Tracing Malicious Android Applications From Memory Dumps

dc.contributor.author Khalid Imran, 01-247202-008
dc.date.accessioned 2022-12-21T10:06:53Z
dc.date.available 2022-12-21T10:06:53Z
dc.date.issued 2022
dc.identifier.uri http://hdl.handle.net/123456789/14472
dc.description Supervised by Dr. Faisal Bashir Hussain en_US
dc.description.abstract With the rapid increase in smartphone users, Android has become the most widely used operating system on mobile devices. Due to its popularity, Android is the prime target for malicious applications, which pose a serious and evolving security threat to these devices. Existing studies focused on statistical features such as intents, permissions, API calls, and entropy for the detection of malicious apps. It is difficult to achieve a high degree of accuracy using static analysis due to the growing use of modern obfuscation techniques in Android applications. In recent years, dynamic analysis has emerged as the front runner for in-depth analysis of software applications. Contemporary studies have shown efficient malware detection using resource consumption, opcodes, heap dump information, object reference graphs, and the Process Control Block (PCB), all of which are extracted from process memory. Among these feature sources, the PCB contains the most in-depth and precise information about a running application. Because of the complex structure of the PCB in Linux-based operating systems, very little existing work has explored the possibility of malware detection using the PCB. In this study, a framework for fingerprinting malicious Android applications is presented. The implemented framework is capable of installing an application, executing it, issuing pseudorandom events to it, dumping the memory of the device, extracting the PCB from the memory dump, and saving the result to a datastore (CSV file). We extracted a comprehensive feature set comprising 526 features, which are then reduced to 98 features for the identification and categorization of Android applications into five distinct categories. The proposed feature set is evaluated using Decision Tree, NB, SVM and KNN machine learning classifiers. The results demonstrate that the proposed PCB-based features can significantly improve malware detection using Decision Tree and SVM. en_US
dc.language.iso en en_US
dc.publisher Computer Sciences en_US
dc.relation.ispartofseries MS (IS);T-01875
dc.subject Decision Tree en_US
dc.subject Linux-based Operating System en_US
dc.title Tracing Malicious Android Applications From Memory Dumps en_US
dc.type MS Thesis en_US