Analysis and Manipulation of Android Apps and Malware in Real-Time

Salahuddin Khan

Research output: ThesisDoctoral Thesis

289 Downloads (Pure)


The number of apps in the Google Play store (~3 million) necessitates an
automated approach towards analysis for security threats. Such analysis relies
on the ability to fully comprehend, and potentially modify, the actions
being taken by a given app, whether low-level (system call) or high-level
(services such as SMS or Location). Therefore, this thesis seeks to determine
how accurate and scalable methods for the analysis and manipulation of Android apps/malware can be constructed that transcend the significant changes to the Android system through each release.
First, the author describes the potential of utilising a system call only based
approach to reconstructing both low-level and high-level behaviours. A
novel method for automatically reconstructing system call information in
a version-agnostic manner is presented, as is the robust, scalable and extensible
framework that enables real-time reconstruction, analysis and manipulation
of low-level and high-level operations using this approach. While prior work does explore utilising a system call based approach it is a primitive implementation supporting a single version of Android and requiring significant manual effort. While this approach permits automatic system call reconstruction it cannot reconstruct Binder ICC and Android objects.
Next, the author explores a novel approach for reconstructing Binder ICC
and Android objects through static analysis of the Android framework source
code. This approach precisely determines the relationship between Binder
interfaces and Android objects, permitting automatic generation of reconstruction code to correctly and efficiently reconstruct Binder ICC in real-time, integrating the automatically generated code into the framework.
The author demonstrates the efficacy of this design by building an information
leakage detection plug-in that uses differential analysis to detect leakage of sensitive information. This plug-in is further extended to test anti-evasion techniques.
Finally, the author discusses utilising the approach in other ways, including
automatically constructing Berkeley Packet Filter support for on-device
Original languageEnglish
Awarding Institution
  • Royal Holloway, University of London
  • Cavallaro, Lorenzo, Supervisor
  • Cid, Carlos, Advisor
Award date1 Jun 2019
Publication statusUnpublished - 2019


  • Android
  • Malware
  • Binder
  • CopperDroid
  • Information Leakage Detection
  • Anti-Evasion

Cite this