Recently the Android market has shown explosive growth. Unfortunately, this increasing popularity has turned the Android platform into the main target of malware. At the same time, the limited security protection built into Android makes the situation much worse. In this paper, we present a new framework named Defensor, which takes both practicability and effectiveness into consideration. First, the background of Android is introduced, including the architecture of Android, its four main components and the communication channels between them. Particular attention is paid to Binder: Binder is the basis of ICC, and Defensor can obtain sufficient information from it. In this section, we also introduce another piece of work, on the obfuscation of Android applications through native code. Native code is a part that many defense methods easily neglect; however, it plays an important role in obfuscation on the Android platform. We construct six different obfuscation methods, all of which can hide malicious actions efficiently. According to our experiment, the six methods, or combinations of them, bypass all 54 AV engines on VirusTotal. We therefore suggest that all defense methods pay more attention to native code obfuscation. Second, we introduce the most closely related work and give the design of Defensor. Defensor consists of two parts: a kernel module and an application. The kernel module intercepts sensitive system calls and reconstructs the high-level activities; the application is responsible for interaction with the user. The core part of Defensor is built into the Linux kernel, which results in a small TCB. Defensor is a system-wide, lightweight inspecting framework. It can closely monitor malicious behaviors within and across applications, such as sending SMS messages to premium-rate numbers, stealing private data from the compromised device and gaining root privileges through root exploits. This type of monitoring is mandatory: no application installed on the phone, and no component of it, including malicious native code, can bypass it. Defensor not only rebuilds high-level behaviors from system calls, but also extracts the context information in which the behavior runs. Context information such as whether the application is in the background or foreground contributes greatly to the accuracy of malware detection. Finally, we evaluate Defensor on real malware. Five different categories of malware are taken into consideration. Defensor can defend against all five categories, and the overhead it introduces is limited: according to the experiment, the average overhead introduced by Defensor is 5%.
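The abstract describes the kernel module reconstructing high-level behaviors (premium-rate SMS, privacy theft, privilege escalation) from intercepted system calls and Binder transactions, and using foreground/background context to judge them. The Python sketch below is an added illustration of that reconstruction step, not Defensor's own code: the event format, the `ISms.sendText` Binder descriptor, the premium-number prefixes, the sensitive paths and the whole sample trace are assumptions constructed for the example.

```python
"""Toy reconstruction of high-level behaviors from a low-level event stream.

Each Event models one observation a kernel-side hook might record: a Binder
transaction (interface.method) or a system call, attributed to a pid/uid,
together with whether the calling app was in the foreground at that moment.
All events, descriptors, prefixes and paths below are constructed for the
example and are not taken from Defensor.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    pid: int
    uid: int
    kind: str          # "binder" or "syscall"
    name: str          # e.g. "ISms.sendText", "open", "sendto", "setuid"
    arg: str           # destination number, path, address or new uid
    foreground: bool   # app UI visible when the event occurred


@dataclass(frozen=True)
class Alert:
    behavior: str
    pid: int
    severity: str      # "low" or "high"
    detail: str


# Constructed prefixes standing in for a premium-rate number list.
PREMIUM_PREFIXES = ("1066", "1069")
# Constructed paths standing in for private data stores on the device.
SENSITIVE_PATHS = (
    "/data/data/com.android.providers.contacts/",
    "/data/data/com.android.providers.telephony/",
)
# Assumed Binder descriptor for the SMS send transaction (example only).
SMS_SEND_METHOD = "ISms.sendText"


def is_premium(number: str) -> bool:
    return number.startswith(PREMIUM_PREFIXES)


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PATHS)


def reconstruct(events: List[Event]) -> List[Alert]:
    """Walk the event stream once and emit one Alert per recognised behavior.

    Context matters: the same action performed while the app is in the
    background is rated "high", in the foreground only "low".
    """
    alerts: List[Alert] = []
    tainted: Dict[int, Set[str]] = {}   # pid -> private stores it has read
    for e in events:
        sev = "low" if e.foreground else "high"
        if e.kind == "binder" and e.name == SMS_SEND_METHOD and is_premium(e.arg):
            alerts.append(Alert("premium_sms", e.pid, sev, f"SMS to {e.arg}"))
        elif e.kind == "syscall" and e.name == "open" and is_sensitive(e.arg):
            # Remember that this process now holds private data.
            tainted.setdefault(e.pid, set()).add(e.arg)
        elif e.kind == "syscall" and e.name in ("sendto", "connect") and e.pid in tainted:
            # Private data read earlier, now followed by network output.
            stores = ", ".join(sorted(tainted[e.pid]))
            alerts.append(Alert("privacy_leak", e.pid, sev, f"{stores} -> {e.arg}"))
        elif e.kind == "syscall" and e.name == "setuid" and e.arg == "0" and e.uid != 0:
            # An unprivileged uid asking for root is suspicious in any context.
            alerts.append(Alert("privilege_escalation", e.pid, "high", f"uid {e.uid} -> 0"))
    return alerts


# Constructed sample trace: three malicious processes and one benign SMS.
SAMPLE_TRACE = [
    Event(1201, 10045, "binder", SMS_SEND_METHOD, "10691234", foreground=False),
    Event(1202, 10046, "syscall", "open",
          "/data/data/com.android.providers.contacts/databases/contacts2.db", foreground=False),
    Event(1202, 10046, "syscall", "sendto", "198.51.100.7:80", foreground=False),
    Event(1203, 10047, "syscall", "setuid", "0", foreground=True),
    Event(1204, 10048, "binder", SMS_SEND_METHOD, "15551230000", foreground=True),
]

if __name__ == "__main__":
    for a in reconstruct(SAMPLE_TRACE):
        print(f"[{a.severity}] pid {a.pid}: {a.behavior} ({a.detail})")
```

The benign foreground SMS to an ordinary number produces no alert, while the background premium-rate SMS, the contacts read followed by a network send from the same pid, and the setuid(0) attempt each become one reconstructed behavior; a real implementation would also correlate across pids for the cross-application case the abstract mentions.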