Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

2-2023

Abstract

Understanding Android applications' behavior is essential to many security applications, e.g., malware analysis. Although many systems have been proposed to perform such dynamic analysis, they are limited by their applicable analysis environment (on device vs. emulator), transparency to subject apps, applicable runtime (Dalvik vs. ART), applicable system stack, or granularity. In this paper, we propose FA3 (Fine-Grained Android Application Analysis), a novel on-device, non-invasive, and fine-grained analysis platform by leveraging existing profiling mechanisms in the Android Runtime (ART) and kernel to inspect method invocations and control-flow transfers for both Java methods and third-party native libraries. FA3 embeds its tracing capability in multiple layers of the Android system stack to not only capture fine-grained application behaviors but ensure even non-conventional or malicious tricks of loading and executing OAT/ELF binaries cannot escape our monitoring. We carefully evaluated FA3 using real-world malware. Experimental results showed that FA3 successfully analyzes sophisticated malware samples and provides a comprehensive view of their behavior.

Keywords

Android malware, Mobile security, Android applications, Fine-grained

Discipline

Information Security | Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

HotMobile '23: Proceedings of the 24th International Workshop on Mobile Computing Systems and Applications, Newport Beach, 22-23 February

First Page

74

Last Page

80

ISBN

9798400700170

Identifier

10.1145/3572864.3580338

Publisher

ACM

City or Country

New York

Additional URL

https://doi.org/10.1145/3572864.3580338

Share

COinS