強化Andriod惡意程式之自動化動態分析機制之有效性

Abstract

Android惡意程式偵測是近來熱門的議題，而對惡意程式動態分析而言，如何自動化執行所有可能的程式路徑來觸發惡意行為是一個重大挑戰。很多惡意程式會隱匿行蹤，在無使用者點擊觸發或是等待特定條件的情況下啟動惡意行為，例如透過等待監聽系統廣播事件的方式。在本篇論文中，我們提出一個自動化動態分析惡意程式之架構，此架構可偵測機敏性資料外洩行為，運用智慧型事件觸發機制，其結合使用者介面事件觸發器來探索並啟動圖形介面活動元件，系統事件觸發器模擬系統廣播事件來自動化地揭露可能的惡意行為。 此架構建置於TaintDroid基礎上，透過監控應用程式對機敏性資訊相關應用程式介面之使用及是否有發送簡訊或撥打電話的行為，來偵測機敏性資料外洩或金錢不當得利之惡意行為。我們運用反偵測模擬器的技術來防止惡意程式透過偵測是否執行於虛擬化環境的技術來隱匿其惡意行為。此外，我們並修改系統鬧鐘管理系統服務來防止惡意程式濫用此系統服務做時間延遲攻擊。在我們取樣1034個惡意程式之研究案例中，本架構可以偵測其中706個惡意程式其有惡意行為，相較於現今既有的方法而言我們的方法有重大進步。

Android malware detection has become a very important topic in recent years. A challenge for dynamically detecting malwares is to execute all possible paths in an application to expose its malicious behavior. Stealthy attacks may wait for a user to perform a predefined action before activating themselves, for examples, listening system broadcast events to initialize its malicious activity. In this thesis, we present an automatic dynamic malware analysis framework, which detect information leakage with a smart event trigger that combines a UI-event trigger for GUI exploration and a system event trigger for simulating system broadcast events to automatically expose possible malicious behaviors. This TaintDroid-based framework monitors privacy-related API invocations, outgoing SMS messages sent and phone calls to trace the leakage of sensitive information and financial charges. We also employ Anti-Anti-Emulation to prevent malwares from detecting whether they are executed on an Android emulator and hide malicious behaviors from TaintDroid. In addition, we modified AlarmManager methods to prevent malwares from using alarm perform services to perform delayed execution attacks. In our case study with 1034 malwares, we show our framework can reveal the malicious behaviors in 706 malwares which is a significant improvement over existing methods.