Activation Pattern Analysis on Malicious Android Mobile Applications

You Joung Ham, Daeyeol Moon, Hyung-Woo Lee Dept. of Computer Engineering, Hanshin University,

411, Yangsan-dong, Osan, Gyyeonggi, 447-791, Rep. of Korea

e-mail: hwlee@hs.ac.kr

Jae Deok Lim, Jeong Nyeo Kim Cyber Security-Convergence Research Laboratory,

ETRI, 218, Gajeongno, Yuseong-gu, Daejeon, 305-700, Rep. of Korea

e-mail: jdscol92@etri.re.kr, jnkim@etri.re.kr

Abstract—the malicious android mobile applications developed by attackers are increasing rapidly. In order to reduce the damage caused by the malicious applications, the activation based pattern analysis mechanisms should be developed to determine normal and malicious apps correctly. In this paper, the malicious application activation event patterns were analyzed from the malicious game apps sampled from malware samples distributed by Android MalGenome Project. System call events are aggregated from malicious Android mobile apps. Through this process of analyzing the application activation patterns, we can extract a similarity to determine whether any given app is malicious or not.

Keywords-component; Android; Mobile Application; Activation Pattern; Malicious App.; Event Pattern.

I. INTRODUCTION Extremely large number of Android mobile application

(apps) has been developed through the Android open market. However, the distribution of malicious apps developed by attackers is also increasing rapidly due to the openness of the open market that allows anyone to develop and distribute. Attackers insert a malware in a existing normal application and distribute it to users through the open market [1,2,3,4]. In this method, attacker can get personal information stored in smartphone illegally. Therefore, the security problem of Android-based mobile device is growing significant in the user environment [4,5].

Detection methods for attacks on mobile devices [6,7,8,9] have been proposed to reduce the damage from malicious mobile apps. However, a mechanism that provides more accurate ways of determining malicious apps on common mobile devices must be developed suddenly. In first, it is necessary to analyze the attack types based on the recent security vulnerabilities of Android-based mobile devices, and analyses the characteristics of malicious apps with activation pattern using Strace tool [10] on Android Platform. Therefore, we aim to suggest a method to distinguish Android-based malicious apps based on the event pattern activated by running malicious applications.

More in detail, we analyzed the malicious event pattern from the application selected from Android MalGenome Project [11]. The actual patterns are extracted from the malicious apps of Android-based mobile devices. And then, events were collected to perform a relevance analysis between normal and malicious event set. Based on it, we can analyze event occurrence characteristics, pattern and

distribution of malicious apps. Through this process of analyzing the application activation patterns, we can extract a similarity to determine whether any given app is malicious or not.

II. MALICIOUS MOBILE APPLICATIONS ON ANDROID Malicious mobile applications on Android have been

widely distributed through the open market. The reason that the security threats targeting the Android platform are increasing is based on the fact that the Android platform provides functions that are easily accessed by allowing various forms of attacks to occur based on its openness and portable features [12]. Therefore, the security vulnerabilities of the Android platform are causing various types of attack. As in Figure 1, attackers hide a malware by activating exploits from inside a mobile app that appears normal in order to distribute it to common user’s smartphone. Users execute an installed app that includes the malware silently leaking personal information stored inside of device to get root permission and privilege. When the malware is executed, the attacker gets illegal access to the internal resource without user’s notification.

Fig 1. Attack Executed by Implicit Malicious Code What becomes a more serious problem is when a

malware is downloaded and installed from a remote server while the malicious app distributed by an attacker is started. For example, an attacker can attempt a roundabout connection through SMS and others in order to induce users to download additional malwares from C&C server. Distribution of malware in the Android platform takes various methods other than this, and the inner code of disguised malicious apps is as shown in Figure 2. Malicious

2013 First International Conference on Artificial Intelligence, Modelling & Simulation

978-1-4799-3251-1/13 $31.00 © 2013 IEEE

DOI 10.1109/AIMS.2013.25

92

2013 First International Conference on Artificial Intelligence, Modelling & Simulation

978-1-4799-3251-1/13 $31.00 © 2013 IEEE

DOI 10.1109/AIMS.2013.25

98

2013 First International Conference on Artificial Intelligence, Modelling & Simulation

978-1-4799-3251-1/13 $31.00 © 2013 IEEE

DOI 10.1109/AIMS.2013.25

98

app that is disguised as an application for translating SMS received in Android-based smart work devices to a certain language can use malwares related to information collection to execute an attack that leaks the personal information such as SMS records to external C&C server.

