Combating Context-Sensitive Mobile Malware

SCHEME: CORE

CALL: 2015

DOMAIN: IS - Information Security and Trust Management

FIRST NAME: Olga

LAST NAME: Gadyatskaya

INDUSTRY PARTNERSHIP / PPP: No

INDUSTRY / PPP PARTNER:

HOST INSTITUTION: University of Luxembourg

KEYWORDS: Mobile security,Mobile malware detection,Context-sensitive malware,Android

START: 2016-04-01

END: 2019-03-31

WEBSITE: https://www.uni.lu

Submitted Abstract

With the proliferation of mobile devices, the security and privacy of smartphones and the data they process have become crucial requirements. Unfortunately, we know that mobile platforms today are insecure. For example, the growth rate of mobile malware samples for the Android platform is exponential. At the same time, the price of admitting a malicious application onto an end-user's platform is often very high, especially if the device is used in a corporate environment and handles highly sensitive information. Malicious mobile applications are known to steal private data handled by smartphones almost by default. Therefore, there is a high demand for anti-virus services tailored to mobile devices that can evaluate whether a third-party application is malicious or not. Security services offered by anti-virus companies often rely on known malware signatures. Such services can miss zero-day malware samples that use new attacks or recently discovered vulnerabilities. This approach is not sufficiently reliable in the context of an application market. Indeed, if Apple or Google distribute zero-day malware, they will face a loss of customers. Thus, on-market security services typically use a combination of static and dynamic security checks that could reveal malicious behaviour in a submitted application. However, recent generations of mobile malware that employ obfuscation and dynamic code updates to thwart the security services pose a big challenge. Such dangerous samples can often be categorised as context-sensitive malware: they change their behaviour depending on the context. If they are able to detect that they are being executed by a security service, they do not exhibit their malicious payload.
If the payload is obfuscated (e.g., encrypted), it can be very challenging to identify malicious code in these samples. Today, security techniques for dealing with this type of malware typically rely on discrepancies between several executions of the same sample: they check whether one of these executions actually shows hints of malicious intent. This approach depends heavily on finding the right input, or context, which is very difficult in general. Generating the right context often requires manual inspection of the code. This is a tedious task that is not suitable for online third-party security services. In our project we will improve the state-of-the-art mechanisms for reliable automatic detection of malicious applications by looking simultaneously at executed and non-executed code paths. The intuition is simple: context-sensitive malware tries to conceal its malicious behaviour, so the most security-critical code will be hidden in the code paths that were not executed by the security service. We will analyse such code paths automatically to detect concealed security issues. The detection approach will leverage a semantic model representing malicious data flows in the non-executed code, together with advanced and scalable hybrid code analysis.
