Publication Type

Journal Article

Version

publishedVersion

Publication Date

3-2025

Abstract

Malware attacks have been a serious threat to the security and privacy of both individual and corporate users of the Android platform. Business entities seek to protect themselves by monitoring privacy-related sensitive behaviors conducted on company-issued Android devices. However, due to Android’s own access control and privacy protection policies, this is difficult to do with third-party apps using only normal privileges. Existing works proposed using side-channel readings from leaky APIs and system virtual files to infer runtime app behaviors, which could be unreliable due to future system updates (that ban exploited resources), hardware jittering, etc. In this paper, we argue that a more traditional side-channel attack strategy, namely the CPU-cache-based side channel, could be exploited in the benign scenario of app behavior surveillance. Specifically, we propose CacheAlarm, a sensitive app behavior monitor and foreground app identification system, which works by measuring cache side-channel readings of selected methods within the Android framework. We conducted in-lab and in-the-wild user studies to compare the effectiveness of our scheme against SideNet, a previous Android app behavior surveillance scheme using API-based side channels. Results of the studies suggested that CacheAlarm outperforms SideNet on the accuracy of detecting sensitive behaviors, in addition to gaining the capability of detecting apps running in the foreground of the user device.

Keywords

Smart Phones, Operating Systems, Surveillance, Malware, Runtime, Privacy, Hardware, Accuracy, Training, Protection, Side Channel, Cache Attack, Android Applications, Dynamic Analysis, Side Channel Attacks, Behavioral Sensitization, Android Apps, Cache Side Channel, User Study, Access Control, Android Devices, Business Entities, False Positive, Typical Behavior, Target Selection, Microphone, Real World Scenarios, App Use, Situational Awareness, Related Services, Adaptive Selection, Calibration Strategy, System Calls, Cache Hit, Cache Misses, Malware Detection, Temporal Correspondence, Code Section, Small Time Window, Address Space, CPU Usage, Operating System, Cases Of Events

Discipline

Software Engineering

Research Areas

Software and Cyber-Physical Systems

Areas of Excellence

Digital transformation

Publication

IEEE Transactions on Dependable and Secure Computing

Volume

22

Issue

5

First Page

4737

Last Page

4752

ISSN

1545-5971

Identifier

10.1109/TDSC.2025.3550918

Publisher

Institute of Electrical and Electronics Engineers

Additional URL

https://doi.org/10.1109/TDSC.2025.3550918