Fig 2. Malicious Code Disguised as a Normal Application

Another attack that violates personal information of user

is an unauthorized leakage of user's location information. This malicious application executes the attack of leaking user's location information without the user knowing. Other malicious applications cause financial damage by executing online banking attacks while disguising as a normal mobile security application and communicating with C&C server. The attacks on online banking process available with smart work devices can cause damage such as taking user's password while disguising as a normal application as Figure 3.

Fig 3. Unauthorized Access of User's Personal Information by Malicious App

The need to analyze inner system call events that occur

any time in the operation process of each application becomes evident in order to distinguish the normal and malicious app available on Android-based smart work devices. Therefore this paper analyzed the event pattern that occurs in the operation of malicious apps to propose a method to determine whether any given app is malicious.

III. ACTIVATION PATTERN AGGRETATION METHOD In this paper, we collected and analyzed the system call

events from Android based mobile devices appearing on executing application with installed Strace in Android kernel. It collected system call events occurring on executing normal and malicious apps from multiple commercial mobile devices based on Android platform, and it made the malicious applications detectable based on this as Figure 4. It also analyzed similarity with malicious apps by analyzing occurrence, call correlation and sequence of system call events from normal apps running on commercial mobile devices in real-time.

Fig 4. Activation Pattern based Malicious App

Determination Method

In detail, we developed event-monitoring process that enables the user to retrieve activated services and processes running on inside of Android kernel. If Activation Monitoring application is executed, it invokes event-monitoring daemon at kernel and the application is running in background as Figure 5. The background running application transfers event information to DB server in a log format whenever event occurs. DB server is implemented to collect and store the event data that comes from multiple devices. Those events information collected from the mobile device are used to detect any suspected event due to malicious exploits.

Fig 5. Activation Pattern Aggregation and Monitoring

939999

We could measure correlation between normal and malicious apps through checking what kind of system call event functions exist in two groups of apps and how frequently they show up. We also could extract system call events in Android kernel by using Strace while normal and malicious applications are running. Based on these data sets, we compared the patterns of internal event activated from Android mobile device.

Fig 6. Activation Pattern Aggregation Steps

IV. ACTIVATION PATTERN ANALYSIS OF NORMAL MOBILE APPLICATION

We can find several kinds of malicious apps from the game category of Android MalGenome Project. Therefore, the analysis on normal mobile application targeted the mostly downloaded mobile game apps.

Event analysis first targeted 28 mobile game applications that are included in the arcade and casual game category. Event call counts of normal game application in the arcade category can be illustrated as Figure 6 below. The result of analysis on event distribution of 28 normal game applications indicated that eight events of clock_gettime, epoll_wait, futex, getpid, ioctl, mprotect, read and SYS_292 occurred relatively more often than other events. And the similar operational structures between casual game apps and arcade game apps can be found because these games are considered to have some similar activation procedures.

In case of the apps in the brain game and puzzle category, we can indicated that four events of futex, ioctl, gettimeofday and SYS_290 occurred relatively more often than other events. However, distribution of system call events of normal game application in car race and sports game categories, we can see events of clock_gettime, epoll_wait, ioctl, getuid32 and mprotect more frequently than others.

Normal game applications related to previous category-based analysis and permission based-analysis often have their own characteristics, but not all of them did. Therefore, this chapter suggests the characteristics of normal applications through a graph that represents all 28 events of normal game applications. Figure 7 shows the event call count of 28 normal game application, which demonstrates that clock_gettime, clone, close, epoll_wait, futex, getpid,

gettid, gettimeofday, getuid32, ioctl, madvise, mmap2, munmap, read, SYS_292, syscall_983042, write and writev event can occur in normal game applications. Through this, we can assume that mainly about 18 events above occur in normal applications regularly. On the other hand, events including dup, epoll_ctl, fcntl64, fstat64, getdents64, getpriority, open, pread, sigprocmask, stat64, SYS_290, chmod, flock, fsync, lseek, lstat64, nanosleep, poll, prctl, rename, rt_sigreturn, sched_yield, sigaction, SYS_281, SYS_283, unlink, truncate, getcwd, chdir, umask, fchown32 and others can be assumed to occur only in normal game apps or in malicious game apps.

