Michael Grace, Yajin Zhou, Qiang Zhang, Shihong Zou, Xuxian Jiang
Smartphone sales have recently experienced explosive growth.
Their popularity also encourages malware authors to penetrate
various mobile marketplaces with malicious applications (or apps).
These malicious apps hide in the sheer number of other normal
apps, which makes their detection challenging. Existing mobile
anti-virus software is inadequate because of its reactive nature: it
relies on known malware samples for signature extraction.
In this paper, we propose a proactive scheme to spot zero-day
Android malware. Without relying on malware samples and their
signatures, our scheme is motivated to assess potential security
risks posed by these untrusted apps. Specifically, we have developed
an automated system called RiskRanker to scalably analyze whether
a particular app exhibits dangerous behavior (e.g., launching a root
exploit or sending background SMS messages). The output is then
used to produce a reduced, prioritized list of apps that merit further
investigation. When applied to examine 118,318 total apps collected
from various Android markets over September and October 2011,
our system takes less than four days to process all of them and
effectively reports 3281 risky apps. Among these reported apps,
we successfully uncovered 718 malware samples (in 29 families)
and 322 of them are zero-day (in 11 families). These results
demonstrate the efficacy and scalability of RiskRanker to police
Android markets of all stripes.
Public Review uploaded by lzhong:
This public review was prepared by Patrick McDaniel.
This paper presents a malware detection system that scans Android markets for malicious applications. The first detection stage tries to find apps with native code that invoke known root exploits or that send premium SMS messages without previous user input. The second stage deals with obfuscated apps and tries to detect malicious apps that are encrypted or that load additional code. The system manages to find several zero-day malware apps in various Android markets.
The paper identifies a number of interesting behaviors in applications and the PC deeply appreciated the sophistication of the techniques. The case studies represented by a number of the applications were compelling and results meaningful. The PC reached consensus quickly that the paper should be accepted into the program.
The PC felt that the techniques employed in this paper were somewhat incremental. In response to comments, the authors have revised the final version of the paper to better highlight the methodological contributions. The PC also had concerns that the techniques could easily be circumvented by an adversary who knew they were being used. This led several of the PC members to comment that the value of the technical approach in this paper may be increasingly limited over time.
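As an added illustration of the two-stage triage described in the abstract and the review above (first-order checks for root exploits in native code and background SMS, second-order checks for encrypted, dynamically loaded code, then a reduced prioritized list), here is a constructed Python sketch. It is not the RiskRanker code; the feature fields, the exploit marker strings and the sample app profiles are all assumptions made for the example.

```python
"""Two-stage risk triage in the spirit of RiskRanker (constructed example, not the paper's code)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AppProfile:
    """Static features extracted from one app (every value here is constructed for the example)."""
    name: str
    native_strings: List[str] = field(default_factory=list)  # strings seen in bundled native libs
    sends_sms: bool = False               # calls an SMS-sending API somewhere in the app
    sms_reachable_from_ui: bool = False   # that call is reachable from a user-interaction handler
    has_encrypted_payload: bool = False   # carries an encrypted asset decrypted at runtime
    loads_dynamic_code: bool = False      # loads code that is not in the main package


# Placeholder markers standing in for signatures of known root exploits (constructed, not real names).
KNOWN_EXPLOIT_MARKERS = {"EXPLOIT_MARKER_A", "EXPLOIT_MARKER_B"}


def first_order_risks(app: AppProfile) -> List[Tuple[str, int]]:
    """Stage 1: high-confidence findings that need no malware sample to justify."""
    risks = []
    if any(s in KNOWN_EXPLOIT_MARKERS for s in app.native_strings):
        risks.append(("native code matches a known root exploit", 3))
    if app.sends_sms and not app.sms_reachable_from_ui:
        risks.append(("sends SMS with no user-interaction path", 2))
    return risks


def second_order_risks(app: AppProfile) -> List[Tuple[str, int]]:
    """Stage 2: obfuscated apps whose real behaviour is hidden until runtime."""
    if app.has_encrypted_payload and app.loads_dynamic_code:
        return [("decrypts and loads additional code at runtime", 1)]
    return []


def rank_apps(apps: List[AppProfile]) -> List[Tuple[str, int, List[str]]]:
    """Return only apps with at least one finding, highest risk score first (the reduced list)."""
    ranked = []
    for app in apps:
        findings = first_order_risks(app) + second_order_risks(app)
        if findings:
            ranked.append((app.name, sum(w for _, w in findings), [r for r, _ in findings]))
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


# Constructed sample market snapshot: five apps, of which only three should surface.
SAMPLE_APPS = [
    AppProfile("notepad", sends_sms=True, sms_reachable_from_ui=True),   # SMS sent from a UI action
    AppProfile("wallpaper", native_strings=["libjpeg", "EXPLOIT_MARKER_A"],
               has_encrypted_payload=True, loads_dynamic_code=True),
    AppProfile("game", sends_sms=True),                                  # background SMS
    AppProfile("reader", has_encrypted_payload=True, loads_dynamic_code=True),
    AppProfile("flashlight"),
]

if __name__ == "__main__":
    for name, score, reasons in rank_apps(SAMPLE_APPS):
        print(f"{score}  {name}: {'; '.join(reasons)}")
```

The "notepad" profile shows the point of the user-interaction check: an SMS API call alone is not a finding, only one with no path from user input.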