sensitive APIs in APK. We implement dynamic real-time monitoring by
inserting monitoring code to the decompiled APK. Smali and baksmali are an assembler and disassembler respectively for the
.dex format used by the DVM [5]. In this paper in order to avoid the differences between JVM and DVM, we try to directly
rewrite Dalvik bytecode, insert the monitoring Smali bytecode into the decompiled Smali files. The procedure of dynamic
monitoring module is shown in Fig.3
Smali Bytecode:
Smali is an Intermediate Representation(IR) for Dalvik Bytecode. Smali code is a kind register based language which can shield
the source code level differences. For instance, malware sometimes use source code obfuscation to avoid detection. But in Smali
code, the core sensitive APIs are inevitably exposed. So, we can monitor these sensitive APIs to track the behavior of those
suspicious programs.
Fig. 3: The procedure of dynamic monitoring module
Smali Bytecode Library for Sensitive Apis:

The Smali bytecode library stores sensitive APIs and their corresponding Smali bytecode. The main function of the library is to
locate the detailed position of sensitive APIs in Smali files after the target APK was decompiled. According to the typical
sensitive APIs that malwares often used for leaking Android user's privacy data, we choose five and their class name, function
name, and Smali bytecode are indicated in Table 2.
Type
Primitive Types
Table 2
Description of smali Syntax
Syntax
V
Z
B
S
C
I
J
Meaning
Void
Boolean
Byte
Sbyte
Char
Int
Long (64 bit)
666

Reference Types
Object
Array
Array of Objects
F
D
Lpackage/name/ObjectName
Premetive type signature
Lpackage/name/ObjectName
Float
Double (64 bit)
Package.name.ObejctName
I, represent an array of int
Ljava/lang/String, represent array of strings
Monitoring bytecode library for Sensitive APIs:

The monitoring bytecode library is to store the sensitive APIs calling information when the APK is running. For different APIs,
monitoring information to be recorded is different. Such as SMS sending text messages, we need to record the message
recipients as well as the content of the message. The unique part of each API is its input and output. According to API's function
prototypes and register naming principles in Smali syntax, we can obtain the Smali register number of each API parameters.
According to Smali syntax, there are two ways to determine a method that how many registers are available, which can be shown
in Table 3.
Class Name
Table 3
Smali bytecode library for sensitive API
Descripti
Function Name
on
android.telephony.SmsManager
sendTextMessage(String,
String,String,PendingInt
ent, Pending-Intent)
android.location.LocationManag
er
getLastKnownLocation
(String)
android.telephony.TelephonyMan
ager
getDeviceId()
android.location.LocationManag
er
getSimSerialNumber()
android.telephony.TelephonyMan
ager
getLine1Number()
Send
messagess
Get
location
Get ID,
IMEI of
phone
Get SIM
serial
Number
Get phone
Number
Smali Bytecode
Landroid/telephony/SmsManager
sendTextMessage(Ljava/lang/String.Ljava/lang/String;Ljava/lan
g/String Landroid/app/PendingIntent;
Landroid/app/P endingIntent ;)
Landroid/location/LocationManager getLast
KnownLocation(Ljava/lang/String)
Landroid/telephony/TelephonyManager get
DeviceId()Ljava/lang/String
Landroid/telephony/TelephonyManager get SimSerialNumber ()
Ljava/lang/String
Landroid/telephony/TelephonyManager get Line1Number ()
Ljava/lang/String
IV. EXPERIMENT
Before experiment, some necessary tools such as Eclipse, JDK6, JRE6, Android SDK, Python2.7, and other tools will be
installed. APK static de-compiler and permissions filtering module were implemented with Java. Among them, APK static
compiling module is to call apktool [27]. Permissions filtering module mainly implements security policy settings; extract
permissions feature from Androidmanifest.xml that generated by static decompiling module. Dynamic monitoring module is to
scan the Smali files generated by APK static decompiling module, embed monitoring bytecode, repackage and re-sign the Smali
files to generate a new APK. Then we run the new APK in Android emulator, it will generate some running logs or monitoring
report to show what has happened. To illustrate Android users facing the growing threat of information leakage, we choose 642
popular applications to conduct experiments in the Permissions filtering module. We handled 642 APK samples by permissions
filtering module and found that almost 26% apps have security risks for leakage user's sensitive data. The security policy violated
by most of those 642 apps is about IMEI permission combinations, namely, the most common information leaked is IMEI. The
reason may be the IMEI can determine phone type and device parameters, and can provide accurate user identity information for
developers and advertisers. The next is phone Number, Contacts, and Location. If these sensitive information is used illegally, it
will possibly bring huge losses to users. To verify effectiveness and feasibility of dynamic monitoring module, we did
experiments on the Android emulator in Windows7. We chose an APK, SendSMS_example.apk, that will automatically send
text message in the background. The prototype system successfully detected the leakage behavior.
Table 4
Analysis of suspicious applications
Leakage corresponding to Policies App Amount
LOCATION
27
SMS_TEXT
14
CONTACTS
32
PHONE NUMBER
77
IMEI
273
Ratio
17.59
44%
9.50%
33.07%
V. CONCLUSION
Our experiments goal was to develop an efficient API call tracing tool for static & dynamic app behavior analysis. This tool
may be applied to a wide range of applications including designing effective malware detection techniques on mobile devices.
667

