
Detecting Malicious Behaviors And Categorization Of Android Applications

Posted on: 2017-04-17
Degree: Master
Type: Thesis
Country: China
Candidate: J L Ma
Full Text: PDF
GTID: 2308330482479370
Subject: Information security

Abstract/Summary:
In recent years, the Android platform has developed rapidly thanks to its superior user experience and openness. Meanwhile, it has also become the primary target of malicious attackers. With the diversification of mobile terminal application scenarios that are closely related to users, such as mobile entertainment, mobile office and mobile payments, the security issues of mobile devices increasingly attract extensive attention from subscribers, especially Android users, who account for the largest proportion. Malicious attackers obtain illegal benefits in a variety of ways, such as malicious deduction, bundled installation and malicious advertisements. The categories of applications in Android markets tend to be diverse, and the behaviors of malicious applications tend to be increasingly complicated. The management of Android markets and malicious application detection are confronted with enormous challenges. Classifying applications correctly is the prerequisite of market management and malicious application detection. Therefore, studies on automatic classification of Android applications are also of great significance.

In this thesis, an automatic classification method based on multiple classifiers is proposed. An alarm is triggered if a malicious application is detected. Otherwise, the application is automatically categorized. Our work is summarized as follows:

(1) The security of the Android platform is analysed from several aspects, including the system architecture of the Android platform, the core components and the basic structure of Android applications. Moreover, the security mechanisms of Android, such as access control, permission checks, the sandbox and digital signatures, are analysed in order to understand Android deeply. The thesis also briefly presents the detection technology for malicious applications, including static analysis and dynamic analysis.

(2) The features available for malicious application detection are analysed, such as the requested permissions, Java code, intent-filters, system calls and user behaviors. The features are summarized from three aspects: static features, dynamic features and application metadata.

(3) A voting method based on multiple classifiers is proposed, and a systematic workflow for malware detection and automatic categorization of Android applications is developed. Based on the Android application samples and the 7 kinds of static features extracted from the samples provided by our research group, the whole workflow and the voting method are implemented. Experimental results show that the proposed method is effective for detecting malicious behaviors and categorizing Android applications.
Keywords/Search Tags: Android, features, classifier, voting, malware detection, benign applications categorization