SpyDroid: A Framework for Employing Multiple Real-Time Malware Detectors on Android
Among all smartphone operating systems, Android held over 85% of the market share in 2017 [1]. Moreover, Android-powered devices such as cars, fridges, televisions, point of sale (POS) terminals, and ATM booths are expected to flood user markets within a few years. Due to the popularity of the Android ecosystem, malware writers are targeting Android devices exclusively, and the amount of malware for Android surged exponentially in 2017. Android implements a number of security mechanisms to ensure the safety of device resources, e.g., the permission mechanism.

The permission mechanism of Android is coarse-grained, and users are usually ignorant about the permissions being sought. Researchers have also proposed attacks that can bypass the permission mechanism [2], [3]. As a result, effective detection of malware is very important to mitigate security threats in the Android ecosystem. Unfortunately, antiviruses are not very effective due to the restrictive security model of Android, which does not let any app scan the runtime behavior of others.

Researchers have made great efforts to improve the security of Android and have proposed a number of static and dynamic analysis techniques. In static analysis, the Android application file (apk) is decompiled to perform analysis, such as data flow analysis, control flow analysis, API call analysis, byte N-gram, and fingerprinting. Studies [4] have shown that static analysis is becoming less effective day by day due to powerful transformation techniques (call graph obfuscation, dynamic code loading, manifest cheating, metamorphism, polymorphism, etc.). They concluded that dynamic analysis is a necessary complement to static analysis, as it is less vulnerable to code transformations.

Dynamic analysis is more effective as it can extract features that represent unique patterns of execution. Interestingly, according to one study [5], over 98% of new malware samples are in fact variants of an existing malware family. Google uses a dynamic analysis system called Google Bouncer that analyzes apks submitted to them. Unfortunately, dynamic analysis techniques that execute Android apps inside an emulator also suffer from the fact that malware writers can detect emulators and thus evade detection. Hence, real-time monitoring on user devices becomes necessary. In addition, end users are not benefiting from this research, as it is very difficult for them to integrate the techniques into their devices. Moreover, sometimes a specific class of malware can only be detected by a single technique or a particular antivirus. Therefore, device owners can benefit from employing multiple malware detectors on their devices.
In this paper, we propose SpyDroid, a real-time malware detection framework that can deploy multiple malware detectors (we call them sub-detectors) on a real device. SpyDroid is designed as a part of the operating system and has two modules, one for monitoring and one for detection. Sub-detectors monitor runtime information using the monitoring module and perform analysis to detect malware. They report their analysis results to the SpyDroid detector. The detector decides when to mark an app as malware. A framework like SpyDroid can help third parties (researchers and commercial vendors) publish their detection techniques via application markets, and users can install multiple sub-detectors to improve the security of their devices.

We implement SpyDroid using the Android Open Source Project (AOSP) [6]. However, the concept of SpyDroid is generic and can be implemented in any smartphone operating system.