GroddDroid: a Gorilla for Triggering Malicious Behaviors

Abstract: Android malware authors use sophisticated techniques to hide the malicious intent of their applications. They use cryptography or obfuscation to avoid detection during static analysis, and they can also evade dynamic analysis: frequently, the malicious execution is postponed as long as the malware is not convinced that it is running on a real smartphone belonging to a real user. However, we believe that dynamic analysis methods give good results when they actually monitor the malware's execution. In this article, we propose a method to enhance the execution of the malicious code of unknown malware. We especially target malware with triggering protections, for example branching conditions that wait for an event or expect a specific value of a variable before triggering the malicious execution. In these cases, merely executing the malware is far from sufficient. We propose to force the triggering of the malicious code by combining two contributions. First, we define an algorithm that automatically identifies potentially malicious code. Second, we propose an enhanced monkey, called GroddDroid, that stimulates the GUI of an application and forces the execution of some branching conditions when needed. GroddDroid uses this forcing to push the execution flow towards the previously identified malicious parts of the malware and execute them. The source code for our experiments with GroddDroid is released as free software. We have verified, on a malware dataset that we investigated manually, that GroddDroid accurately executes the malicious code. Additionally, on a large dataset of 100 malware samples, we precisely identify the nature of the suspicious code and succeed in executing it in 28% of cases.
Document type:
Conference paper
10th International Conference on Malicious and Unwanted Software, Oct 2015, Fajardo, Puerto Rico. IEEE Computer Society, pp.119-127, 2015, 〈10.1109/MALWARE.2015.7413692〉

Cited literature: 24 references

https://hal.inria.fr/hal-01201743
Contributor: Jean-François Lalande
Submitted on: Tuesday 8 March 2016 - 16:17:43
Last modified on: Friday 15 June 2018 - 16:18:01
Document(s) archived on: Sunday 13 November 2016 - 10:45:44

Files

malcon15-hal.pdf
Files produced by the author(s)

Identifiers

Citation

Adrien Abraham, Radoniaina Andriatsimandefitra, Adrien Brunelat, Jean-François Lalande, Valérie Viet Triem Tong. GroddDroid: a Gorilla for Triggering Malicious Behaviors. 10th International Conference on Malicious and Unwanted Software, Oct 2015, Fajardo, Puerto Rico. IEEE Computer Society, pp.119-127, 2015, 〈10.1109/MALWARE.2015.7413692〉. 〈hal-01201743v2〉


Metrics

Record views: 920

File downloads: 597