Fig 7. Normal Game App. System Call Event Pattern

V. ACTIVATION PATTERN ANALYSIS OF MALICIOUS MOBILE APPLICATION

A. Classification of Malicious Mobile Application Android MalGenome Project categorizes 1,260 samples

of malicious apps largely by their characteristics to Malware Installation, Activation, Malicious Payloads and Permission Uses[9]. Additionally, we can classify malicious app into Repacking, Update-Attack, Drive-by Download and Standalone [11,12] based on its internal activity pattern.

First, Repacking is a method that repacks an application, in which the malicious developer downloads an application that has been registered by online such as in Android official market, inserts a malware, which has been modified from apk or jar file, and distributes it. Disguising as a normal application, it leaks personal or financial information of users by causing damages often [9,15].

Secondly, Update attack is a method that installs a malicious app when a user downloads an update. It cannot only install an app that the user don't know but also leak private information or lead to billing. Also, update attack has a self-update feature, and can be divided into four main techniques [9].

The third group, Drive-by download, is a form of remote attack that downloads and executes a malware without the user knowing and mainly user-after-free and Heap Spraying method attack cases are found. Drive-by-download has a long patch cycle, so the relevant vulnerability is attacked before the patching, allowing leakage of user's private

94100100

information. This Drive-By-Download attack also, like the update attack, is difficult to detect compared to other malicious apps.

Lastly, Standalone is a type of app that runs by itself without help from any different tool. This Standalone can be divided to four main groups. First group distinguishes itself as spyware apps, and aims to be installed in a victim's smart phone. The second group appears to be normal, but contains false application that execute malicious action such as sending SMS without the user knowing or taking information that certifies the identification or the user. The third group contains application of malicious features such as intentionally sending unauthorized SMS or automatically registering to small additional services. The difference from the second group is that this group does not disguise as normal. Lastly, the fourth group contains applications that rely on route authorization to help it features. However, these applications use a route attack that makes a detour around the internal security sandbox without asking the user [14,16,17].

B. Activity Pattern Analysis of Malicious App Malwares contained in the Update Attack are

AnserverBot, BaseBridge, DroidKungFuUpdate and Plankton, and each contains 187, 122, 1, and 11 APK files respectively. Among the malicious app, BaseBridge and ArtifactDataCable app can change the Wi-Fi option without the user knowing and another application is additionally installed to damage by leaking SMS, personal information, call records or causing billings when the app starts. Malwares included in Drive-by Download are four types of GGTraker, JiFake, Spitmo and Zitmo. This paper analyzed malicious application events targeting the apk file contained in each malware. Among four malwares included in Update Attack, event call counts of 7 malicious applications can be illustrated as Figure 8 below.

Fig 8. Malicious App. Pattern – Update Attack

In case of Update Attack, we can find a pattern that

system call events of fchown32, fdatasync, mkdir, rmdir, statfs64 and umask which were relatively hard to be found in the earlier system call events of normal application. These system call events can be used to create or delete directory or have features of synchronization of data in file disk, obtaining file system information, creation of file mask, therefore these events were used to causing damage on user's device.

Among four malwares included in Drive-by Download, event call counts of 3 malicious applications can be

illustrated as Figure 9 below. In this case, system call events of bind, brk, connect, msgget, recv, recvfrom, select, semget, semop and setsockopt were relatively hard to be found in the earlier system call events of Update Attack. The occurred system call events might be used to change the size of data segments in the process, or return the identification number of message queue and read the data and message from socket. These features allow a supposition that Drive-by-Download leaks user's personal information such as SMS or financial information by executing orders from a certain external server or leads malicious application downloads by leading the user to connect to malicious URL.

Fig 9. Malicious App. Pattern – Drive-by Download

Figure 10 illustrates that system call counts of

clock_gettime, epoll_wait, futex, getpid, getuid32, ioctl, mprotect, read, SYS_292, write, which occurs mainly in normal application, are equally occurring. However, 17 system call events of bind, brk, connect, fchown32, fdatasync, fsync, mkdir, msgget, recv, recvfrom, rmdir, select, semget, semop, setsockopt, statfs64 and umask, which do not occur in normal application, are found in malicious applications. Therefore, any given apps could be suspected as malicious mobile application if the 17 kinds of system call events above have occurred simultaneously in the application.

