An Android Malicious Code Detection Mechanism Based on Native Layer

doi:10.3969/j.issn.1006-2475.2019.05.001

Abstract

Abstract: Android’s existing malicious code detection mechanism is mainly for the bytecode layer codes. This means that malicious code embedded in Native layer can’t be detected. The latest research shows that 86% of popular Android APPs contain Native layer code. In order to solve this problem, this paper proposes an Android malicious code detection mechanism based on Native layer, which converts smali code and so file into assembly code, generates control flow graph then optimizes it. Through comparing with malware library by subgraph isomorphism method, the similarity values are calculated and compared with the given thresholds to determine whether the software under test contains malicious code. The experimental results show that compared with the others the method can detect malicious code of Native layer and has higher accuracy and detection rate.

Key words: Android, malware detection, control flow graph, subgraph isomorphism

CLC Number:

TP302.7

SUN Bing-lin, ZHUANG Yi. An Android Malicious Code Detection Mechanism Based on Native Layer[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2019.05.001.

References

［1］ 360互联网安全中心,360烽火实验室. 2017年Android恶意软件年度专题报告［EB/OL］. （2018-03-02）［2018-08-21］. http://zt.360.cn/1101061855.php?dtid=11010-61451&did=491056914.
［2］杨欢,张玉清,胡予濮,等. 基于多类特征的Android应用恶意行为检测系统［J］. 计算机学报, 2014,37(1):15-27.
［3］ AFONSO V, BIANCHI A, FRATANTONIO Y, et al. Going Native: Using a large-scale analysis of Android Apps to create a practical Native-code sandboxing policy［C］// Symposium on Network and Distributed System Security. 2016:1-15.
［4］ SUN X, ZHONGYANG Y, XIN Z, et al. Detecting code reuse in Android applications using component-based control flow graph［C］//IFIP International Information Security Conference. 2014:142-155.
［5］ ZHAO Z, WANG J, BAI J. Malware detection method based on the control-flow construct feature of software［J］. IET Information Security, 2014,8(1):18-24.
［6］ SARACINO A, SGANDURRA D, DINI G, et al. Madam: Effective and efficient behavior-based Android malware detection and prevention［J］. IEEE Transactions on Dependable and Secure Computing, 2018,15(1):83-97.
［7］〖KG-*2〗LI J, SUN L, YAN Q, et al. Signicant permission identication for machine learning based Android malware detection［J］. IEEE Transactions on Industrial Informatics, 2018,14(7):3216-3225.
［8］ QIAO M, SUNG A H, LIU Q. Merging permission and API features for Android malware detection［C］// 2016 IEEE the 5th IIAI International Congress on Advanced Applied Informatics. 2016:566-571.
［9］ NARAYANAN A, CHANDRAMOHAN M, CHEN L, et al. A multi-view context-aware approach to Android malware detection and malicious code localization［J］. Empirical Software Engineering, 2018,23(3):1222-1274.
［10］FEIZOLLAH A, ANUAR N B, SALLEH R, et al. Androdialysis: Analysis of Android intent effectiveness in malware detection［J］. Computers & Security, 2017,65:121-134.
［11］XU K, LI Y, DENG R H. ICCDetector: ICC-based malware detection on Android［J］. IEEE Transactions on Information Forensics and Security, 2016,11(6):1252-1264.
［12］ENCK W, ONGTANG M, MCDANIEL P. On lightweight mobile phone application certification［C］// Proceedings of the 16th ACM Conference on Computer and Communications Security. 2009:235-245.
［13］XIAO X, WANG Z, LI Q, et al. ANNs on co-occurrence matrices for mobile malware detection［J］. The KSII Transactions on Internet and Information Systems, 2015,9(7):2736-2754.
［14］SANTOS I, BREZO F, UGARTE-PEDRERO X, et al. Opcode sequences as representation of executables for data-mining-based unknown malware detection［J］. Information Sciences, 2013,231:64-82.
［15］DIMJAEVI〖XCC.TIF,JZ〗 M, ATZENI S, UGRINA I, et al. Evaluation of Android malware detection based on system calls［C］// Proceedings of 2016 ACM on International Workshop on Security and Privacy Analytics. 2016:1-8.
［16］SHABTAI A, KANONOV U, ELOVICI Y, et al. “Andromaly”: A behavioral malware detection framework for Android devices［J］. Journal of Intelligent Information Systems, 2012,38(1):161-190.
［17］王志强,张玉清,刘奇旭,等. 一种Android恶意行为检测算法［J］. 西安电子科技大学学报(自然科学版), 2015,42(3):8-14.
［18］ZOU S, ZHANG J, LIN X. An effective behavior-based Android malware detection system［J］. Security & Communication Networks, 2015,8(12):2079-2089.
［19］FEIZOLLAH A, ANUAR N B, SALLEH R, et al. Comparative evaluation of ensemble learning and supervised learning in Android malwares using network-based analysis［C］// Advanced Computer and Communication Engineering Technology. 2015:1025-1035.
［20］ALAM S, QU Z, RILEY R, et al. Droidnative: Semantic-based detection of Android Native code malware［J］. Computer Science, 2016, arXiv:1602.04693.
［21］CORDELLA L P, FOGGIA P, SANSONE C, et al. A (sub) graph isomorphism algorithm for matching large graphs［J］. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2004,26(10):1367-1372.
［22］Argus Cyber Security Lab. Android Malware Dataset［EB/OL］. ［2018-11-01］. http://amd.arguslab.org.
［23］VirusTotal Website. VirusTotal［DB/OL］. ［2018-11-01］. https://www.virustotal.com/#/home/upload.
［24］Desnos A. Androguard: Reverse Engineering, Malware and Goodware Analysis of Android Applications［EB/OL］. ［2018-11-01］. https://github.com/androguard/androguar.

[1]	FENG Dong, CHEN Xiao. Validity Check of Instructions and Actions of POF Entries [J]. Computer and Modernization, 2020, 0(10): 23-30.
[2]	JIANG Na1, ZHANG Lei2. Oximeter Client Software Based on Android [J]. Computer and Modernization, 2014, 0(4): 130-132.