The tool focuses on detecting sensitive API calls and studying obfuscated smali source code so as to identify the potential
privacy theft and determine whether there is sensitive data leakage. As a conclusion, it shows some advantages of our approach:
1) Using Smali bytecode, it is based on intermediate language, which shows some advantages over Java source code method
and it possesses anti-obfuscation to a certain degree.
2) The method is simple, just insert some monitoring Smali bytecode, and the performance influence can be ignored.
3) This method can be used in a wide scale, which can deploy remotely and provide monitoring service automatically.
Future scope of the paper will be adding a dynamic module to the current application which will generate an action log that will
trace the behavior of each and every application through sensitive API calls.
REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
[26]
[27]
[28]
[29]
[30]
[31]
Quan Qian, Jing Cai, Mengbo Xie, Rui Zhang. - Malicious Behavior Analysis for Android Applications International Journal of Network Security, Vol.18,
No.1, PP.182-192, Jan. 2016.
W. Enck, M. Ongtang, and P. McDaniel, On lightweight mobile phone application certification, in Proc. the 16th ACM conference on Computer and
communications security, CCS 09, New York, NY, USA, 2009. ACM, pp. 235245.
A. P. Fuchs, A. Chaudhuri, and J. S. Foster, SCanDroid Automated Security Certification of Android Applications, Technical Report CSTR- 4991,
Department of Computer Science, University of Maryland, College Park, November 2009.
H. Kim, J. Smith, and K. G. Shin. Detecting energy-greedy anomalies and mobile malware variants, in Proc. the 6th international conference on Mobile
systems, applications, and services, MobiSys 08, 239252, New York, NY, USA, 2008, ACM.
M. Ongtang, S. McLaughlin, W.Enck, and P. McDaniel, Semanticallyrich application-centric security in android, in Proc. the 2009Annual Computer
Security Applications Conference, ACSAC 09, 340349, Washington, DC, USA, 2009.
Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets,
presented at the 19th Annual Network & Distributed System Security Symposium, Feb. 2012.
L. Liu, G. Yan, X. Zhang, and S. Chen. Virusmeter: Preventing your cellphone from spies, in Proc. the 12th International Symposium on Recent
Advances in Intrusion Detection, RAID 09, pp. 244264, Berlin, Heidelberg, Springer-Verlag. -2792-2 50, 2009.
A.-D. Schmidt, J. H. Clausen, A. Camtepe, and S. Albayrak. Detecting symbian os malware through static function call analysis, March 2006, 1522,
IEEE, 2009.
A. Shabtai and Y. Elovici, Applying behavioral detection on android based devices, Mobilware, pp. 235249, 2010.
P. Teufl, S. Kraxberger, C. Orthacker, G. Lackner, M. Gissing, A. Marsalek, J. Leibetseder, and O. Prevenhueber, Android market analysis with
activation patterns, Mobisec, 2011.
M. Zhao, F. Ge, T. Zhang, and Z. Yuan, Anti maldroid: An efficient svm based malware detection framework for android, in C. Liu, J. Chang, and A.
Yang, editors, Communications in Computer and Information Science, vol. 243, pp. 158166, Springer, 2011.
D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji, A methodology for empirical analysis of permission-based security models and its
application to android, in Proc. the 17th ACM conference on Computer and communications security, pp. 7384, New York, NY, USA, 2010, ACM.
E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter application communication in android, in Proc. the 9th international conference on
Mobile systems, applications, and services, MobiSys 11, pp. 239252, New York, NY, USA, 2011.
F. D. Cerbo, A. Girardello, F. Michahelles, and S. Voronkova, Detection of malicious applications on android os, in Proc. the 4th international
conference on Computational forensics, pp. 138149, Berlin, Heidelberg, 2011, Springer-Verlag.
