System Calls Analysis of Malwares on Android

Full Text PDF PDF
Author(s) F. Tchakounte | P. Dayang
Pages 669-674
Volume 2
Issue 9
Date September, 2013
Keywords Malware, analysis, Android, User Interface, malicious, unconscious
Abstract

Android devices are targeted by malicious developers whose aim is to infiltrate these equipments in order to manipulate user’s data. They insert malicious code inside the applications they publish into Google Play or unofficial app-stores. Once installed, these apps disguise and send back information to the attacker's server. In general, mobile malware can be analysed using two different and complementary techniques: static and dynamic analysis. The first one consists on scrutinizing behaviour of malware during execution and the second consists on the reverse engineering of the malicious application from the .apk and mainly focuses on AndroidManifest.xml and classes.dex files. In this paper, we scrutinize dynamic low-level analysing kernel invocations initiated by the malicious code at the moment the user runs it. Most often, the attacker entices the user in presenting him well designed User Interface (UI) to convince him to apply naively an action. These interfaces can be to validate a form, check, select, click a button or to open a window. In this work, we found a new scenario of how the user can be lured to aid the malicious developer. We discovered that if the user clicks in a region of mobile screen that is distinct to what the attacker programmed to lure the user, attacker malicious events are triggered. So, the user is continuing to participate unintentionally with random events (such as click on the activity window) to the malicious spreading of the malware inside the system. This result show firstly that the user does not need to manipulate (interact with) the application to divulge unconsciously its sensitive information and secondly that the system lacks to control events initiated by the user on applications unintentionally. Moreover, we confirm that malwares may not start automatically at the Kernel layer: they require the user to manually run the infected application.

< Back to September Issue