2015 17th UKSIM-AMSS International Conference on Modelling and Simulation
Android Mobile Malware Surveillance Exploitation Via Call Logs: Proof of Concept
Madihah Mohd Saudi, Farida Ridzuan, Nurlida Basir, N.F. Nabila, Sakinah Ali Pitchay, Intan Nurfarahin Ahmad
Faculty of Science and Technology (FST), Universiti Sains Islam Malaysia (USIM), Bandar Baru Nilai, Nilai, Malaysia
{madihah,farida,nurlida,fatin,sakinah.ali}@usim.edu.my,
[email protected]
Abstract—The invention of the smartphone has made life easier, as it provides important functions used in users' daily lives. While different operating system (OS) platforms were built for smartphones, Android has become one of the most popular choices. Nonetheless, it is also the most targeted platform for mobile malware attacks, causing financial loss to the victims. Therefore, in this research, the exploitation of system calls on the Android OS platform by mobile malware that could lead to financial loss was examined. The experiment was conducted in a controlled lab environment using open source tools, by implementing dynamic analysis on 1260 datasets from the Android Malware Genome Project. Based on the experiment conducted, a new system call classification to exploit call logs for mobile attacks has been developed using the Covering Algorithm. This new system call classification can be used as a reference by other researchers in the same field to secure against mobile malware attacks that exploit call logs. In the future, this new system call classification could be used as a basis to develop a new model to detect mobile attack exploitation via call logs.

Keywords- system calls, similarity analysis, exploitation of call logs using system calls, covering algorithm, data transformation, and system call classification.

I. INTRODUCTION

The popularity of mobile devices has been constantly increasing, as they are used not only to make calls or send messages, but also for web browsing, social networking, installing and downloading applications and online banking transactions. In addition, some users keep confidential information such as bank account numbers, usernames and passwords for online banking, credit card numbers and private pictures on their mobile devices [1]. Thus, the smartphone has become the main target for attackers to steal confidential information and to gain profit. The majority of the mobile threats reported in 2013 were motivated by profit. Figure 1 shows the mobile threats motivated by profit from the year 2000 until 2013. It is clear that the trend of mobile malware attacks for profit has increased tremendously, as the number of profit-based cases recorded in 2013 was 3 times higher than in 2012. Malware threats on mobile devices appear in various forms, such as viruses, Trojans, worms and mobile botnets [2]. As the most popular mobile platform, Android continues to be the most targeted mobile operating system. According to F-Secure, 97% of the 804 new threat families or variants target the Android platform and the other 3% target Symbian [3]. Each year, Android malware goes through great innovation to avoid detection; thus research on finding the best way to detect current Android mobile malware attacks is essential to tackle this problem.

978-1-4799-8713-9/15 $31.00 © 2015 IEEE DOI 10.1109/UKSim.2015.89
Figure 1. Motivation for mobile threat from Year 2000 until 2013
Android is a mobile platform that was created by Google and the Open Handset Alliance. It is an operating system based on a Linux kernel and programmed in the Java language [4]. The Android architecture is made up of different components and layers, consisting of applications, libraries, the Android runtime and the Linux kernel [5]. The objectives of this research paper are to examine how mobile malware uses system calls to make profit and to produce a system call classification for the exploitation of call logs. This paper is organized as follows. Section 2 presents related work on mobile malware detection techniques. Section 3 describes the methodology used in this research. Section 4 presents the results of the experiment carried out in this research. Section 5 includes the summary and potential future work of this research paper.
II. RELATED WORKS

Mobile malware is defined as malicious code or a program, in the form of a Trojan, virus, worm, botnet or spyware, created by an attacker for malicious purposes that infects and targets smartphones. Once executed, it could harm the device and perform malicious activities such as stealing personal information and gaining profit. Some common threats need user participation or specific techniques; the techniques that let mobile malware infiltrate and spread are repackaging, update attacks and drive-by downloads, as highlighted in [6] and [7]. In recent years, many studies have been carried out to detect mobile malware. Several studies have been conducted with different features extracted for mobile malware detection, as listed in Table I. The strengths and weaknesses of these works are listed in the table.

TABLE I. SUMMARY OF RELATED WORKS

Title | Features used | Strength | Weakness
An Android Application Sandbox System For Suspicious Software Detection [8] | System calls, library calls | Measurements are very diverse, delivering a very high entropy dataset | Yet to be found, only done as POC
DroidMat: Android Malware Detection through Manifest and API Calls Tracing [9] | Tracing through API calls and manifest file | Good detection for malicious and suspicious applications | Limited malware detection. Unable to detect DroidKungFu and BridgeBase very well.
Kernel-based Behavior Analysis for Android Malware Detection [10] | Filters events and system calls | Effectively detects malicious actions and unknown applications | Limited to applications that show information signature leakage only
Crowdroid [11] | Android system calls | Good detection, as genuine apps issue a different type and number of system calls compared to malicious apps | False positives more likely to occur if the app makes use of fewer system calls
Detection of Malicious Android Mobile Based on Aggregated System Call Events [12] | System calls | Improved version of Crowdroid, better malware detection | The existing weakness in Crowdroid is not addressed, no improvement on similar issues.

III. METHODOLOGY

In order to examine how mobile malware uses system calls to make profit and to produce a system call classification for the exploitation of call logs, this research follows the framework illustrated in Figure 2 for the data collection and analysis process. Two types of dataset, a training dataset and a testing dataset, were used in this research. The training dataset was downloaded from the Android Malware Genome Project by [6]. This dataset contains different types of mobile malware including Trojans, worms, botnets and viruses. It consists of the Android malware found from August 2010 to October 2011, categorized into 49 different families. On the other hand, the testing dataset was downloaded from the Google Apps Store website. The testing dataset is used to test the accuracy of the results produced by this research. A total of 10 anonymous samples were downloaded from the most popular applications used amongst Android users.

Figure 2. Data collection and data analysis framework.

A controlled laboratory environment was then developed, as illustrated in Figure 3, to conduct the research. Almost 80% of the software used in this testing was open source or available free of charge.

Figure 3. Controlled Laboratory Architecture.
System call data for both datasets were collected using dynamic analysis. System calls can only be generated through user interaction with the application. The behaviour of the applications was then monitored through system calls. Figure 4 shows an example of system calls captured from a running application. The process of analysis involved the following steps:
• Start the Android Virtual Device from the SDK.
• Install the binaries (adb install xxx.apk).
• Emulate the device (adb shell) by using Android Debug Bridge (ADB).
• Identify and retrieve the parent process of the Android application (ps).
• Entry point to trace the running application's system calls (strace –p id –c).
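The capture steps above, scripted against the Android SDK tools as an added example (not code from the paper). It assumes the AVD of step 1 is already running with a strace binary available on it; the package name com.example.sampleapp, the APK path and the `ps` listing are constructed.

```python
"""Added example (not from the paper): drives capture steps 2-5 of the methodology
through the Android SDK tools with subprocess, on an AVD that step 1 already started.
Package name, APK path and the `ps` listing below are constructed, not from the paper."""
import subprocess

# Constructed `adb shell ps` output in the toolbox format of that Android generation:
# USER PID PPID VSIZE RSS WCHAN PC STATE NAME, where an app's process is named after its package.
SAMPLE_PS = """USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     640    496   c00bd520 00019fb8 S /init
u0_a58    1422  117   514204 38172 ffffffff b6f0e3a4 S com.example.sampleapp
u0_a12    1301  117   498888 31212 ffffffff b6f0e3a4 S com.android.launcher
"""

def pid_for_package(ps_text, package):
    """Step 4: locate the app's parent process in `ps` output (PID is the second
    column, the process name the last). Returns None when the app is not running."""
    for line in ps_text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[-1] == package:
            return int(fields[1])
    return None

def adb_run(argv):
    """Real runner: execute argv and return everything it printed. Both streams are
    kept because `strace -c` writes its summary to stderr when the trace ends."""
    done = subprocess.run(argv, check=True, capture_output=True, text=True)
    return done.stdout + done.stderr

def capture_syscalls(apk_path, package, run=adb_run):
    """Steps 2-5 in the paper's order. `run(argv)` returns command output; inject a
    fake runner (see dry_runner) to rehearse the flow without adb or an emulator."""
    run(["adb", "install", apk_path])                            # step 2: install the binary
    pid = pid_for_package(run(["adb", "shell", "ps"]), package)  # steps 3-4: shell in, find parent process
    if pid is None:
        raise RuntimeError(f"{package} is not running; launch it in the AVD and interact with it first")
    # step 5: attach strace to the app; -c tallies calls per syscall once the trace ends
    return run(["adb", "shell", "strace", "-p", str(pid), "-c"])

def dry_runner(canned):
    """Offline runner: records every argv and replays canned output keyed by the
    adb subcommand, or by the remote command when the subcommand is `shell`."""
    log = []
    def run(argv):
        log.append(argv)
        return canned.get(argv[2] if argv[1] == "shell" else argv[1], "")
    run.log = log
    return run
```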
Two methods, percentage of occurrence and the covering algorithm, were applied to verify the results.

A. Percentage of occurrence
This method was developed to compare the similarity between the results. The occurrence of a system call in each sample is noted as 1 to indicate its presence and 0 to indicate its absence. The results produced from the previous steps are then compared across samples.

Figure 4. Example of system calls captured.

B. Covering algorithm
The covering algorithm is used to generate system call patterns for each application. At each stage, the covering approach identifies rules that cover some instances. The classification of system calls can be developed using this method.

IV. FINDINGS
Thousands of system calls were retrieved, but the focus of this research is only on those that generate malicious activities in call log surveillance on the Android platform. Across the 1260 samples, 68 system calls were discovered that could be used for mobile malware attacks. These system calls are shown in Figure 5 according to their percentage of occurrence.
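The two verification methods of Section III (presence/absence encoding with percentage of occurrence, and a covering pass that yields Table II-style patterns), as an added example that is not the paper's own code; the seven-call catalogue, its a1..a7 labels, the charge/none sample labels and the strace -c summary are all constructed.

```python
"""Added example (not from the paper): presence/absence encoding, percentage of
occurrence and a PRISM-style covering pass, run over constructed strace -c output."""
# Constructed `strace -p <pid> -c` summary for one sample; calls, indices and labels are hypothetical.
STRACE_M1 = """% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 48.20    0.004210          41       102         3 ioctl
 21.05    0.001839          18       100           read
 12.11    0.001058          88        12           sendto
  9.64    0.000842          70        12         1 connect
------ ----------- ----------- --------- --------- ----------------
100.00    0.007949                   226         4 total"""
CATALOGUE = ["open", "read", "write", "ioctl", "connect", "sendto", "close"]  # index i <-> label a(i+1)

def parse_strace_summary(text):
    """Set of system-call names in an `strace -c` summary (data rows start with a number)."""
    return {parts[-1] for parts in map(str.split, text.splitlines())
            if parts and parts[0][0].isdigit() and parts[-1] != "total"}

SAMPLES = [  # constructed: "charge" = behaviour that incurs call charges, "none" = benign
    (parse_strace_summary(STRACE_M1), "charge"),
    ({"open", "read", "write", "ioctl", "sendto"}, "charge"),
    ({"open", "ioctl", "connect", "write"}, "charge"),
    ({"open", "read", "write", "ioctl", "close"}, "none"),
    ({"open", "read", "close", "sendto"}, "none"),
]

def presence_vector(calls, catalogue=CATALOGUE):
    """1 where the catalogued system call occurs in the sample, 0 otherwise."""
    return [1 if name in calls else 0 for name in catalogue]

def percentage_of_occurrence(samples, catalogue=CATALOGUE):
    """Share of samples (in %) in which each catalogued call is present."""
    vectors = [presence_vector(calls, catalogue) for calls, _ in samples]
    return {name: 100.0 * sum(v[i] for v in vectors) / len(vectors)
            for i, name in enumerate(catalogue)}

def covering_rules(samples, target, catalogue=CATALOGUE):
    """PRISM-style covering: add 'call i present' conditions until the rule covers
    only `target` samples, drop the samples it covers, repeat until none remain."""
    encoded = [(presence_vector(calls, catalogue), label) for calls, label in samples]
    rules, remaining = [], [s for s in encoded if s[1] == target]
    while remaining:
        conds, covered = [], remaining + [s for s in encoded if s[1] != target]
        while any(label != target for _, label in covered):
            best = None
            for i in [i for i in range(len(catalogue)) if i not in conds]:
                cov = [s for s in covered if s[0][i]]
                pos = sum(label == target for _, label in cov)
                score = (pos / len(cov), pos) if cov else (0.0, 0)
                if best is None or score > best[0]:
                    best = (score, i, cov)  # most accurate condition, then most positives
            if best is None or best[0][1] == 0:
                break  # no condition adds a target sample: the rule cannot get purer
            conds.append(best[1])
            covered = best[2]
        if not conds:
            break
        rules.append(tuple(conds))
        remaining = [s for s in remaining if not all(s[0][i] for i in conds)]
    return rules

def rule_label(conds):
    """Write a rule the way Table II does: a3+a4+... over the calls it requires."""
    return "+".join(f"a{i + 1}" for i in sorted(conds))
```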
Figure 5. Percentage of occurrence of system calls from Android malware samples.
Based on the analysis, there are 246 samples that indicate exploitation of call logs that could cause financial charges. These actions include executing phone calls automatically, rerouting outgoing calls and directly calling a phone number. Figure 6 shows an example of the permissions allowed by a malicious application on a user's device.
Figure 6. Example of permission allowed from malicious application in user device.

The 246 samples were further analysed using the Covering Algorithm method to classify the pattern of each sample. It was identified that there are 60 possible patterns of system calls that could exploit call logs and cause financial charges to the user. The list of system call patterns is presented in Table II.

TABLE II. LIST OF PATTERNS

No | Pattern
P1 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a28+a29+a31+a32+a39+a40+a42+a43+a47+a56+a57+a58+a59+a60+a62+a66
P2 | a3+a4+a5+a6+a7+a8+0+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a28+a29+a39+a40+a42+a56+a57+a58+a59+a62+a66
P3 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+0+a18+0+a20+a21+a28+a29+a40+a42+a43+a47+a56+a57+a58+a59+a62+a66
P4 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+0+a20+a21+a28+a29+a31+a32+a39+a40+a43+a47+a56+a57+a58+a59+a60+a62+a66
P5 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a18+a20+a21+a28+a29+a40+a43+a47+a56+a57+a58+a59+a62+a66
P6 | a3+a4+a5+a6+a7+a8+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a28+a29+a56+a58+a59+a62+a66
P7 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a20+a21+a26+a29+a41+a56+a58+a59+a62
P8 | a3+a4+a5+a6+a7+a8+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a28+a29+a42+a56+0+a58+a59+a62+a66
P9 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a20+a21+a26+a29+a41+a56+a58+a59
P10 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a28+a29+a56+a58+a59+a62+a66
P11 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a1+a18+a20+a21+a2+a29+a32+a40+a43+a47+a56+a57+a58+a59+a62+a66
P12 | a3+a4+a5+a6+a7+a8+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a28+a29+a32+a56+a58+a59+a62+a66
P13 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a19+a20+a21+a26+a28+a29+a31+a33+a39+a40+a41+a42+a43+a44+a47+a48+a56+a57+a58+a59+a62+a66
P14 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a29++a56+a57+a58+a59+a62+a66
P15 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a24+a26+a28+a29+a30+a31+a51+a56+a58+a59
P16 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a14+a17+a20+a23+a29+a56+a58+a59
P17 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a24+a26+a28+a29+a30+a31+a33+a39+a42+a43+a51+a56+a58+a59
P18 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a14+a17+a20+a21+a23+a29+a56+a58+a59
P19 | a3+a4a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a20+a21+a26+a29+a56+a58+a59
P20 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a14+a17+a20+a21+a23+a29+a39+a56+a58+a59
P21 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a20+a26+a28+a29+a56+a58+a59
P22 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a17+a20+a21+a23+a24+a28+a29+a30+a31+a39+a40+a41+a56
P23 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a20
P24 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a24+a26+a28+a29+a31+a32+a33+a56
P25 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a14+a16+a17+a20+a21+a26+a29+a56+a58+a59+a60+a62+a66
P26 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a24+a26+a29+a56+a58+a59+a60+a62+a66
P27 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a23+a26+a28+a29+a46+a56+a58+a59+60+62+a66
P28 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a23+a29+a56+a58+a59
P29 | a3+a4+a5+a7+a8+a10+a11+a12+a13+a14+a16+a17+a20+a21+a24+a26+a28+a29+a31+a56+a58+a59+60+62+a66
P30 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a20+a21+a26+a28+a29+a30+a56+a58+a59
P31 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a19+a20+a21+a24+a26+a27+a28+a29+a31+a32+a33+a56+a58+a59
P32 | a3+a4+a5+a7+a8+a10+a11+a12+a13+a14+a16+a17+a20+a21+a24+a26+a28+a29+a31+a56+a58+a59
P33 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a20+a21+a23+a24+a26+a28+a29+a31+a32+a33+a39+a40+a56+a58+a59
P34 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a26+a29+a56+a58+a59
P35 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a14+a16+a17+a20+a26+a29+a56+a58+a59
P36 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a20+a28+a29+a30+a56+a58+a59
P37 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a20+a21+a26+a28+a29+a41+a56+a58+a59
P38 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a23+a26+a28+a29+a46+a56+a58+a59+a60+a62+a66
P39 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a23+a24+a26+a28+a29+a31+a32+a34+a35+a36+a37+a38+a45+a51+a56+a58+a59
P40 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a20+a21+a26+a28+a29+a41+a56+a58+a59+a60+a62+a66
P41 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a19+a20+a21+a24+a26+a27+a28+a29+a31+a32+a33+a56+a58+a59+a60+a62+a66
P42 | a3+a4+a5+a8+a10+a11+a12+a14+a17+a20+a29+a56+a58+a59
P43 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a24+a26+a28+a29+a31+a32+a39+a40+a56+a58+a59+a60+a62+a66
P44 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a23+a24+a26+a28+a29+a31+a32+a33+a39+a40+a56+a58+a59+a60+a62+a66
P45 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a14+a16+a17+a20+a26+a29+a56+a58+a59+a60+a62+a66
P46 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a14+a16+a17+a20+a21+a26+a29+a46+a56+a58+a59
P47 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a24+a26+a29+a56+a58+a59
P48 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a15+a20+a29+a56+a58+a59
P49 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a24+a26+a28+a29+a31+a32+a39+a40+a56+a58+a59
P50 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a23+a24+a26+a28+a29+a31+a32+a33+a39+a40+a56+a58+a59
P51 | a3+a4+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a26+a27+a28+a29+a30+a56+a58+a59
P52 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a14+a16+a17+a18+a20+a26+a28+a29+a56+a58+a59
P53 | a3+4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a26+a29+a56+a58+a59
P54 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a23+a28+a29+a30+a42+a43+a56+a58+a59
P55 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a19+a20+a21+a28+a29+a30+a56+a58+a59
P56 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a14+a16+a17+a18+a20+a26+a29+a56+a58+a59
P57 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a23+a24+a26+a27+a28+a29+a30+a31+a32+a39+a40+a42+a43+a56+a58+a59
P58 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a20+a21+a24+a26+a28+a29+a56+a58+a59
P59 | a3+a4+a5+a7+a8+a9+a10+a11+a12+a13+a14+a20+a24+a27+a28+a29+1+a32+a39+a56+a58+a59
P60 | a3+a4+a5+a6+a7+a8+a9+a10+a11+a12+a13+a14+a16+a17+a18+a20+a21+a24+a27+a28+a29+a56+a58+a59
A new system call classification for call log exploitation is proposed and developed based on the 60 identified patterns. Testing was carried out using 10 anonymous datasets of game applications gathered from Google Apps. The accuracy of the system call classification for call logs was evaluated, and the results for the testing dataset are presented in Table III.

TABLE III. RESULT OF TESTING DATASET

Testing dataset | Combination of system calls generated | Status from allowed permissions
A1 | No combination match | No financial charge to user
A2 | No combination match | No financial charge to user
A3 | No combination match | No financial charge to user
A4 | No combination match | No financial charge to user
A5 | No combination match | No financial charge to user
A6 | No combination match | No financial charge to user
A7 | No combination match | No financial charge to user
A8 | Combination of P1 | Financial charge to user. Automatically making phone calls.
A9 | No combination match | No financial charge to user
A10 | No combination match | No financial charge to user
From the sample test above, only A8's combination matched pattern P1. The permissions allowed in sample A8 were reviewed to evaluate the accuracy of the test. The results show that A8's combination allowed the application to make phone calls automatically, hence causing financial charges to the user. The classified system calls can then be used to develop a new model to detect mobile attack exploitation via call logs.

V. CONCLUSION

In conclusion, this research was conducted to discern the exploitation of call logs based on system call behaviour, and it has managed to detect malware applications that carry out exploitation attacks on call logs. This result could be used as a reference by other researchers with similar interests. For future work, the system call classification could be carried out prior to data transformation. This new system call classification will be used as a basis to develop a new model to detect mobile attack exploitation via call logs.

ACKNOWLEDGMENT

The authors would like to express their gratitude to the Ministry of Education Malaysia, Universiti Sains Islam Malaysia and the Islamic Science Institute (ISI), USIM for the support and facilities provided. This research paper is supported by MOE [FRGS/1/2014/ICT04/USIM/02/1], USIM [PPP/FST/SKTS/30/12712], and RAGS grants [RAGS/FST/36/51013] and [RAGS/1/2014/ICT07/USIM/2].

REFERENCES

[1] Z. Abdullah, M. M. Saudi, and N. B. Anuar, "Mobile botnet detection: Proof of concept," 2014 IEEE 5th Control Syst. Grad. Res. Colloq., pp. 257–262, 2014.
[2] M. Eslahi, R. Salleh, and N. B. Anuar, "MoBots: A new generation of botnets on mobile devices and networks," 2012 International Symposium on Computer Applications and Industrial Electronics (ISCAIE), pp. 262–266, 2012.
[3] F-Secure Labs. (September 2013). F-Secure Mobile Threat Report July–September 2013. Available: http://www.fsecure.com/static/doc/labs_global/Research/
[4] D. Himanshu et al., Mobile Application Security, McGraw-Hill Osborne Media, 2010.
[5] S. Y. Yerima, S. Sezer, G. McWilliams, and I. Muttik, "A New Android Malware Detection Approach Using Bayesian Classification," 2013 IEEE 27th International Conference on Advanced Information Networking and Applications (AINA), pp. 121–128, 2013.
[6] Y. Zhou and X. Jiang, "Dissecting android malware: Characterization and evolution," 2012 IEEE Symposium on Security and Privacy (SP), IEEE, May 2012, pp. 95–109, doi: 10.1109/SP.2012.16.
[7] F. Tchakounte and P. Dayang, "System Calls Analysis of Malwares on Android," International Journal of Science and Technology, vol. 2, no. 9, Sep. 2013.
[8] T. Blasing, L. Batyuk, A. D. Schmidt, S. Camtepe, and S. Albayrak, "An android application sandbox system for suspicious software detection," 2010 5th International Conference on Malicious and Unwanted Software (MALWARE), pp. 55–62, 2010.
[9] D. J. Wu, C. H. Mao, T. E. Wei, H. M. Lee, and K.-P. Wu, "DroidMat: Android Malware Detection through Manifest and API Calls Tracing," 2012 Seventh Asia Jt. Conf. Inf. Secur., pp. 62–69, Aug. 2012.
[10] G. Al-Saadoon and H. Al-Bayatti, "A Comparison of Trojan horse Virus Behavior in Linux and Windows Operating Systems," World of Computer Science and Information Technology Journal, vol. 1, no. 3, pp. 56–62, 2011.
[11] I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani, "Crowdroid: behavior-based malware detection system for android," Proceedings of the 1st ACM workshop on Security and Privacy in smartphones and mobile devices, ACM, Oct. 2012, pp. 15–26, doi: 10.1145/2046614.2046619.
[12] Y. J. Ham and H. W. Lee, "Detection of Malicious Android Mobile Applications Based on Aggregated System Call Events," International Journal of Computer and Communication Engineering, vol. 3, no. 2, pp. 149–154, 2014.