
Highlighting easily how malicious applications corrupt Android devices

Published on Mar 21, 2016

Goal

  • Focus on integrity.
  • Monitor information flows.
  • Filter these flows to uncover suspicious ones.

Hypothesis

  • Android apps share some common behaviours.
  • Some of the information flows are common between apps.

Approach

  • Tag the .apk of the Android application to be analysed.
  • Monitor and log how information from this app is disseminated.
  • Build the corresponding System Flow Graph (SFG).
  • Filter out the edges that also appear in the SFGs of benign applications; the remaining edges are the suspicious flows.

Blare (an information flow monitor)

  • System objects are processes, files and sockets.
  • Monitors information flow between system objects.
  • Uses tainting.
  • Developed as a Linux Security Module.

Blare (an information flow monitor)

  • Uses LSM hooks to intercept syscalls.
  • Observes information flows.
  • Logs any information flow involving tainted data.

System Flow Graph

  • Describes in a compact way the information flows logged by Blare.
  • Directed graph G = (V,E)
  • Each node represents a system object.

System Flow Graph

  • Each node has 3 attributes: type, name and identifier.
  • Each edge between two nodes represents a unique information flow from the source node to the destination node.
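The four steps of the Approach (tag the APK, log how its information spreads, build the SFG, filter against benign SFGs), the Blare logging rule (only flows carrying tainted data are logged) and the SFG definition above, worked through in one added Python example. This is illustrative code written for this page, not Blare's or AndroBlare's implementation: the event names, the direction assigned to each event, the normalisation of node names by package name, and both traces are constructed for the example, and the "malicious" trace is hypothetical rather than the behaviour of any sample named on the slides.

```python
from collections import namedtuple

# The three node attributes named on the slide: type, name and identifier.
Node = namedtuple("Node", "type name id")

# Direction of the information flow for each intercepted event (an assumed
# mapping for this example): code/data loaded, read or received moves
# object -> process; writes and sends move process -> object.
OBJ_TO_PROC = {"exec", "read", "recv"}
PROC_TO_OBJ = {"write", "send"}


class TaintMonitor:
    """Minimal stand-in for Blare: information from a tagged object is tainted,
    taint propagates along every observed flow, and only flows that carry
    tainted information are logged."""

    def __init__(self):
        self.tainted = set()
        self.log = []  # ordered list of (src, dst) Node pairs

    def tag(self, node):
        self.tainted.add(node)

    def observe(self, event, proc, obj):
        """Feed one intercepted event between a process and a file/socket.
        Returns True when the flow carried tainted data and was logged."""
        if event in OBJ_TO_PROC:
            src, dst = obj, proc
        elif event in PROC_TO_OBJ:
            src, dst = proc, obj
        else:
            raise ValueError(f"unknown event {event!r}")
        logged = src in self.tainted      # only flows of tainted data are logged
        if logged:
            self.tainted.add(dst)         # taint is transitive
            self.log.append((src, dst))
        return logged


def build_sfg(log, pkg):
    """Directed graph G = (V, E) returned as a set of edges: each (src, dst)
    pair is one edge however often the flow was logged. Nodes are keyed by
    (type, name) and the analysed package name is replaced by '<app>' so that
    SFGs of different apps and runs (different pids, fds, package dirs) can be
    compared; this normalisation is an assumption of the example."""
    def key(node):
        return (node.type, node.name.replace(pkg, "<app>"))
    return {(key(src), key(dst)) for src, dst in log}


def suspicious_edges(app_sfg, benign_sfgs):
    """Keep the edges of the analysed SFG that appear in no benign SFG."""
    common = set().union(*benign_sfgs)
    return app_sfg - common


def run_trace(pkg, apk, events):
    """Tag the APK of the analysed app, replay constructed events, build the SFG."""
    mon = TaintMonitor()
    mon.tag(apk)
    for event, proc, obj in events:
        mon.observe(event, proc, obj)
    return build_sfg(mon.log, pkg)


def benign_trace(pkg, pid):
    """Constructed trace of an ordinary app: load its code, cache data, talk HTTPS."""
    app = Node("process", pkg, pid)
    apk = Node("file", f"/data/app/{pkg}-1.apk", 101)
    events = [
        ("exec", app, apk),
        ("write", app, Node("file", f"/data/data/{pkg}/cache/state", 102)),
        ("send", app, Node("socket", "tcp:443", 7)),
    ]
    return pkg, apk, events


def malicious_trace(pkg, pid):
    """Constructed trace with the benign behaviour plus a dropped script that a
    shell process executes and then uses to reach the network. Hypothetical;
    not the behaviour of the samples named on the slides."""
    app = Node("process", pkg, pid)
    apk = Node("file", f"/data/app/{pkg}-1.apk", 201)
    sh = Node("process", "sh", pid + 1)
    script = Node("file", "/data/local/tmp/payload.sh", 202)
    contacts = Node("file", "/data/data/com.android.providers.contacts/databases/contacts2.db", 203)
    events = [
        ("exec", app, apk),
        ("write", app, Node("file", f"/data/data/{pkg}/cache/state", 204)),
        ("send", app, Node("socket", "tcp:443", 8)),
        ("read", app, contacts),   # untainted source: moves no APK data, so not logged
        ("write", app, script),    # APK-derived data lands outside the app's sandbox
        ("exec", sh, script),      # sh now carries the taint
        ("send", sh, Node("socket", "tcp:8080", 9)),
    ]
    return pkg, apk, events


if __name__ == "__main__":
    benign = [run_trace(*benign_trace(p, 2000 + i))
              for i, p in enumerate(["com.example.weather", "com.example.notes"])]
    app_sfg = run_trace(*malicious_trace("com.example.evil", 1234))
    for src, dst in sorted(suspicious_edges(app_sfg, benign)):
        print(f"{src} -> {dst}")
```

The read of the contacts database is deliberately absent from the output: with the integrity focus of the slides, a flow whose source carries no taint from the APK moves none of the app's information and is never logged, so it cannot appear in the SFG (a confidentiality analysis would tag the database instead). The subtraction against benign SFGs leaves only the script drop, its execution by `sh`, and the shell's outbound connection.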

Experiments

  • Four malware samples: DroidKungFu1, DroidKungFu2, jSMSHider and BadNews.
  • Seven applications from Google Play.

Example of SFG

LSM Hook

  • A hook is an upcall to the module.
  • Hooks are placed where a user-level syscall accesses an important kernel object.

AndroBlare

  • Blare is an experimental host-based, policy-based IDS for Linux.
  • AndroBlare is the port of Blare to Android.
  • Adapted to take the Binder IPC mechanism into account.
  • Tracks the system calls that may carry information flows.