2. What Makes An App Malicious?
Watch videos on phone without conversion, anytime and anywhere. We feature the best playback experience and quality. Our video player supports:
• All video formats (need to choose "software decoding" mode in most cases)
• Popular subtitle formats such as SRT, ASS, and SAA
• Subtitles built in MKV, MPV, MOV, and others
• Multi-audio streams and multi-subtitles
• Playlists and continuous play on same type files
• Videos streamed through HTTP, RTSP protocols
• Media libraries and sort videos by type
• Thumbnail displays of videos
MoboPlayer
3. MoboPlayer
Additionally…
• Accesses user’s location.
• Accesses Telephone Network Type.
• Leaks Device’s ID through a URL Connection.
• Accesses Calendar Information.
• Can send text messages.
4. What is Potentially Malicious?
• Accesses user’s location.
• Accesses Telephone Network Type.
• Leaks Device’s ID through a URL Connection.
• Accesses Calendar Information.
• Can send text messages.
MoboPlayer
5. What is Potentially Malicious?
MoboPlayer
• Accesses user’s location.
• Accesses Telephone Network Type.
• Leaks Device’s ID through a URL Connection.
• Accesses Calendar Information.
• Can send text messages.
Contacts +
• Accesses User’s Location.
• Accesses Calendar Information.
• Accesses Device’s ID.
• Accesses Calendar Information.
• Can send text messages.
6. What is an app’s expected behavior?
• An application’s actual behavior should be in bounds of its alleged behavior.
MoboPlayer
• Actual Behavior – The internal functionality of an application.
• Alleged Behavior – The behavior defined by the application’s metadata (such as the app’s description).
8. Comparing Alleged and Actual Behavior
• WHYPER [3] (first attempt)
• Actual behavior: Android permissions
• Identifies sentences that described the need for a permission.
• Uses API documentation to extract semantic similarity.
• AutoCog [4] (improvement over WHYPER)
• Actual Behavior: Android permissions
• Correlates noun phrases with permissions.
• All semantic similarity is inferred from descriptions.
• Chabada [5] (State-of-the-art)
• Actual Behavior: sensitive Android APIs
• Detecting “what’s not described in the description” makes problem easier.
• Provides a better description of actual behavior.
9. Improvements Needed
• Original version of Chabada [3] only identified 56% of malware while
misclassifying 16% of benign apps.
• Improvements made in [4] only increased the accuracy to 74% malware
detection with a false positive rate of 11%.
• Similar to permissions, Android APIs are not enough to properly assess
the internal actual behavior of an application.
10. Contributions
• In this Master’s Thesis we propose pDroid (privateDroid), a novel approach for comparing alleged application behavior to actual application behavior.
• pDroid leverages dataflows extracted from Android applications to define actual behavior, which provides a more in-depth view of an application’s intentions.
• We evaluate pDroid using 1562 benign applications and 243 malicious applications.
• pDroid correctly identified 91.4% of malware with a false positive rate of 4.9%.
11. Terminology
• (Sensitive) Source: An Android API method that provides the Android app with sensitive user information
• Ex: TelephonyManager.getLine1Number()
• (Sensitive) Sink: An Android API that exports information from the application.
• Ex: SmsManager.sendTextMessage()
• Dataflow: Tuple containing a source and a sink.
• Ex: TelephonyManager.getLine1Number() → SmsManager.sendTextMessage()
• NO_SENSITIVE_SINK: A dataflow containing a NON_SENSITIVE_SINK
• Ex: TelephonyManager.getLine1Number() → NO_SENSITIVE_SINK
• NO_SENSITIVE_SOURCE: A dataflow ending in a sensitive sink that does not carry sensitive information
• Ex: NO_SENSITIVE_SOURCE → SmsManager.sendTextMessage()
12. APIs compared to dataflows
This is a great multifunctional image editor! With this app photo editing has become a real art: you can localize the applied photo effect with a touch of your finger! Photo Wonder is everyone’s favorite app to create beauty & style in any photo. Create collages, take selfies with real-time filters, add beauty features and so much more! With over 200 million users over 218 countries, the award-winning app is ranked top 5 in Photo & Video apps in over 20 countries.
16. pDroid Overview
• Stage 1: Cluster applications with similar alleged behavior.
• Sanitize textual descriptions
• Use Latent Dirichlet Allocation (LDA) to create app categories
• Use Affinity Propagation to cluster applications with similar alleged behavior
• Stage 2: Detecting anomalous actual behavior
• Identify unusual dataflows or combinations of dataflows in each cluster.
• Assign an “anomaly” score to all applications using distance-based outlier detection in each app cluster
• Stage 3: Classification
• Use a two-class SVM to classify applications as benign or malicious
17. Stage 1: Sanitizing
• Every Textual Description goes through a sanitizing process
• URLs are removed
• Non-ASCII values removed
• Common English words removed
• Uncommon and ubiquitous terms are removed.
• Apply a Porter Stemmer
• (charge, charged, and charging all become ‘charg’)
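The sanitizing steps listed above, written out as an added Python example (this is not the thesis's code). The stop-word list, the document-frequency thresholds used for "uncommon and ubiquitous terms", and the three sample descriptions are constructed for the example; `simple_stem` is a deliberately small suffix-stripping stemmer standing in for the Porter stemmer, chosen because it reproduces the slide's charge/charged/charging → charg case without pulling in NLTK.

```python
import re
from collections import Counter

# Constructed stand-in for the "common English words" the pipeline drops;
# the thesis's actual stop-word list is not on the slides.
STOP_WORDS = {
    "a", "an", "and", "the", "to", "of", "for", "in", "on", "with", "you",
    "your", "is", "it", "this", "that", "can", "all", "or", "at", "be",
}

URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
TOKEN_RE = re.compile(r"[a-z]+")


def simple_stem(word):
    """Crude suffix stripping that stands in for Porter (assumption, not the
    real algorithm): charge, charged, charging all become 'charg'."""
    for suffix in ("ing", "ed", "es", "s", "e"):
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def sanitize_description(text):
    """Per-description steps: strip URLs, drop non-ASCII bytes, lower-case,
    tokenize to letters only, remove stop words, stem what remains."""
    text = URL_RE.sub(" ", text)
    text = text.encode("ascii", "ignore").decode("ascii")
    tokens = TOKEN_RE.findall(text.lower())
    return [simple_stem(t) for t in tokens if t not in STOP_WORDS]


def sanitize_corpus(descriptions, min_docs=2, max_doc_ratio=0.8):
    """Corpus-level step: drop uncommon terms (seen in fewer than min_docs
    descriptions) and ubiquitous terms (seen in more than max_doc_ratio of
    them). Thresholds are constructed values, not the thesis's."""
    docs = [sanitize_description(d) for d in descriptions]
    doc_freq = Counter()
    for doc in docs:
        doc_freq.update(set(doc))
    n = len(docs)
    keep = {t for t, c in doc_freq.items() if c >= min_docs and c / n <= max_doc_ratio}
    return [[t for t in doc if t in keep] for doc in docs]


# Constructed sample descriptions (not real store listings).
SAMPLE_DESCRIPTIONS = [
    "Charge your phone faster! See http://example.invalid for details. "
    "Charging and charged status shown.",
    "Phone charger app: charge while you play videos.",
    "Café videos: watch videos on your phone anytime.",
]

if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_DESCRIPTIONS, sanitize_corpus(SAMPLE_DESCRIPTIONS)):
        print(original)
        print("  ->", " ".join(cleaned))
```

Note that "phone" survives every per-description step but is then removed as ubiquitous because it appears in all three sample descriptions; a term like that carries no information about which apps belong together, which is why the corpus-level filter sits after the per-description one.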
18. Stage 1: Sanitizing
Original description:
Pinterest is a visual bookmarking tool that helps you discover and save creative ideas. Use Pinterest to make meals, plan travel, do home improvement projects and more. With Pinterest you can:
• Plan a project: Home remodels, garden redesigns and other DIYs
• Get creative ideas: Recipes to cook, articles to read, gifts to buy and ways to save money
• Explore a hobby: From comic art and camping, to woodworking and weaving
• Save travel inspiration: Outdoor adventures, family fun, road trips and more
• Find your style: Fashion, home decor, grooming tips and beauty inspiration
• Pin from your mobile browser: Save good things you find around the web
Sanitized description:
pinterest visual bookmark tool help discov save creativ idea use pinterest make meal plan travel home improv project pinterest plan project home remodel garden redesign diy get creativ idea recip cook articl read gift buy way save money explor hobbi comic art camp woodwork weav save travel inspir outdoor adventur famili fun road trip find style fashion home decor groom tip beauti inspir pin mobil browser save good thing find around web
19. Stage 1: LDA
• LDA discovers the underlying topics (app
categories) that generated the documents
(app descriptions).
• LDA Provides a document-topic
distribution for each app description.
• “How related is the description to a topic”
20. Stage 1: LDA
Share your photos and videos, and keep up with your friends and interests. Instagram is a simple way to capture and share the world's moments. Follow your friends and family to see what they're up to, and discover accounts from all over the world that are sharing things you love. Join the community of over 400 million people and express yourself by sharing photos and videos from your day, whether it's your morning routine or the trip of a lifetime.
Use Instagram to:
• Edit and share photos and videos with filters and creative tools to change photo brightness, contrast and saturation, as well as shadows, highlights, perspective and more.
• Discover photos and videos you might like and follow new accounts in the Explore tab.
• Send private messages, photos, videos and posts from your feed directly to friends with Instagram Direct.
• Instantly share photos and videos on Facebook, Twitter, Tumblr and other social networks.
Figure 3.3: Application Description for the Android Application Instagram.
Topics shown: Communication, Photos & Videos, Social Media
22. Stage 1: LDA
Table 3.1: Top words in each category.
Topic | Topic Name | Top Stemmed Terms In Each Application Cluster
0 | Language | languag word learn english german translat spanish french dictionari chines
1 | Holidays and Religion | christma year holidai santa christian celebr gift polic islam tree
2 | Cooking and Food | recip beer cake chicken appl cook chocol bake salad creams
3 | Fitness and Diet | weight bodi diet exercis workout food lose yoga train
4 | Fashion | girl beauti pictur sexi fashion cheerlead design hair high nail
5 | Casino Games | slot machin card poker player coin casino spin bonu high
6 | Fantasy Games | stori halloween world magic monster build adventur citi collect
7 | Puzzle Games | puzzl level bubbl mode match challeng score classic player
8 | Broadcasting | radio flag station countri channel world stream broadcast internet listen
9 | Racing Games | race ball speed level jump control score challeng world mode
10 | Reading | book question quiz answer read aikido logo test bibl reader
11 | Photos and Videos | photo imag color share pictur facebook save friend effect
12 | Weather | weather locat citi travel inform guid forecast rout attract find
13 | Communication | version email googl user work contact permiss send internet requir
14 | Action Games | weapon zombi enemi battl fight power world action shoot attack
15 | Finance | calcul track manag data account market rate expens currenc list
16 | Themes | theme launcher instal gold appli choos menu icon locker getjar
17 | File and System | file player mobil control manag connect media wifi network secur
23. Stage 1: LDA
Top four topics for Android Application Instagram:
• Topic 11 (Photos) with a probability of 60.2%
• Topic 26 (Social Media) with a probability of 26.2%
• Topic 9 (Racing Games) with a probability of 8.49% ✗
• Topic 24 (Information) with a probability of 4.80%
Top four topics for Android Application Mountain Climb Race 2:
• Topic 11 (Racing Game) with a probability of 90.4%
• Topic 26 (Social Media) with a probability of 2.47% ✗
• Topic 9 (Inspirational) with a probability of 2.33% ✗
• Topic 24 (Puzzle Games) with a probability of .67% ✗
27. Stage 1: App Clustering
• Choosing a clustering algorithm
• 1st Choice: K-means (general-purpose)
• Well-known and scalable
• Requires K to be predetermined (difficult to determine).
• 2nd Choice: Affinity Propagation
• Uneven cluster sizes (expected).
• Does not require a predetermined number of clusters (desired).
• Evaluation showed that Affinity Propagation outperformed K-means.
28. Stage 1: Final Output & Stage 2 Recap
• Application clusters containing apps with
similar document-topic distributions.
• Step 2 Recap:
• Extract Dataflows in each application cluster.
• Create Sensitivity Scores
• Compare extracted dataflows and identify anomalies.
• Create anomaly scores for applications.
29. Stage 2: Extracting Dataflows
• Android API methods providing sensitive information are considered taint sources
• Data originating from these sources is considered tainted.
• Taint analysis tracks sensitive data until it leaves the system through a tainted sink.
• pDroid uses FlowDroid (context-, flow-, field-, object-sensitive)
• SUSI list of sources and sinks used.
37. Static Taint Analysis
• Android API methods providing sensitive information are considered taint sources
• Data originating from these sources is considered tainted.
• Taint analysis tracks sensitive data until it leaves the system through a tainted sink.
• pDroid uses FlowDroid (context-, flow-, field-, object-sensitive) for analysis
• Uses SuSI list of sensitive sources and sinks
41. Stage 2: Sensitivity Scores
• Sensitivity of a dataflow should depend on the application cluster.
• Sensitivity should depend on malicious potential.
• To calculate the sensitivity of a dataflow d in cluster c, we assume that if many applications in the cluster are using d it is not as sensitive (N = |c|, a_d is the number of apps using d in c).
W_{c,d} = N / a_d
42. Stage 2: Identifying Suspicious Actual Behavior
• For every application cluster, pDroid uses distance-based outlier detection to detect abnormal actual behavior.
• An application is then assigned an anomaly score:
• An app’s anomaly score is its average distance to its 5 nearest (most similar) neighbors.
• To leverage the sensitivity scores, pDroid uses weighted Euclidean distance.
• If an app does not use a dataflow, d, W_d = 0.
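The dataflow terminology from the Terminology slide and the sensitivity and anomaly scoring from the two Stage 2 slides above, worked through as one added Python example (not the thesis's code). The six-app cluster, the app names and the three dataflows are constructed; the reading of "weighted Euclidean distance" as a distance over binary use/don't-use vectors weighted by W_{c,d} is an assumption made for this example, as is the choice to zero out flows used by neither app, which is how the slide's "W_d = 0" rule is interpreted here.

```python
import math
from collections import Counter

NO_SENSITIVE_SINK = "NO_SENSITIVE_SINK"
NO_SENSITIVE_SOURCE = "NO_SENSITIVE_SOURCE"

# Dataflows are (source, sink) tuples, following the slides' terminology.
LOCATION_LOCAL = ("LocationManager.getLastKnownLocation()", NO_SENSITIVE_SINK)
DEVICE_ID_TO_NET = ("TelephonyManager.getDeviceId()", "URL.openConnection()")
PHONE_NO_TO_SMS = ("TelephonyManager.getLine1Number()", "SmsManager.sendTextMessage()")

# Constructed cluster of six apps with similar alleged behaviour (names are
# placeholders, not real packages or analysis output).
CLUSTER = {
    "app.a": {LOCATION_LOCAL, DEVICE_ID_TO_NET},
    "app.b": {LOCATION_LOCAL, DEVICE_ID_TO_NET},
    "app.c": {LOCATION_LOCAL, DEVICE_ID_TO_NET},
    "app.d": {LOCATION_LOCAL},
    "app.e": {LOCATION_LOCAL},
    "app.f": {LOCATION_LOCAL, PHONE_NO_TO_SMS},
}


def sensitivity_scores(cluster):
    """W_{c,d} = N / a_d: N apps in the cluster, a_d of which use dataflow d.
    A flow everyone in the cluster uses gets weight 1; a flow only one app
    uses gets weight N."""
    n = len(cluster)
    usage = Counter(d for flows in cluster.values() for d in flows)
    return {d: n / a_d for d, a_d in usage.items()}


def weighted_distance(flows_p, flows_q, weights):
    """Weighted Euclidean distance between two apps' binary dataflow vectors
    (assumed reading of the slide). Only flows used by exactly one of the two
    apps contribute: (1 - 0)^2 == 1 leaves just the weight, and a flow used by
    neither app contributes 0 (the slide's W_d = 0 for unused flows)."""
    return math.sqrt(sum(weights[d] for d in flows_p ^ flows_q))


def anomaly_scores(cluster, k=5):
    """Average weighted distance from each app to its k nearest neighbours in
    the cluster (k = 5 on the slide; capped at cluster size minus one)."""
    weights = sensitivity_scores(cluster)
    scores = {}
    for app, flows in cluster.items():
        dists = sorted(
            weighted_distance(flows, other, weights)
            for name, other in cluster.items() if name != app
        )
        nearest = dists[:k]
        scores[app] = sum(nearest) / len(nearest) if nearest else 0.0
    return scores


if __name__ == "__main__":
    for flow, w in sensitivity_scores(CLUSTER).items():
        print(f"W = {w:.2f}  {flow[0]} -> {flow[1]}")
    for app, score in sorted(anomaly_scores(CLUSTER).items(), key=lambda kv: -kv[1]):
        print(f"{app}: anomaly score {score:.3f}")
```

In the constructed cluster the phone-number-to-SMS flow is used by a single app, so it gets the largest weight (N / 1 = 6) and that app ends up with the highest anomaly score, twice that of the apps that use only the common location flow; the three apps sharing the device-ID-to-network flow sit lowest because they have identical vectors.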
43. Stage 2: Final Output
Application | Anomaly Score | Benign/Malicious
air.com.mobigrow.canyouescape | .869 | B
biz.mtoy.blockpuzzle.revolution | 7.23 | B
com.adwo.android.snake | 79.725 | M
com.bankey.candy | 14.703 | B
com.camelgames.abnormalup | 38.54 | M
com.game.BubbleShooter | 0.56 | B
com.icegame.fruitlink | 8.748 | B
44. Stage 2: Final Output
• com.camelgames.abnormalup per-dataflow scores
45. Stage 3: Classification
• pDroid does not do per-cluster classification, but aggregates all apps for training.
• Each app is represented by its per-cluster normalized anomaly score and the number of unique dataflows in the app.
• For classification, pDroid uses a support-vector machine with a radial basis function (RBF) kernel.
• The SVM is trained using benign and malicious applications.
47. Experimental Setup
• All results were calculated using Stratified 10-fold cross validation.
• Evaluated the True Positive Rate (TPR), True Negative Rate (TNR), and geometric accuracy.
| Predicted as Malicious | Predicted as Benign
Malicious Apps | True Positive | False Negative
Benign Apps | False Positive | True Negative
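An added Python example (not the thesis's evaluation code) that derives the confusion-matrix rates above from labelled predictions. The thirty (actual, predicted) pairs are constructed, and the definition of geometric accuracy as the geometric mean of TPR and TNR is an assumption for this example: the slides name the metric but do not define it. With 1562 benign and 243 malicious apps, a plain accuracy figure would be dominated by the benign class, which is why a rate that weights both classes equally is the one worth checking.

```python
import math

MALICIOUS, BENIGN = "M", "B"

# Constructed (actual, predicted) pairs: 10 malicious apps of which 9 are
# caught, 20 benign apps of which 1 is wrongly flagged.
SAMPLE_RESULTS = (
    [(MALICIOUS, MALICIOUS)] * 9 + [(MALICIOUS, BENIGN)]
    + [(BENIGN, BENIGN)] * 19 + [(BENIGN, MALICIOUS)]
)


def confusion_counts(results):
    """Count TP/FN/FP/TN with 'malicious' as the positive class, matching the
    confusion matrix on the slide."""
    counts = {"TP": 0, "FN": 0, "FP": 0, "TN": 0}
    for actual, predicted in results:
        if actual == MALICIOUS:
            counts["TP" if predicted == MALICIOUS else "FN"] += 1
        else:
            counts["TN" if predicted == BENIGN else "FP"] += 1
    return counts


def evaluation_metrics(results):
    """TPR (malware caught), TNR (benign apps left alone), the false positive
    rate reported on the slides, and geometric accuracy (assumed here to be
    sqrt(TPR * TNR), so a gain on one class cannot hide a loss on the other)."""
    c = confusion_counts(results)
    tpr = c["TP"] / (c["TP"] + c["FN"])
    tnr = c["TN"] / (c["TN"] + c["FP"])
    return {
        "TPR": tpr,
        "TNR": tnr,
        "FPR": 1 - tnr,
        "geometric_accuracy": math.sqrt(tpr * tnr),
    }


if __name__ == "__main__":
    for name, value in evaluation_metrics(SAMPLE_RESULTS).items():
        print(f"{name}: {value:.1%}")
```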
48. Evaluation
pDroid classified applications with a geometric accuracy of 93.5%.
| Predicted as Malicious | Predicted as Benign
Malicious Apps | 91.4% | 8.6%
Benign Apps | 4.9% | 95.1%
49. Evaluation
• pDroid correctly classified 91% of malware with a false positive rate of 5%
[Chart: Correct Classification; Malicious Apps 91%, Benign Apps 95%]
50. Evaluation
[Chart: True Negative Rate by Clustering Technique; Affinity Propagation 95%, k-Means (k=30) 93%, No Clustering 88%]
• Application Clustering reduces the false positive rate by 7.1%.
• Application Clustering increases the true positive rate by 2.0%.
51. Evaluation
[Chart: True Negative Rate by Clustering Technique; Sensitivity Scores 95%, No Sensitivity Scores 90%]
• Sensitivity Scores reduce the false positive rate by 5.0%.
52. Insight
• Application Clustering & Sensitivity Scores only marginally improved the True Positive Rate
• Why? “Malware handles data differently”
• Malicious payloads can be injected into a variety of different apps without affecting the expected behavior.
• Sinks leaking sensitive data differ considerably between benign and malicious apps.
[3] Sample of Applications infected by DroidDream
• Super Guitar Solo
• Photo Editor
• Super Ringtone Maker
• Bowling Time
• Advanced Barcode Scanner
• Music Box
• Super Stopwatch & Time
53. Comparison to Related Work.
[Chart: Geometric Accuracy; pDroid 94%, Chabada 81.00%]
54. Limitations
• pDroid ignores flows taking place in advertisement
frameworks (most are obfuscated).
• Using the amount of dataflows for classification could be
easily manipulated.
• FlowDroid does not provide inter-component and inter-
app communication.
• A well-crafted textual description could manipulate an
app’s assignment.
55. Future Work
• Many frameworks can detect malware, but pDroid’s unique method of comparing the most similar applications should allow it to be a successful tool in detecting “grayware.”
• pDroid’s ability to detect per-dataflow anomaly scores can be used to create reports describing how an application handles an end user’s dataflows.
56. Insight
The stark difference between dataflows in malicious applications and benign ones makes malicious dataflows anomalous in almost every cluster.
57. References:
[1] Roman Unucheck and Chebyshev Victor. Mobile malware evolution 2015. Accessed: 6-7-2016
[2] Adrienne Porter Felt, Serge Egelman, and David Wagner. “I’ve got 99 problems, but vibration ain’t one: a survey of smartphone users’ concerns”. In: Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices. ACM. 2012, pp. 33–44
[3] Pandita, Rahul, et al. "Whyper: Towards automating risk assessment of mobile applications." Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13). 2013
[4] Qu, Zhengyang, et al. "Autocog: Measuring the description-to-permission fidelity in android applications." Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2014.
[5] Gorla, Alessandra, et al. "Checking app behavior against app descriptions." Proceedings of the 36th International Conference on Software Engineering. ACM, 2014.
[6] Kuznetsova, Konstantin, et al. "Mining Android Apps for Anomalies."