Malware is increasingly becoming a serious threat and a nuisance in the information and network age. Human experts have to extract (involves complex analysis of encrypted and/or packed binaries) a signature (usually a text pattern) of the malware and deploy it, to protect against a malware. However, this approach does not work for polymorphic and metamorphic malware, which have the ability to change shape from attack to attack; also, metamorphic virus detection even assuming fixed length is NP-complete. There have been numerous static code checking methods which are trying to detect anomalies and report the presence of malware. But in the current time there are numerous code obfuscation techniques which help them get away undetected. What we need is a dynamic method which reads through the processes run by the apps and detects unwanted behavior and reports it Android Systems have …

1. USING GOOD APPS for
detection of malware in
android systems
by Deepanjan Kundu
Guide: Prof. R.K.Shyamasundar

2. DETECTION
Earlier methods of virus and spyware scanners are obsolete
and some new static methods such as model checking, control
flow checking etc. for detection.
But many code obfuscation techniques such as binary
obfuscation using opaque constants can oversome such static
methods.
We need something different.

3. GOAL
1. Malware authors are using advanced techniques to evade
detection by anti-virus products and polymorphic malware now
becomes the de facto standard. Static analysis may not be
sufficient.
2. In this project, we shall arrive methods to detect
infection of android apps., using their dynamic behaviour. We
use the signature from ‘benign’ applications and use them to
detect infection. This is the opposite of the traditional
method and fits quite well in the context of Android System.

6. CHANGING FRAMEWORK
1. Identify sensitive API functions for android
2. Mark them by generating specific logs from them(eg. some
message like “BTP”)
3. Generate the log and obtain it using adb logcat
4. Collect only the ones with a BTP mark inside them with
grep
5. TID and PID problem solved. Also as fine as android
framework

7. Contd.
● Camera functions(done)
● Location data (GPS)
● Bluetooth functions(done)
● Telephony functions(done)
● SMS/MMS functions(done)
● Network/data connections(done)
● Write

8. Action CLasses
● Not all the API functions are security sensitive. So,
keep only those actions whose APIs are needed for
ensuring security.
● Classify the useful APIs into abstract classes. This
helps to greatly reduce the size of the behaviour without
losing a lot of information.
● Note that if two consecutive actions have the same class
symbol and the same input resource we keep only the first
copy and remove the later.
● Done for 62 APIs over 16 classes.

9. Abstract Activity
● We may replace the action sequences with (t 1 , O) where
O is the symbol corresponding to the high-level action
● Commonly occurring patterns (involving non-standard
resources) also have to be taken into account.
● For example, getCallCapabilities, getCalldetails,
getParent are all Call-Metadata based APIs and hence are
marked by common class symbol A.(Used by Spywares). The
Sequence BA, where B is for constructor function of the
Call Class, stands is an action sequence denoted by a.
This sequence generally takes place when a call happens.

10. Regular expression as SIgnature
1. “A.B” + “A.C” = “A.(B + C)”
2. “A m .B” + “A n .B” = “A min(m,n)+ .B”
3. “A m .B” + “A n .C” = “A min(m,n)+ .(B + C)”
4. A” + “A.B” = “A. ” + “A.B” = “A.( + B)”
Used the above properties to keep on updating the regular
expression(L1+L2), which is adding language to the existing
language, as we keep on using more logs for the application.

11. A sample result
E4|c1).(F3|E1).(c1+|c1).(E1|F1).(F1|E2).(E1|F3).(F1|L1).(G1|J
1).(c1|E1).(F1|J1).(G1|N1).(F4|O1).(G1|N1).(c1|O1).(F1|E1).(E
1|K1).(F4|J2).(G1|L2).(c1|F8).(F3|c1).(G1|I1).(c1|E6).(F1|I1)
.(e1|E1.I1.E1.G1.F2.c1.I1).(e1|E1).(e1|I1).(e1|E1).(e1|I1).(e
1|E1).(e1|G1).(e1|F2).(e1|c1).(e1|I1).(e1|E1).(e1|I1).(e1|E1)
.(e1|I1).(e1|E1).(e1|G1).(e1|F1).(e1|E1).(e1|F1).(e1|c1).(e1|
I1).(e1|E1).(e1|F1).(e1|I1).(e1|E1).(e1|I1).(e1|E1).(e1|F1).(
e1|G1).(e1|F2).(e1|c1).(e1|I1).(e1|E1).(e1|I1).(e1|E1).(e1|I1
).(e1|E1)

12. TO be done
1. The system needs a lot of polishing. Using Android
framework for such dynamic signature generation is new
and hence needs to be polished. All the steps could see
several improvements and could be covered in more depth.
2. Experiments to compare how this method would stand out as
compared to others for android systems.

13. THANK
YOU

14. References
[1] N.V.Narendra Kumar R.K.Shyamasundar George Sebastian
Saurav Yashaswee. Algorithmic Detection of Malware via
Semantic Signatures
[2] N.V.Narendra Kumar, R.K.Shyamasundar, Vivek Goswami,
Richya Bansal. Metamorphic Virus: Is it Amenable for
Algorithmic Detection?
[3] N.V.Narendra Kumar Harshit J. Shah R.K.Shyamasundar.
Benchmarking Program Behaviour for Detecting Malware
Infection

15. [4] Pallavi Maiya Aditya Kanade Rupak Majumdar. Race
Detection for Android Applications
[5] https://code.google.com/p/droidbox/