Our MobileSandbox paper from SAC2013 got an update. It has been accepted as an journal article for the upcoming edition of the International Journal of Information Security.
Our paper Post-Mortem Memory Analysis of Cold-Booted Android Devices has been accepted at IMF’14 and was presented there last week.
Da sich Mobiltelefone immer größerer Beliebtheit erfreuen, rücken sie auch immer weiter in den Fokus von Kriminellen. Waren vor ein bis zwei Jahren nur einige hundert bösartige Applikationen für mobile Endgeräte in der freien Wildbahn bekannt, sind es heute schon weit über 200.000 und es kommen täglich neue Schädlinge hinzu. Der Funktionsumfang dieser Schädlinge reicht vom Versenden von einfachen premium SMS, über Banking-Trojaner bis hin zu ausgereiften Exploits, die das infizierte Telefon zu einem fernsteuerbaren Bot verwandeln. In diesem Artikel wird ein Überblick darüber gegeben wie die aktuelle Bedrohungslage für Android Telefone aussieht. Darüber hinaus wird eines der bekanntesten Analysesysteme für schadhafte Android Applikationen vorgestellt
Den ganzen Artikel gibt es hier.
We have a 2nd paper accepted at SAC’13: Slicing Droids: Program Slicing for Smali Code. The tool’s source code will be made available after the paper has been presented.
Here is the abstract:
The popularity of mobile devices like smartphones and tablets has increased significantly in the last few years with many millions of sold devices. This growth also has its drawbacks: attackers have realized that smartphones are an attractive target and iin the last months many different kinds of malicious software (short: malware) for such devices have emerged. This worrisome development has the potential to hamper the prospering ecosystem of mobile devices and the potential for damage is huge.
Considering these aspects, it is evident that malicious apps need to be detected early on in order to prevent further distribution and infections. This implies that it is necessary to develop techniques capable of detecting malicious apps in an automated way. In this paper, we present SAAF, a Static Android Analysis Framework for Android apps. SAAF analyzes smali code, a disassembled version of the DEX format used by Android’s Java VM implementation. Our goal is to create program slices in order to perform data-flow analyses to backtrack parameters used by a given method. This helps us to identify suspicious code regions in an automated way. Several other analysis techniques such as visualization of control flow graphs or identification of ad-related code are also implemented in SAAF. In this paper, we report on program slicing for Android and present results obtained by using this technique to analyze more than 136,000 benign and about 6,100 malicious apps.
Our paper Mobile-Sandbox: Having a Deeper Look into Android Applications got accepted at SAC’13 and will be presented there at 18-22 March 2013.
Here is the abstract:
Smartphones in general and Android in particular are increasingly shifting into the focus of cybercriminals. For understanding the threat to security and privacy it is important for security researchers to analyze malicious software written for these systems. The exploding number of Android malware calls for automation in the analysis. In this paper, we present Mobile-Sandbox, a system designed to automatically analyze Android applications in two novel ways:
- it combines static and dynamic analysis, i.e., results of static analysis are used to guide dynamic analysis and extend coverage of executed code, and
- it uses specific techniques to log calls to native (i.e., “non-Java”) APIs.
For this paper we evaluated the system with more than 36,000 applications from Asian third-party mobile markets and found that 24% of them actually use native calls in their code.