
Combatting Context-Sensitive Mobile Malware

Budget code: C15/IS/10404933
Funding: FNR - Other
Start date: 1 April 2016
End date: 30 March 2019


Mobile computing devices, or simply smartphones, are ubiquitous today. Many consumers rely
on their smartphone for personal computing tasks such as communicating with friends and family
through numerous messengers, email, mobile banking, GPS navigation, etc. Moreover, through
so-called Bring-Your-Own-Device (BYOD) schemes, smartphones are increasingly used for business
tasks as well. With this proliferation of mobile devices, the security and privacy of smartphones
and of the data they process become crucial requirements.
Unfortunately, mobile platforms today are insecure. For example, the number of mobile malware
samples for Google's Android platform is growing exponentially, and the price of admitting a
malicious application onto an end-user device is often very high, especially if the device is
used in a corporate environment and handles highly sensitive information. Malicious mobile
applications are known to steal private data handled by the smartphone almost by default.
Therefore, there is a high demand for anti-virus services tailored to mobile devices that can
evaluate whether a third-party application is malicious or not. For example, Google and Apple
run their own on-market security services for application vetting. There also exist a number of
third-party online security services that offer to check the security of mobile applications,
such as VirusTotal and Andrubis.

Security services offered by antivirus companies often rely on known malware signatures.
Therefore these services do not detect zero-day malware samples that rely on new attacks or
recently discovered vulnerabilities. This approach is not sufficiently reliable in the context
of an application market: if Apple or Google were to distribute zero-day malware, they would face
a customer drain. Thus on-market security services typically use a combination of static and
dynamic security checks that can reveal malicious behaviour. For example, if such a service
detects known root exploit code or a suspicious pattern of API calls, it can mark the sample in
question as malicious. However, recent generations of mobile malware that use obfuscation and
dynamic code updates to thwart the security services pose a big challenge. Such dangerous
samples can often be categorised as environment-sensitive or context-sensitive malware: they
change their behaviour depending on the context in which they run. If they are able to detect
that they are being executed by a security service, they do not exhibit their malicious payload.
If the payload is also obfuscated (e.g., encrypted), it can be very challenging to identify
malicious code in these

There currently exist security techniques that aim to combat this type of malware. They
typically rely on machine learning-based classifiers, or they exploit discrepancies between
several executions of the same sample and check whether one of these executions actually shows
malicious actions. The challenge for a machine learning-based approach is the weakness of
feature selection. Code obfuscation alone cannot reliably be used as a malware feature, since
many benign apps obfuscate their code to deter plagiarism. And if an attacker knows which other
features contribute to the malicious profile used by a security service, he can change the app
so that it no longer matches this profile.
If a security service can find a suitable context in which to execute the sample such that it
exhibits some malicious behaviour, the sample can be successfully categorised as malicious. The
main challenge for these approaches is finding that context, which can be very difficult in
general, given that malware is often able to detect that it is running in the security service's
emulator and thus to refrain from malicious actions. Generating the right context often requires
manual inspection of the code. This is a tedious task that is usually not feasible for online
third-party security services such as Andrubis.

Our contribution: In this project we plan to improve the state-of-the-art mechanisms for reliable
detection of malicious applications by looking simultaneously at executed and non-executed code
paths. The intuition is simple: context-sensitive malware tries to conceal its malicious
behaviour, so the most security-critical code will be hidden in the code paths that were not
executed by the security service. For such code paths we will 1) automatically identify how to
bring the app's execution to these paths; and 2) automatically analyse these code paths to detect
concealed security issues. The detection will rely on machine learning techniques and data flow
analysis.
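To make the two ideas above concrete (context-sensitive malware hiding its payload behind emulator checks, and an analysis that looks at the code paths a vetting service did not execute and derives a context that reaches them), here is an added toy example written for this page. It is not the project's code and not any real detection system: the sample's control-flow graph, the environment property names it inspects, the "emulator" context and the list of suspicious API calls are all constructed for the illustration. The three emulator heuristics (a build fingerprint starting with "generic", ro.kernel.qemu set to 1, an all-zero device ID) are commonly cited ones, but the sample that uses them is hypothetical.

```python
"""Toy analysis of executed vs. non-executed paths in an environment-sensitive
sample.  The sample, property names and suspicious-call list are constructed
for this example and do not come from any real app or detection service."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Context = Dict[str, str]          # environment property name -> observed value


@dataclass(frozen=True)
class Guard:
    """A branch condition that inspects one environment property."""
    prop: str
    op: str      # "eq", "ne", "startswith", "not_startswith"
    value: str

    def holds(self, ctx: Context) -> bool:
        actual = ctx.get(self.prop, "")
        if self.op == "eq":
            return actual == self.value
        if self.op == "ne":
            return actual != self.value
        if self.op == "startswith":
            return actual.startswith(self.value)
        if self.op == "not_startswith":
            return not actual.startswith(self.value)
        raise ValueError(f"unknown op {self.op!r}")

    def negate(self) -> "Guard":
        flip = {"eq": "ne", "ne": "eq",
                "startswith": "not_startswith", "not_startswith": "startswith"}
        return Guard(self.prop, flip[self.op], self.value)

    def witness(self) -> str:
        """A property value that makes this guard true on its own."""
        if self.op in ("eq", "startswith"):
            return self.value
        return "device_" + self.value      # anything outside the forbidden set


@dataclass
class Block:
    calls: List[str] = field(default_factory=list)
    # Ordered (guard, target) edges with if/elif/else semantics: the first
    # edge whose guard holds (None = unconditional) is taken.
    edges: List[Tuple[Optional[Guard], str]] = field(default_factory=list)


CFG = Dict[str, Block]


def execute(cfg: CFG, ctx: Context, entry: str = "entry") -> List[str]:
    """Concrete run under ctx; returns the sequence of executed blocks."""
    trace, cur = [], entry
    while cur is not None:
        trace.append(cur)
        cur = next((t for g, t in cfg[cur].edges if g is None or g.holds(ctx)), None)
    return trace


def path_conditions(cfg: CFG, entry: str = "entry") -> Dict[str, List[Tuple[Guard, ...]]]:
    """For every block, the guard conjunctions under which it is reached (acyclic paths)."""
    result: Dict[str, List[Tuple[Guard, ...]]] = {}

    def dfs(block: str, conds: Tuple[Guard, ...], seen: frozenset) -> None:
        result.setdefault(block, []).append(conds)
        not_taken: Tuple[Guard, ...] = ()
        for guard, target in cfg[block].edges:
            taken = conds + not_taken + ((guard,) if guard else ())
            if target not in seen:
                dfs(target, taken, seen | {target})
            if guard is not None:        # later edges require this guard to fail
                not_taken += (guard.negate(),)

    dfs(entry, (), frozenset([entry]))
    return result


def solve(conds: Tuple[Guard, ...], base: Context) -> Optional[Context]:
    """Derive a context satisfying all guards, starting from base; None if contradictory."""
    ctx = dict(base)
    for g in conds:                       # positive guards pin values first
        if g.op in ("eq", "startswith"):
            ctx[g.prop] = g.witness()
    for g in conds:                       # then fix whatever still fails
        if not g.holds(ctx):
            ctx[g.prop] = g.witness()
    return ctx if all(g.holds(ctx) for g in conds) else None


def dormant_paths(cfg: CFG, service_ctx: Context, suspicious: set,
                  entry: str = "entry") -> List[Tuple[str, List[str], Context]]:
    """Blocks not executed under service_ctx that contain suspicious calls,
    each paired with a context under which a concrete run reaches the block."""
    executed = set(execute(cfg, service_ctx, entry))
    findings = []
    for block, conds_list in path_conditions(cfg, entry).items():
        hits = [c for c in cfg[block].calls if c in suspicious]
        if block in executed or not hits:
            continue
        for conds in conds_list:
            ctx = solve(conds, service_ctx)
            if ctx is not None and block in execute(cfg, ctx, entry):
                findings.append((block, hits, ctx))
                break
    return findings


# Constructed sample: a hypothetical SMS-sending payload behind three emulator
# checks.  "imei" stands for the value returned by TelephonyManager.getDeviceId().
SAMPLE: CFG = {
    "entry": Block(edges=[(Guard("ro.build.fingerprint", "startswith", "generic"), "benign_ui"),
                          (None, "check_qemu")]),
    "check_qemu": Block(edges=[(Guard("ro.kernel.qemu", "eq", "1"), "benign_ui"),
                               (None, "check_imei")]),
    "check_imei": Block(edges=[(Guard("imei", "eq", "000000000000"), "benign_ui"),
                               (None, "payload")]),
    "payload": Block(calls=["TelephonyManager.getDeviceId",
                            "SmsManager.sendTextMessage", "DexClassLoader.<init>"],
                     edges=[(None, "benign_ui")]),
    "benign_ui": Block(calls=["TextView.setText"]),
}
# What a stock emulator-based vetting sandbox would expose (constructed values).
SERVICE_CONTEXT: Context = {"ro.build.fingerprint": "generic/sdk/generic:7.0",
                            "ro.kernel.qemu": "1", "imei": "000000000000"}
SUSPICIOUS = {"SmsManager.sendTextMessage", "DexClassLoader.<init>", "Runtime.exec"}

if __name__ == "__main__":
    print("executed under service context:", execute(SAMPLE, SERVICE_CONTEXT))
    for block, hits, ctx in dormant_paths(SAMPLE, SERVICE_CONTEXT, SUSPICIOUS):
        print(f"dormant block {block!r} calls {hits}; reachable with {ctx}")
```

Under the emulator context the sample only runs `entry` and `benign_ui`, which is exactly what a signature- or trace-based service would see. `dormant_paths` then takes the blocks that never executed, keeps those containing calls on the watch list, and uses the accumulated branch guards (including the negations of the emulator checks that were taken) to build a context that a second, concrete run confirms reaches the payload. Real analyses replace the toy guards with constraints recovered from bytecode and the watch list with learned features, but the executed-versus-dormant split is the same.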