Towards mining comprehensive Android sandboxes

Author

Tien-Duy B. LE, Singapore Management UniversityFollow
Lingfeng BAO, Zhejiang University
David LO, Singapore Management UniversityFollow
Debin GAO, Singapore Management UniversityFollow
Li LI, Monash University

Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

12-2018

Abstract

Android is the most widely used mobile operating system with billions of users and devices. The popularity of Android apps have enticed malware writers to target them. Recently, Jamrozik et al. proposed an approach, named Boxmate, to mine sandboxes to protect Android users from malicious behaviors. In a nutshell, Boxmate analyzes the execution of an app, and collects a list of sensitive APIs that are invoked by that app in a monitoring phase. Then, it constructs a sandbox that can restrict accesses to sensitive APIs not called by the app. In such a way, malicious behaviors that are not observed in the monitoring phase – occurring, for example, due to malicious code injection during an attack – can be prevented. Nevertheless, Boxmate only focuses on a specific API type (i.e., sensitive APIs); it also ignores parameter values of many API methods and requested permissions during the execution of a target app. As a result, Boxmate is not able to detect malicious behaviors in many cases. In this work, we address the limitation of Jamrozik et al.’s work by considering input parameters of many different types of API methods for mining a more comprehensive sandbox. Given a benign app, we first extract a list of Android permissions that the app may request during its execution. Next, we leverage an automated test case generation tool, named Droidbot, to generate a rich set of GUI test cases for exploring behaviors of the app. During the execution of these test cases, we analyze the execution of four different types of API methods. Furthermore, we record input parameters to these API methods, and classify those into four different categories. We leverage the collected parameter values, and the list of requested permissions to create a sandbox that can protect users from malicious behaviors. Our experiments on 25 pairs of real benign and malicious apps show that our approach is more effective than the coarseand fine-grained variants of Boxmate by 267.37% and 81.64% in terms of Fmeasure respectively.

Keywords

Android security, Malicious behavior detection, Mining sandboxes

Discipline

Databases and Information Systems | Numerical Analysis and Scientific Computing

Research Areas

Data Science and Engineering

Publication

ICECCS 2018: 23rd International Conference on Engineering of Complex Computer Systems: Proceedings : 12-14 December, Melbourne, Australia

First Page

51

Last Page

60

ISBN

9781538693414

Identifier

10.1109/ICECCS2018.2018.00014

Publisher

IEEE Computer Society

City or Country

Los Alamitos, CA

Citation

LE, Tien-Duy B.; BAO, Lingfeng; LO, David; GAO, Debin; and LI, Li. Towards mining comprehensive Android sandboxes. (2018). ICECCS 2018: 23rd International Conference on Engineering of Complex Computer Systems: Proceedings : 12-14 December, Melbourne, Australia. 51-60.
Available at: https://ink.library.smu.edu.sg/sis_research/4289

Copyright Owner and License

Authors

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1109/ICECCS2018.2018.00014