Fig 10. Malicious App, Total System Call Pattern

As shown in Figure 11, we can find a pattern that the

system call events such as bind, brk, connect, fdatasync, mkdir, msgget, pwrite, recv, recvfrom, rename, rt_sigreturn, semget, semop, setsockopt, socket, statfs64, SYS_224 and SYS_248 were occurred only in malicious application. And 11 system call such as chdir, flock, getcwd, nanosleep, poll, prctl, rt_sigreturn, sigaction, SYS_281 and SYS_283 were occurred only in normal application. And those occurred both in normal and malicious app were 40 including access, chmod and clock_gettime.

95101101

Fig 11. Activity Pattern Comparison between Normal

and Malicious Application

VI. DISTINCTION OF MALICIOUS APP BASED ON ACTIVITY PATTERN

A. Distinction Procedure based on Activity Pattern We can construct a determination method between

normal and malicious application events based on the event analysis on normal and malicious application described previously. When a user downloaded and installed a found app, it is difficult to distinguish whether the app is malicious or not. This paper proposed a distinction method for installed apps based on permission. APK file installed in the mobile device should be analyzed in order to distinguish whether the installed app is malicious or normal by decompressing and obtaining the assembly code. Extracting application permission from AndroidManifest.xml in the decompressed folder and analyzing them based on normal permission group and malicious permission group can distinguish whether the given app is normal or malicious. Algorithm that distinguished malicious app through the similarity of activity pattern aggregated from apps can be illustrated as Figure 12.

Fig 12. System Call Event Categorization Procedure

Installing a found app, obtaining permissions contained in the apps and extracting events using Strace can draw out

similarity with normal event group and malicious event group. We randomly chose 10 apps categorized normal and malicious app. Through which, SimAppNml (Similarity to Normal) and SimAppMal (Similarity to Malicious) were drawn through this and the similarity equation, (k-SimAppNml)*(SimAppMal *k (i=1,2,…,n) provides the final result of distinguishing normal or malicious. Here, S(Similarity) ranges from 0 to 1, and k represents the weighted value.

B. Malicious Application Distinction Frequent normal event group consists of 32 events that

occurred only in the previously addressed normal apps including clock_gettime, epoll_wait, getcwd and poll, and those that occurred more often in normal apps among those that occurred in both normal and malicious apps. On the other hand, malicious event group also consists of 36 events including bind, pwrite, rename and unlink, and those that occur relatively more often in malicious apps among those that occurred in both normal and malicious apps. As the result, the normal and malicious similarity of normal apps and malicious apps based on normal event groups and malicious event groups can be illustrated as a graph in Figure 13 below.

Fig 13. Normal and Malicious Similarity Calculation to Distinct Malicious Attack

SimAppNml, the number of normal app events that

correspond to normal event group, was confirmed to give relatively higher value in normal apps than in malicious apps. The reason is because the normal event group is a group of events that occur both in normal and malicious apps but occur more often in normal apps. On the other hand, SimAppMal, the number of malicious and normal events that correspond to the malicious event group over the number of malicious app events, gave much higher value in the malicious apps that in normal apps because the event group occurred only in malicious apps will be have a malware.

In order to make a more precise distinction on whether the events found in some apps are closer to malicious, we can use similarity equation. We have suggested a malicious app distinction method by assign weighted value k to activated event in the malicious event group to distinguish

96102102

malicious app through the analyzed similarity. Malicious events that correspond more to the malicious event group occurred more than normal app events in Figure 11. Therefore, SimAppMal, to which the weighted value of k is multiplied, gives much larger value than SimAppNml does. As above, malicious app distinction similarity showed a high value for a given malicious application. Therefore this equation could be expected to show the same result when applied to a found app in another mobile environment.

VII. CONCLUSIONS Android-based applications can be developed in an open-

source form due to the openness of Android. Therefore, apps that contain malware and disguise as a normal app can be distributed through Android official market, Internet, black markets and other distribution routes. Common mobile devices based on Android platform as well as Android devices are exposed to attack attempts by malicious apps.

This paper targeted game applications of Google Play Store as normal and 1,260 malicious samples distributed by Android MalGenome Project as abnormal, and proposed an effective method for distinguishing malicious apps in Android-based common mobile device environment based on these events.

