How 1 Million App Calls can Tell you a Bit About Malware – Part 1

Recently, I collaborated with a number of researchers from the Software Systems Laboratory of Columbia University, on a study regarding POSIX (Portable Operating System Interface) abstractions. In a nutshell, we measured how and to what extent traditional POSIX abstractions are being used in modern operating systems, and whether new abstractions are taking form, dethroning traditional ones. The results of this study were presented at the 11th European Conference on Computer Systems (EuroSys ’16).

In one of our experiments, we examined which POSIX calls are used by both benign Android applications (~1 million) coming from the Google Play Store, and malicious Android applications (1260) taken from a well-known dataset. The popularity of POSIX calls between the benign and malicious applications can be seen in Figure 1. An interesting observation involves outliers illustrating that there are POSIX interfaces which are popular only for malicious applications. Table 1, presents a set of indicative abstractions that are popular among malicious apps and unpopular among benign ones.

StaticAnalysisMalicious

Figure 1: Comparing the popularity of POSIX calls between benign Google Play applications and malicious applications (taken from a popular dataset). There are some outliers identifying POSIX calls, which are popular only for malicious applications.

table1

Table 1: Popular POSIX abstractions among malicious applications (and at the same time unpopular among benign ones).

We attempted to create a simple filter that identifies potentially malicious applications based on the three most unpopular abstractions among benign applications and at the same time popular among malicious ones. In particular, we checked if an application uses at least one of the following abstractions: ptsname, unlockpt (two pseudo-terminal functions – malicious application developers are most likely attempting to exploit interfaces known to be old, poorly maintained, and buggy) and setsid. We checked our filter against a set of applications taken from the Google Play store (465000). Our initial findings though, were not significant. Specifically, our filter indicated that 1633 applications were suspicious. To validate our result, we checked these applications against the 54 antiviruses provided by the VirusTotal service. To achieve this, we used the framework that I presented in my previous blog post. We found that 413 (25.29%) of them are potentially malicious. Furthermore, Figure 2 indicates that in most cases only one antivirus issued an alarm, which is probably a false positive.

In my next post I will discuss about a more robust filter based on binary classifier and also about potentially malicious applications that include obfuscated libraries.

Figure 2: Potentially Malicious Applications found on Google Play Store. The identification was based on a simple filter that involved the three most unpopular POSIX abstractions among benign applications and at the same time popular among malicious ones.

Figure 2: Potentially Malicious Applications found on Google Play Store. The identification was based on a simple filter that involved the three most unpopular POSIX abstractions among benign applications and at the same time popular among malicious ones.

This entry was posted in Security & Privacy by Dimitris Mitropoulos. Bookmark the permalink.

About Dimitris Mitropoulos

Dimitris Mitropoulos is a software and security engineer at the Greek Research and Technology Network (GRNET) and a research associate at the Athens University of Economics and Business. Dr. Mitropoulos holds a BSc in Informatics and Telecommunications from the National and Kapodistrian University of Athens, an MSc and a PhD in Cyber Security from the Athens University of Economics and Business. He has also been a postdoctoral researcher at the Network Security Laboratory (NSL) of Columbia University in the City of New York. He has worked in the industry as a software engineer and has been involved in several EU and US funded R&D projects. His research interests include application security, systems security, software evolution and software engineering. He a member of ACM, IEEE, OWASP and SysSec.

Leave a Reply

Your email address will not be published. Required fields are marked *