Analysis and Manipulation of Android Apps and Malware in Real-Time. / Khan, Salahuddin.

2019. 205 p.

Research output: Thesis › Doctoral Thesis

Unpublished

Harvard

Khan, S 2019, 'Analysis and Manipulation of Android Apps and Malware in Real-Time', Ph.D., Royal Holloway, University of London.

BibTeX

@phdthesis{d2dd89c3678a4363a6e28ddf75c86e75,
title = "Analysis and Manipulation of Android Apps and Malware in Real-Time",
abstract = "The number of apps in the Google Play store (~3 million) necessitates an automated approach towards analysis for security threats. Such analysis relies on the ability to fully comprehend, and potentially modify, the actions being taken by a given app, whether low-level (system call) or high-level (services such as SMS or Location). Therefore, this thesis seeks to determine how accurate and scalable methods for the analysis and manipulation of Android apps/malware can be constructed that transcend the significant changes to the Android system through each release. First, the author describes the potential of utilising a system-call-only approach to reconstructing both low-level and high-level behaviours. A novel method for automatically reconstructing system call information in a version-agnostic manner is presented, as is the robust, scalable and extensible framework that enables real-time reconstruction, analysis and manipulation of low-level and high-level operations using this approach. While prior work does explore utilising a system call based approach, it is a primitive implementation supporting a single version of Android and requiring significant manual effort. While this approach permits automatic system call reconstruction, it cannot reconstruct Binder ICC and Android objects. Next, the author explores a novel approach for reconstructing Binder ICC and Android objects through static analysis of the Android framework source code. This approach precisely determines the relationship between Binder interfaces and Android objects, permitting automatic generation of reconstruction code to correctly and efficiently reconstruct Binder ICC in real-time, integrating the automatically generated code into the framework. The author demonstrates the efficacy of this design by building an information leakage detection plug-in that uses differential analysis to detect leakage of sensitive information. This plug-in is further extended to test anti-evasion techniques. Finally, the author discusses utilising the approach in other ways, including automatically constructing Berkeley Packet Filter support for on-device analysis.",
keywords = "Android, Malware, Binder, CopperDroid, Information Leakage Detection, Anti-Evasion",
author = "Salahuddin Khan",
year = "2019",
language = "English",
school = "Royal Holloway, University of London",

}

RIS

TY - THES

T1 - Analysis and Manipulation of Android Apps and Malware in Real-Time

AU - Khan, Salahuddin

PY - 2019

Y1 - 2019

AB - The number of apps in the Google Play store (~3 million) necessitates an automated approach towards analysis for security threats. Such analysis relies on the ability to fully comprehend, and potentially modify, the actions being taken by a given app, whether low-level (system call) or high-level (services such as SMS or Location). Therefore, this thesis seeks to determine how accurate and scalable methods for the analysis and manipulation of Android apps/malware can be constructed that transcend the significant changes to the Android system through each release. First, the author describes the potential of utilising a system-call-only approach to reconstructing both low-level and high-level behaviours. A novel method for automatically reconstructing system call information in a version-agnostic manner is presented, as is the robust, scalable and extensible framework that enables real-time reconstruction, analysis and manipulation of low-level and high-level operations using this approach. While prior work does explore utilising a system call based approach, it is a primitive implementation supporting a single version of Android and requiring significant manual effort. While this approach permits automatic system call reconstruction, it cannot reconstruct Binder ICC and Android objects. Next, the author explores a novel approach for reconstructing Binder ICC and Android objects through static analysis of the Android framework source code. This approach precisely determines the relationship between Binder interfaces and Android objects, permitting automatic generation of reconstruction code to correctly and efficiently reconstruct Binder ICC in real-time, integrating the automatically generated code into the framework. The author demonstrates the efficacy of this design by building an information leakage detection plug-in that uses differential analysis to detect leakage of sensitive information. This plug-in is further extended to test anti-evasion techniques. Finally, the author discusses utilising the approach in other ways, including automatically constructing Berkeley Packet Filter support for on-device analysis.

KW - Android

KW - Malware

KW - Binder

KW - CopperDroid

KW - Information Leakage Detection

KW - Anti-Evasion

M3 - Doctoral Thesis

ER -
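The abstract's information leakage plug-in is described as using differential analysis. The block below is an added illustration of that technique in general, not code from the thesis or its framework, and makes no claim about how the plug-in itself is built. The app under test, its hosts, field names and the sensitive values are all constructed for the example; the per-run nonce is passed in explicitly only so the run is deterministic.

```python
"""Differential analysis for information-leakage detection (added example).

The same app is run under a baseline environment and under environments
that differ in exactly one sensitive value.  Any observed output field that
changes only when that value changes is flagged as a leak of it, however
the value was transformed on the way out (clear text, hash, truncation).
"""
import hashlib
from typing import Callable, Dict, List, Set, Tuple

Op = Tuple[str, str, str]               # (operation, destination, payload)
Field = Tuple[str, str, str]            # (operation, destination, field name)
Observations = Dict[Field, str]         # field -> value seen in one run


def app_under_test(env: Dict[str, str], nonce: str) -> List[Op]:
    """Constructed stand-in for an instrumented app (hypothetical behaviour).

    Returns the high-level operations a reconstruction framework would
    report.  The nonce models per-run randomness an analyst cannot control.
    """
    imei, location = env["imei"], env["location"]
    digest = hashlib.sha256(imei.encode()).hexdigest()
    return [
        ("http_post", "ads.example.test", f"id={imei}&n={nonce}"),      # clear-text IMEI + nonce
        ("http_post", "track.example.test", f"h={digest}"),             # hashed IMEI
        ("http_post", "weather.example.test", f"city={location.split(',')[0]}"),  # coarse location
        ("http_get", "time.example.test", ""),                          # nothing sensitive
    ]


def to_fields(ops: List[Op]) -> Observations:
    """Flatten key=value payloads so comparison is per field, not per message."""
    out: Observations = {}
    for op, dest, payload in ops:
        if not payload:
            out[(op, dest, "")] = ""
            continue
        for pair in payload.split("&"):
            key, _, value = pair.partition("=")
            out[(op, dest, key)] = value
    return out


def changed(a: Observations, b: Observations) -> Set[Field]:
    """Fields whose value differs between two runs (missing counts as differing)."""
    return {f for f in set(a) | set(b) if a.get(f) != b.get(f)}


def detect_leaks(app: Callable[[Dict[str, str], str], List[Op]],
                 baseline: Dict[str, str],
                 mutations: Dict[str, str]) -> Dict[str, Set[Field]]:
    """Map each sensitive source to the output fields that depend on it.

    Two baseline runs identify fields that vary on their own (nonces,
    timestamps); those are discounted so they are not mistaken for leaks.
    """
    base = to_fields(app(baseline, "run-0"))
    noise = changed(base, to_fields(app(baseline, "run-1")))
    leaks: Dict[str, Set[Field]] = {}
    for source, alt_value in mutations.items():
        mutated_env = dict(baseline, **{source: alt_value})   # change one source only
        mutated = to_fields(app(mutated_env, "run-2"))
        leaks[source] = changed(base, mutated) - noise
    return leaks


# Constructed sample inputs: baseline values and a single substitute per source.
BASELINE = {"imei": "357012345678901", "location": "London,UK"}
MUTATIONS = {"imei": "357099999999999", "location": "Paris,FR"}

if __name__ == "__main__":
    for source, fields in detect_leaks(app_under_test, BASELINE, MUTATIONS).items():
        for op, dest, key in sorted(fields):
            print(f"{source} leaks via {op} to {dest} in field {key!r}")
```

The hashed IMEI is caught because the comparison is behavioural rather than content-based: the analyst never needs to recognise the encoding. The caveat a practitioner should keep in mind is coverage: a leak that happens only on a code path the run did not exercise, or that is aggregated in a way the mutation does not perturb, produces no difference and is not reported.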