First, the forms of recent Android device risks and malicious app attacks have been analyzed. Also, the characteristics of system call events that occur in normal or malicious apps have been compared and analyzed using Strace module, which can collect system call events in Android kernel. Based on the result, this paper used similarity analysis algorithm on events that occurred in normal and malicious apps in Android-based common mobile devices to propose an algorithm that can distinguish malicious apps.

Use of the method proposed in this paper could analyze the characteristics of system call events that occurred when normal apps and malicious apps were in action, which could be applied to a method of distinguishing whether any given app is malicious. Also, the sequence analysis based on system call events extracted from Strace could draw out a system function that occurs both in normal and malicious apps with more frequent occurrence in malicious apps and relatively less frequent occurrence in normal apps. This confirmed the existence of system call function sequence of consistent pattern when an app is running.

Future research can expand the application of the method proposed in this research to more various forms of mobile apps to increase the accuracy of malware distinction on a found app, contributing to a safer user environment for common mobile devices.

ACKNOWLEDGEMENTS This research was funded by the MSIP (Ministry of Science,

ICT & Future Planning), Korea in the ICT R&D Program 2013.

REFERENCES

[1] Google Play Android Market, https://play.google.com/store/apps [2] More than 700,000 malicious Android apps wreak havoc on the web,

http://www.neowin.net/news/more-than-700000-malicious-apps-wreak-havoc-in-the-play-store

[3] Android (operating system), http://en.wikipedia.org/wiki/Android_(operating_system)

[4] Uncovering Android Master Key that Makes 99% of Devices Vulnerable, http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

[5] W. Enck, D. Octeau, P. McDaniel and S. Chaudhuri, “A Study of Android Application Security,” Proceedings of the 20th USENIX Security Symposium, 2011.

[6] Iker Burquera, Urko Zurutuza, Simin Nadjm-Tehrani, “Crowdroid: behavior-based malware detection system for Android,” Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, pp.15-26, 2011

[7] Te-En Wei, Ching-Hao Mao, Albert B. Jeng, Hahn-Ming Lee, Horng-Tzer Wang, Dong-Jie Wu, "Android Malware Detection via a Latent Network Behavior Analysis," IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, 2012

[8] Dong-Jie Wu, Ching-Hao Mao, Te-en Wei, Hahn-Ming Lee, Kuo-Ping Wu, “DroidMat: Android Malware Detection through Manifest and API Calls Tracing,” 2013 7th Asia Joint Conference on Information Security, 2012.

[9] You-Joung Ham, Won-bin Choi, Hyung-Woo Lee, JaeDeok Lim, Jeong Nyeo Kim, “Vulnerability monitoring mechanism in Android based smartphone with correlation analysis on event-driven activities,” 2012 2nd International Conference on Computer Science and Network Technology, pp.371-375, 2012

[10] strace, http://en.wikipedia.org/wiki/Strace [11] Yajin Zhou, Xuxian Jiang, “Dissecting Android Malware:

Characterization and Evolution,” Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012.

[12] Xuxian Jiang, Yajin Zhou, Android Malware, Springer, NY, USA (2013)

[13] M. Nauman, S. Khan and X. Zhang, “Apex: Extending Android Permission Model and Enforcement with User- Defined Runtime Constraints,” Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, 2010

[14] A.PorterFelt, M.Finifter, E.Chin, S.Hanna and D.Wagner, “A Survey of Mobile Malware In The Wild,” Proceedings of the 1st Workshop on Security and Privacy in Smartphones and Mobile Devices, 2011.

[15] W. Zhou, Y. Zhou, X. Jiang and P. Ning, “DroidMOSS: Detecting Repackaged Smartphone Applications in Third- Party Android Marketplaces,” Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy, 2012.

[16] Derek James, Android Game Programming For Dummies, John Wiley & Sons, Inc., Hoboken, New Jersey, USA (2013)

[17] Ziguard Mednieks, Laird Dornin, G. Blake Meike and Masumi Nakamura, Programming Android, O’Reilly, Sebastopol, CA, USA (2012)

[18] AhnLab V3 Mobile 2.0, http://www.ahnlab.co.kr/kr/site/product/productView.do?prodSeq=67

[19] ALYac Android, http://asia.alyac.com/home/android.aspx [20] Kaspersky Internet Security for Android,

http://www.kaspersky.com/android-security [21] BullGuard Smart Mobile Security,

http://www.bullguard.com/products/bullguard-mobile-security.aspx

97103103