
Combatting Context-Sensitive Mobile Malware

Budget Code: C15/IS/10404933
Funding: FNR
Start Date: April 1, 2016
End Date: March 30, 2019


Mobile computing devices, or simply smartphones, are ubiquitous today. Many consumers rely on their smartphone for such personal computing tasks as communication with friends and family through numerous messengers, email activity, mobile banking, GPS navigation, etc. Moreover, through the so-called Bring-Your-Own-Device (BYOD) schemes, smartphones are increasingly used for executing business tasks. With this proliferation of mobile devices security and privacy of smartphones and the data they process become crucial requirements. Unfortunately, we know that mobile platforms today are insecure. For example, the growth rate of mobile malware samples for the Android platform run by Google is exponential. And the price of admitting a malicious application onto an end-user platform is often very high, especially if the device is used in the corporate environment and handles highly sensitive information. Malicious mobile applications are known to steal private data handled by the smartphones almost by default. Therefore, there is a high demand for anti-virus services tailored for mobile devices that could evaluate for a third-party application whether it is malicious or not. For example, Google and Apple utilise their own on-market security services for application vetting. There exist also a number of third-party online security services offering to check security of mobile applications, such as VirusTotal and Andrubis.

Security services offered by antivirus companies often rely on known malware signatures. Therefore these services do not detect zero-day malware samples that rely on new attacks or recently discovered vulnerabilities. This approach is not sufficiently reliable in the context of an application market. Indeed, if Apple or Google distribute zero-day malware, they face a customer drain. Thus on-market security services typically use a combination of static and dynamic security checks that could reveal malicious behaviour. For example, if such a service detects known root exploit code or a suspicious pattern of API calls, it can mark the sample in question as malicious. However, the recent generations of mobile malware that utilise obfuscation and dynamic code updates to thwart the security services pose a big challenge. Such dangerous samples can often be categorised as environment-sensitive or context-sensitive malware: they change their behaviour depending on the context. If they are able to detect that they are executed by a security service, they do not exhibit their malicious payload. If the payload is obfuscated (e.g., encrypted), it can be very challenging to identify malicious code in these samples.

Currently there exist security techniques that aim to combat this malware type. They typically rely on machine learning-based classifiers, or they utilise discrepancies between several executions of the same sample and check whether one of these executions actually shows malicious actions. The challenge for a machine learning-based approach is the weakness of the feature selection. Code obfuscation alone cannot be reliably used as a malware feature: many benign apps obfuscate their code to thwart plagiarism. If an attacker knows which other features contribute to the malicious profile utilised by a security service, they can change the app so that it no longer matches this profile. If a security service can find a suitable context to execute the sample such that it exhibits some malicious behaviour, this sample can be successfully categorised as malicious. The main challenge for these approaches is to find the suitable context, which can be very difficult in general, given that malware is often able to detect that it is running in the security service's emulator and thus refrains from malicious actions. Generating the right context often requires manual inspection of the code. This is a tedious task that is often not suitable in the context of online third-party security services, such as Andrubis.

Our contribution: In our project we plan to improve the state-of-the-art mechanisms for reliable detection of malicious applications by looking simultaneously at executed and not-executed code paths. The intuition is simple: context-sensitive malware tries to conceal its malicious behaviour, so the most security-critical code will be hidden in the code paths that were not executed by the security service. For such code paths we will 1) identify automatically how to bring the app execution to these paths; and 2) analyse these code paths automatically to detect concealed security issues. The detection will rely on machine learning techniques and data flow analysis.
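The following is an added toy illustration of the intuition above, not code from the project: given a control-flow graph of an app and the set of basic blocks a sandbox run actually covered, it lists the uncovered blocks, scores them by the security-sensitive APIs they call, and recovers the chain of branch guards that would have to hold to reach them (step 1 of the plan). The app graph, the coverage trace, the API weight table and the environment-probe list are all constructed for the example; a real pipeline would derive the graph from bytecode and the coverage from instrumentation.

```python
"""Rank code paths a sandbox run did not execute by how security-critical
they look, and report the guard conditions that hid them.

Constructed example data; not the project's own analysis or data set.
"""
from collections import deque

# Constructed API weight table: higher = more security-relevant (assumption).
SENSITIVE_APIS = {
    "TelephonyManager.getDeviceId": 2,
    "SmsManager.sendTextMessage": 3,
    "HttpURLConnection.connect": 1,
    "Cipher.doFinal": 1,
    "Runtime.exec": 3,
}

# Constructed list of calls commonly used to probe the execution environment.
ENV_PROBES = {"Build.FINGERPRINT", "Build.MODEL", "TelephonyManager.getNetworkOperatorName"}

# Constructed control-flow graph of a hypothetical app.  Each block lists the
# calls it makes and its outgoing edges as (successor, guard description).
CFG = {
    "entry": {
        "calls": ["Build.FINGERPRINT"],
        "edges": [
            ("show_ui", "Build.FINGERPRINT contains 'generic'"),  # emulator: stay benign
            ("stage2", "otherwise"),
        ],
    },
    "show_ui": {"calls": ["Activity.setContentView"], "edges": []},
    "stage2": {
        "calls": ["TelephonyManager.getDeviceId", "Cipher.doFinal"],
        "edges": [("exfil", "network available")],
    },
    "exfil": {"calls": ["HttpURLConnection.connect", "SmsManager.sendTextMessage"], "edges": []},
}

# Constructed coverage trace: blocks the sandbox run actually executed.
COVERED = {"entry", "show_ui"}


def uncovered_blocks(cfg, covered):
    """Blocks present in the graph but never executed during the run."""
    return {block for block in cfg if block not in covered}


def sensitivity(calls):
    """Sum of weights of the sensitive APIs a block calls (0 if none)."""
    return sum(SENSITIVE_APIS.get(call, 0) for call in calls)


def path_to(cfg, target, entry="entry"):
    """BFS from entry; return [(predecessor, guard), ...] leading to target, or None."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for succ, guard in cfg[node]["edges"]:
            if succ not in parent:
                parent[succ] = (node, guard)
                queue.append(succ)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        pred, guard = parent[node]
        path.append((pred, guard))
        node = pred
    return list(reversed(path))


def rank_hidden_paths(cfg, covered):
    """Uncovered blocks that call sensitive APIs, most sensitive first, with
    the guards needed to reach them and whether an environment probe gates them."""
    results = []
    for block in uncovered_blocks(cfg, covered):
        score = sensitivity(cfg[block]["calls"])
        if score == 0:
            continue
        path = path_to(cfg, block)
        if path is None:
            continue  # unreachable dead code; nothing to steer towards
        env_gated = any(call in ENV_PROBES for pred, _ in path for call in cfg[pred]["calls"])
        results.append({
            "block": block,
            "score": score,
            "guards": [guard for _, guard in path],
            "env_gated": env_gated,
        })
    results.sort(key=lambda r: (-r["score"], r["block"]))
    return results


if __name__ == "__main__":
    for entry in rank_hidden_paths(CFG, COVERED):
        print(entry)
```

On the constructed graph the run only reached the benign UI branch, and the ranking reports `exfil` and `stage2` as hidden blocks whose path starts with the `otherwise` branch of an emulator-fingerprint check, which is exactly the information an analyst or an automated driver needs to decide which guard to satisfy before re-running the sample.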