M. Grace, Y. Zhou, Z. Wang, and X. Jiang, Systematic detection of capability leaks in stock Android smartphones, in Proc. the 19th Network and
Distributed System Security Symposium (NDSS), Feb. 2012.
S. Kim, J. I. Cho, H. W. Myeong, and D. H. Lee, A study on static analysis model of mobile application for privacy protection, in J. J. J. H. Park, H.-C.
Chao, M. S. Obaidat, and J. Kim, editors, Computer Science and Convergence, Lecture Notes in Electrical Engineering, pp. 529540, Springer Netherlands,
vol. 114, 2012.
W. Zhou, Y. Zhou, X. Jiang, and P. Ning. Detecting repackaged smartphone applications in third-party android marketplaces, in Proc. the second ACM
conference on Data and Application Security and Privacy, CODASPY 12, pp. 317326, New York, NY, USA, ACM, 2012.
B. Dixon, Y. Jiang, A. Jaiantilal, and S. Mishra, Location based power analysis to detect malicious code in smartphones, in Proc. the 1st ACM
workshop on Security and privacy in smartphones and mobile devices, SPSM 11, pp. 2732, New York, NY, USA, ACM, 2011.
Seonho Choi, Michael Bijou, Kun Sun, and Edward Jung -- API Tracing Tool for Android-Based Mobile Devices International Journal of Information and
Education Technology, Vol. 5, No. 6, June 2015
W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, Taintdroid: An information-flow tracking system for realtime privacy
monitoring on smartphones, in Proc. the 9th USENIX conference on Operating systems design and implementation, OSDI10,
MCS 11, pp. 2126, New York, NY, USA, ACM, 2011. U. Mitra, A. Ortega, J. Heidemann, and C. Papadopoulos, Detecting and Identifying Malware:
A New Signal Processing Goal, IEEE Signal Processing Magazine, pp. 107-111, September 2006.
Android Developers. (April 15, 2014). Signing Your Applications. [Online]. Available: http://developer.android.com/tools/publishing/app-signing.html.
Oracle.
(April
15,
2014).
Jarsigner
JAR
Signing
and
Verification
Tool.
[Online].
Available:
http://docs.oracle.com/javase/6/docs/technotes/tools/windows/jarsigne r.html.
Schmidt, A.D., Bye, R., Schmidt, H.G., Clausen, J.H., Kiraz, O., Yuksel, K.A., Camtepe, S.A., Albayrak, S.: Static Analysis of Executables for
Collaborative Malware Detection on Android. In: Proceedings of IEEE International Conference on Communications, ICC 2009, Dresden, Germany, 14-18
June 2009, IEEE (2009)
Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phone application certification. In: CCSProceedings09: of the 16th ACM conference on
Computer and Communication Security, New York, NY, USA, ACM (2009) 235-245
Android Developers. (April 15, 2014). Android Debug Bridge. Web. [Online]. Available: http://developer.android.com/tools/help/adb.html.
Privacy San Francisco, CA, May 2012. A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, Y. Weiss: Andromaly a behavioral malware detection framework
for android devices. Journal of Intelligent Information Systems 38(1) (January 2011) 161-190
K. Hanumantha Rao, G. Srinivas, A. Damodhar, M. Vikas Krishna:
Implementation of Anomaly Detection Technique Using Machine
Learning Algorithms: Internatinal Journal of Computer Science and Telecommunications (Volume2, Issue3, June 2011)
Android
Developers.
(April
15,
2014).
Profiling
with
Trace
view
and
dmtracedump.Web.[Online].Available:
http://developer.android.com/tools/debugging/debugging-tracing.html
Wikipedia. (April 15, 2014). Comma-separated values. [Online]. Available: http://en.wikipedia.org/wiki/Comma-separated_values
Y. J. Zhou and X. X. Jiang, Dissecting android malware: characterization and evolution, presented at the 33rd IEEE Symposium on Security and
668

Detecting Malicious Behavior of Android Applications

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Detecting Malicious Behavior of Android Applications

Uploaded by

Copyright:

Available Formats

IJSTE - International Journal of Science Technology & Engineering | Volume 2 | Issue 10 | April 2016

ISSN (online): 2349-784X