Reducing the window of opportunity for Android malware: Gotta catch ’em all


Ontology type: schema:ScholarlyArticle


Article Info

DATE

2012-05

AUTHORS

Axelle Apvrille, Tim Strazzere

ABSTRACT

Spotting malicious samples in the wild has always been difficult, and Android malware is no exception. In fact, Android applications are (usually) not directly accessible from market places, which makes the task even harder. For instance, Google enforces its own communication protocol to browse and download applications from its market, so an efficient market crawler must reverse-engineer and implement this protocol, issue appropriate search requests and take the necessary steps so as not to be banned. From the end-user's side, the difficulty of spotting malicious mobile applications means that most Android malware remains unnoticed for up to 3 months before a security researcher finally stumbles on it. To reduce this window of opportunity, this paper presents a heuristics engine that statically pre-processes and prioritizes samples. The engine uses 39 flags of different natures, such as Java API calls, the presence of embedded executables, code size and URLs. Each flag is assigned a different weight, based on statistics we computed from the techniques mobile malware authors most commonly use in their code. The engine outputs a risk score which highlights the samples most likely to be malicious. The engine has been tested over a set of clean applications and a set of malicious ones. The results show a strong difference in the average risk score between the two sets and in its distribution, proving its usefulness for spotting malware.

PAGES

61-71

References to SciGraph publications

  • 2012. Android Market Analysis with Activation Patterns, in SECURITY AND PRIVACY IN MOBILE INFORMATION AND COMMUNICATION SYSTEMS

Identifiers

URI

http://scigraph.springernature.com/pub.10.1007/s11416-012-0162-3

DOI

http://dx.doi.org/10.1007/s11416-012-0162-3

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1023857859



Publication details (from the record's JSON-LD)

Journal

Journal of Computer Virology and Hacking Techniques (ISSN 2274-2042, 1772-9904), volume 8, issue 1-2, pages 61-71

Published

2012-05 (registered 2012-05-01); genre: research article; language: en; not accessible for free

Subject areas (ANZSRC FoR 2008)

08 Information and Computing Sciences; 0804 Data Format

Authors and affiliations

  • Axelle Apvrille, Fortinet, EMEA AV Team, 120, rue Albert Caquot, 06410, Biot, France
  • Tim Strazzere, Lookout Mobile Security, 1 Front Street, Suite 2700, 94111, San Francisco, CA, USA

Cited works

  • https://doi.org/10.1145/1557019.1557153
  • https://doi.org/10.1007/978-3-642-30244-2_1
  • https://doi.org/10.1109/malware.2010.5665792

Product IDs

doi: 10.1007/s11416-012-0162-3; dimensions_id: pub.1023857859; readcube_id: 71a995d77830af1d0429c22a5f7ca5b2ab3ab9902babc6b72ab9d93a2592817e

URL

http://link.springer.com/10.1007%2Fs11416-012-0162-3

SciGraph record

Published 2019-04-10T21:39 by Springer Nature - SN SciGraph project (dataset: articles); license: https://scigraph.springernature.com/explorer/license/


    HOW TO GET THIS DATA PROGRAMMATICALLY:

    JSON-LD is a popular format for linked data which is fully compatible with JSON.

    curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/s11416-012-0162-3'

    N-Triples is a line-based linked data format ideal for batch operations.

    curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/s11416-012-0162-3'

    Turtle is a human-readable linked data format.

    curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/s11416-012-0162-3'

    RDF/XML is a standard XML format for linked data.

    curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/s11416-012-0162-3'


     




