A Static API Analysis and Installation Advisory System for Android Applications

Android系統已經成為現在主流的智慧型裝置作業系統。目前Android對可疑軟體的防護主要是依靠使用者自身的判斷，Android系統本身只提供給使用者簡略的資訊。在這篇論文中，我們主要想要改進這點，給使用者更詳細的資訊來判斷一個應用程式是否為可疑軟體。一旦使用者上傳了一個apk檔案，系統會開始提取裡面的資訊包含了API calls、permissions還有自訂的features。我們主要用的是靜態分析的方法來分析，並且把分析的結果存回資料庫，最後再把結果轉換成容易理解的敘述上傳到網頁上，為了那些對智慧型裝置不熟悉的使用者，我們為他們評估了應用程式的風險程度，以分數的方式呈現，並設定了一個門檻來判斷其是否為可疑軟體。門檻的決定是透過分析一部分的樣本，找尋可疑軟體的常見特徵，並給定各個特徵一個加權分數並透過不斷的測試與調整以得到最好的準確率，我們的樣本包含了936個應用程式，裡面有200個可疑軟體以及736個無害的應用程式，最終測出來的結果是85.15%的準確率。Android has been one of the most popular operating systems for the mobile devices. And the Android’s permission system can inform users the privacy information used by the applications to be installed, but it only tells the very basic information. In this paper, the goal is to make sure users can understand the risks of installing an application. When users upload an .apk file, the proposed system extracts information about this application, including using API calls, permissions, and selected features. To analyze individual privacy breach or possibility of attack, with selected features and heuristic rules, we used static analysis and focused on analyzing the disassembled code. The analytic results are kept in the database, and then the results are translated into understandable sentences and displayed on a webpage for users to access. For the non-technical users, we make an assessment for them. We calculate the risk score for each individual application, and set a threshold to determine if it is a malware or not. The risk score is heuristic-based. We applied the analytic tools on part of the benign and malware datasets, and examined the results to find the pattern of determining the malicious applications, and then gave them a weighted function, which is adjusted by knowledge and the test results, to achieve the highest accuracy. Our dataset contains 936 applications, including 200 malwares and 736 benign applications. The result is 85.15% accuracy with 81.5% true positive rate and 13.86% false positive rate.口試委員審定書 i 摘要 ii Abstract iii Chapter 1 Introduction 1 1.1 Existing Android Permission System 3 1.2 Contribution 5 1.3 Thesis Organization 6 Chapter 2 Related Work 7 2.1 Other Malware Detecting Techniques 7 2.1.1 Static Analysis 8 2.1.2 Dynamic Analysis 10 2.2 Introduction to Analysis Tools 11 2.2.1 Androguard 11 2.2.2 Apktool 12 2.2.3 Stowaway 13 2.2.4 PSCOUT 13 Chapter 3 Proposed Technique 15 3.1 Operating Process 16 3.2 Feature Extraction 17 3.2.1 How to Extract Features 18 3.2.1.1 Parsing AndroidManifest.xml 19 3.2.1.2 Parsing Disassembled DVM Codes 20 3.3 Extract Privacy Breach API Calls 24 3.4 Extract Dangerous API Calls 24 3.5 Translation and Estimating Risk Scores 25 3.5.1 Translation the Features 25 3.5.2 Estimating Risk Scores 25 Chapter 4 Experiment Setup & Results 27 4.1 Evaluation metrics 27 4.2 Datasets 28 4.2.1 Contaigo: Malware dataset 28 4.2.2 Benign App Dataset 30 4.3 Environment 31 4.4 Experiment Results 32 4.4.1 Malware App Detection Rate 32 4.4.2 Advisory System 34 4.4.3 System Overhead 37 Chapter 5 Conclusion 38 Reference 3