Highlighting Easily How Malicious Applications Corrupt Android Devices

Radoniaina Andriatsimandefitra (1), Valérie Viet Triem Tong (1)
(1) CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
IRISA-D1 - SYSTÈMES LARGE ÉCHELLE, Inria Rennes – Bretagne Atlantique, CentraleSupélec
Abstract: We propose an approach based on information flows to highlight how a malicious application corrupts an Android device. Basic attacks carried out by malicious applications often consist in leaking sensitive data to remote entities. Different works have therefore focused on approaches to detect such attacks by analysing function calls or the access to and use of sensitive data (e.g. [1,2]). However, there exists another class of attack that threatens the integrity of the system itself or of the data it contains (e.g. modification of the content of sensitive files or installation of a new application). Such attacks tend to be overlooked, and we propose here an approach to easily detect and highlight them.

To highlight these attacks, we first monitor how information from an application under analysis is disseminated in the whole system thanks to an information flow monitor named Blare [3]. Blare monitors information flows between system objects (processes, files and sockets) at system level and logs the observed flows. From the log, we build a System Flow Graph (SFG) [4] that describes the observed flows in a compact format. We then filter the edges of the SFG to keep only odd flows. As Android applications are all built in the same way, they have common behaviours, which means that some of the information flows they cause are the same (e.g. information flows with the system server process). By removing from the SFG the edges that describe information flows also present in the SFGs of benign applications, we therefore obtain the suspicious flows that can characterize an attack. We test our approach on 4 pieces of malware publicly known for corrupting Android devices and show that the remaining edges of their SFGs describe the attack they are carrying out.
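The following is an added illustration of the SFG filtering step described in the abstract; it is not code from the authors or from Blare. It assumes a made-up log line layout ("src_type:src_name -> dst_type:dst_name"), constructed sample logs for one analysed application and two benign ones, and a normalisation step (the application's own process and data names are replaced by a placeholder so that edges of different applications become comparable), all of which are assumptions for the example rather than details taken from the paper.

```python
from collections import Counter

# Constructed sample logs. The line layout "src -> dst" is an assumption made for this
# example; Blare's real log format is not reproduced here.
ANALYZED_APP = "app_under_analysis"
ANALYZED_APP_LOG = [
    "process:app_under_analysis -> process:system_server",
    "process:system_server -> process:app_under_analysis",
    "process:app_under_analysis -> file:/data/data/app_under_analysis/cache",
    "process:app_under_analysis -> socket:remote_host:443",
    "process:app_under_analysis -> file:/system/etc/hosts",             # constructed: system file modified
    "process:app_under_analysis -> file:/data/app/dropped_payload.apk",  # constructed: new package written
    "process:app_under_analysis -> process:system_server",
]

# Constructed logs of benign applications, used to learn the "common" edges.
BENIGN_APP_LOGS = {
    "benign_app_1": [
        "process:benign_app_1 -> process:system_server",
        "process:system_server -> process:benign_app_1",
        "process:benign_app_1 -> file:/data/data/benign_app_1/cache",
        "process:benign_app_1 -> socket:remote_host:443",
    ],
    "benign_app_2": [
        "process:benign_app_2 -> process:system_server",
        "process:system_server -> process:benign_app_2",
        "process:benign_app_2 -> file:/data/data/benign_app_2/cache",
    ],
}


def parse_flow(line, app):
    """Parse one log line into a (src, dst) edge.

    The application's own name is replaced by the placeholder "APP" (an assumed
    normalisation) so that the same behaviour in two applications yields the same edge.
    """
    src, arrow, dst = line.partition(" -> ")
    if arrow != " -> ":
        raise ValueError(f"unparseable log line: {line!r}")
    return (src.strip().replace(app, "APP"), dst.strip().replace(app, "APP"))


def build_sfg(log_lines, app):
    """System Flow Graph in compact form: a Counter mapping each edge to the
    number of times the flow was observed in the log."""
    return Counter(parse_flow(line, app) for line in log_lines)


def suspicious_edges(sfg, benign_sfgs):
    """Edges of `sfg` that appear in none of the benign SFGs, sorted for stable output."""
    common = set().union(*(set(b) for b in benign_sfgs))
    return sorted(edge for edge in sfg if edge not in common)


if __name__ == "__main__":
    analysed = build_sfg(ANALYZED_APP_LOG, ANALYZED_APP)
    benign = [build_sfg(lines, app) for app, lines in BENIGN_APP_LOGS.items()]
    for src, dst in suspicious_edges(analysed, benign):
        print(f"suspicious flow: {src} -> {dst} (seen {analysed[(src, dst)]}x)")
```

On the constructed logs, the flows to and from the system server, the application's own cache and the network socket are shared with the benign applications and are removed; the two remaining edges (a write to a system file and the creation of a new package) are the ones a defender would want highlighted.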
Document type:
Poster
Research in Attacks, Intrusions, and Defenses, Sep 2014, Gothenburg, Sweden. Research in Attacks, Intrusions, and Defenses, 2014

https://hal.inria.fr/hal-01083376
Contributor: Radoniaina Andriatsimandefitra
Submitted on: Monday 17 November 2014 - 11:16:46
Last modified on: Friday 15 June 2018 - 16:18:06

Identifiers

  • HAL Id: hal-01083376, version 1

Citation

Radoniaina Andriatsimandefitra, Valérie Viet Triem Tong. Highlighting Easily How Malicious Applications Corrupt Android Devices. Research in Attacks, Intrusions, and Defenses, Sep 2014, Gothenburg, Sweden. Research in Attacks, Intrusions, and Defenses, 2014. 〈hal-01083376〉


Metrics

Record views

656